Meraki

Community

MX GEO IP filtering on Port Forward rules

Solved
RichardChen1
Getting noticed
‎Sep 16 2019 2:30 PM
‎Sep 16 2019 2:30 PM

MX GEO IP filtering on Port Forward rules

Hi Everyone,

 

I found GEO IP filtering only appears under Layer 7 FW rules - does this mean it will apply to all inbound and outbound traffic for a specific country?

IE: if I block US, does that mean I won't be able to browse to US website as well?

 

 

I received a requirement to restrict countries under Port Forward "Allowed remote IPs" - is there any workaround to achieve this?

0 Kudos
1 Accepted Solution
Mr_IT_Guy
A model citizen
‎Sep 17 2019 6:27 AM
‎Sep 17 2019 6:27 AM

"Port forwarding, 1:1 NAT and 1:M NAT traffic are not inspected by layer 7 rules. So, any external traffic coming from one of the blocked countries will still be seen in your network; traffic will not go out to those countries though."

 

This is a response from the ticket I have had in with Meraki for quite sometime as we are seeing traffic from blocked countries inside of our network. I have brought this up with Meraki in the past and have been told that this is expected behavior. So while theoretically it should block the countries in question, in practice you may still see traffic from those countries coming into your network, but not going out.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)

View solution in original post

6 Replies 6
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Sep 16 2019 3:34 PM
‎Sep 16 2019 3:34 PM

@RichardChen1  Yes it blocks both ways as mentioned below.

 

Geo-IP Based Firewalling

The Layer 7 Firewall can also be used to block traffic based on the source country of inbound traffic or the destination country of outbound traffic. To do so, create a new Layer 7 Firewall rule and select Countries... from the Application drop-down. You have the option of blocking all traffic to or from a specified set of countries or blocking any traffic that is not to or from a specified set of countries.

 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#Geo-IP_Based_F...

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to BlakeRichardson
RichardChen1
Getting noticed
‎Sep 16 2019 3:53 PM
‎Sep 16 2019 3:53 PM

Thanks, I have seem the documentation but still not sure about the questions I asked in the post.

  • Does this covers all incoming/outgoing traffic?
  • The option is to deny traffic to/from, so I block China, it mean no traffic come in and going out to China?
  • Any option to apply on port forward allow ip by countries?
0 Kudos
In response to RichardChen1
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Sep 16 2019 5:24 PM
‎Sep 16 2019 5:24 PM

@RichardChen1  Yes if you select China as an example it will block all traffic to and from China. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
HitoshiH
Meraki Employee
Meraki Employee
‎Sep 17 2019 1:27 AM
‎Sep 17 2019 1:27 AM

@RichardChen1 The "Allowed remote IPs" of port forwarding is used when you want to restrict for the port forwarding rule by specific IP addresses. (This cannot be configured by based on source country of traffic)

 

The Geo firewall rule covers all incoming / outgoing traffic for the countries restricted by the firewall rule.

If you blocked China as country with "Traffic to/from" as condition, then traffic to/from IP address categorised in China is blocked.

~~If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.~~

The Meraki ECMS exam is now live! Test your knowledge of Meraki and become an official Cisco Meraki Solutions Specialist. More info on the ECMS exam found here.

For information regarding all of Meraki's training offerings, be sure to check out the Meraki Learning Hub.
0 Kudos
Mr_IT_Guy
A model citizen
‎Sep 17 2019 6:27 AM
‎Sep 17 2019 6:27 AM

"Port forwarding, 1:1 NAT and 1:M NAT traffic are not inspected by layer 7 rules. So, any external traffic coming from one of the blocked countries will still be seen in your network; traffic will not go out to those countries though."

 

This is a response from the ticket I have had in with Meraki for quite sometime as we are seeing traffic from blocked countries inside of our network. I have brought this up with Meraki in the past and have been told that this is expected behavior. So while theoretically it should block the countries in question, in practice you may still see traffic from those countries coming into your network, but not going out.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
In response to Mr_IT_Guy
Iridium79
Getting noticed
‎Oct 2 2021 10:48 AM
‎Oct 2 2021 10:48 AM

It might work if you create a group policy and attach it to that client.    That’s when the layer 7 will kick in.  Since group policies are stateless.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.