Hey Meraki Community,
Let me preface by saying that i very inexperienced in this topic, but i would love some input and assistance.
Currently, we are blocking nearly all Layer 7 firewall rules. However we are currently needing to allow a site to download files to our main station to allow it to upload data. We are a restaurant that is trying to make changes with a cloud based software that connects to our in store POS.
So my question is this:
Is there a way to find the attempted traffic that is being blocked by our MX64 and add a layer 7 (or 3) rule that will allow this port or IP to be able to correctly download and upload the data?
I have attempted to run parse logs for traffic, but being inexperienced makes it really complicated to try to read and understand these logs. If they are even giving me the info i need.
I am still learning the tools with the MX software, so any help is greatly appreciated.
Please keep in mind that global Layer3 and Layer7 firewall tables on MX run independently. If traffic is allowed through one feature but denied on another, the traffic will still be denied. With that being said, even if you figure out what IP, port, and protocol POS system is using to communicate with cloud server, there is no way to make it work because even if we explicitly allow that traffic under Layer 3, it is still entitled to get blocked under Layer 7 rules.
I will recommend manually whitelisting POS devices from clients list if POS systems are configured to communicate only with that cloud server. I can also help you in determining which IP MX is blocking when POS tries to communicate with cloud server, so let me know if you would like to know how to do that.
Thank you for your reply guaravgupta,
I misunderstood how the layer blocks worked and see how i did them incorrectly.
Currently, we are only using an Enterprise license instead of the Advanced Security license, which prevents basic website blocking, but makes it difficult to configure beyond that.
The main thing i need to figure out is allowing data from a specific address or ip, while preventing any users on our POS stations from accessing any websites beyond the approved sites.
A packet capture usually highlights the issue.
To answer your question, it is a yes and now. Is there a way to find the attempted traffic? Yes, can we apply a rule to allow this traffic, No, especially when it is L7 rules that are blocking the traffic.
If you want to know what flows are being generated at your restaurant, you can do this using Syslog. When you configure Syslog to report urls and flows, every HTTP get will generate a syslog message and also all the flows will be reported to the syslog server either.
Now the best way to block them to completely remove the L7 category which is blocking it (there is no way to bypass it for one specific Ip or url)
More information on Syslog reporting and L7 firewalls can be found in the below-attached documents:
I'm a bit confused about your architecture here @Geri0n . The "cloud" software needs to connect to your POS? How does it do that, does it try to reach the public IP of your MX and are you therefore doing port forwarding or 1:1 NAT? Or do you have autoVPN/site-to-site VPN between the locations?
Can you create a small drawing showing your Meraki network design, the POS and "main station" and this "cloud based software" and which connections need to be initiated from where to where?
Sorry about the confusion.
Here is the general layout.
ISP > MX64 > Network Switch > Patch Panel > All stations within the restaurant.
Currently, the MX64 configuration that i have setup, is able to block most websites, as we are only using an enterprise license vs a Security Advanced license. However due to these rules, we are unable to download updates for our POS from the servers.
Does that make better sense?