Blocking geographic regions

SOLVED
MMoss
Building a reputation

Is there a simple way to block geographic regions in the MX without manually entering them? Mostly it's just an added layer to keep things like Crypto Lockers from phoning home, but without some way to keep them updated and push them down to each of the facilities it'll be a massive headache. I realize they released some templates and tools for Node-RED, but I know next to no JS and have not had time to learn it, honestly. If anyone has something in mind though, I'll be happy to consider it.

1 ACCEPTED SOLUTION
jdsilva
Kind of a big deal

What do you mean by "without manually entering them"?

You can block countries under Security & SD-WAN > Firewall in the Layer 7 section.

Would that work for you?

7 REPLIES 7
MMoss
Building a reputation

I pulled a few sites that had blocks listed for each country and there looked to be more than was feasible to block under L3. I was unaware you could block countries under L7, as we've never had much use for it. We normally block everything using content filtering and whitelist anything that may be caught by it erroneously. I'll give this a look though, thanks.

Nash
Kind of a big deal

Will admit, I prefer to use content filtering or a utility like Umbrella to handle this task. It's too easy to use a prepaid credit card to buy space on AWS and launch an attack from there.

 

That said, I have some clients where our company policy is to block a heap of countries because we have poor political relationships with their governments. 

MMoss
Building a reputation

I agree, I'm mostly looking for an added layer of protection. We've talked about looking into Umbrella, but until we actually sit down and look into it I'm going to block anything outside the U.S. If someone sets up an AWS or VPN to get around that, there's not a lot I can do, but this will give me control of traffic going outside the country at least.

Nash
Kind of a big deal

If you have a master list of countries you want to use, you can update it via API. Set it up on one MX the way you want, GET a copy, then put it to all the others.

 

Do note that this will overwrite any other L7 rules you've got in place. So if you've got a set of rules that MX B needs, grab the list of countries from MX A and add it to the MX B return.
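
The GET-then-PUT procedure described in the post above, as an added example that is not part of the original thread. It assumes the Dashboard API v1 endpoint `/networks/{networkId}/appliance/firewall/l7FirewallRules` and its `blockedCountries`/`allowedCountries` rule types; the function names are hypothetical. Because the PUT replaces the whole rule list, each target keeps its own non-country L7 rules and only the country rule is swapped in.

```python
import json
import urllib.request

BASE = "https://api.meraki.com/api/v1"  # assumption: Dashboard API v1
GEO_TYPES = ("blockedCountries", "allowedCountries")


def merge_geo_rules(source_rules, target_rules):
    """Return the target's L7 rules with its country rule replaced by the source's.

    A PUT overwrites the whole list, so every non-country rule the target
    already has is carried over unchanged.
    """
    geo = [r for r in source_rules if r.get("type") in GEO_TYPES]
    if not geo:
        raise ValueError("source network has no country rule to copy")
    kept = [r for r in target_rules if r.get("type") not in GEO_TYPES]
    return kept + geo


def _call(method, network_id, api_key, body=None):
    """GET or PUT the L7 firewall rules of one network."""
    url = f"{BASE}/networks/{network_id}/appliance/firewall/l7FirewallRules"
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "X-Cisco-Meraki-API-Key": api_key,
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def push_geo_rules(api_key, source_id, target_ids, dry_run=True):
    """Copy the source network's country rule to each target network."""
    source = _call("GET", source_id, api_key)["rules"]
    plans = {}
    for net in target_ids:
        current = _call("GET", net, api_key)["rules"]
        plans[net] = merge_geo_rules(source, current)
        if not dry_run:
            _call("PUT", net, api_key, {"rules": plans[net]})
    return plans  # planned rule set per network, for review before a real push
```

With `dry_run=True` nothing is written; the returned plan shows exactly what each MX would end up with.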

Vincent61
Comes here often

Is there a way to whitelist URLs from the country block?

CptnCrnch
Kind of a big deal

In a nutshell: no (at least not currently. Just "Make a wish")
