L7 confusion

merakiinsanity
Here to help

L7 confusion

Hi

 

I'm in the process of migrating from a couple of Watchguard's to a couple of MX450s.

 

I'm looking at utilising the L7 firewall rules but have become utterly confused. Unless I'm total out-of-date, best practice for firewall rules is to have a catch-all deny rule at the bottom of the ACL, so you deny everything except for traffic you explicitly allow.

 

L7 firewall rules only come into play on MXs if the traffic has been allowed by L3, at which point L7 can deny it. However, surely, if you have a catch-all deny rule as is best practice for firewalls, the L3 rule will be denying a lot of these services anyway.

 

What would be infinitely more useful would be being able to configure *allow* rules at L7, so that if the traffic is denied at L3 based on non-wellknown port number for example, it then allows it through at L7 because it matches that particular service.

5 REPLIES 5
UCcert
Kind of a big deal

hi @merakiinsanity , good post.  I believe you've read this document:

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal...

 

As you state, if the traffic is explicitly blocked at L3 then the traffic won't move onto the L7 rules.  I believe that holds true with a catch-all deny rule.  The traffic has been blocked so won't progress any further.  I prefer this route, helps me sleep better at night.

Darren O'Connor | uccert.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Inderdeep
Kind of a big deal

@merakiinsanity : Hope you understand 

 

Inderdeep_0-1620244459655.png

 

Regards
Inderdeep Singh
www.thenetworkdna.com ( Awarded by Cisco IT Blogs award 2020)

Does this also apply to 1:1 Nat Scenarios when you are allowing certain ports to come in from any, Will the layer 7 rule country blocking kick in or will the traffic still pass.

Inderdeep
Kind of a big deal

@Iridium79 : check 1:1 Nat and country specific l7 rules on MX

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings

Regards
Inderdeep Singh
www.thenetworkdna.com ( Awarded by Cisco IT Blogs award 2020)
Bruce
Kind of a big deal

When you create the 1:1 NAT and allow traffic inbound via that NAT you are effectively creating an inbound Layer 3 firewall rule (although you never normally see it). Since the Layer 3 firewall rules on the MX are stateful this will allow the returning traffic back out. However, the Layer 7 rule are stateless.

 

So even if the outbound traffic is returning to a remote host due to the stateful operation of the Layer 3 firewall, it will still be blocked if it matches a Layer 7 firewall since these are stateless. (This can work in your favour in some instances, and in others it creates a headache).

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels