MX deny rule applied working after 5 minutes on active ping

CedricMX

Hello Meraki Team,

Nice to meet you!

A quick question about the Meraki firewall. I work on MX84 and MX67 firewalls and I am a little surprised by the behaviour of the Meraki firewall.

Let me explain my problem:

I have 2 VLANs and the deny-all rule at the end of the configuration is blocking the ICMP flow between the 2 VLANs => OK, it is working fine.

I leave the ping running between the 2 computers that are in the 2 different VLANs.

Above the deny rule I create an allow rule to open the flow from VLAN 10 to VLAN 20 => OK, the flow is working.

The ping between the 2 computers is still working and I decide to delete the previous allow rule. => Logically the ICMP flow must be interrupted between my 2 computers because the deny-all rule must apply. BUT it is not the case.

=> The ping is still working and I must interrupt the active ping, wait 5 minutes and restart the ping to see that the flow is denied.

Do you have any information about this Meraki firewall behaviour? In 20 years in IT it is the first time I have seen that. With other firewall products like WatchGuard or Fortinet the ICMP flow is denied instantly when the allow rule is deleted.

Many thanks!

6 Replies
ww

I don't know about the documentation but I know that this is the expected behaviour.

Meraki does not remove the active flows from the MX if you change the rulebase.

The timeout of that firewall flow/entry is indeed around 5 minutes.

The stateless ACL/firewall rules from the MR and the group policy should work instantly.

CedricMX

OK, thanks for the reply.

Is there a way to force the rule to be applied?

It is pretty weird because on other firewalls the deny rule is applied instantly (no need to wait for the 5-minute timeout).

"The stateless ACL/firewall rules from the MR and the group policy should work instantly" => the MR is the Wi-Fi access point? The behaviour is different?

Many thanks

RaphaelL

Yes, it is different: it is stateless, the MX doesn't keep track of any 'sessions' at all. It must re-evaluate every packet, so when you delete the rule it is effective instantly.

I deleted a TCP allow 443 rule in the past and I was getting syslogs that people were still hitting that rule despite the rule having been deleted 3-4 weeks earlier. Support told me that in every case an active session was still 'active', so the flow was allowed. I had to reboot a couple of MXs to purge the session table.

I agree with you, it doesn't make any sense at all, but it seems to be 'working as expected'.
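To make the behaviour ww and RaphaelL describe concrete, here is an added example (it is not Meraki's code and not from anyone in this thread) that models a stateful firewall whose flow table is kept across rule edits, with an assumed 300-second idle timeout standing in for the "around 5 minutes" reported above. The hosts, VLAN subnets and rules are constructed for the example. It shows that a continuously running ping keeps refreshing the flow entry so the deleted allow rule never takes effect, that the entry only expires after the idle timeout, that flushing the flow table (what the reboot did for RaphaelL) applies the change immediately, and that a stateless evaluation of the same packet denies it straight away.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    proto: str     # "icmp", "tcp", "udp" or "any"
    src_net: str   # CIDR, e.g. "10.0.10.0/24"
    dst_net: str


def _in_net(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def evaluate(rules, pkt) -> str:
    """Stateless decision: first matching rule wins, implicit deny at the end."""
    for r in rules:
        if (r.proto in ("any", pkt["proto"])
                and _in_net(pkt["src"], r.src_net)
                and _in_net(pkt["dst"], r.dst_net)):
            return r.action
    return "deny"


class StatefulFirewall:
    """Flow-cached firewall: an established flow bypasses the rulebase until it idles out."""

    IDLE_TIMEOUT = 300  # seconds; assumed value for the ~5 minutes reported in the thread

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = {}  # (proto, src, dst) -> time the flow was last seen

    def process(self, pkt, now: int) -> str:
        key = (pkt["proto"], pkt["src"], pkt["dst"])
        last = self.flows.get(key)
        if last is not None and now - last < self.IDLE_TIMEOUT:
            # Known flow: refresh its idle timer and pass it without consulting the rules.
            self.flows[key] = now
            return "allow (existing flow)"
        # New or expired flow: drop any stale entry and evaluate the current rulebase.
        self.flows.pop(key, None)
        verdict = evaluate(self.rules, pkt)
        if verdict == "allow":
            self.flows[key] = now
        return verdict

    def delete_rule(self, rule: Rule) -> None:
        # Only the rulebase changes; the flow table is deliberately left alone,
        # which is the behaviour the thread describes.
        self.rules.remove(rule)

    def flush_flows(self) -> None:
        # Stands in for the reboot that purged the session table.
        self.flows.clear()


def scenario() -> dict:
    allow = Rule("allow", "icmp", "10.0.10.0/24", "10.0.20.0/24")   # constructed rule
    echo = {"proto": "icmp", "src": "10.0.10.5", "dst": "10.0.20.5"}  # constructed packet
    out = {}

    fw = StatefulFirewall([allow])
    out["with_rule"] = fw.process(echo, now=0)
    fw.delete_rule(allow)

    # The ping is left running: one echo per second keeps refreshing the entry.
    verdict = None
    for t in range(1, 601):
        verdict = fw.process(echo, now=t)
    out["ping_never_stopped"] = verdict

    # Stop the ping and resume just inside the idle timeout: still passed.
    out["idle_299s"] = fw.process(echo, now=600 + 299)
    # Resume once the entry has idled out: rulebase re-evaluated, deny-all applies.
    out["idle_300s"] = fw.process(echo, now=899 + 300)

    # The same packet judged statelessly right after the deletion: denied at once.
    out["stateless_after_delete"] = evaluate(fw.rules, echo)

    # Purging the flow table makes the rule change bite immediately.
    fw2 = StatefulFirewall([allow])
    fw2.process(echo, now=0)
    fw2.delete_rule(allow)
    fw2.flush_flows()
    out["after_flush"] = fw2.process(echo, now=1)
    return out


if __name__ == "__main__":
    for step, verdict in scenario().items():
        print(f"{step:24s} {verdict}")
```

The practical check this suggests: after removing an allow rule on a flow-caching firewall, test from a fresh flow (stop the ping and wait past the idle timeout, or open a new TCP connection from a new source port) rather than watching an existing one, because an already-established flow that keeps passing is not evidence that the rule is still in place.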

CedricMX

I agree with you.

Do you know if any official Meraki documentation explains this weird behaviour (stateless instead of stateful)?

Many thanks

RaphaelL

I tried to find a packet flow chart from Meraki without any success. You might need to open a ticket to get the confirmation / info needed for that, I'm afraid.

BlakeRichardson

I'm not sure why Meraki does it this way, but there must be a reason behind it. I have to admit it's not helpful when making changes and wanting to confirm those changes are working.
