Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Layer 3 Firewall FQDN issues

Solved
TimP
New here
2 weeks ago
2 weeks ago

Layer 3 Firewall FQDN issues

Hey all, 

This has probably been asked before but my search hasn't given me what I need.

I've got a network, and I'm going to simplify to the relevant parts but ask questions if needed:

I have an MX84 and an MR33. DNS is routed via Umbrella.

I have many VLANs/subnets that route via the MX, so I can't blanket this restriction with a L7 or Content filter (well, from my research anyway)

I've got Android based Honeywell barcode readers that need to access specific URLs for Dynamics 365 mobile warehouse app:

*.microsoft.com
*.microsoftonline.com
login.windows.net
*.appcenter.ms
*.ces.microsoftcloud.com
*.onyx.azure.net
play.google.com
itunes.apple.com
*.cdn-apple.com
*.networking.apple
login.microsoftonline.com
login.microsoft.com
sts.windows.net
login.partner.microsoftonline.cn
login.chinacloudapi.cn
login.microsoftonline.us
login-us.microsoftonline.com
*.applicationinsights.azure.com
*.applicationinsights.azure.us
*.applicationinsights.azure.cn
*.gstatic.com
*.googleapis.com
CLIENTPRODURL.operations.dynamics.com

I've also allowed TCP/UDP 53 out for all for DNS

I've done a few audits using Umbrella reporting - compared the URLs, thats why gstatic and googleapis is in my list. 

I've got a test lab set up where DHCP is the Meraki and DNS is the Meraki

My reference article for these URLs is: Install the Warehouse Management mobile app - Supply Chain Management | Dynamics 365 | Microsoft Lea...

The problem is, despite this the app isn't working

I guess there's a few points to my question

1) Has anyone successfully limited the D365 Warehouse Management Mobile app using L3 rules?

2) What's the proper formatting for wildcard rules using FQDN. Presently I have them as policy objects without wildcards (such as microsoft.com for anything microsoft.com related)

3) Any suggestion of Android based applications for troubleshooting network connectivity issues?

 

 

 

0 Kudos
Subscribe
1 Accepted Solution
In response to TimP
alemabrahao
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

 

FQDN-based L3 firewall rules are implemented based on snooping DNS traffic. When a client device attempts to access a web resource, the MX will track the DNS requests and response to learn the IP of the web resource returned to the client device. 

 

There are several important considerations for utilizing and testing this configuration:

 

The MX must see a client DNS request and the server's response to learn the proper IP mapping. The DNS request doesn't need to be from a specific client, the MX will map the FQDN based on the DNS response, regardless of which client made the DNS Request. The communication between the client and DNS server cannot be intra-VLAN (this DNS traffic is not snooped).

In some cases, a client device may already have IP information about the web resource it is attempting to access. This could be due to the client having cached a previous DNS response, or a local statically configured DNS entry on the device. The MX may not be able to properly block or allow communications to the web resource in these cases if the client devices do not generate a DNS request for the MX to inspect.

FQDN rules imply a wildcard when no subdomain is used by prepending a * to the domain.tld. This wildcard is not shown on the Dashboard but is visible in syslog messages if syslog is configured for a network. For example, a rule to permit "yahoo.com" would permit any subdomain under yahoo.com such as mail.yahoo.com. Permitting "mail.yahoo.com" in the rule would only permit mail.yahoo.com and not the TLD or other subdomain of yahoo.com. 

MX will not be able to snoop TCP-based or encrypted DNS traffic. 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

Subscribe
10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

Have you tried doing a packet capture on the MX to see what is being blocked?

 

What about the umbrella?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Subscribe
In response to alemabrahao
TimP
New here
2 weeks ago
2 weeks ago

In prod, yeah but it was too noisy - I've been focusing on Umbrella and forgot about this - Wireshark isn't a strong point of mine anyway but I'll sus it out

0 Kudos
Subscribe
In response to TimP
RaphaelL
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

Wireshark will be the way to go. 

5 easy steps.

1-Look for TCP SYN retransmission. (tcp.flags.syn == 1 and tcp.analysis.retransmission) && (tcp.flags.ack == 0)

2-Note the destination IPs

3-Search any DNS replies with those IPs.  dns.a == xx.xx.xx.xx

4- Find the DNS queries tied to the DNS replies from step #3.

5- Add those Domains ( from the DNS queries from step #4 ) to your rulebase.

0 Kudos
Subscribe
In response to RaphaelL
TimP
New here
2 weeks ago
2 weeks ago

Thanks, I'll give it a go. I've got a restricted, and an unrestricted capture available. Thank you for the clear steps - I found some articles but that was only for HTTP traffic, not HTTPs

0 Kudos
Subscribe
alemabrahao
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Content_Filtering#Using_...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
TimP
New here
2 weeks ago
2 weeks ago

If I'm to understand this is for Content Filtering, not L3 rules? I've seen conflicting information around FQDNs in L3 rules.

With content filtering, doesn't that apply to everything that passes the MX? I only want to limit the URLs to a specific subnet which is why I've been going down L3 rules

0 Kudos
Subscribe
In response to TimP
alemabrahao
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

You need to allow it on content filtering.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
TimP
New here
2 weeks ago
2 weeks ago

even if content filtering is disabled?

I'll add my list in to the Allow list now to test

0 Kudos
Subscribe
In response to TimP
alemabrahao
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

 

FQDN-based L3 firewall rules are implemented based on snooping DNS traffic. When a client device attempts to access a web resource, the MX will track the DNS requests and response to learn the IP of the web resource returned to the client device. 

 

There are several important considerations for utilizing and testing this configuration:

 

The MX must see a client DNS request and the server's response to learn the proper IP mapping. The DNS request doesn't need to be from a specific client, the MX will map the FQDN based on the DNS response, regardless of which client made the DNS Request. The communication between the client and DNS server cannot be intra-VLAN (this DNS traffic is not snooped).

In some cases, a client device may already have IP information about the web resource it is attempting to access. This could be due to the client having cached a previous DNS response, or a local statically configured DNS entry on the device. The MX may not be able to properly block or allow communications to the web resource in these cases if the client devices do not generate a DNS request for the MX to inspect.

FQDN rules imply a wildcard when no subdomain is used by prepending a * to the domain.tld. This wildcard is not shown on the Dashboard but is visible in syslog messages if syslog is configured for a network. For example, a rule to permit "yahoo.com" would permit any subdomain under yahoo.com such as mail.yahoo.com. Permitting "mail.yahoo.com" in the rule would only permit mail.yahoo.com and not the TLD or other subdomain of yahoo.com. 

MX will not be able to snoop TCP-based or encrypted DNS traffic. 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Subscribe
In response to alemabrahao
TimP
New here
2 weeks ago
2 weeks ago

OK So you are nudging me in the sections I found and pretty sure I won't be able to achieve what I want:

I think the key element you've confirmed here was the no-intra VLAN snooping etc - while I was in Umbrella checking the request logs I started diving into policies but I don't seem to be able to create a broad policy on an internal subnet (haven't read any guides on this yet, literally just found it).

You've helped me confirm that it won't be available. I'm pretty sure I did find the above back in February when I was last looking at this ticket but it got deprioritised for a while.

I'm going to mark the above as the solution and close this one off, thank you so very much for the speedy replies, you're worth the kudos you've been getting!

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.