MX Layer 7 P2P Blocking Issues

Adam


Under Security Appliance > Firewall we had a Layer 7 firewall rule set up to Deny P2P - BitTorrent. This rule was blocking any LogMeIn traffic coming from the outside and was resulting in disconnection issues for the LogMeIn client. When I removed the Layer 7 firewall rule above, the issue subsided. Figured I'd give everyone a heads-up, and I'd also be interested in any dialog regarding effective prevention of P2P traffic on your networks. Seems like the current Layer 7 implementation blocks a lot of legitimate traffic.

 

Note:  Currently on firmware 12.24

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
PhilipDAth

It is almost impossible to block all P2P traffic.  These days it tends to use random ports, random IP addresses and encryption.

 

Across the networks I look after I don't really see P2P issues anymore. The likes of Netflix and others have made it easy for people to get content legally.

Adam

From time to time we get DMCA violations. I'd like to make a best effort to block as much as we can programmatically but, as specified, it seems to cause issues for many legitimate applications. The only other solution that has seemed to help is OpenDNS Umbrella. Hopefully they'll fold that into Meraki's content filter eventually since Cisco owns both now.

PhilipDAth

If you are using content filtering, then try blocking the categories "Peer to Peer" and "Illegal".

 

"Illegal" is:

Criminal activity, how not to get caught, copyright and intellectual property violations, etc.

 

"Peer to peer" is:

Peer to peer clients and access. Includes torrents, music download programs

 

https://www.brightcloud.com/tools/change-request-url-categorization.php

Adam

Thanks @PhilipDAth

 

I have that set but it doesn't seem to do a good job of blocking torrent trackers.  Best effort I suppose. 


Philip, is there a way to see exactly what these rules do? I don't like being blind when blocking something on thousands of endpoints. Trial and error in testing is hard to simulate, and trial and error in production could be really bad.

No there is not.

CraigCummings

Including Meraki's own "Cloud Communication" traffic, apparently... sigh. On hold with support for 20 mins and was simply disconnected. Thought I'd come out here and take a look. Glad we pay the big bucks for "enterprise support" vs. having to DIY on the forums.

 

May 04 12:39:32 98.173.248.218 logger <134>1 1651685972.152202720 FER_Office_appliance l7_firewall src=192.168.128.105 dst=209.206.63.216 protocol=udp sport=45253 dport=7351 decision=blocked
May 04 12:39:32 98.173.248.218 logger <134>1 1651685972.205257006 FER_Office_appliance l7_firewall src=192.168.128.20 dst=209.206.63.216 protocol=udp sport=48040 dport=7351 decision=blocked

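The l7_firewall syslog lines above are the only visibility into what the Layer 7 rule actually drops, which is the blindness Adam complains about earlier in the thread. The following is an added example (not Meraki's code and not posted by anyone in the thread) that parses events in that exact format, groups blocked flows by destination and port, and flags hits on an admin-maintained allow-list so a false positive like the one Craig hit stands out before a rule goes to thousands of endpoints. The sample log lines are constructed (documentation-range addresses, same field layout as the posted lines), and the allow-list entry for UDP/7351 is an assumption taken from what the posted lines show being blocked, not from vendor documentation.

```python
"""Audit Meraki MX l7_firewall syslog events to see what a Layer 7 rule is really blocking."""
import re
from collections import defaultdict

# Constructed sample lines in the layout shown in the thread: syslog wrapper,
# then the appliance name, the event type and Meraki's key=value fields.
# Addresses are documentation/private ranges, not the ones posted above.
SAMPLE_LOGS = """\
May 04 12:39:32 203.0.113.10 logger <134>1 1651685972.152202720 Office_appliance l7_firewall src=192.168.128.105 dst=198.51.100.20 protocol=udp sport=45253 dport=7351 decision=blocked
May 04 12:39:32 203.0.113.10 logger <134>1 1651685972.205257006 Office_appliance l7_firewall src=192.168.128.20 dst=198.51.100.20 protocol=udp sport=48040 dport=7351 decision=blocked
May 04 12:40:01 203.0.113.10 logger <134>1 1651686001.001000000 Office_appliance l7_firewall src=192.168.128.77 dst=198.51.100.55 protocol=tcp sport=51000 dport=6881 decision=blocked
May 04 12:40:02 203.0.113.10 logger <134>1 1651686002.002000000 Office_appliance l7_firewall src=192.168.128.77 dst=198.51.100.56 protocol=udp sport=51001 dport=6881 decision=blocked
May 04 12:40:05 203.0.113.10 logger <134>1 1651686005.003000000 Office_appliance flows src=192.168.128.5 dst=198.51.100.9 protocol=tcp sport=40000 dport=443 pattern: allow all
"""

# Only l7_firewall events are of interest; other Meraki event types (flows, urls, ...) are skipped.
L7_EVENT = re.compile(
    r"^(?P<stamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ logger <\d+>1 (?P<epoch>\d+\.\d+) "
    r"(?P<appliance>\S+) l7_firewall (?P<kv>.*)$"
)


def parse_l7_events(text):
    """Return one dict per l7_firewall line, with the key=value fields flattened in."""
    events = []
    for line in text.splitlines():
        m = L7_EVENT.match(line)
        if not m:
            continue
        ev = {"epoch": float(m.group("epoch")), "appliance": m.group("appliance")}
        for field in m.group("kv").split():
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def summarize_blocks(events):
    """Group blocked flows by (dst, protocol, dport) -> sorted list of distinct internal sources.

    Many distinct clients blocked toward one destination:port is the shape a
    false positive (a SaaS or management endpoint) tends to have; one client
    fanning out to many peers on the same port looks more like real P2P.
    """
    groups = defaultdict(set)
    for ev in events:
        if ev.get("decision") != "blocked":
            continue
        groups[(ev["dst"], ev["protocol"], ev["dport"])].add(ev["src"])
    return {key: sorted(srcs) for key, srcs in groups.items()}


def fan_out_by_source(events):
    """Number of distinct (dst, dport) peers each internal source was blocked toward."""
    peers = defaultdict(set)
    for ev in events:
        if ev.get("decision") == "blocked":
            peers[ev["src"]].add((ev["dst"], ev["dport"]))
    return {src: len(p) for src, p in peers.items()}


def suspected_false_positives(events, known_good_ports):
    """Blocked events whose (protocol, dport) is on an admin-maintained allow-list.

    known_good_ports is a set of (protocol, dport-as-string) pairs the admin has
    verified as legitimate for this network; nothing is inferred here.
    """
    return [ev for ev in events
            if ev.get("decision") == "blocked"
            and (ev.get("protocol"), ev.get("dport")) in known_good_ports]


if __name__ == "__main__":
    events = parse_l7_events(SAMPLE_LOGS)
    for (dst, proto, dport), sources in sorted(summarize_blocks(events).items()):
        print(f"{dst} {proto}/{dport}: blocked for {len(sources)} client(s)")
    for src, n in fan_out_by_source(events).items():
        print(f"{src}: blocked toward {n} distinct peer(s)")
    # Assumed allow-list entry: UDP/7351 is what the thread shows being dropped;
    # verify it against your own appliance's documented requirements before relying on it.
    for ev in suspected_false_positives(events, {("udp", "7351")}):
        print("possible false positive:", ev["src"], "->", ev["dst"], ev["protocol"], ev["dport"])
```

Point the script at a syslog export from the MX (the format above is what the appliance emits when the l7_firewall role is enabled on the syslog server) and review the summary before tightening or widening a Layer 7 rule; the allow-list is yours to maintain and should hold only ports you have confirmed are legitimate.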