Is there a simple way to block geographic regions in the MX without manually entering them? Mostly it's just an added layer to keep things like Crypto Lockers from phoning home, but without some way to keep them updated and push them down to each of the facilities it'll be a massive headache. I realize they released some templates and tools for Node-RED but I know next to no JS and have not had time to learn it honestly. If anyone has something in mind though I'll be happy to consider it.
I pulled a few sites that had blocks listed for each country and there looked to be more than was feasible to block under L3. I was unaware you could block countries under L7 as we've never had much use for it. We normally block everything using content filtering and whitelisting anything that may be caught by it erroneously. I'll give this a look though, thanks.
Will admit, I prefer to use content filtering or a utility like Umbrella to handle this task. It's too easy to use a prepaid credit card to buy space on AWS and launch an attack from there.
That said, I have some clients where our company policy is to block a heap of countries because we have poor political relationships with their governments.
I agree, I'm mostly looking for an added layer of protection. We've talked about looking into Umbrella, but until we actually sit down and look into it I'm going to block anything outside the U.S. If someone sets up an AWS or VPN to get around that there's not a lot I can do, but this will give me control of traffic going outside the country at least.
Do note that this will overwrite any other L7 rules you've got in place. So if you've got a set of rules that MX B needs, grab the list of countries from MX A and add it to the MX B return.
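The merge described in the post above, as an added example that is not part of the original thread. It assumes the rule shape of the Meraki Dashboard API's L7 firewall rules (entries with `policy`, `type` and `value`, where country rules use type `blockedCountries` or `allowedCountries`); the function names and the sample rule sets are constructed, and no API call is made.

```python
"""Copy MX A's country rule into MX B's L7 rule list without dropping B's other rules."""
import copy

# Assumption: country-based L7 rules carry one of these "type" values.
COUNTRY_TYPES = {"blockedCountries", "allowedCountries"}


def merge_l7_rules(source_rules, target_rules):
    """Build the complete rule list to send for the target network.

    An update replaces the whole list, so the result keeps every
    non-country rule the target already has and swaps in the source's
    country rules (replacing any country rule the target had).
    """
    src = [r for r in source_rules if r.get("type") in COUNTRY_TYPES]
    if not src:
        raise ValueError("source network has no country rule to copy")
    kept = [copy.deepcopy(r) for r in target_rules
            if r.get("type") not in COUNTRY_TYPES]
    copied = [{"policy": r["policy"], "type": r["type"],
               "value": sorted({c.upper() for c in r["value"]})}
              for r in src]
    return kept + copied


def lost_rules(before, after):
    """Non-country rules that exist before an update but not after it."""
    return [r for r in before
            if r.get("type") not in COUNTRY_TYPES and r not in after]


# Constructed sample data: MX A holds the country policy, MX B has its own rules.
MX_A = [{"policy": "deny", "type": "allowedCountries", "value": ["us"]}]
MX_B = [
    {"policy": "deny", "type": "host", "value": "example.com"},
    {"policy": "deny", "type": "port", "value": "23"},
    {"policy": "deny", "type": "blockedCountries", "value": ["KP"]},
]

if __name__ == "__main__":
    print("lost if MX A's list is pushed as-is:", lost_rules(MX_B, MX_A))
    merged = merge_l7_rules(MX_A, MX_B)
    print("lost after merge:", lost_rules(MX_B, merged))
    print({"rules": merged})
```

Running `lost_rules` against the current rules before every push is a cheap check that a site-specific rule is not silently removed.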
See below. Can't you just use the option, "Traffic not to/from"?
For example, if I want to allow traffic from and to the US but no other countries I can add the rule that reads like this, "Deny Countries Traffic not To/From United States"