We are using the Security Appliance Layer 7 Firewall Rules to deny traffic to certain countries (i.e. China, Russia, etc.). If there is a website that we need to access that is being hosted in one of those countries, is there a way to whitelist that IP, or do I have to remove the entire country from the firewall rule?
PS: I know that country blocking is far from an ironclad security practice. But part of our layered defense is enabling stupid stuff like this to create as many barriers as possible.
You can try using Geo-IP based traffic blocking.
Are you using Advanced Security on the MX? Just configure a whitelist rule for the URL for the website - https://documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/URL_Blocking_and_White...
If not, you can configure a Layer 3 Firewall rule to allow HTTP/HTTPS traffic to the web page on the MX, which will have precedence over the Layer 7 blocking rule.
Refer to this article which outlines the Layer 3 and 7 Firewall processing order on MX and MR devices - https://documentation.meraki.com/MX-Z/Firewall_and_Traffic_Shaping/Layer_3_and_7_Firewall_Processing...
Content filter whitelist won't work, since it is getting blocked by the Layer 7 firewall and not the content filtering.
I'm not sure the Layer 3 allow would work either, but I'll test it and report back. Yes, we have the Advanced Security license. Here is what the documentation says.
On the MX, HTTP traffic (TCP port 80) to Facebook.com will be blocked by the L7 firewall, because rule 1 under layer 7 explicitly blocks it, even though the traffic was allowed through the layer 3 firewall.
Layer 3 Rules
Matched - Traffic allowed through L3 firewall
Not processed
Not processed
Layer 7 Rules
Matched - Traffic blocked
In that example, as per the article, it's comparing having Layer 7 Firewall rules configured on your Meraki APs and a Layer 3 Firewall on the MX.
If you have Layer 7 and Layer 3 Firewall rules configured on an MX appliance, Layer 3 Firewall rules will take precedence.
I'll definitely test this, but I'm pretty sure that it is referencing just the MX Layer 7 and Layer 3 rules.
Based on the above, if I had a rule at L3 that allows the foreign IP, it would flow to the matching L7 rule, which would have a deny for that country and thereby be blocked.
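An added example, not Meraki's code or documentation, that models the processing order discussed above as a small Python rule engine: Layer 3 rules are evaluated first (first match wins, implicit default allow), and only L3-allowed traffic is then checked against the deny-only Layer 7 rules. Flow, L3Rule, L7Rule and evaluate are names I made up, and the destination country is a constructed field rather than a real geo-IP lookup.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    dst_country: str        # geo-IP result; constructed here, not a real lookup
    host: str = ""          # HTTP Host / SNI, if known

@dataclass
class L3Rule:
    action: str            # "allow" or "deny"; first match wins, default allow
    dst_cidr: str = "any"
    dst_port: Optional[int] = None

@dataclass
class L7Rule:              # deny-only, as the thread describes MX L7 rules
    country: Optional[str] = None   # geo-IP country code
    host: Optional[str] = None      # hostname suffix

def l3_match(rule: L3Rule, flow: Flow) -> bool:
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    return rule.dst_cidr == "any" or \
        ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(rule.dst_cidr)

def l7_match(rule: L7Rule, flow: Flow) -> bool:
    if rule.country and rule.country != flow.dst_country:
        return False
    if rule.host and not flow.host.endswith(rule.host):
        return False
    return bool(rule.country or rule.host)

def evaluate(flow: Flow, l3_rules: list, l7_rules: list) -> tuple:
    """Return (verdict, stage): L3 runs first, only L3-allowed traffic reaches L7."""
    for rule in l3_rules:
        if l3_match(rule, flow):
            if rule.action == "deny":
                return ("blocked", "L3")
            break                      # explicit allow: still subject to L7
    for rule in l7_rules:              # no L3 match = implicit default allow
        if l7_match(rule, flow):
            return ("blocked", "L7")   # nothing at L7 can override a deny
    return ("allowed", "L7")
# Constructed scenario: an L3 allow for a vendor host inside a geo-blocked country.
VENDOR_IP = "203.0.113.10"             # documentation address standing in for the vendor
L3_RULES = [L3Rule("allow", VENDOR_IP + "/32", 443)]
L7_RULES = [L7Rule(country="RU"), L7Rule(country="CN")]
```

Running evaluate on a flow to VENDOR_IP with country "RU" returns ("blocked", "L7") despite the L3 allow, which is the behaviour the thread reports.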
In the L7 FW Rules, have you tried having an allow for a specific website in a specific country, and then following that with a geo-IP deny rule for that same country? I'd try this quickly, but I'm traveling and not in my home lab. I was thinking of creating an L7 FW rule allowing access to an HTTP host name of something like amazon.be, then creating a second L7 FW rule that denies all traffic to Belgium, and checking the results. Not sure that'll do it though; I'm thinking about the return traffic, and those L7 rules might be deny-only. Or perhaps configure URL whitelists on the Content Filtering page and see if that takes precedence over the geo-IP L7 rule for that country. Just thinking out loud, no access right now to test. Have you checked with Meraki Support to confirm the order of operations regarding white/black lists in conjunction with L3 and L7? Every time I've done geo-IP blocking it was for the entire country; I have not had a use case yet to allow specific websites inside that country.
That would be the most elegant solution, but the Layer 7 firewall rules do not let you create any allow rules. They are deny-only by default. Seems like we have a strange limitation here where exceptions cannot be made to the Layer 7 rules. Kind of all or nothing. Also worth noting that any blocks that occur via Layer 7 firewall rules do not show up in the event logs.
Hey Adam, so by your reply I assume the Layer 3 allow rule did not work? If not, I'd get a support case open with support to see if they are aware of a way to get around this.
Sadly I just had to remove two countries from my layer 7 rules since we had legitimate vendor websites we needed to access. For now there is no whitelist option to selectively override this. Hopefully Meraki will correct this in a future MX firmware release. It seems like this issue has come up for members here on numerous occasions. Maybe @MerakiDave or @RyanB can take a deeper dive into this.
It would be great to be able to block an entire country and yet allow a single host, domain or URL. I've made a wish before for this and I'd make one again if I thought it would help.
It seems like a simple add-on feature for Meraki to put a Layer 7 option "Permit" in lieu of just "Deny". Can someone tell me if that is on the roadmap? How many have asked for that feature request?
I second this motion. Is Meraki doing any dev work on getting a permit setup for Layer 7 rules?
I have not found a way to do this myself. We also tried to ban all countries except the USA, then allow facebook.com (with destinations outside of the USA), and could not find a way to override the L7 "block traffic not to/from USA" rule for the facebook.com rule.
Whitelisting Content Filtering URLs, L3 rules allowing facebook.com domains, and an AMP whitelist allowing their domains were all attempted.
We are forced to spend resources on creating VDIs to remote access through Citrix-type services located in the USA to access facebook.com, as those VDIs are not L7 Meraki secured, but the site needing additional protection is L7 firewall secured.
Meraki needs to create a method to explicitly allow traffic patterns before deny rules in the L7 firewall set.
+1 to this feature request. Submitted a wish as well.