Blocking geographic regions

SOLVED
Getting noticed

Is there a simple way to block geographic regions in the MX without manually entering them? Mostly it's just an added layer to keep things like Crypto Lockers from phoning home, but without some way to keep them updated and push them down to each of the facilities it'll be a massive headache. I realize they released some templates and tools for Node-RED, but I know next to no JS and have not had time to learn it, honestly. If anyone has something in mind though, I'll be happy to consider it.

1 ACCEPTED SOLUTION

Kind of a big deal

Re: Blocking geographic regions

What do you mean by "without manually entering them"?

 

You can block countries under Security & SD-WAN > Firewall in the Layer 7 section:

[Screenshot: image.png]

Would that work for you?

Getting noticed

Re: Blocking geographic regions

I pulled a few sites that had blocks listed for each country and there looked to be more than was feasible to block under L3. I was unaware you could block countries under L7 as we've never had much use for it. We normally block everything using content filtering and whitelisting anything that may be caught by it erroneously. I'll give this a look though, thanks.

Kind of a big deal

Re: Blocking geographic regions

Will admit, I prefer to use content filtering or a utility like Umbrella to handle this task. It's too easy to use a prepaid credit card to buy space on AWS and launch an attack from there.

 

That said, I have some clients where our company policy is to block a heap of countries because we have poor political relationships with their governments. 

Getting noticed

Re: Blocking geographic regions

I agree, I'm mostly looking for an added layer of protection. We've talked about looking into Umbrella, but until we actually sit down and look into it I'm going to block anything outside the U.S. If someone sets up an AWS or VPN to get around that there's not a lot I can do, but this will give me control of traffic going outside the country at least.

Kind of a big deal

Re: Blocking geographic regions

If you have a master list of countries you want to use, you can update it via API. Set it up on one MX the way you want, GET a copy, then put it to all the others.

 

Do note that this will overwrite any other L7 rules you've got in place. So if you've got a set of rules that MX B needs, grab the list of countries from MX A and add it to the MX B return.
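
The GET, merge, PUT procedure from the reply above, as an added example that is not part of the thread and is not Meraki's own code. It assumes the Dashboard API v1 `l7FirewallRules` endpoint; the function names, the sample rules and the placeholder country codes `XA` to `XC` are constructed for illustration.

```python
import json
import urllib.request

BASE = "https://api.meraki.com/api/v1"  # Dashboard API v1 base URL
PATH = "/networks/{}/appliance/firewall/l7FirewallRules"

def call(method, network_id, api_key, body=None):
    """GET or PUT the L7 rule set of one network; returns the parsed JSON."""
    req = urllib.request.Request(
        BASE + PATH.format(network_id),
        data=json.dumps(body).encode() if body is not None else None,
        method=method,
        headers={"X-Cisco-Meraki-API-Key": api_key,
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def merge_country_block(source_rules, target_rules):
    """Return the target's rules with its country block replaced by the source's.

    Every non-country rule on the target is kept, because the PUT replaces
    the whole L7 rule list rather than appending to it.
    """
    country = [r for r in source_rules if r["type"] == "blockedCountries"]
    kept = [r for r in target_rules if r["type"] != "blockedCountries"]
    # dict(r, value=...) copies the rule, so the inputs are never mutated.
    return kept + [dict(r, value=sorted(set(r["value"]))) for r in country]

def push_country_block(api_key, source_id, target_ids):
    """Copy the source network's country block to each target network."""
    source = call("GET", source_id, api_key)["rules"]
    for net in target_ids:
        current = call("GET", net, api_key)["rules"]
        call("PUT", net, api_key, {"rules": merge_country_block(source, current)})

# Constructed sample rules in the API's format (placeholder country codes).
MX_A = [{"policy": "deny", "type": "blockedCountries",
         "value": ["XC", "XA", "XB", "XA"]}]
MX_B = [{"policy": "deny", "type": "host", "value": "example.com"},
        {"policy": "deny", "type": "blockedCountries", "value": ["XB"]}]

if __name__ == "__main__":
    # Offline preview of the body that would be PUT to MX B.
    print(json.dumps({"rules": merge_country_block(MX_A, MX_B)}, indent=2))
```

Run stand-alone, it only prints the merged body for the sample data; `push_country_block` is what touches the API, and the preview is worth diffing against each target's current rules before the first real push.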
