Does deny countries also alter my layer3 rules?


I wonder if somebody can explain the effective firewall rules when using group policies in MX.

In my case I have a web application reachable with HTTPS from the internet. The permissions are tcp/https from any. Since the IDS tells me that there are constant attempts to attack this server, I would like to add a group policy to the interface which this server is attached to and only permit traffic from Sweden. Creating the policy group and attaching it to the interface is OK, but I wonder if the default line "allow any any" in the group policy means that the server is allowed to access other internal subnets even though these are forbidden in the network firewall rules.


Allowing a country blocks all traffic to or from other countries and overrides everything else. Also you cannot "whitelist" exceptions. It is a blanket ban.


Typically I find it is safer to block high-risk countries like North Korea, Russia, China, etc.

Hi, thanks for your reply. I agree that it is better to block high-risk countries. But the question was more about how the layer 3 IP-to-IP rules are handled; the country example was to explain why I created the policy in the first place. Perhaps you can give me a hint about that as well; I will try to be more specific...


E.g. suppose the network firewall rules say "deny all private IP" and I create a policy with my country settings and apply it to an interface. Does that mean that my default "permit all" in the group policy gives access to private IPs even though the default firewall rules say no? In my example traffic is incoming via NAT and allowed in the country part of the policy. But I want to be sure that the "allow all" part of the policy does not override the default network firewall rules when applied to an interface (for the servers attached to that interface).
