MX250 - Blocking several incoming IP addresses

DunJer622
Building a reputation


Greetings,


I've just moved over to an MX250 as our core firewall.  I'm looking to see if there is a better way to block incoming IP addresses aside from individual L7 rules denying IP/32?  I get a lot of attempts against our Exchange Server, as it is public facing.  I'd like to take the daily list of IPs and enter them all together, versus separate line items.  With my SonicWALL, I simply created a group called Risk Address and added IPs to it.  Since incoming from Risk Address was blocked, any added to that group was automatically blocked.  Within Threat Protection, I do have Intrusion Detection at Detection and Balanced, as I wanted to get a feel for how it was working.  I did see one topic in the community, but it appeared that the answer actually was blocking outgoing to the IPs, not incoming.


Any assistance would be greatly appreciated.


Thank you,


Jeremy

6 Replies
BrechtSchamp
Kind of a big deal

You can actually specify a list of IP addresses and ranges in the remote IPs field of port forwarding and 1-to-1 NAT.



More info here:

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Blocking_Inbound_Traffic_on_MX_Security_...


Apart from that I think the L7 and L3 firewall are for outgoing connections, but I read conflicting info so I'd have to test to be sure. Perhaps someone will comment on that point.
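The remote-IPs field on MX port forwarding and 1:1 NAT rules takes a list of addresses and CIDR ranges, but it is an allow-list: to keep a daily list of abusive sources out, the list you enter has to be "everything except those". The script below is an added example written for this thread, not Meraki code and not from any poster. It parses a constructed block list, carves those networks out of 0.0.0.0/0 with the standard-library `ipaddress` module, and checks that the result and the block list partition the IPv4 space exactly. The entry format (one CIDR per entry) and any length limit on the dashboard field are assumptions; pushing the result through the Dashboard API is left out. One caveat the arithmetic makes obvious: each excluded /32 can add up to 32 ranges to the allow-list, so a long daily list produces a large result.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample "daily risk list" (example data, not from the thread).
SAMPLE_BLOCKLIST = """
# one entry per line, CIDR optional, comments allowed
203.0.113.7
203.0.113.7            # duplicate, should collapse away
198.51.100.0/24        # a whole range
192.0.2.55
"""

ALL_IPV4 = ipaddress.ip_network("0.0.0.0/0")


def parse_blocklist(text: str) -> List[ipaddress.IPv4Network]:
    """Parse a block list into sorted, de-duplicated, collapsed IPv4 networks."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)  # bare IP -> /32
        if net.version != 4:
            raise ValueError(f"IPv4 only: {line}")
        nets.append(net)
    return sorted(ipaddress.collapse_addresses(nets))


def allow_list_excluding(
    blocked: Iterable[ipaddress.IPv4Network],
) -> List[ipaddress.IPv4Network]:
    """Return CIDR ranges covering every IPv4 address NOT in `blocked`.

    Because every network involved is CIDR-aligned, each remaining range is
    either wholly inside a blocked range, wholly contains it, or is disjoint.
    """
    remaining = [ALL_IPV4]
    for bad in blocked:
        nxt = []
        for net in remaining:
            if net.subnet_of(bad):
                continue  # whole range is blocked (also covers equality)
            if bad.subnet_of(net):
                nxt.extend(net.address_exclude(bad))  # carve the hole out
            else:
                nxt.append(net)  # untouched
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def check_allow_list(allowed, blocked) -> bool:
    """Sanity check: allowed and blocked must partition the IPv4 space."""
    total = sum(n.num_addresses for n in allowed) + sum(
        n.num_addresses for n in blocked
    )
    if total != ALL_IPV4.num_addresses:
        return False
    return not any(b.overlaps(a) for b in blocked for a in allowed)


def is_allowed(ip: str, allowed) -> bool:
    """True if `ip` falls inside one of the allowed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def render_for_field(allowed) -> List[str]:
    """One CIDR string per entry; the exact field format is an assumption."""
    return [str(n) for n in allowed]


if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_BLOCKLIST)
    allowed = allow_list_excluding(blocked)
    assert check_allow_list(allowed, blocked)
    print(f"{len(blocked)} blocked ranges -> {len(allowed)} allowed ranges")
    for entry in render_for_field(allowed):
        print(entry)
```

Run it against a real list by replacing `SAMPLE_BLOCKLIST` with the file contents; `check_allow_list` is the guard worth keeping, since a mistake here silently turns "block these" into "allow these".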

NolanHerring
Kind of a big deal

The MX (or any FW for that matter) will always block inbound traffic, unless initiated from outbound traffic from within the network. Not sure if it would help but you could do the L7 countries option and block countries.

Otherwise, L7 is the only way I know to specifically block an incoming public IP and I don't think there is a fast way to implement this. I don't see anything API side that would help.

This older thread here might be of use:
https://community.meraki.com/t5/Security-SD-WAN/Inbound-Firewall-Rules-please/td-p/28653

Nolan Herring | nolanwifi.com
PhilipDAth
Kind of a big deal

I tend to use Content Filtering for doing the automated blocking.  You could use categories like:

Bot Nets

Malware Sites

Confirmed SPAM Sources

These are dynamically updating lists.


Better yet .... move to Office 365 and get rid of the problem altogether. 🙂

BrechtSchamp
Kind of a big deal


@PhilipDAth wrote:

I tend to use Content Filtering for doing the automated blocking.  You could use categories like:

Bot Nets

Malware Sites

Confirmed SPAM Sources

These are dynamically updating lists.


Better yet .... move to Office 365 and get rid of the problem altogether. 🙂


@PhilipDAth does that apply to incoming connections over port forwarding/1-to-1 NAT too? I was wondering about that.

PhilipDAth
Kind of a big deal

Now that you say that - I'm not 100% sure.


I have a customer that only has servers behind an MX in a DC.  The servers seldom make outbound connections.  I am mostly using 1:1 NAT.


Their security centre shows a heap of activity.


[Screenshot from 2019-01-30 22-23-40.png]

PhilipDAth
Kind of a big deal

Specifically, these are mostly web servers.  They just listen for inbound http/https connections.
