MX100 L3 rule not working
Hi,
Can anyone help me figure out why the rule below is not working?
Below is my scenario: from host x.x.x.y I can still ping host x.x.z.z.
I also tried Deny ICMP, but it is still not working. What works for me is to create a group policy, define the L3 rules in the group policy, and then apply the group policy to the x.x.z.0 subnet. The rules I define in the group policy are the same rules I define in the firewall configuration, but in the firewall configuration those rules are not working.
Have you run packet captures on the MX, on both WAN and LAN sides, to confirm what packets are ingressing/egressing the MX? Assuming the MX is in NAT mode, and not VPN/Passthrough mode in which case it's just a bump in the wire? And just for troubleshooting, instead of ANY protocol, try specifying ICMP to see if that changes the behavior and if so, open a case to investigate. Also, depending on FW version you might be able to toggle on inbound FW logging on the firewall config page.
When the rule is applied it won't affect current network flows immediately. You might just want to reboot the clients or refresh their network settings and test again.
both hosts are connected to MX LAN ports and the VLANs for the hosts are defined locally in the MX.
That shouldn't matter. How about adding the reverse rule too?
Reset the network settings on both hosts and tested again; the rule is still not working.
Added the reverse rule, but it is still not working.
Well, back to MerakiDave's suggestion, I guess. Look at a LAN side packet capture and see what is happening. If it is not right, call support and show them.
Any chance there is a permit rule above this that might be allowing it?
There are no hits on your rule. Double check for any typos in the IP addresses, and for any permit rules above the deny which might be permitting the traffic.
Agreed that x.x.z.z should be source and the other as destination. Also make sure the computers you are testing from are not whitelisted. Lastly see if you can test something other than ping if it has any other services. And for testing's sake try setting the Deny Any to Deny ICMP. For some reason, I seem to remember that 'Any' possibly doesn't include ICMP but I could be remembering that incorrectly.
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
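Two of the checks suggested above, which rule a flow actually hits under top-to-bottom first-match evaluation and whether an earlier permit fully covers the deny so it can never get a hit, written up as an added Python example. This is not code from the thread or from Meraki; the rule model, the "no explicit rule hit" result reported as None, and the RFC 5737 sample addresses standing in for the thread's x.x.x.0 and x.x.z.0 subnets are my assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    """One L3 rule, in the order it appears in the MX firewall rule list (assumed model)."""
    policy: str      # "allow" or "deny"
    protocol: str    # "any", "tcp", "udp" or "icmp"
    src_cidr: str    # "any" or a CIDR
    dst_cidr: str    # "any" or a CIDR
    comment: str = ""


def _net(cidr: str):
    # Raises ValueError on a mistyped address such as "192.0.2.1O/32": the typo check above.
    return ipaddress.ip_network(cidr, strict=False)


def _cidr_match(cidr: str, ip: str) -> bool:
    return cidr.lower() == "any" or ipaddress.ip_address(ip) in _net(cidr)


def _cidr_covers(outer: str, inner: str) -> bool:
    # True when every address matched by `inner` is also matched by `outer`.
    if outer.lower() == "any":
        return True
    if inner.lower() == "any":
        return False
    return _net(inner).subnet_of(_net(outer))


def _proto_covers(outer: str, inner: str) -> bool:
    return outer.lower() == "any" or outer.lower() == inner.lower()


def first_match(rules: List[Rule], src: str, dst: str, proto: str) -> Optional[int]:
    """Index of the first rule the flow hits; None means no explicit rule matched."""
    for i, r in enumerate(rules):
        if (_proto_covers(r.protocol, proto) and _cidr_match(r.src_cidr, src)
                and _cidr_match(r.dst_cidr, dst)):
            return i
    return None


def shadowed_by(rules: List[Rule], idx: int) -> List[int]:
    """Earlier rules of the opposite policy covering everything rule `idx` matches (it gets no hits)."""
    t = rules[idx]
    return [i for i, r in enumerate(rules[:idx])
            if r.policy != t.policy and _proto_covers(r.protocol, t.protocol)
            and _cidr_covers(r.src_cidr, t.src_cidr) and _cidr_covers(r.dst_cidr, t.dst_cidr)]


# Constructed sample rule set: a broad permit sits above the deny the thread is trying to get hits on.
RULES = [
    Rule("allow", "any", "192.0.2.0/24", "any", "hypothetical permit placed above the deny"),
    Rule("deny", "any", "192.0.2.10/32", "198.51.100.20/32", "block x.x.x.y -> x.x.z.z"),
]
```

Running `first_match(RULES, "192.0.2.10", "198.51.100.20", "icmp")` returns 0 (the permit), and `shadowed_by(RULES, 1)` returns [0]; with the deny moved to the top the same ping hits the deny.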
