All,
I was wanting to inquire and see if anyone else has had this problem and looked for or found a workaround or solution with Meraki. My problem is the following.
We are wanting to implement Geo IP filtering due to the continuous growth of cyber threats on our networks that we are facing. In doing so we would also like to allow specific remote IP ranges and, if necessary, ports as well. The vendors we work with have publicly stated their IP ranges so that we can whitelist them; unfortunately, it seems like Meraki is limited in this endeavor as it does not have any L7 allow rules that can be built above the Deny rules to date.
If you have a workaround to this problem, could you please explain how you set up your environment to work around the problem I am facing?
Any thoughts on this problem are much appreciated. I am trying to find the best way to tighten the security on my networks while also keeping flexibility with the vendors I have today.
If you use Meraki geo-filtering then it is absolute. You can not create exclusions to it.
If this is the answer, should it be acceptable? Theoretically we should be able to put remote IP range rules above the hierarchy of geo filtering Layer 7 rules, and they would take precedence over the remainder of the policies because it would see an allow and then let the traffic pass through without it ever reaching the geo filter rule.
There are other firewalls with this capability today. I began to dig through the forums here as well and it appears this has been a requested feature for at least 2 years now.
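The precedence argument above (a trusted vendor range allowed before a country-wide deny in a first-match policy) can be modelled directly. The following is an added illustration, not Meraki code or configuration: it evaluates an ordered rule list first-match, and also models the "absolute" geo filter that is applied before any rule and therefore cannot be excepted. The GeoIP table, the country code "XX" and the policy entries are constructed sample data.

```python
import ipaddress

# Constructed sample GeoIP table (not a real database): prefix -> country code
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "XX",   # hypothetical filtered region
    ipaddress.ip_network("198.51.100.0/24"): "US",
}

def country_of(addr):
    """Return the constructed country code for an address, or None if unknown."""
    ip = ipaddress.ip_address(addr)
    for net, cc in GEOIP.items():
        if ip in net:
            return cc
    return None

def evaluate(rules, src, dport, absolute_geo_block=()):
    """First-match evaluation of an ordered rule list.

    rules: list of dicts with key 'action' and optional conditions 'src' (CIDR),
           'country' (code from GEOIP) and 'dport'; a rule matches when every
           condition it carries matches the connection.
    absolute_geo_block: countries denied before any rule is consulted, which
           models a geo filter that allows no exclusions.
    Returns (action, index of the matching rule or None).
    """
    cc = country_of(src)
    if cc in absolute_geo_block:
        return "deny", None          # geo filter wins; ordering cannot help
    ip = ipaddress.ip_address(src)
    for idx, rule in enumerate(rules):
        if "src" in rule and ip not in ipaddress.ip_network(rule["src"]):
            continue
        if "country" in rule and cc != rule["country"]:
            continue
        if "dport" in rule and dport != rule["dport"]:
            continue
        return rule["action"], idx
    return "deny", None              # implicit default deny

# Constructed policy: vendor exception first, then the geo deny, then the
# allow for the service exposed through NAT.
POLICY = [
    {"action": "allow", "src": "203.0.113.0/28", "dport": 443},  # trusted vendor range
    {"action": "deny", "country": "XX"},                         # geo filter as a rule
    {"action": "allow", "dport": 443},                           # published service
]
```

With the geo filter as an ordered rule, 203.0.113.5 hits the vendor exception while the rest of the /24 is denied; with `absolute_geo_block=("XX",)` the same vendor address is denied before the policy is consulted.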
Not what you're asking for, but I would question the utility of geoblocking frankly. You're probably not blocking the entirety of the United States, therefore AWS and a prepaid credit card can still wreck your world.
Regarding feature requests: best you can do is go to the appropriate page on the dashboard and make a wish. I recently had a wish turn into a conversation with Meraki Research, so I can promise that they do pay attention to wishes and take action in response to them.
Nash,
What preemptive measures are you taking to secure your network? Maybe I am thinking this through the wrong way. One of my core reasons for utilizing Geo Filtering is because of the amount of 1:1 and many:1 we are doing from our firewall. Unfortunately having these devices open has left them exposed to the world and leaves them open to a constant hammering. My security center reports show hits on a continuous basis, and because of this it has brought me to Geo-filtering specific regions of the world which are utilizing systems to consistently hammer our environment.
I haven't found the U.S. to be a problem yet but when we do we will be sure to handle that as it comes.
Turning on Geo Filtering to protect our NAT statements is a way to increase their security from being hit from regions or countries where they are being hammered but that doesn't mean the firewall shouldn't be flexible to allow a few remote IP ranges from that country as long as you know and trust the IPs from that provider/vendor.
Depends on what your threat vector looks like:
Guess it'd add way more security to have the systems open to the internet as secured as possible, cause after all this is what's preferable nonetheless.