Layer 7 Allows rules Meraki MX appliances

NSGuru
Getting noticed

Layer 7 Allows rules Meraki MX appliances

All,

 

I was wanting to inquire and see if anyone else has had this problem and looked for or found a work around or solution with Meraki. My problem is the following. 

 

We are wanting to implement Geo IP filtering due to the continuous growth of cyber threats on our networks that we are facing. In doing so we would also like to allow specific remote IP ranges and/if necessary ports as well. The vendors we work with have publicly slated their IP ranges so that we can white list them unfortunately it seems like Meraki is limited in this endeavor as it does not have any L7 allow rules that can be built above the Deny rules to date. 

 

If you have a work around to this problem could you please explain how you setup your environment to work around the problem I am facing 

 

Any thoughts on this problem are much appreciated. I am trying to find the best way to tighten the security on my networks while also keeping flexibility with the vendors I have today. 

Cloud Network Engineer | cloudIT
Certified Meraki Networking Associate

Kudo this if it helped! 🙂
5 REPLIES 5
PhilipDAth
Kind of a big deal
Kind of a big deal

If you use Meraki geo-filtering then it is absolute.  You can not create exclusions to it.

if this is the answer should it be acceptable? Theoretically we should be able to put remote IP range rules above the hierarchy of geo filtering Layer 7 rules  and the would take precedence over remainder of policies because it would see an allow and then let the traffic pass-through without it ever reaching the geo filter rule. 

 

There are other firewalls with this capability today. I began to dig through the forums here as well and it appears this has been a requested feature for at least 2 years now. 

Cloud Network Engineer | cloudIT
Certified Meraki Networking Associate

Kudo this if it helped! 🙂
Nash
Kind of a big deal

Not what you're asking for, but I would question the utility of geoblocking frankly. You're probably not blocking the entirety of the United States, therefore AWS and a prepaid credit card can still wreck your world.

 

Regarding feature requests: best you can do is go to the appropriate page on the dashboard and make a wish. I recently had a wish turn into a conversation with Meraki Research, so I can promise that they do pay attention to wishes and take action in response to them.

NSGuru
Getting noticed

Nash,

 

What preemptive measures are you taking to secure your network? Maybe I am thinking this through the wrong way.One of my core reasons for utilizing Geo Filtering is because the amount of 1:1 and many:1 we are doing from our firewall. Unfortunately having these devices open has left them exposed to the world and leaves them open to a constant hammering. My security center reports show hits on a continuous basis and because of this it has brought me to Geo-filtering specific regions of the world which are utilizing systems to consistently hammer our environment. 

 

I haven't found the U.S. to be a problem yet but when we do we will be sure to handle that as it comes.

 

Turning on Geo Filtering to protect our NAT statements is a way to increase their security from being hit from regions or countries where they are being hammered but that doesn't mean the firewall shouldn't be flexible to allow a few remote IP ranges from that country as long as you know and trust the IPs from that provider/vendor. 

Cloud Network Engineer | cloudIT
Certified Meraki Networking Associate

Kudo this if it helped! 🙂
CptnCrnch
Kind of a big deal
Kind of a big deal

Depends on what your threat vector looks like:

 

  • Your‘re trying to narrow down the possibility to reach your systems from countries not supposed to hit your systems. This of course will prevent automated scanning etc. (which adds a little bit of security) and prevent your logs from being filled up with garbage mostly.
  • Nash‘s very valid point on the other hand is: if somebody from one of countries you‘re blocking is really up to something, he / she / it will simply make sure the connections are coming from some other country, most likely the one you‘re residing in.

Guess it‘d add way more security would be to have the systems open to the internet as secured as possible, cause after all this is what‘s preferable nonetheless.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels