MX GEO IP filtering on Port Forward rules

SOLVED
Getting noticed


Hi Everyone,

I found GEO IP filtering only appears under Layer 7 FW rules - does this mean it will apply to all inbound and outbound traffic for a specific country?

I.e.: if I block the US, does that mean I won't be able to browse to US websites as well?

I received a requirement to restrict countries under Port Forward "Allowed remote IPs" - is there any workaround to achieve this?

1 ACCEPTED SOLUTION

Accepted Solutions
A model citizen

Re: MX GEO IP filtering on Port Forward rules

"Port forwarding, 1:1 NAT and 1:M NAT traffic are not inspected by layer 7 rules. So, any external traffic coming from one of the blocked countries will still be seen in your network; traffic will not go out to those countries though."

This is a response from the ticket I have had in with Meraki for quite some time, as we are seeing traffic from blocked countries inside of our network. I have brought this up with Meraki in the past and have been told that this is expected behavior. So while theoretically it should block the countries in question, in practice you may still see traffic from those countries coming into your network, but not going out.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)

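As an added illustration of the gap this answer describes (example code, not from the original post or from Meraki): a small Python check that reads flow records and separates the outbound flows a Layer 7 geo rule would stop from the inbound port-forward flows it does not inspect. The IP-to-country table, the flow lines and the port-forward list are all constructed sample data.

```python
import ipaddress
from collections import namedtuple

# Constructed country lookup table (not real GeoIP data): prefix -> ISO country code.
GEO_TABLE = {
    "203.0.113.0/24": "CN",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "DE",
}
GEO_NETS = [(ipaddress.ip_network(p), cc) for p, cc in GEO_TABLE.items()]

# Constructed flow records: direction src_ip dst_ip dst_port
FLOWS = """\
in 203.0.113.7 10.0.0.5 443
in 198.51.100.9 10.0.0.5 443
out 10.0.0.20 203.0.113.50 80
in 192.0.2.33 10.0.0.5 3389
in 203.0.113.8 10.0.0.6 22
""".splitlines()

# Port forwards published on the MX (constructed): (LAN IP, port)
PORT_FORWARDS = {("10.0.0.5", 443), ("10.0.0.5", 3389)}

Flow = namedtuple("Flow", "direction src dst dport")


def country_of(ip: str) -> str:
    """Longest-match is not needed here: the constructed prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_NETS:
        if addr in net:
            return cc
    return "??"  # private or unknown address


def parse_flow(line: str) -> Flow:
    d, s, t, p = line.split()
    return Flow(d, s, t, int(p))


def triage(lines, blocked, forwards):
    """Split flows that touch a blocked country into those the L7 geo rule
    handles (outbound) and those it does not inspect (inbound to a forward)."""
    blocked_outbound, uninspected_inbound = [], []
    for line in lines:
        f = parse_flow(line)
        if f.direction == "out" and country_of(f.dst) in blocked:
            blocked_outbound.append(f)
        elif f.direction == "in" and (f.dst, f.dport) in forwards \
                and country_of(f.src) in blocked:
            uninspected_inbound.append(f)
    return blocked_outbound, uninspected_inbound
```

Running `triage(FLOWS, {"CN"}, PORT_FORWARDS)` reports the outbound flow to 203.0.113.50 as covered by the geo rule, and the inbound 203.0.113.7 connection to the 443 forward as the kind of traffic the answer says still reaches the network.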

5 REPLIES
Kind of a big deal

Re: MX GEO IP filtering on Port Forward rules

@RichardChen1  Yes it blocks both ways as mentioned below.

Geo-IP Based Firewalling

The Layer 7 Firewall can also be used to block traffic based on the source country of inbound traffic or the destination country of outbound traffic. To do so, create a new Layer 7 Firewall rule and select Countries... from the Application drop-down. You have the option of blocking all traffic to or from a specified set of countries or blocking any traffic that is not to or from a specified set of countries.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#Geo-IP_Based_F...

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Getting noticed

Re: MX GEO IP filtering on Port Forward rules

Thanks, I have seen the documentation but I'm still not sure about the questions I asked in the post.

  • Does this cover all incoming/outgoing traffic?
  • The option is to deny traffic to/from, so if I block China, does that mean no traffic comes in from or goes out to China?
  • Is there any option to apply this on port forward allowed IPs by country?
Kind of a big deal

Re: MX GEO IP filtering on Port Forward rules

@RichardChen1  Yes if you select China as an example it will block all traffic to and from China. 

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Meraki Employee

Re: MX GEO IP filtering on Port Forward rules

@RichardChen1 The "Allowed remote IPs" of port forwarding is used when you want to restrict the port forwarding rule to specific IP addresses. (This cannot be configured based on the source country of the traffic.)

The Geo firewall rule covers all incoming / outgoing traffic for the countries restricted by the firewall rule.

If you blocked China as a country with "Traffic to/from" as the condition, then traffic to/from IP addresses categorised as being in China is blocked.

