L7 rules for inbound traffic

Solved
victormartins71
Here to help

L7 rules for inbound traffic

Hi everyone,

I know it's possible to activate Layer 7 (L7) outbound rules on a Meraki MX appliance, but I'm wondering if it's also possible to activate L7 inbound rules.

Has anyone managed to configure this?

Additionally, I want to implement geofencing for my incoming traffic.

If I activate the early access NAT Exceptions with Manual Inbound Firewall, it enables NAT Exceptions to be configured per-WAN interface and/or per-VLAN and includes a manual Inbound Firewall table.

However, I only get Layer 3 inbound ruling.

Does anyone know if L7 inbound rules are in the roadmap or if there's any alternate solution?

Thanks in advance!

1 Accepted Solution
Brash
Kind of a big deal

I believe it's already been explained above but to attempt to be a bit more succinct, my notes are below.

Inbound L3 firewall rules will block all inbound traffic by default, except for that destined to ports/services available on the MX itself.

L7 Geo-blocking firewall rules do not apply to unsolicited inbound network traffic. They do, however, apply to inbound and outbound traffic where the flow originated from the LAN.


If you are looking for something to perform more aggressive Geo-blocking, you may need to look at putting a device in front of the MX to perform this task.

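To make the accepted answer concrete, here is a small policy model (added illustration, not Meraki code) that follows the behaviour described above: L7 country rules are evaluated only for LAN-originated flows, while unsolicited WAN traffic sees only the L3 inbound table, which denies by default except for port forwards and services the MX itself listens on. The rule structures, country codes and probe flows are constructed for the example.

```python
"""Which inbound connections does an MX L7 country block actually cover?
Constructed model of the behaviour described in the accepted answer."""
from dataclasses import dataclass, field

@dataclass
class MxPolicy:
    blocked_countries: set                           # L7 "Deny -> Countries" entries
    port_forwards: set = field(default_factory=set)  # (proto, wan_port) exposed via NAT/port forwarding
    mx_services: set = field(default_factory=set)    # ports the MX itself listens on (e.g. client VPN)

@dataclass
class Flow:
    origin: str   # "LAN" or "WAN": which side sent the first packet of the flow
    country: str  # ISO code of the remote (WAN-side) peer, constructed values here
    proto: str
    dport: int

def mx_verdict(policy: MxPolicy, flow: Flow) -> str:
    """Return 'allow', 'deny-l7-geo' or 'deny-l3-inbound' for one flow."""
    if flow.origin == "LAN":
        # L7 geo rules evaluate LAN-originated flows and their return traffic.
        if flow.country in policy.blocked_countries:
            return "deny-l7-geo"
        return "allow"
    # Unsolicited WAN-originated traffic: only the L3 inbound table applies.
    # Default deny, unless a port forward or an MX service exposes the port.
    if (flow.proto, flow.dport) in policy.port_forwards or flow.dport in policy.mx_services:
        return "allow"
    return "deny-l3-inbound"

def geo_block_gaps(policy: MxPolicy, probes):
    """WAN-originated probes from blocked countries that still reach a listener,
    i.e. the cases where the L7 country block gives no protection."""
    return [f for f in probes
            if f.origin == "WAN" and f.country in policy.blocked_countries
            and mx_verdict(policy, f) == "allow"]

# Constructed sample: two countries blocked at L7, HTTPS forwarded to an internal
# server on 8443, and client VPN listening on the MX itself on 443.
POLICY = MxPolicy(blocked_countries={"XA", "XB"},
                  port_forwards={("tcp", 8443)}, mx_services={443})
PROBES = [
    Flow("WAN", "XA", "tcp", 443),   # VPN login attempt: reaches the MX despite the block
    Flow("WAN", "XA", "tcp", 8443),  # reaches the forwarded server despite the block
    Flow("WAN", "XA", "tcp", 22),    # dropped, but by L3 default deny, not by geo
    Flow("LAN", "XA", "tcp", 80),    # outbound to a blocked country: geo rule applies
]

if __name__ == "__main__":
    for f in PROBES:
        print(f, mx_verdict(POLICY, f))
    print("uncovered by geo block:", geo_block_gaps(POLICY, PROBES))
```

The gap list is what the original poster is observing: attempts from blocked countries against the exposed VPN and port-forwarded service are never touched by the L7 country rule.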

DarrenOC
Kind of a big deal

Layer 7 rules for inbound traffic are already an available feature, especially the GEO part.


Go to:


Security & SD-WAN > Configure > Firewall


Scroll down to Layer 7 Firewall Rules. Next to Deny you'll see a scrolly box. At the bottom is Countries.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
DarrenOC
Kind of a big deal

[screenshot attached: image.jpg]

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
victormartins71
Here to help

This is for inbound traffic.

PhilipDAth
Kind of a big deal

Geographic L7 rules apply both inbound and outbound.

jimmyt234
A model citizen

My understanding is that the L7 Geo only blocks outbound initiated sessions, so whilst it will block inbound attempts to your NAT rules from those countries, it is only doing it because the response from the server gets dropped.


Solved: MX GEO IP filtering on Port Forward rules - The Meraki Community


EDIT: The documentation also states: "The Layer 7 Firewall can be used to block traffic based on the destination country of outbound traffic and the source of return traffic."


MX Firewall Settings - Cisco Meraki Documentation

victormartins71
Here to help

I have certain L7 countries blocked, but attacks still happen from those very countries. 

victormartins71
Here to help

My objective is to block incoming traffic not outgoing.

alemabrahao
Kind of a big deal

A firewall alone does not have the ability to handle all security features; multiple layers are needed. What you want to do cannot be done directly on the firewall; you need to do it on a layer before the firewall.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

All incoming traffic is blocked by default. I don't understand what the problem is.

Even if the traffic is blocked, there will always be attempts to access it. Anyone exploiting a vulnerability will usually scan the open ports or even attempt a denial of service.

If you don't want these requests to reach your firewall, you need to hire an anti-DDoS service from your ISP.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

[screenshot attached: alemabrahao_0-1746532604643.png]

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
victormartins71
Here to help

On the same document:
The remote IPs cannot be blocked inbound for L2TP VPN or AnyConnect VPN.

victormartins71
Here to help

That could be a solution.
And since I've seen some attempts on the 443 port to connect to our client VPN, I should look at another VPN concentrator and forgo any AnyConnect Client VPN.

Mloraditch
Kind of a big deal

If you need geo blocking for RA VPN, Cisco has added it to Firepower recently.


See here https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/release-notes/threat-defense/770/thre...


You could get a small Firepower unit and retain Secure Client.


If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.