Geo-IP blocked traffic showing in Top sources of threats

MaKo
New here

We have a Meraki MX84, with an Advanced Security license.

I have blocked a few countries with a Layer 7 Countries rule.

[Screenshot: Meraki Layer 7.PNG]

However, the "Top sources of threats" screen still shows traffic and threat events from the Russian Federation.

[Screenshot: Top sources of threats shows Russian Federation]

I assume that Russian Federation is the same as Russia in the Layer 7 rule.

Is this behavior normal?

Why am I still seeing threats, when all inbound traffic should be blocked from these countries?

Is there some setting (besides layer 7) that I should enable?

RWelch
Building a reputation

How are you applying group policies to devices? Is that L7 rule in the group policies for those devices as well as the firewall?

RaphaelL
Kind of a big deal

Hi,

Pretty sure this is expected: https://community.meraki.com/t5/Security-SD-WAN/Security-Center/m-p/252049#M56197

From the thread:

This is the scenario that you are most likely experiencing.

  • Meraki MX appliance received packets from the source IP address from Russia.
  • The packets were copied to the IDS process for further analysis.
  • The IDS flagged the flow as potentially harmful, as it matches the pattern of a known attack vector.
  • Before the IDS could take preemptive action to drop the flow, the Meraki MX's inbound firewall rules had already dropped it.
  • As a result of the firewall's prompt action, the IDS process could not apply its own measures, which is why the Meraki Dashboard indicated the action as "Allowed."
  • It is important to note that despite this indication, the flow was effectively blocked by the MX.

Key Takeaways:

  • The swift response by the firewall prevented any action from being required on the part of the IDS.
  • An "Allowed" status on the Meraki Dashboard could sometimes mean that the threat was blocked by other security layers, not that the traffic was permitted through the network.

Was the flow listed as allowed or blocked?
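A small triage helper for the scenario described in the quoted thread, added here as an example and not code from the Meraki product or from the poster. It assumes a constructed event shape (source IP, country display name, dashboard action) and a constructed alias table that maps "Russia" and "Russian Federation" to the same ISO code; neither is taken from the Meraki API.

```python
from dataclasses import dataclass

# Constructed alias table: the Layer 7 rule and the threat screen may label the
# same country differently, so compare ISO 3166-1 alpha-2 codes instead of names.
COUNTRY_ALIASES = {
    "russia": "RU",
    "russian federation": "RU",
    "china": "CN",
    "people's republic of china": "CN",
}


def normalize_country(name: str) -> str:
    """Map a display name to an alpha-2 code; unknown names pass through upper-cased."""
    key = name.strip().lower()
    return COUNTRY_ALIASES.get(key, name.strip().upper())


@dataclass
class SecurityEvent:
    src_ip: str     # source address of the flow
    country: str    # country as displayed in "Top sources of threats"
    action: str     # "Allowed" or "Blocked" as shown on the dashboard


def triage(events, blocked_countries):
    """Return (event, verdict) pairs explaining what each dashboard label likely means.

    Per the thread: the IDS inspects a copy of the packets, so an event from a
    geo-blocked country can show "Allowed" even though the inbound firewall
    dropped the flow before the IDS could act. Only "Allowed" events from
    countries that are NOT geo-blocked need a closer look.
    """
    blocked = {normalize_country(c) for c in blocked_countries}
    results = []
    for ev in events:
        code = normalize_country(ev.country)
        if ev.action.strip().lower() == "blocked":
            verdict = "blocked-by-ids"
        elif code in blocked:
            verdict = "likely-dropped-by-firewall"   # verify against firewall/flow logs
        else:
            verdict = "allowed-investigate"
        results.append((ev, verdict))
    return results
```

Run it over your own exported events with the same country list you used in the Layer 7 rule; any "allowed-investigate" verdict is a flow the geo-block did not cover.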
