I'm in the process of migrating from a couple of Watchguard's to a couple of MX450s.
I'm looking at utilising the L7 firewall rules but have become utterly confused. Unless I'm total out-of-date, best practice for firewall rules is to have a catch-all deny rule at the bottom of the ACL, so you deny everything except for traffic you explicitly allow.
L7 firewall rules only come into play on MXs if the traffic has been allowed by L3, at which point L7 can deny it. However, surely, if you have a catch-all deny rule as is best practice for firewalls, the L3 rule will be denying a lot of these services anyway.
What would be infinitely more useful would be being able to configure *allow* rules at L7, so that if the traffic is denied at L3 based on non-wellknown port number for example, it then allows it through at L7 because it matches that particular service.
As you state, if the traffic is explicitly blocked at L3 then the traffic won't move onto the L7 rules. I believe that holds true with a catch-all deny rule. The traffic has been blocked so won't progress any further. I prefer this route, helps me sleep better at night.
Darren O'Connor | uccert.co.uk https://www.linkedin.com/in/darrenoconnor/
I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
When you create the 1:1 NAT and allow traffic inbound via that NAT you are effectively creating an inbound Layer 3 firewall rule (although you never normally see it). Since the Layer 3 firewall rules on the MX are stateful this will allow the returning traffic back out. However, the Layer 7 rule are stateless.
So even if the outbound traffic is returning to a remote host due to the stateful operation of the Layer 3 firewall, it will still be blocked if it matches a Layer 7 firewall since these are stateless. (This can work in your favour in some instances, and in others it creates a headache).