Override Layer 7 Firewall Rule Blocking Country - URL exception

bmusselman1
Comes here often

Override Layer 7 Firewall Rule Blocking Country - URL exception

Hello, I would like to whitelist a specific URL in a country we have blocked in our layer 7 firewall rules. Is this possible or does anyone know of a workaround? Meraki support first told me to try a group policy but are now telling me after testing it is not possible.

 

Based on the traffic flow in group policy documentation this seems possible? https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal...

 

However, after creating a group policy and assigning it to the test machine, adding the URL to the allow list AND creating a layer 3 firewall rule in the group policy to allow the URL IP and FQDN, the website is still being blocked.

 

Thanks!

9 Replies 9
alemabrahao
Kind of a big deal
Kind of a big deal

Group Policy Behavior

By default for MX L3 and L7 firewalls are processed independently, as illustrated above. Note that L3 and L7 rules in a group policy behave as one logical firewall just like an MR, again as illustrated above.  With L3 being processed before L7, meaning that any denied L7 applications (e.g. Netflix) would be allowed if the L3 portion of the rule contained an explicit allow for HTTP/HTTPS.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
Kind of a big deal

In my opinion, there's no reason why it shouldn't work.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
ww
Kind of a big deal
Kind of a big deal

I think(guessing) the geo part is special because it also checks inbound. The L3 group policy  is stateless so the mx would not keep track of traffic was already allowed outbound https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#Geo-IP_Based_F...

alemabrahao
Kind of a big deal
Kind of a big deal

The strange thing is that nowhere in the documentation mentions any kind of limitation with group policy. So I'm not sure if that is the case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
bmusselman1
Comes here often

I would have to agree based on the documentation here but unfortunately that doesn't seem to be the case. Wondering if anyone found a workaround for a similar situation

KenMTS
Comes here often

After reading this thread, sounds like you didn't get it to work. I kind of misread it, and got it to work. We have no layer 3 rules, just layer 7 to block multiple countries. I wanted access to one website in one of those countries. I created a Group Policy just for my computers IP, then created a duplicate layer 7 to block the same countries and verified I did not have access. Then I created a layer 3 Allow rule. I tried to use TCP and the FQDN, but it didn't work. Turns out I need to use the websites actual IP address, and it works fine. We are using an MX64, completely updated. Hope this helps if you never got it to work.

Warren
Getting noticed

I'm glad you figured out a work around.  From what I had been told, there is no allow layer 7 rule in the underlying fw engine.  We have faced this challenge since adopting Meraki in 2016.  I tried to block everything outside of 2 countries, in the process I broke the internet - as most of the CDN's including cloudflare stopped working.  

rdominguez
Meraki Employee
Meraki Employee

You are correct, @Warren. At this point in time, there is no "allow" functionality for Layer 7 rules. Due to the limitations of the Layer 7 rules, and their wide geographic scope, using them can be challenging if you're in the situation that @KenMTS was in.

If you only have a subset of devices that need access to these sites, setting up a group policy can help in that situation. You would only need to set up the "Firewall and traffic shaping" option to "Custom network firewall & shaping rules" and set up the same L7 firewall rule but withhold the country in question.

This option would leave the main firewall rules intact but still allow a limited number of PCs to reach those countries that are blocked by the main firewall L7 rules. If you need additional information on group policies, you can use this link to our documentation: 
https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

Warren
Getting noticed

I'm aware of that - but the lack of the ability to allow global services like Office365, CloudFlare, etc, while still blocking other countries is a problem.  It was the main reason we looked at other platforms before renewing our Meraki subscription.  The pain of troubleshooting blocked countries (singapore, netherlands, australia) interfering with Office 365 and Microsoft services is less headaches than the configuration of a competitor's product.  

Get notified when there are additional replies to this discussion.