Layer 7 Firewall ingress rules failing to stop countries from establishing connections

nullspace-dev
New here


We have a client's firewall we are helping manage and there is a layer 7 ingress firewall rule that blocks all but 4 countries: Any-Any Deny "explicit list of denied countries". But the event log still shows "TLSv1.2 connection established" in the AnyConnect VPN logs from pariah countries. No authentications, thankfully, but this seems like a failure of the firewall to just drop these connections. What is going on? Is there a misconfiguration somewhere?

3 Replies
Mloraditch
Kind of a big deal

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_a_Layer_7_Fi...


See note: Firewall rules, of any type, apply only to traffic which traverses through the firewall device. This means that firewall rules do not apply to traffic originating from (such as LDAP binds) or terminating at (such as client VPN) the firewall device. Additionally, MX VLAN interfaces and the MX WAN IP addresses, themselves, are not considered in Allow or Deny rules.


You can't block inbound client vpn connections with Layer 7 rules. You can enable Inbound Layer 3 firewall with this EA feature: https://documentation.meraki.com/MX/Networks_and_Routing/NAT_Exceptions-No_NAT_on_MX_Security_Applia...

However that still only adds Layer 3 rules.

cmr
Kind of a big deal

I ran into this issue with some Cisco ASAs and ended up putting them behind some FTDs to protect the VPN. I think a similar approach is needed for protecting the Meraki VPN.

Brash
Kind of a big deal

You can't block inbound connection attempts from specific countries to services hosted on the MX.

As @cmr mentioned, you would need to sit the MX behind another device that can perform this function.
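Until an upstream device can enforce the geo-block, the only control left on the MX side is watching the VPN event log for exactly the pattern the question describes. The following is an added example, not code from the thread or from Meraki: it audits constructed AnyConnect-style log lines against the four allowed countries (the country codes, the prefix-to-country table and the log format are all assumptions standing in for a real GeoIP lookup and real MX output) and flags any authentication event from a non-allowed country as high severity.

```python
import ipaddress
import re

# Assumption: the four countries the client's policy allows.
ALLOWED_COUNTRIES = {"US", "CA", "GB", "DE"}

# Hypothetical prefix-to-country table standing in for a real GeoIP database.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "XX",   # constructed non-allowed country
    ipaddress.ip_network("192.0.2.0/24"): "CA",
}

# Constructed log lines loosely modelled on the question's wording; not real MX output.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z anyconnect src=198.51.100.7 TLSv1.2 connection established
2024-05-01T10:00:05Z anyconnect src=203.0.113.9 TLSv1.2 connection established
2024-05-01T10:00:09Z anyconnect src=203.0.113.9 authentication failed user=admin
2024-05-01T10:00:12Z anyconnect src=192.0.2.44 TLSv1.2 connection established
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) anyconnect src=(?P<src>\S+) (?P<event>.+)$")

def country_for(ip: str) -> str:
    """Look up the country code for an address in the constructed table ('??' if unknown)."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"

def audit(log_text: str, allowed=ALLOWED_COUNTRIES):
    """Return (src, country, event, severity) for every event from a non-allowed country."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cc = country_for(m["src"])
        if cc in allowed:
            continue
        # A completed TLS handshake is expected here: per the thread, L7 rules do not
        # apply to traffic terminating on the MX. An authentication event from the
        # same source is the thing that should page someone.
        severity = "high" if "authentication" in m["event"] else "info"
        findings.append((m["src"], cc, m["event"], severity))
    return findings
```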
