Layer 7 rules to deny websites / countries not working

KB8WFH
Comes here often


I have rules setup in Layer 7 of the firewall settings to deny any traffic NOT coming from/to the US as well as some specific international sites to deny. However, I am still able to visit all these sites after the settings are saved. What am I doing wrong?


4 Replies
RWelch
Kind of a big deal

After applying this, how long did you wait to try these sites?  If you have (had) an active or current connection to these locations, you would want to close out that session and give it a bit of time before re-trying, possibly clear the cache and re-initiate the connection as part of your test.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
alemabrahao
Kind of a big deal

It's supposed to work; take a look at this article.

https://www.cisco.com/c/en/us/support/docs/security/meraki-cloud-managed-security-appliances/220219-...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

Traffic Blocked by Layer 7 Rule

The MR access point and MX security appliance differ slightly in their processing of L7 firewall rules after the L3 firewall. On the MR, if traffic matches an allow rule on the L3 firewall, that traffic will bypass the L7 firewall altogether.

On MR, default L3 rules do not act as a bypass for L7 rules. Only allow custom rules will bypass L7 rules.

On the MX, if traffic matches an allow rule on the L3 firewall, it can still be blocked by an L7 firewall rule.

On the MX, HTTP traffic (TCP port 80) to Facebook.com will be blocked by the L7 firewall, because rule 1 under layer 7 explicitly blocks it, even though the traffic was allowed through the layer 3 firewall.

Layer 3 Rules

  1. Matched - Traffic allowed through L3 firewall
  2. Not processed
  3. Not processed

Layer 7 Rules

  1. Matched - Traffic blocked

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal...


I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Brash
Kind of a big deal

Summarizing what's been said above:

 - Applying L7 geo-blocking firewall rules should block connections to websites of those countries.

 - If you have any existing connections through the MX, you may need to wait for them to timeout (~5 minutes from memory) before they will be blocked. New connections should be blocked as soon as the MX receives the updated config from the dashboard (~30 seconds).

 - L7 geo-blocking firewall rules will not block inbound connections into DNAT rules.
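To make the processing order described in the replies above concrete (custom L3 allow bypassing L7 on MR but not on MX, the Facebook.com rule 1 example, existing sessions surviving until they idle out, and geo rules not applying to inbound DNAT connections), here is a small Python model. It is an added example, not Meraki code or anything from this thread; the rule classes, the `evaluate`/`FlowTable` functions, the 300-second idle timeout (taken from the "~5 minutes from memory" remark) and the sample flows are all constructed for illustration.

```python
"""Toy model of Meraki L3 -> L7 firewall ordering and session timeouts.

Added example, not Meraki code. Behaviour modelled from the thread:
  * MR: a *custom* L3 allow bypasses L7; the default L3 rule does not.
  * MX: traffic allowed by L3 is still subject to L7 deny rules.
  * Established sessions keep flowing until they idle out; new
    connections are evaluated against the current rules.
  * L7 geo rules do not apply to inbound connections arriving via DNAT.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    hostname: str           # hostname the L7 classifier saw (constructed)
    dst_country: str        # ISO country code used by geo rules (constructed)
    inbound_dnat: bool = False


@dataclass(frozen=True)
class L3Rule:
    action: str             # "allow" or "deny"
    dst_net: str            # CIDR, or "any"
    dst_port: Optional[int]
    custom: bool = True     # False only for the implicit default rule


@dataclass(frozen=True)
class L7Rule:
    kind: str               # "hostname", "country" or "country_except"
    value: str


DEFAULT_L3 = L3Rule("allow", "any", None, custom=False)


def match_l3(rules: List[L3Rule], flow: Flow) -> L3Rule:
    """First-match L3 lookup; falls through to the default allow rule."""
    for r in rules:
        if r.dst_port is not None and r.dst_port != flow.dst_port:
            continue
        if r.dst_net != "any" and ip_address(flow.dst_ip) not in ip_network(r.dst_net):
            continue
        return r
    return DEFAULT_L3


def match_l7(rules: List[L7Rule], flow: Flow) -> Optional[L7Rule]:
    """First-match L7 lookup; every L7 rule in this model is a deny."""
    for r in rules:
        if r.kind == "hostname" and flow.hostname.endswith(r.value):
            return r
        if r.kind == "country" and flow.dst_country == r.value:
            return r
        if r.kind == "country_except" and flow.dst_country != r.value:
            return r
    return None


def evaluate(platform: str, l3_rules: List[L3Rule], l7_rules: List[L7Rule], flow: Flow) -> str:
    """Run L3 first, then L7, with the MR/MX difference from the thread."""
    l3 = match_l3(l3_rules, flow)
    if l3.action == "deny":
        return "deny (L3)"
    if platform == "MR" and l3.custom:
        return "allow (L3 custom allow bypasses L7)"
    if flow.inbound_dnat:                      # geo rules skipped for inbound DNAT
        l7_rules = [r for r in l7_rules if r.kind == "hostname"]
    hit = match_l7(l7_rules, flow)
    if hit:
        return f"deny (L7 {hit.kind} {hit.value})"
    return "allow (L7)"


class FlowTable:
    """Tracks established sessions; an active session is not re-evaluated."""

    def __init__(self, idle_timeout_s: int = 300):   # ~5 min, as recalled in the thread
        self.idle_timeout_s = idle_timeout_s
        self.sessions: Dict[Flow, float] = {}

    def packet(self, platform: str, l3_rules, l7_rules, flow: Flow, now: float) -> str:
        last = self.sessions.get(flow)
        if last is not None and now - last < self.idle_timeout_s:
            self.sessions[flow] = now
            return "allow (existing session)"
        self.sessions.pop(flow, None)            # idled out: treat as a new connection
        verdict = evaluate(platform, l3_rules, l7_rules, flow)
        if verdict.startswith("allow"):
            self.sessions[flow] = now
        return verdict


def demo() -> Dict[str, str]:
    """Constructed rule set and flows mirroring the thread's examples."""
    l3 = [L3Rule("allow", "0.0.0.0/0", 80)]                      # custom allow for HTTP
    l7 = [L7Rule("hostname", "facebook.com"), L7Rule("country_except", "US")]
    fb_http = Flow("203.0.113.10", 80, "www.facebook.com", "US")
    fb_https = Flow("203.0.113.10", 443, "www.facebook.com", "US")
    de_site = Flow("198.51.100.7", 443, "example.de", "DE")
    dnat_in = Flow("192.0.2.5", 443, "", "DE", inbound_dnat=True)
    table = FlowTable()
    return {
        "mx_fb_http": evaluate("MX", l3, l7, fb_http),
        "mr_fb_http": evaluate("MR", l3, l7, fb_http),
        "mr_fb_https": evaluate("MR", l3, l7, fb_https),
        "mx_de": evaluate("MX", l3, l7, de_site),
        "mx_dnat_inbound": evaluate("MX", l3, l7, dnat_in),
        # session opened before the geo rule existed, then the rule is pushed
        "t0_before_rules": table.packet("MX", l3, [], de_site, 0),
        "t60_after_rules": table.packet("MX", l3, l7, de_site, 60),
        "t400_idle_out": table.packet("MX", l3, l7, de_site, 400),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The `t60_after_rules` case is the one the original poster is most likely hitting: a browser session that was open before the rules were saved keeps being allowed by the existing-session path, and only a fresh connection (or one that has idled out, as in `t400_idle_out`) is evaluated against the new L7 rules.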
