Firewall log always shows Layer 7 default rule allowed the traffic

PhilippGreindl
Here to help


Hello there,

yesterday we created about 80 new FW rules after migrating all services to our MX-Cluster.

Today I want to see if everything is working and if traffic is getting allowed by the correct rules.

In the firewall log I can see almost every entry is allowed by layer 7 default rule. We don't use any layer 7 rules, only layer 3.

See screenshot from log. Traffic from 10.10.241.130 should be allowed by rule #1.

PhilippGreindl_1-1713253276927.png

PhilippGreindl_2-1713253494049.png

Is this normal behaviour or am I missing something?


Regards

Philipp

5 Replies
PhilipDAth
Kind of a big deal

When processing firewall rules, L3 rules are checked, and if not blocked then L7 rules are checked.  L7 rules are the last rules to be checked.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal... 

RaphaelL
Kind of a big deal

I think you should be seeing both entries as per: https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Firewall_Logging

PhilippGreindl
Here to help

Hi there, 

you guys are right. But most of the time only the L7 entry is shown. Sometimes I can see the associated L3 rule.

It's just getting weirder, because the L3 rule is always shown as #0. I have no #0 rule allowing anything. Before the default allow rule is a deny any rule.

Here is a screenshot of the log with L7 and L3 entries:

PhilippGreindl_1-1713270400434.png

Here a screenshot of my fw rules:

PhilippGreindl_2-1713270570062.png

Please enlighten me regarding this matter.

Regards Philipp


RaphaelL
Kind of a big deal

I would probably open a ticket if I were you. This seems like a bug (probably a known issue).

A bit off topic, but why do you have a catch-all allow and a catch-all deny? Seems counter-intuitive.

PhilippGreindl
Here to help

When doing a migration with over 80 FW rules it's always good to have a catch-all rule to see if traffic is not matched above. It's an allow rule because we don't want to get errors on the user end. If the firewall log is working like any other firewall, I could easily see what traffic matches that rule and make the corrections.

But it seems I'm stuck here. I will open a ticket.

Thanks anyway 🙂
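An added example, not code from the thread or from Meraki: it models the top-down, first-match L3 evaluation PhilipDAth describes (with L7 only consulted after an L3 allow, and no L7 rules defined, as in Philipp's setup) and runs the check Philipp wants, listing the flows that only the catch-all allow rule matched so they can get their own specific rule. The rule table, the flows and the `Rule` fields are constructed assumptions, not the thread's real 80 rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    number: int            # position in the L3 table; 0 marks the final catch-all here (assumption)
    policy: str            # "allow" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # None means any destination port

def _in_net(cidr: str, ip: str) -> bool:
    return cidr == "any" or ip_address(ip) in ip_network(cidr)

def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (_in_net(rule.src, src) and _in_net(rule.dst, dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))

def evaluate(rules, flow) -> Rule:
    """First-match L3 evaluation: the first rule whose 5-tuple matches decides.
    With no L7 rules configured, an L3 allow is the final decision for the flow."""
    for rule in rules:
        if matches(rule, *flow):
            return rule
    raise ValueError("rule table must end with a catch-all rule")

def catch_all_hits(rules, flows, catch_all_number: int = 0):
    """Flows that only the catch-all allowed: candidates for a new specific rule."""
    return [f for f in flows if evaluate(rules, f).number == catch_all_number]

# Constructed rule table: a specific allow, a deny for the rest of that subnet,
# then the catch-all allow placed last on purpose so unmatched traffic is visible.
RULES = [
    Rule(1, "allow", "10.10.241.0/24", "10.10.10.0/24", "tcp", 443),
    Rule(2, "deny", "any", "10.10.10.0/24", "any", None),
    Rule(0, "allow", "any", "any", "any", None),
]

# Constructed flows as (src, dst, proto, dport) tuples.
FLOWS = [
    ("10.10.241.130", "10.10.10.5", "tcp", 443),   # should hit rule 1
    ("10.10.241.130", "10.10.10.5", "tcp", 22),    # should be denied by rule 2
    ("10.10.50.7", "192.168.1.9", "udp", 53),      # nothing specific: catch-all
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", evaluate(RULES, flow))
    print("needs a specific rule:", catch_all_hits(RULES, FLOWS))
```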
