Meraki

Community

Override Layer 7 Firewall Rule Blocking Country - URL exception

bmusselman1
Comes here often
‎Feb 15 2023 8:05 AM
‎Feb 15 2023 8:05 AM

Override Layer 7 Firewall Rule Blocking Country - URL exception

Hello, I would like to whitelist a specific URL in a country we have blocked in our layer 7 firewall rules. Is this possible or does anyone know of a workaround? Meraki support first told me to try a group policy but are now telling me after testing it is not possible.

 

Based on the traffic flow in group policy documentation this seems possible? https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal...

 

However, after creating a group policy and assigning it to the test machine, adding the URL to the allow list AND creating a layer 3 firewall rule in the group policy to allow the URL IP and FQDN, the website is still being blocked.

 

Thanks!

Labels:
0 Kudos
9 Replies 9
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 15 2023 8:10 AM
‎Feb 15 2023 8:10 AM

Group Policy Behavior

By default for MX L3 and L7 firewalls are processed independently, as illustrated above. Note that L3 and L7 rules in a group policy behave as one logical firewall just like an MR, again as illustrated above.  With L3 being processed before L7, meaning that any denied L7 applications (e.g. Netflix) would be allowed if the L3 portion of the rule contained an explicit allow for HTTP/HTTPS.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 15 2023 8:12 AM
‎Feb 15 2023 8:12 AM

In my opinion, there's no reason why it shouldn't work.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
ww
Kind of a big deal
Kind of a big deal
‎Feb 15 2023 8:33 AM
‎Feb 15 2023 8:33 AM

I think(guessing) the geo part is special because it also checks inbound. The L3 group policy  is stateless so the mx would not keep track of traffic was already allowed outbound https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#Geo-IP_Based_F...

0 Kudos
In response to ww
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 15 2023 8:55 AM
‎Feb 15 2023 8:55 AM

The strange thing is that nowhere in the documentation mentions any kind of limitation with group policy. So I'm not sure if that is the case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
bmusselman1
Comes here often
‎Feb 15 2023 8:15 AM
‎Feb 15 2023 8:15 AM

I would have to agree based on the documentation here but unfortunately that doesn't seem to be the case. Wondering if anyone found a workaround for a similar situation

0 Kudos
KenMTS
Comes here often
‎Oct 25 2023 1:42 PM
‎Oct 25 2023 1:42 PM

After reading this thread, sounds like you didn't get it to work. I kind of misread it, and got it to work. We have no layer 3 rules, just layer 7 to block multiple countries. I wanted access to one website in one of those countries. I created a Group Policy just for my computers IP, then created a duplicate layer 7 to block the same countries and verified I did not have access. Then I created a layer 3 Allow rule. I tried to use TCP and the FQDN, but it didn't work. Turns out I need to use the websites actual IP address, and it works fine. We are using an MX64, completely updated. Hope this helps if you never got it to work.

0 Kudos
Warren
Getting noticed
‎Nov 2 2023 5:54 AM
‎Nov 2 2023 5:54 AM

I'm glad you figured out a work around.  From what I had been told, there is no allow layer 7 rule in the underlying fw engine.  We have faced this challenge since adopting Meraki in 2016.  I tried to block everything outside of 2 countries, in the process I broke the internet - as most of the CDN's including cloudflare stopped working.  

0 Kudos
rdominguez
Meraki Employee
Meraki Employee
‎Nov 3 2023 8:54 AM
‎Nov 3 2023 8:54 AM

You are correct, @Warren. At this point in time, there is no "allow" functionality for Layer 7 rules. Due to the limitations of the Layer 7 rules, and their wide geographic scope, using them can be challenging if you're in the situation that @KenMTS was in.

If you only have a subset of devices that need access to these sites, setting up a group policy can help in that situation. You would only need to set up the "Firewall and traffic shaping" option to "Custom network firewall & shaping rules" and set up the same L7 firewall rule but withhold the country in question.

This option would leave the main firewall rules intact but still allow a limited number of PCs to reach those countries that are blocked by the main firewall L7 rules. If you need additional information on group policies, you can use this link to our documentation: 
https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

0 Kudos
In response to rdominguez
Warren
Getting noticed
‎Nov 3 2023 12:04 PM
‎Nov 3 2023 12:04 PM

I'm aware of that - but the lack of the ability to allow global services like Office365, CloudFlare, etc, while still blocking other countries is a problem.  It was the main reason we looked at other platforms before renewing our Meraki subscription.  The pain of troubleshooting blocked countries (singapore, netherlands, australia) interfering with Office 365 and Microsoft services is less headaches than the configuration of a competitor's product.  

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.