Security Appliance Layer 7 Firewall Rules

Kind of a big deal

Security Appliance Layer 7 Firewall Rules

We are using the Security Appliance Layer 7 Firewall Rules to deny traffic to certain countries (i.e. China, Russia, etc.). If there is a website that we need to access that is being hosted in one of those countries, is there a way to whitelist that IP or do I have to remove the entire country from the firewall rule?


PS: I know that country blocking is far from an ironclad security practice. But part of our layered defense is enabling stupid stuff like this to create as many barriers as possible.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
12 REPLIES
KB
Here to help

Re: Security Appliance Layer 7 Firewall Rules

You can try using Geo-IP based traffic blocking.

Head in the Cloud

Re: Security Appliance Layer 7 Firewall Rules

Are you using Advanced Security on the MX? Just configure a whitelist rule for the URL for the website - https://documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/URL_Blocking_and_White...


If not, you can configure a Layer 3 Firewall rule to allow HTTP/HTTPS traffic to the Web page on the MX which will have precedence over the Layer 7 Blocking rule.


Refer to this article which outlines the Layer 3 and 7 Firewall processing order on MX and MR devices - https://documentation.meraki.com/MX-Z/Firewall_and_Traffic_Shaping/Layer_3_and_7_Firewall_Processing...

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Kind of a big deal

Re: Security Appliance Layer 7 Firewall Rules

Content filter whitelist won't work since it is getting blocked by the Layer 7 firewall and not the content filtering.  


I'm not sure the Layer 3 allow would work either but I'll test it and report back.  Yes we have Advanced Security license.  Here is what the documentation says. 


On the MX, HTTP traffic (TCP port 80) to Facebook.com will be blocked by the L7 firewall, because rule 1 under layer 7 explicitly blocks it, even though the traffic was allowed through the layer 3 firewall.

Layer 3 Rules
  Rule 1: Matched - Traffic allowed through L3 firewall
  Rule 2: Not processed
  Rule 3: Not processed

Layer 7 Rules
  Rule 1: Matched - Traffic blocked

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
Head in the Cloud

Re: Security Appliance Layer 7 Firewall Rules

In that example, as per the article, it's comparing having Layer 7 Firewall rules configured on your Meraki APs and a Layer 3 Firewall on the MX.


If you have Layer 7 and Layer 3 Firewall rules configured on an MX appliance, Layer 3 Firewall rules will take precedence.


Eliot F | Simplifying IT with Cloud Solutions
Kind of a big deal

Re: Security Appliance Layer 7 Firewall Rules

I'll definitely test this, but I'm pretty sure that it is referencing just the MX Layer 7 and Layer 3 rules.

[Screenshot: Capture.PNG]


Based on the above, if I had a rule at L3 that allows the foreign IP, it would flow to the matching L7 rule, which would have a deny for that country, and thereby be blocked.


Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
Meraki Employee

Re: Security Appliance Layer 7 Firewall Rules

In the L7 FW Rules, have you tried having an allow for a specific website in a specific country, and then follow that with a geo-ip deny rule for that same country?  I'd try this quickly but I'm traveling and not in my home lab.  I was thinking creating a L7 FW rule for allowing access to an http host name of something like amazon.be, and then create a 2nd L7 FW rule that denies all traffic to Belgium, and check the results.  Not sure that'll do it though, I'm thinking about the return traffic, and those L7 rules might be deny-only.  Or perhaps configure URL whitelists on the Content Filtering page and see if that takes precedence over the geo-ip L7 rule for that country.  Just thinking out loud, no access right now to test.  Have you checked with Meraki Support to confirm order of operations regarding white/black lists in conjunction with L3 and L7?  Every time I've done geo-ip blocking it was for the entire country, have not had a use case yet to allow specific web sites inside that country.

Kind of a big deal

Re: Security Appliance Layer 7 Firewall Rules

That would be the most elegant solution, but the Layer 7 firewall rules do not let you create any allow rules. They are all default only deny. Seems like we have a strange limitation here where exceptions cannot be made to the Layer 7 rules. Kind of all or nothing. Also worth noting that any blocks that occur via Layer 7 firewall rules do not show up in the event logs.

[Screenshot: Capture.PNG]

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
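The two points the thread has established so far (the documentation excerpt quoted above, where traffic an L3 rule allows is still handed to the L7 rules, and the observation that L7 rules are deny-only) can be made concrete with a small model of the evaluation order. The following is an added example written for this page; it is not Meraki code and not part of the original thread. It assumes outbound L3 rules are first-match with an implicit final allow, that L7 rules are evaluated only after L3 and can only deny, and it uses a constructed geo-IP table over RFC 5737 documentation prefixes in place of a real country database. Names such as `evaluate`, `L3Rule`, `L7Rule`, `VENDOR_IP` and `OTHER_CN_IP` are invented for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed geo-IP table for the example: prefix -> ISO 3166 country code.
# These are RFC 5737 documentation prefixes, not real country allocations.
GEOIP_TABLE = {
    ip_network("203.0.113.0/24"): "CN",
    ip_network("198.51.100.0/24"): "RU",
    ip_network("192.0.2.0/24"): "US",
}


def country_for(dst_ip: str) -> Optional[str]:
    """Return the country a destination IP is attributed to, or None."""
    addr = ip_address(dst_ip)
    for net, cc in GEOIP_TABLE.items():
        if addr in net:
            return cc
    return None


@dataclass
class L3Rule:
    """Outbound L3 rule: first match wins; the implicit final rule is allow (assumed)."""
    policy: str            # "allow" or "deny"
    dst_cidr: str = "any"  # destination network, or "any"
    dst_port: str = "any"  # TCP/UDP destination port as a string, or "any"

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        cidr_ok = self.dst_cidr == "any" or ip_address(dst_ip) in ip_network(self.dst_cidr)
        port_ok = self.dst_port == "any" or int(self.dst_port) == dst_port
        return cidr_ok and port_ok


@dataclass
class L7Rule:
    """L7 rule. There is deliberately no policy field: every L7 rule is a deny."""
    rule_type: str  # "blockedCountries" (list of codes) or "host" (hostname string)
    value: object

    def matches(self, dst_ip: str, host: Optional[str]) -> bool:
        if self.rule_type == "blockedCountries":
            return country_for(dst_ip) in self.value
        if self.rule_type == "host":
            return host is not None and host.lower() == str(self.value).lower()
        raise ValueError(f"unsupported L7 rule type: {self.rule_type}")


def evaluate(l3_rules: List[L3Rule], l7_rules: List[L7Rule],
             dst_ip: str, dst_port: int, host: Optional[str] = None) -> Tuple[str, str]:
    """Return (verdict, reason) for one outbound flow.

    Order modelled on the documentation excerpt quoted in the thread:
    L3 is evaluated first, and traffic L3 allows is still passed to L7.
    """
    for i, rule in enumerate(l3_rules, start=1):
        if rule.matches(dst_ip, dst_port):
            if rule.policy == "deny":
                return "blocked", f"L3 rule {i}"
            break  # explicit L3 allow: fall through to the L7 rules
    # No explicit L3 match means the implicit allow, which also falls through.

    for i, rule in enumerate(l7_rules, start=1):
        if rule.matches(dst_ip, host):
            return "blocked", f"L7 rule {i} ({rule.rule_type})"
    return "allowed", "default"


VENDOR_IP = "203.0.113.10"    # constructed: the one vendor site we need, attributed to CN
OTHER_CN_IP = "203.0.113.50"  # constructed: an unrelated host attributed to the same country

L3_WHITELIST_ATTEMPT = [L3Rule("allow", dst_cidr=f"{VENDOR_IP}/32", dst_port="443")]
L7_GEO_BLOCK = [L7Rule("blockedCountries", ["CN", "RU"])]


def l3_allow_does_not_override() -> Tuple[str, str]:
    """The fix tried in the thread: an L3 allow for the vendor IP in front of the L7 geo deny."""
    return evaluate(L3_WHITELIST_ATTEMPT, L7_GEO_BLOCK, VENDOR_IP, 443, host="vendor.example")


def remove_country_from_l7() -> List[Tuple[str, str]]:
    """The only option the thread found: drop the country from the L7 rule entirely."""
    l7_without_cn = [L7Rule("blockedCountries", ["RU"])]
    return [
        evaluate([], l7_without_cn, VENDOR_IP, 443),    # the vendor is now reachable ...
        evaluate([], l7_without_cn, OTHER_CN_IP, 443),  # ... and so is everything else in CN
    ]


if __name__ == "__main__":
    print("L3 allow + L7 country deny:", l3_allow_does_not_override())
    for verdict in remove_country_from_l7():
        print("country removed from L7:", verdict)
```

The first function shows why the L3 allow cannot act as a whitelist under this model: the L3 pass ends with an allow, but the flow is then handed to the L7 rules, where the country match denies it. The second shows the cost of the workaround the thread ends up with: removing the country re-opens every destination attributed to it, not just the vendor. Whether the real MX behaves exactly as modelled here should be confirmed against the Meraki processing-order documentation or with Meraki Support.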
Head in the Cloud

Re: Security Appliance Layer 7 Firewall Rules

Hey Adam, so by your reply I assume the Layer 3 allow rule did not work? If not, I'd open a support case to see if they are aware of a way to get around this.

Eliot F | Simplifying IT with Cloud Solutions
ZR
New here

Re: Security Appliance Layer 7 Firewall Rules

Hey Adam, did you figure this out? I am having the same problem.
Kind of a big deal

Re: Security Appliance Layer 7 Firewall Rules

Sadly, I just had to remove two countries from my Layer 7 rules since we had legitimate vendor websites we needed to access. For now there is no whitelist option to selectively override this. Hopefully Meraki will correct this in a future MX firmware release. It seems like this issue has come up for members here on numerous occasions. Maybe @MerakiDave or @RyanB can take a deeper dive into this.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
Building a reputation

Re: Security Appliance Layer 7 Firewall Rules

It would be great to be able to block an entire country and yet allow a single host, domain or URL. I've made a wish before for this and I'd make one again if I thought it would help.

New here

Re: Security Appliance Layer 7 Firewall Rules

It seems like a simple add-on feature for Meraki to put a Layer 7 option "Permit" in lieu of just "Deny". Can someone tell me if that is on the roadmap? How many have asked for that feature request?
