MX GEO IP filtering on Port Forward rules

Solved
RichardChen1
Getting noticed


Hi Everyone,


I found GEO IP filtering only appears under Layer 7 FW rules - does this mean it will apply to all inbound and outbound traffic for a specific country?

I.e., if I block the US, does that mean I won't be able to browse to US websites as well?


I received a requirement to restrict countries under Port Forward "Allowed remote IPs" - is there any workaround to achieve this?

Accepted Solution
Mr_IT_Guy
A model citizen

"Port forwarding, 1:1 NAT and 1:M NAT traffic are not inspected by layer 7 rules. So, any external traffic coming from one of the blocked countries will still be seen in your network; traffic will not go out to those countries though."


This is a response from the ticket I have had in with Meraki for quite some time, as we are seeing traffic from blocked countries inside of our network. I have brought this up with Meraki in the past and have been told that this is expected behavior. So while theoretically it should block the countries in question, in practice you may still see traffic from those countries coming into your network, but not going out.



6 Replies
BlakeRichardson
Kind of a big deal

@RichardChen1 Yes, it blocks both ways, as mentioned below.


Geo-IP Based Firewalling

The Layer 7 Firewall can also be used to block traffic based on the source country of inbound traffic or the destination country of outbound traffic. To do so, create a new Layer 7 Firewall rule and select Countries... from the Application drop-down. You have the option of blocking all traffic to or from a specified set of countries or blocking any traffic that is not to or from a specified set of countries.


https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#Geo-IP_Based_F...

RichardChen1
Getting noticed

Thanks, I have seen the documentation but am still not sure about the questions I asked in the post.

  • Does this cover all incoming/outgoing traffic?
  • The option is to deny traffic to/from, so if I block China, does it mean no traffic comes in from or goes out to China?
  • Any option to apply this to the port forward allowed IPs by country?
BlakeRichardson
Kind of a big deal

@RichardChen1  Yes if you select China as an example it will block all traffic to and from China. 

HitoshiH
Meraki Employee

@RichardChen1 The "Allowed remote IPs" of port forwarding is used when you want to restrict the port forwarding rule to specific IP addresses. (This cannot be configured based on the source country of traffic.)


The Geo firewall rule covers all incoming / outgoing traffic for the countries restricted by the firewall rule.

If you block China as a country with "Traffic to/from" as the condition, then traffic to/from IP addresses categorised in China is blocked.

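The two answers above leave the asker with a manual workaround: since "Allowed remote IPs" only takes addresses and Layer 7 Geo-IP rules do not inspect port-forwarded traffic, the only way to scope a port forward to a country is to feed it that country's prefixes explicitly. The following is an added example (editor's code, not Meraki's and not from any post in this thread) that builds such a list from RIR delegated-extended records, aggregates it, and wraps it in a port-forwarding rule, plus a check for a given source address against the resulting list. Assumptions, labelled in the code: the RIR record layout (registry|cc|type|start|value|date|status[|opaque-id]), the Dashboard API field names used for the rule (lanIp, publicPort, localPort, protocol, uplink, allowedIps), and the sample records, which are constructed rather than real allocations.

```python
"""Country-scoped 'allowed remote IPs' for an MX port-forwarding rule.

Added example, not code from Meraki or from the thread. It turns RIR
delegated-extended records for one country code into an aggregated CIDR list
and wraps it in a port-forwarding rule dict. ASSUMPTIONS: the RIR record layout
(registry|cc|type|start|value|date|status[|opaque-id]) and the Dashboard API
field names used in port_forward_rule(); verify both against current docs.
"""
import ipaddress
import json
from typing import List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in delegated-extended format (not real allocations).
# For ipv4 records 'value' is an address COUNT and need not be a power of two;
# for ipv6 records it is a prefix length.
SAMPLE_DELEGATED = """\
2|apnic|20240101|9|19830613|20231231|+1000
apnic|*|ipv4|*|7|summary
apnic|CN|ipv4|1.0.0.0|256|20110414|allocated|A91872ED
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated|A91872ED
apnic|CN|ipv4|1.0.2.0|512|20110414|allocated|A91872ED
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated|A9AB5CE5
apnic|CN|ipv4|1.0.8.0|2048|20110412|allocated|A91872ED
apnic|CN|ipv4|1.0.32.0|8192|20110412|allocated|A91872ED
apnic|CN|ipv4|27.8.0.0|3072|20100902|allocated|A91872ED
apnic|CN|ipv6|2001:250::|35|20010710|allocated|A9AB5CE5
"""


def country_prefixes(delegated_text: str, cc: str, family: str = "ipv4") -> List[Net]:
    """Return the aggregated prefixes registered to country code `cc`."""
    nets: List[Net] = []
    for line in delegated_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        # skip the version header and per-type summary lines
        if len(f) < 7 or f[1] != cc.upper() or f[2] != family:
            continue
        start, value = f[3], int(f[4])
        if family == "ipv4":
            # count -> one or more CIDRs (3072 addresses = /21 + /22)
            first = ipaddress.IPv4Address(start)
            last = first + value - 1
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(f"{start}/{value}"))
    # merge adjacent blocks (two /24s and a /23 -> one /22) and drop
    # anything already covered by a larger block
    return sorted(ipaddress.collapse_addresses(nets))


def is_allowed(src_ip: str, allowed: List[Net]) -> bool:
    """Check a source address against the allow list; the verification step
    for 'we still see traffic from blocked countries inside the network'."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in n for n in allowed if n.version == ip.version)


def port_forward_rule(lan_ip: str, public_port: int, local_port: int,
                      protocol: str, allowed: List[Net]) -> dict:
    """Build one rule for the Dashboard API port-forwarding body.
    Field names are an ASSUMPTION based on the API's portForwardingRules
    resource; check the schema and the per-rule allowed-IP limit before a PUT."""
    return {
        "lanIp": lan_ip,
        "publicPort": str(public_port),
        "localPort": str(local_port),
        "protocol": protocol,
        "uplink": "both",
        "allowedIps": [str(n) for n in allowed],
    }


if __name__ == "__main__":
    cn = country_prefixes(SAMPLE_DELEGATED, "CN")
    rule = port_forward_rule("192.168.128.10", 443, 443, "tcp", cn)
    print(json.dumps({"rules": [rule]}, indent=2))
    for probe in ("27.8.9.1", "27.8.12.1", "1.0.16.1"):
        print(probe, "allowed" if is_allowed(probe, cn) else "denied")
```

Two things to keep in mind when using this for real: the aggregation step matters because a country's raw allocation list runs to thousands of records, and the port-forward rule will accept only so many entries, so confirm the current per-rule limit in the dashboard before pushing; and country allocations change, so the list has to be regenerated on a schedule rather than set once.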
Iridium79
Getting noticed

It might work if you create a group policy and attach it to that client; that's when the Layer 7 rules will kick in, since group policies are stateless.
