Meraki

Community

Help with MX Firewall Rule

Solved
IanMcNamara
Conversationalist
‎Apr 6 2022 3:47 PM
‎Apr 6 2022 3:47 PM

Help with MX Firewall Rule

Can anyone tell me why this Layer 7 rule:

 

IanMcNamara_0-1649284899724.png

 

Doesn't block this IP Address: 

 

141.98.11.14

 

The above IP address also appears to be from Lithuania, and I've added Lithuania to the blocked country list, yet it is still able to access my network.  

 

Thanks,

 

Ian

0 Kudos
1 Accepted Solution
In response to Ryan_Miles
IanMcNamara
Conversationalist
‎Apr 6 2022 7:10 PM
‎Apr 6 2022 7:10 PM

I figured this out.  I appreciate your responses.  The appliance in question uses Group Policies and I was using the firewall settings page and not controlling the firewall on the particular group policy.  

View solution in original post

8 Replies 8
Ryan_Miles
Meraki Employee
Meraki Employee
‎Apr 6 2022 4:00 PM
‎Apr 6 2022 4:00 PM

Your rule blocks the destination of 141.98.11.0/24 from inside traffic heading out through your MX

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to Ryan_Miles
IanMcNamara
Conversationalist
‎Apr 6 2022 4:21 PM
‎Apr 6 2022 4:21 PM

Thanks.  Is there a way to block incoming IPv4 traffic?

 

Any idea why the Deny countries rule isn't blocking traffic from Lithuania?

IanMcNamara_0-1649287227743.png

 

  

0 Kudos
In response to IanMcNamara
Ryan_Miles
Meraki Employee
Meraki Employee
‎Apr 6 2022 4:37 PM
‎Apr 6 2022 4:37 PM

MX blocks all inbound traffic by default. What specifically are you seeing happen in your network?

 

I tested and while I couldn't ping 141.98.11.14 .13 did respond to ping. So, I tried both a L7 rule denying the entire /24 and also tested blocking Lithuania. In both cases pings no longer went through. So, it appears to be doing its job in my test.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to Ryan_Miles
IanMcNamara
Conversationalist
‎Apr 6 2022 4:52 PM
‎Apr 6 2022 4:52 PM

We're seeing a continuous trickle of authentication attempts on our Exchange server.  It's nothing major, about 20 attempts / hour, but since the HAFNIUM attacks last March, I'm trying to monitor and be more proactive against potential threats.

 

We have a 1:1 NAT to our exchange server allowing TCP ports 25, 443 & 587.

 

Additionally, we have a 1:1 NAT to a VPN server allowing TCP 443 & UDP 500/4500. 

 

Soon after I enabled the Deny countries rule about a year ago, it prevented us from receiving email from the countries listed, but perhaps it also only blocks outbound traffic even though the rule uses the terminology "To/From"?  

 

Thanks again for you help. 

 

Ian   

0 Kudos
In response to Ryan_Miles
IanMcNamara
Conversationalist
‎Apr 6 2022 5:40 PM
‎Apr 6 2022 5:40 PM

We're seeing a consistent trickle of failed authentication attempts on our Exchange server.  It's nothing major, around 20 / hour, but since the HAFNIUM attacks last march, I'm trying to be more proactive about monitoring and blocking unwanted access attempts. 

 

We've got a 1:1 NAT to our Exchange server allowing TCP ports 25, 443 & 587.  We've also got a 1:1 NAT to our VPN server allowing TCP 443 & UDP 500/4500. 

 

I'm pretty sure the Deny countries rule has blocked email from countries listed in the past.  Does it only block outgoing traffic?  The rule language says To/From, so I assumed it blocked incoming traffic as well as outgoing. 

 

Thanks again for your help,

 

Ian  

0 Kudos
In response to Ryan_Miles
IanMcNamara
Conversationalist
‎Apr 6 2022 5:53 PM
‎Apr 6 2022 5:53 PM

I've responded to you twice and my messages aren't getting posted for some reason.  

 

I'll try again.  

 

I'm seeing a consistent trickle of failed authentication attempts on our Exchange server.  It's nothing major, around 20 / hour, but after the HAFNIUM attacks last March, I'm trying to be more proactive about blocking these IP addresses.   

 

We're got a 1:1 NAT allowing TCP ports 25, 443 & 587 to our exchange server. We've also got a 1:1 NAT allowing TCP 443 & UDP 500/4500 to our VPN server.  

 

I tried your ping test from our exchange server and despite having rules denying traffic to 141.98.11.0/24, Lithuania & explicitly blocking 141.98.11.13, the ping is still successful. 

 

We're on version MX 17.6, if that makes a difference.    

 

Edit: We have 5 MX Appliances.  2 with 1:1 NAT and 3 with no NAT forwarding rules.  The only appliance that the Layer 7 firewall rules do not work as expected is the one I originally posted about.  

0 Kudos
In response to IanMcNamara
CarolineS
Community Manager
Community Manager
‎Apr 6 2022 8:15 PM
‎Apr 6 2022 8:15 PM

Sorry about our over-zealous spam filter, @IanMcNamara! I’ve released your messages (though that’s probably not that helpful at this point) 

 

Cheers!

Caroline S | Community Manager, Cisco Meraki
New to the community? Get started here
0 Kudos
In response to Ryan_Miles
IanMcNamara
Conversationalist
‎Apr 6 2022 7:10 PM
‎Apr 6 2022 7:10 PM

I figured this out.  I appreciate your responses.  The appliance in question uses Group Policies and I was using the firewall settings page and not controlling the firewall on the particular group policy.  

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.