Meraki

Community

Finding inbound traffic and creating rules to allow

Geri0n
Here to help
‎Oct 11 2019 10:39 PM
‎Oct 11 2019 10:39 PM

Finding inbound traffic and creating rules to allow

Hey Meraki Community,

Let me preface by saying that i very inexperienced in this topic, but i would love some input and assistance.

Currently, we are blocking nearly all Layer 7 firewall rules. However we are currently needing to allow a site to download files to our main station to allow it to upload data. We are a restaurant that is trying to make changes with a cloud based software that connects to our in store POS.

So my question is this:

Is there a way to find the attempted traffic that is being blocked by our MX64 and add a layer 7 (or 3) rule that will allow this port or IP to be able to correctly download and upload the data?

I have attempted to run parse logs for traffic, but being inexperienced makes it really complicated to try to read and understand these logs. If they are even giving me the info i need.

I am still learning the tools with the MX software, so any help is greatly appreciated.

Thank you.

0 Kudos
8 Replies 8
gauravgupta
Meraki Employee
Meraki Employee
‎Oct 12 2019 8:43 PM
‎Oct 12 2019 8:43 PM

Hi there,

 

Please keep in mind that global Layer3 and Layer7 firewall tables on MX run independently. If traffic is allowed through one feature but denied on another, the traffic will still be denied. With that being said, even if you figure out what IP, port, and protocol POS system is using to communicate with cloud server, there is no way to make it work because even if we explicitly allow that traffic under Layer 3, it is still entitled to get blocked under Layer 7 rules.

 

I will recommend manually whitelisting POS devices from clients list if POS systems are configured to communicate only with that cloud server. I can also help you in determining which IP MX is blocking when POS tries to communicate with cloud server, so let me know if you would like to know how to do that.

 

Best Regards,

Gaurav Gupta

 

 

 

0 Kudos
In response to gauravgupta
Geri0n
Here to help
‎Oct 15 2019 2:40 PM
‎Oct 15 2019 2:40 PM

Thank you for your reply guaravgupta,

I misunderstood how the layer blocks worked and see how i did them incorrectly.
Currently, we are only using an Enterprise license instead of the Advanced Security license, which prevents basic website blocking, but makes it difficult to configure beyond that.

The main thing i need to figure out is allowing data from a specific address or ip, while preventing any users on our POS stations from accessing any websites beyond the approved sites.

0 Kudos
In response to Geri0n
gauravgupta
Meraki Employee
Meraki Employee
‎Oct 18 2019 9:15 PM
‎Oct 18 2019 9:15 PM

Hi Geri0n,

I am a bit confused. Let me tell you what I understood here - You have user machines and POS systems in a restaurant. One requirement is to allow POS systems to only reach out to a cloud server (using a specific Public IP address) and everything else should be blocked. The other requirement is to have user machines access only approved sites. Am I correct?

Note: I am talking about inbound to outbound traffic (LAN-WAN) meaning flows are initiated by local devices to outside network and not the other way around.

Cheers,
Gaurav
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 13 2019 12:56 AM
‎Oct 13 2019 12:56 AM

A packet capture usually highlights the issue.

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Packet_Capture_Overv... 

Raj66
Meraki Employee
Meraki Employee
‎Oct 13 2019 8:59 PM
‎Oct 13 2019 8:59 PM

Hi @Geri0n 

 

To answer your question, it is a yes and now. Is there a way to find the attempted traffic? Yes, can we apply a rule to allow this traffic, No, especially when it is L7 rules that are blocking the traffic.

 

If you want to know what flows are being generated at your restaurant, you can do this using Syslog. When you configure Syslog to report urls and flows, every HTTP get will generate a syslog message and also all the flows will be reported to the syslog server either.

 

Now the best way to block them to completely remove the L7 category which is blocking it (there is no way to bypass it for one specific Ip or url)

 

More information on Syslog reporting and L7 firewalls can be found in the below-attached documents:

 

https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Over...

 

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Layer_3_and_7_Firewa...

 

Cheers!

 

Raj

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
In response to Raj66
BrechtSchamp
Kind of a big deal
‎Oct 14 2019 7:40 AM
‎Oct 14 2019 7:40 AM

I'm a bit confused about your architecture here @Geri0n . The "cloud" software needs to connect to your POS? How does it do that, does it try to reach the public IP of your MX and are you therefore doing port forwarding or 1:1 NAT? Or do you have autoVPN/site-to-site VPN between the locations?

 

Can you create a small drawing showing your Meraki network design, the POS and "main station" and this "cloud based software" and which connections need to be initiated from where to where?

0 Kudos
In response to BrechtSchamp
Geri0n
Here to help
‎Oct 15 2019 2:35 PM
‎Oct 15 2019 2:35 PM

Hey BrechtSchamp,

Sorry about the confusion.

Here is the general layout.

ISP > MX64 > Network Switch > Patch Panel > All stations within the restaurant.

Currently, the MX64 configuration that i have setup, is able to block most websites, as we are only using an enterprise license vs a Security Advanced license. However due to these rules, we are unable to download updates for our POS from the servers.

Does that make better sense?

0 Kudos
In response to Raj66
Geri0n
Here to help
‎Oct 15 2019 2:36 PM
‎Oct 15 2019 2:36 PM

Thank you Raj66,

I will look through these and see if there is something i should do along side removing the L7 blocks.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.