I see in the new Security Center there is an option to block IP or block country. The block country option creates a Layer 7 rule for the corresponding country.
Does anybody use this?
It's tempting to block some countries I could never see us sending traffic to or from.
Yes, we use it for a few... it works pretty well too... we had to remove one country...
Different countries are assigned different blocks of IP numbers. I looked at a list of top hacker countries and blocked all of them that I thought we would never have any dealings with. It's a good idea to block bots and porn under content filtering; lots of infections come in that way.
Be mindful that a long list of countries can cause TCP timeouts on your internet connections. It happened to me. It's great that Meraki has a very easy-to-use packet capture tool to troubleshoot the issue.
Sometimes our customers get frequent attacks from specific countries, and geo-based firewall rules can help mitigate any risks while investigating who the attackers are and how to apply rules to block them.
Is there an easy way to block specific countries (specifically emails from China) if we do not have the advanced security license?
You might need to consider an email filtering solution to filter out email from certain countries.
Will Meraki SD-WAN have all the MX Enterprise and/or Advanced Security features integrated?
I am not sure if I get your question, but could you elaborate more about the integration you are looking for?
With Meraki SD-WAN, what are the security features/licenses the MX will be provided with? Is Meraki looking to have Sourcefire, NGIPS and Meraki Insight? Thank you.
@Chandra2 Meraki MX has 2 licenses, Enterprise and Advanced Security. All the SD-WAN features (Auto VPN, traffic shaping, policy-based routing, etc.) are a part of the Enterprise license. Meraki Insight is a separate product and requires its own license.
For more info on what's included with the 2 separate MX licenses, you can look here under "MX licensing options".
We've found it useful to just allow certain countries rather than deny a huge list.
This is how we use it too. Is there a way to make an exception to this rule? For example, if we block connections to/from China or Russia, can we allow access to certain websites or IP addresses in those countries?
No exceptions here... 😉
@WarrenG did you manage to find a workaround? I'm in the same dilemma - blocked access to/from China and need to allow one domain...