Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Does deny countries also alter my layer3 rules?

Per
Just browsing
‎Jan 17 2022 6:30 AM
‎Jan 17 2022 6:30 AM

Does deny countries also alter my layer3 rules?

Hi,

 

I wonder if somebody can explain the effective firewall rules when using group policys in MX.

 

In my case I have a web application reachable with https from internet. The permissions are tcp/https from any. Since the IDS tells me that there are constant attempts to attack this server I would like to add a group policy to the interface which this server is attached to and only permit traffic from Sweden. The creating of the policy group and attach to the interface is ok, but I wonder it the default line "allow any any" in the group policy means that the server is allowed to access other internal subnets even though these are forbidden in the network firewall rules.. 

Labels:
0 Kudos
Subscribe
2 Replies 2
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 17 2022 9:20 AM
‎Jan 17 2022 9:20 AM

Allowing a country blocks all traffic to or from other countries and overrides everything else.  Also you can not "whitelist" exceptions.  It is a blanket ban.

 

Typically I find it is safer to block high-risk countries like North Korea, Russia, China, etc.

0 Kudos
Subscribe
In response to PhilipDAth
Per
Just browsing
‎Jan 17 2022 4:50 PM
‎Jan 17 2022 4:50 PM

Hi, thanks for your reply, I agree that it is better to block high-risk countries. But the question was more about how the layer3 ip to ip rules are handled, country example was to explain why I create the policy from the first time.Perhaps you can give me a hint about that as well, I try to be more specific...

 

E.g. Suppose network firewall rules says "deny all private IP" and I create a policy with my country settings and apply to interface. Does that mean that my default "permit all" in the group policy give access to private IP even thou default firewall rules says no.. In my example traffic is incoming via NAT and allowed in the country part of the policy. But I want to be sure that the firewall "allow all part" do not override the default network firewall rules, when applied to an interface (for the servers attached to that interface).

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.