
BUG - Layer 7 country block list uses different engine than what security center geo-location uses

New here


I currently have a case open with Meraki support on this issue. Basically, the source country for any given IP can be different between what is being displayed in the security center and the actions you may take under layer 7 blocking (at the least). I've been experiencing hack attempts on FTP server over the last week. Security Center reports that the IP is from Seychelles. I go and block Seychelles but the hack attempts continue. WTF???

Well, it appears that the security center uses Cisco Sourcefire but layer 7 blocking uses MaxMind. I can't believe that Cisco wouldn't make sure that the information given in security center matches, across the board, with all other functions within Meraki. Isn't this what we're paying for?

 

Oh, and the exact words from Meraki support - "So if you want to block it in layer 7, you have to put "netherland" (and "turkey" maybe) instead of "seychelles""

 

Turkey, maybe...? Great! Meraki support doesn't even know.

 

Kind of a big deal

Re: BUG - Layer 7 country block list uses different engine than what security center geo-location us

Can you just block the specific IP(s)? But this is good to know. Also worth noting that if you do blacklist a country, there is no way to whitelist certain legitimate IPs from within that country yet. We've had some IPs misidentified and had to unblacklist an entire country until the IP was properly categorized.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
New here

Re: BUG - Layer 7 country block list uses different engine than what security center geo-location us

I have the same issue with VoIP... We expose port 5060 for our soft clients; now China is blocked but we can still see registration attempts from China. Our PBX has an internal firewall and blocks the attempt, but seriously, what is the point if the MX does not stop it? Another way to stop it from hitting our PBX is to create a rule in the switch.
