Layer 7 rule to block countries

Dave
Getting noticed


I see in the new Security Center there is an option to block IP or block country.  The block country option creates a Layer 7 rule for the corresponding country. 

Does anybody use this?   

It's tempting to block some countries I could never see us sending traffic to or from. 

NFL0NR
Getting noticed

Yes, we use it for a few... it works pretty well too... we had to remove one country...

Bradley
Just browsing

Different countries are assigned different blocks of IP numbers. I looked at a list of top hacker countries and blocked all of them that I thought we would never have any dealings with. It's a good idea to block bots and porn under content filtering; lots of infections come in that way.

Be mindful that a long list of countries can cause TCP timeouts on your internet connections.  It happened to me.  It's great that Meraki has a very easy-to-use packet capture tool to troubleshoot the issue.

Fady
Meraki Employee

Sometimes our customers get frequent attacks from specific countries; Geo-based Firewall rules can help in mitigating any risks while investigating who the attackers are and how to apply rules to block them.

DJSky
Here to help

Is there an easy way to block specific countries (specifically emails from China) if we do not have the advanced security license?

Fady
Meraki Employee

You might need to consider an email filtering solution to filter out email from certain countries.

Chandra2
Conversationalist

Will Meraki SD-WAN have all the MX Enterprise and/or Advanced Security features integrated?

Fady
Meraki Employee

I am not sure if I get your question but could you elaborate more about the integration you are looking for?

Chandra2
Conversationalist

With Meraki SD-WAN, what are the security features/licenses the MX will be provided with? Is Meraki looking to have Sourcefire, NGIPS and Meraki Insight? Thank you.

davidvan
Meraki Alumni (Retired)

@Chandra2 Meraki MX has 2 licenses, Enterprise and Advanced Security. All the SD-WAN features (Auto VPN, traffic shaping, Policy based routing, etc.) are a part of the Enterprise License. Meraki Insight is a separate product and requires its own license.

 

For more info on what's included with the 2 separate MX licenses, you can look here under "MX licensing options".

Fady
Meraki Employee

Meraki SD-WAN is a feature that is available on both Enterprise and Advanced, so if you are looking for IPS or content filtering, you will need to go with the Advanced license, and this will still cover SD-WAN. Meraki Insight is an additional license to the MX in general that you can buy on top of either the Enterprise or Advanced license of the MX.

In regard to Cisco SourceFire and NGIPS, we keep integrating with Cisco products more and more whenever we see benefits to do so.

NordOps
Getting noticed

We've found it useful to just allow certain countries rather than deny a huge list.


This is how we use it too. Is there a way to make an exception to this rule? For example if we block connections to/from China or Russia, can we allow access to certain websites or IP addresses in those countries?

CptnCrnch
Kind of a big deal

No exceptions here... 😉

@CptnCrnch None Captain? What sort of firewalling are you up to?

@WarrenG Did you manage to find a workaround? I'm in the same dilemma - blocked access to/from China and need to allow one domain...
