Hi Everyone,
I found GEO IP filtering only appears under Layer 7 FW rules - does this mean it will apply to all inbound and outbound traffic for a specific country?
i.e. if I block US, does that mean I won't be able to browse to US websites as well?
I received a requirement to restrict countries under Port Forward "Allowed remote IPs" - is there any workaround to achieve this?
"Port forwarding, 1:1 NAT and 1:M NAT traffic are not inspected by layer 7 rules. So, any external traffic coming from one of the blocked countries will still be seen in your network; traffic will not go out to those countries though."
This is a response from the ticket I have had in with Meraki for quite some time, as we are seeing traffic from blocked countries inside of our network. I have brought this up with Meraki in the past and have been told that this is expected behavior. So while theoretically it should block the countries in question, in practice you may still see traffic from those countries coming into your network, but not going out.
@RichardChen1 Yes it blocks both ways as mentioned below.
The Layer 7 Firewall can also be used to block traffic based on the source country of inbound traffic or the destination country of outbound traffic. To do so, create a new Layer 7 Firewall rule and select Countries... from the Application drop-down. You have the option of blocking all traffic to or from a specified set of countries or blocking any traffic that is not to or from a specified set of countries.
Thanks, I have seen the documentation but am still not sure about the questions I asked in the post.
@RichardChen1 Yes if you select China as an example it will block all traffic to and from China.
@RichardChen1 The "Allowed remote IPs" of port forwarding is used when you want to restrict the port forwarding rule to specific IP addresses. (This cannot be configured based on the source country of traffic.)
The Geo firewall rule covers all incoming / outgoing traffic for the countries restricted by the firewall rule.
If you blocked China as a country with "Traffic to/from" as the condition, then traffic to/from IP addresses categorised in China is blocked.
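One way to audit this from the defender's side, as an added example that is not from the thread or from Meraki: a small Python check that lists the port forwards a Layer 7 geo-block rule will not protect (those whose "Allowed remote IPs" is "any") and evaluates an IP/CIDR allow list against a source address. It assumes the JSON shapes of the Dashboard API's L7 firewall rule and port-forwarding rule objects; the sample data is constructed inline, so nothing is pulled from a real network.

```python
import ipaddress

# Constructed sample: one Layer 7 geo rule that denies traffic to/from CN and RU.
# Shape assumed from the Dashboard API l7FirewallRules object.
L7_RULES = [
    {"policy": "deny", "type": "blockedCountries", "value": ["CN", "RU"]},
]

# Constructed sample port forwards; 'allowedIps' is the "Allowed remote IPs"
# field (shape assumed from the Dashboard API portForwardingRules object).
PORT_FORWARDS = [
    {"name": "web", "publicPort": "443", "lanIp": "192.168.128.10",
     "protocol": "tcp", "allowedIps": ["any"]},
    {"name": "vpn-partner", "publicPort": "1194", "lanIp": "192.168.128.20",
     "protocol": "udp", "allowedIps": ["203.0.113.0/24", "198.51.100.7"]},
]


def blocked_countries(l7_rules):
    """Country codes covered by deny rules of type blockedCountries."""
    codes = set()
    for rule in l7_rules:
        if rule.get("type") == "blockedCountries" and rule.get("policy") == "deny":
            codes.update(rule.get("value", []))
    return codes


def unrestricted_forwards(port_forwards):
    """Names of port forwards reachable from any source. Layer 7 geo rules
    do not inspect forwarded traffic, so these stay reachable from the
    blocked countries; only an explicit IP/CIDR allow list narrows them."""
    return [pf["name"] for pf in port_forwards
            if "any" in pf.get("allowedIps", ["any"])]


def source_permitted(port_forward, src_ip):
    """Does the rule's Allowed remote IPs list admit src_ip? Entries are
    'any' or IP/CIDR strings, mirroring the dashboard field (no countries)."""
    ip = ipaddress.ip_address(src_ip)
    for entry in port_forward.get("allowedIps", ["any"]):
        if entry == "any" or ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False
```

Running `unrestricted_forwards(PORT_FORWARDS)` on the sample flags only `web`, which is the forward that would still be reachable from the countries the geo rule denies.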
It might work if you create a group policy and attach it to that client. That’s when the layer 7 will kick in. Since group policies are stateless.