Meraki

CedricMX · ‎Jan 16 2023

Hello Meraki Team,

Nice to meet you !

A quick information about Meraki Firewall. I work on MX84 and MX67 Firewall and i am a little suprised about the behaviour of Meraki firewall.

I explain my problem :

I have 2 vlans and the deny all rule at the end of the configuration is blocking icmp flow between the 2 vlans => ok it is working fine.

I leave the ping working between the 2 computers that are in the 2 different vlans.

Above the deny rule i create an allow rule to open flow from vlan 10 to vlan 20 => Ok the flow is working.

The ping between 2 computer is still working and i decide to delete the previous allow rule. => logically the icmp flow must be interupted between my 2 computer because the deny all rule must apply. BUT it is not the case.

=> ping is still working and i must interupt the active ping, wait 5 minutes and reload the ping to see that the flow is deny.

Do you have any information about this Meraki firewall behaviour ? In 20 years in IT it is the first time in see that. With other firewall product like Watchguar or fortinet the icmp flow is deny instantly when the allow rule is delete.

Many thanks !

ww · ‎Jan 16 2023

i dont know about the documentation but i know that is the expected behavior,

meraki does not remove the active flows from the mx if you change the rulebase.

the timeout of that fw flow/entry is indeed around 5 minutes

the stateless acl/fw rules from the MR and the group policy should work instantly

CedricMX · ‎Jan 16 2023

Ok thank for the reply.

Is there a way to force the rule to be applied ?

It is pretty weird because on other firewall the deny rule is applied instantly (no need to wait 5 minutes timeout).

"the stateless acl/fw rules from the MR and the group policy should work instantly" => the MR it is Wifi access point ? The behaviour is different ?

Many thanks

RaphaelL · ‎Jan 16 2023

Yes it is different , it is stateless , the MX doesn't keep track of any 'sessions' at all. It must re-evaluate every packet , so when you delete the rule it is effective instantly.

I deleted a TCP allow 443 rule in the past and I was getting syslogs that people were still hiting that rule despite the rule being deleted 3-4 weeks ago. Support told me that in every case an active session was still 'active' so the flow was allowed. I had to reboot a couple of MX to purge the session table.

I agree with you , it doesn't make any sense at all , but it seems to be 'working as expected'.

CedricMX · ‎Jan 16 2023

I am agree with you.

Do you know if an official Meraki documentation is explain this weird behaviour (stateless instead of stateful) ?

Many thanks

RaphaelL · ‎Jan 16 2023

I tried to find a packet flow chart from Meraki without any success. You might need to open a ticket to get the confirmation / info needed for that I'm afraid.

BlakeRichardson · ‎Jan 16 2023

I'm not sure why Meraki does it this way but there must be a reason behind it, I have to admit it's not helpful when making changes and wanting to confirm those changes are working.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Meraki

Community

MX deny rule applied working after 5 minutes on active ping

MX deny rule applied working after 5 minutes on active ping