Meraki

Community

BUG - Layer 7 country block list uses different engine than what security center geo-location uses

alceryes
New here
‎May 21 2018 5:50 PM
‎May 21 2018 5:50 PM

BUG - Layer 7 country block list uses different engine than what security center geo-location uses

I currently have a case oven with Meraki support on this issue. Basically, the source country for any give IP can be different between what is being displayed in the security center and the actions you may take under layer 7 blocking (at the least). I've been experiencing hack attempts on FTP server over the last week. Security Center reports that the IP is from Seychelles. I go and block Seychelles but the hack attempts continue. WTF???

Well it appears that the security center uses Cisco SourceFIRE but layer 7 blocking uses Maxmind. I can't believe that cisco wouldn't make sure that the information given in security center matches, across the board, with all other functions within Meraki. Isn't this what we're paying for?

 

Oh, and the exact words from Meraki support - "So if you want to block it in layer 7, you have to put "netherland" (and "turkey" maybe) instead of "seychelles""

 

Turkey, maybe...? Great! Meraki support doesn't even know.

 

6 Replies 6
Adam
Kind of a big deal
‎May 22 2018 6:35 AM
‎May 22 2018 6:35 AM

Can you just block the specific IP(s)? But this is good to know.  Also worth noting that if you do blacklist a country there is no way to whitelist certain legitimate IPs from within that country yet.  We've had some IPs misidentified and had to unblacklist an entire country until the IP was properly categorized.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
Pegasus79
Conversationalist
‎May 25 2018 11:09 PM
‎May 25 2018 11:09 PM

I have the same issue with voip... We expose port 5060 for our soft clients,  now China is blocked but we can still see registration attempts from china.  Our PBX has an internal firewall and blocks the Attempt but seriously what is the point if the MX does not stop it.   Another way to stop it from hitting our pbx is to create a Rule in the switch.

creepingdeth
Conversationalist
‎Aug 16 2019 12:16 PM
‎Aug 16 2019 12:16 PM

Came upon this same issue today.  We've blocked many foreign countries due to several attempted attacks.  We have no reason to pass or receive information to/from any of these countries so there's no need for them to be Whitelisted.  We blocked traffic from France and we still had attempts.  Not sure what else to do.

0 Kudos
In response to creepingdeth
Pegasus79
Conversationalist
‎Aug 16 2019 12:30 PM
‎Aug 16 2019 12:30 PM

Well I was on the phone with the support guys from Meraki when I had the Advanced License.  So basically what they said was if you have a layer 3 firewall rule 1 to 1 nat or port forwarding that allows IP addresses from any the Layer 7 Firewall Rules will ignore the country you are blocking, since the layer 3 comes first.   A work around will be to get the offending IP or IP's and place it in the Cisco Meraki Switch ACL Rules.  I know  its stupid ...

In response to Pegasus79
creepingdeth
Conversationalist
‎Aug 16 2019 12:48 PM
‎Aug 16 2019 12:48 PM

That is stupid. That is what I did this morning after finding the offending attempted attack. Thanks for the reply.
0 Kudos
In response to creepingdeth
Richard_W
A model citizen
‎Oct 3 2019 4:58 AM
‎Oct 3 2019 4:58 AM

Any clarification from a Meraki Employee here would be nice

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.