Geo-IP blocked traffic showing in Top sources of threats

Solved
MaKo
New here

We have a Meraki MX84, with an Advanced Security license.

I have blocked a few countries with a Layer 7 Countries rule.

[image: Meraki Layer 7.PNG]

However, the "Top sources of threats" screen still shows traffic and threat events from the Russian Federation.

[image: Top sources of threats shows Russian Federation]

I assume that Russian Federation is the same as Russia in the Layer 7 rule.

Is this behavior normal?

Why am I still seeing threats, when all inbound traffic should be blocked from these countries?

Is there some setting (besides layer 7) that I should enable?

1 Accepted Solution
RaphaelL
Kind of a big deal

Hi,

Pretty sure this is expected: https://community.meraki.com/t5/Security-SD-WAN/Security-Center/m-p/252049#M56197

From the thread:

This is the scenario that you are most likely experiencing.

  • Meraki MX appliance received packets from the source IP address from Russia.
  • The packets were copied to the IDS process for further analysis.
  • The IDS flagged the flow as potentially harmful, as it matches the pattern of a known attack vector.
  • Before the IDS could take preemptive action to drop the flow, the Meraki MX's inbound firewall rules had already dropped it.
  • As a result of the firewall's prompt action, the IDS process could not apply its own measures, which is why the Meraki Dashboard indicated the action as "Allowed."
  • It is important to note that despite this indication, the flow was effectively blocked by the MX.

Key Takeaways:

  • The swift response by the firewall prevented any action from being required on the part of the IDS.
  • An "Allowed" status on the Meraki Dashboard could sometimes mean that the threat was blocked by other security layers, not that the traffic was permitted through the network.

Was the flow listed as allowed or blocked?

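The accepted answer boils down to a triage rule: an event from a geo-blocked country that the dashboard lists as "Allowed" is most likely a flow the inbound firewall dropped before the IDS verdict was recorded, while an "Allowed" event from a country no rule covers is the one that actually deserves attention. The script below is an added example (not code from this thread or from Meraki) that applies that rule to a batch of security events. The event dictionaries are shaped like the appliance security events you can pull from the Dashboard API, but the field names `ts`, `srcIp`, `destIp`, `classification` and `blocked` are assumed and should be checked against real output; the geo table and the sample events are constructed for the example, and a real tool would query a GeoIP database instead.

```python
"""Triage Meraki Security Center events against a Layer 7 country block.

Hypothetical helper, not Meraki code. Field names on the event dicts are an
assumption; the geo table and sample events are constructed for the example.
"""
import ipaddress
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Countries denied by the Layer 7 rule (RU for Russia as in the post; KP is
# added so the summary shows more than one blocked country).
BLOCKED_COUNTRIES = {"RU", "KP"}

# Constructed prefix-to-country table using documentation address ranges.
GEO_TABLE = {
    "198.51.100.0/24": "RU",
    "203.0.113.0/24": "KP",
    "192.0.2.0/24": "DE",
}


def geo_lookup(ip: str) -> Optional[str]:
    """Return the country code for an IP from the constructed table."""
    addr = ipaddress.ip_address(ip)
    for prefix, country in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return country
    return None


def classify(event: Dict, blocked_countries=BLOCKED_COUNTRIES,
             lookup: Callable[[str], Optional[str]] = geo_lookup) -> str:
    """Label one event with the most likely reason for its verdict."""
    country = lookup(event["srcIp"])
    if event["blocked"]:
        # The IDS itself reported the drop.
        return "blocked_by_ids"
    if country in blocked_countries:
        # Dashboard says Allowed, but the source is geo-blocked. Per the
        # thread, the inbound firewall dropped the flow before the IDS could
        # act, so the IDS verdict never recorded a block.
        return "dropped_by_firewall_before_ids"
    # Allowed and not covered by the country rule: this one needs a look.
    return "allowed_not_geoblocked"


def triage(events: Iterable[Dict], blocked_countries=BLOCKED_COUNTRIES,
           lookup=geo_lookup) -> Tuple[List[Tuple[Dict, str]], Counter]:
    """Label every event and count the labels."""
    labelled = [(e, classify(e, blocked_countries, lookup)) for e in events]
    return labelled, Counter(label for _, label in labelled)


def review_queue(events: Iterable[Dict], blocked_countries=BLOCKED_COUNTRIES,
                 lookup=geo_lookup) -> List[Dict]:
    """Only the events that were allowed from a source no rule blocks."""
    labelled, _ = triage(events, blocked_countries, lookup)
    return [e for e, label in labelled if label == "allowed_not_geoblocked"]


# Constructed sample events, mirroring the reporter's observation: the same
# Russian source shows up once as blocked and once as allowed.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "srcIp": "198.51.100.7", "destIp": "10.0.0.5",
     "classification": "Attempted Administrator Privilege Gain", "blocked": True},
    {"ts": "2024-05-01T10:00:02Z", "srcIp": "198.51.100.7", "destIp": "10.0.0.5",
     "classification": "Attempted Administrator Privilege Gain", "blocked": False},
    {"ts": "2024-05-01T10:01:00Z", "srcIp": "203.0.113.9", "destIp": "10.0.0.5",
     "classification": "Web Application Attack", "blocked": False},
    {"ts": "2024-05-01T10:02:00Z", "srcIp": "192.0.2.44", "destIp": "10.0.0.5",
     "classification": "Misc activity", "blocked": False},
]

if __name__ == "__main__":
    labelled, summary = triage(SAMPLE_EVENTS)
    for event, label in labelled:
        print(f"{event['ts']} {event['srcIp']:<15} "
              f"{event['classification']:<40} {label}")
    print(dict(summary))
```

Run against the constructed sample, the two Russian events come out as one `blocked_by_ids` and one `dropped_by_firewall_before_ids`, the North Korean one as `dropped_by_firewall_before_ids`, and only the German source lands in the review queue. If an "Allowed" event from a blocked country ever targets an address you expected the geo rule to protect, the thread's later reply about geo-blocking applying to traffic passing through the appliance rather than to it is the next thing to check.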

6 Replies
RWelch
A model citizen

How are you applying group policies to devices? Is that L7 rule in the group policies for those devices as well as the firewall?

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

Brash
Kind of a big deal

This seems likely but fascinating that the firewall would copy the packet to IDS before applying the geoblock.

I assume it's for speed of packet processing but there's a potential argument to be made that you wouldn't have to process nearly as many packets if they're geoblocked from the start.

MaKo
New here

Thanks for the information.

Most events are listed as blocked, others (same rule, same IP) are listed as allowed. I have to trust that the layer 7 rule still takes precedence.

I am sure this is technically how it works and people smarter than me have thought this up, but from a users perspective it is confusing.

Thanks again.

CptnCrnch
Kind of a big deal

From a technical point of view, Layer 7 as well as IPS is handled by Snort processes. Therefore, these packets will have to run through that one to be handled accordingly.

cmr
Kind of a big deal

As I understand it, Cisco firewalls apply the geo blocking to traffic passing through them, not traffic passing to them. Therefore the IDS/IPS will see the traffic, even if it can't go anywhere. At a recent job, I placed a pair of Cisco firewalls being used as VPN concentrators behind another pair that are the main edge devices with a geoblocking rule on them. This was so that the blocked countries could not attack the VPNs so easily. It does seem to have worked and the attacks have all but stopped now.

If my answer solves your problem please click Accept as Solution so others can benefit from it.