Security Appliance Layer 7 Firewall Rules

Adam
Kind of a big deal

We are using the Security Appliance Layer 7 Firewall Rules to deny traffic to certain countries (i.e. China, Russia, etc.). If there is a website that we need to access that is being hosted in one of those countries, is there a way to whitelist that IP, or do I have to remove the entire country from the firewall rule?

PS I know that country blocking is far from an ironclad security practice. But part of our layered defense is enabling stupid stuff like this to create as many barriers as possible.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
KB
Here to help

You can try using Geo-IP based traffic blocking.

MilesMeraki
Head in the Cloud

Are you using Advanced Security on the MX? Just configure a whitelist rule for the URL for the website - https://documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/URL_Blocking_and_White...

If not, you can configure a Layer 3 Firewall rule to allow HTTP/HTTPS traffic to the web page on the MX, which will have precedence over the Layer 7 blocking rule.

Refer to this article which outlines the Layer 3 and 7 Firewall processing order on MX and MR devices - https://documentation.meraki.com/MX-Z/Firewall_and_Traffic_Shaping/Layer_3_and_7_Firewall_Processing...

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Adam
Kind of a big deal

Content filter whitelist won't work since it is getting blocked by the Layer 7 firewall and not the content filtering.

I'm not sure the Layer 3 allow would work either, but I'll test it and report back. Yes, we have the Advanced Security license. Here is what the documentation says:

On the MX, HTTP traffic (TCP port 80) to Facebook.com will be blocked by the L7 firewall, because rule 1 under layer 7 explicitly blocks it, even though the traffic was allowed through the layer 3 firewall.

Layer 3 Rules:
- Matched - Traffic allowed through L3 firewall
- Not processed
- Not processed

Layer 7 Rules:
- Matched - Traffic blocked

MilesMeraki
Head in the Cloud

In that example, as per the article, it's comparing having Layer 7 Firewall rules configured on your Meraki APs and a Layer 3 Firewall on the MX.

If you have Layer 7 and Layer 3 Firewall rules configured on an MX appliance, Layer 3 Firewall rules will take precedence.
Adam
Kind of a big deal

I'll definitely test this, but I'm pretty sure that it is referencing just the MX Layer 7 and Layer 3 rules.

[Screenshot attachment: Capture.PNG]

Based on the above, if I had a rule at L3 that allows the foreign IP, it would flow to the matching L7 rule, which would have a deny for that country and thereby be blocked.
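The processing order discussed in this post (L3 rules evaluated first, then L7 rules applied to whatever L3 allowed, with L7 country rules being deny-only) can be modelled in a few lines. The following is an added illustration written for this thread, not Meraki code; the geo-IP table, the addresses, the rule sets and the assumed L3 default of "allow" are all constructed for the example. It shows why an explicit L3 allow for a vendor host still ends in an L7 block, and what the only available workaround (removing the whole country) exposes.

```python
"""Model of the MX rule processing order described in this thread.

Constructed illustration, not Meraki code: the geo-IP table, addresses,
rule sets and the assumed L3 default are made up for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed geo-IP table: documentation prefixes mapped to made-up countries.
GEOIP = {
    "203.0.113.0/24": "CN",
    "198.51.100.0/24": "RU",
    "192.0.2.0/24": "US",
}


def country_of(ip: str) -> str:
    """Look up the (constructed) country code for an IP address."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEOIP.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "UNKNOWN"


@dataclass
class L3Rule:
    policy: str                            # "allow" or "deny"
    dst_cidr: str                          # destination network, e.g. "203.0.113.10/32"
    dst_ports: Optional[frozenset] = None  # None means any port


def l3_verdict(rules: list, dst_ip: str, dst_port: int) -> str:
    """First matching L3 rule wins; assumed default when nothing matches is allow."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if addr in ipaddress.ip_network(rule.dst_cidr) and (
            rule.dst_ports is None or dst_port in rule.dst_ports
        ):
            return rule.policy
    return "allow"


def l7_verdict(blocked_countries: set, dst_ip: str) -> str:
    """L7 country rules are deny-only: a match blocks, otherwise the traffic passes."""
    return "deny" if country_of(dst_ip) in blocked_countries else "allow"


def evaluate(l3_rules, blocked_countries, dst_ip, dst_port):
    """Return (verdict, deciding layer): L3 first, then L7 for L3-allowed traffic."""
    if l3_verdict(l3_rules, dst_ip, dst_port) == "deny":
        return ("deny", "L3")
    if l7_verdict(blocked_countries, dst_ip) == "deny":
        return ("deny", "L7")
    return ("allow", "L7")


# Scenario from the thread: a vendor site hosted in a blocked country (constructed values).
VENDOR_IP = "203.0.113.10"
OTHER_CN_IP = "203.0.113.77"   # same country, unrelated host
BLOCKED = {"CN", "RU"}
L3_RULES = [L3Rule("allow", "203.0.113.10/32", frozenset({80, 443}))]


def l3_allow_attempt():
    """An explicit L3 allow for the vendor host still ends in an L7 block."""
    return evaluate(L3_RULES, BLOCKED, VENDOR_IP, 443)


def remove_country_workaround():
    """The only fix available in the thread: drop the whole country from the L7 rule.

    Returns verdicts for the vendor host and for an unrelated host in the same
    country, showing the collateral exposure the workaround introduces.
    """
    relaxed = BLOCKED - {country_of(VENDOR_IP)}
    return (
        evaluate(L3_RULES, relaxed, VENDOR_IP, 443),
        evaluate(L3_RULES, relaxed, OTHER_CN_IP, 443),
    )


if __name__ == "__main__":
    print("L3 allow + L7 country deny:", l3_allow_attempt())
    print("country removed from L7:", remove_country_workaround())
```

Because the L7 stage has no allow action, no ordering of L3 rules can carve out an exception; the model makes the trade-off explicit: removing the country restores the vendor site but also opens every other host in that country, which is worth recording as an accepted risk when the workaround is applied.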

In the L7 FW rules, have you tried having an allow for a specific website in a specific country, and then following that with a geo-IP deny rule for that same country? I'd try this quickly, but I'm traveling and not in my home lab. I was thinking of creating an L7 FW rule allowing access to an HTTP host name of something like amazon.be, then creating a second L7 FW rule that denies all traffic to Belgium, and checking the results. Not sure that'll do it though; I'm thinking about the return traffic, and those L7 rules might be deny-only. Or perhaps configure URL whitelists on the Content Filtering page and see if that takes precedence over the geo-IP L7 rule for that country. Just thinking out loud, no access right now to test. Have you checked with Meraki Support to confirm the order of operations regarding white/black lists in conjunction with L3 and L7? Every time I've done geo-IP blocking it was for the entire country; I have not had a use case yet to allow specific websites inside that country.

Adam
Kind of a big deal

That would be the most elegant solution, but the Layer 7 firewall rules do not let you create any allow rules. They are all deny only by default. Seems like we have a strange limitation here where exceptions cannot be made to the Layer 7 rules. Kind of all or nothing. Also worth noting that any blocks that occur via Layer 7 firewall rules do not show up in the event logs.

[Screenshot attachment: Capture.PNG]
MilesMeraki
Head in the Cloud

Hey Adam, so by your reply I assume the Layer 3 allow rule did not work? - If not, I'd get a support case open with support to see if they are aware of a way to get around this.


Hey Adam, did you figure this out? I am having the same problem.
Adam
Kind of a big deal

Sadly I just had to remove two countries from my layer 7 rules since we had legitimate vendor websites we needed to access.  For now there is no whitelist option to selectively override this.  Hopefully Meraki will correct this in a future MX firmware release.  It seems like this issue has come up for members here on numerous occasions.  Maybe @MerakiDave or @RyanB can take a deeper dive into this.  

mmmmmmark
Building a reputation

It would be great to be able to block an entire country and yet allow a single host, domain or URL. I've made a wish before for this, and I'd make one again if I thought it would help.

It seems like a simple add-on feature for Meraki to put a Layer 7 option "Permit" in lieu of just "Deny". Can someone tell me if that is on the roadmap? How many have asked for that feature request?

NSGuru
Getting noticed

I second this motion. Is Meraki doing any dev work on getting a permit setup for Layer 7 rules?

Cloud Network Engineer | cloudIT
Certified Meraki Networking Associate

Kudo this if it helped! 🙂
holmesjrh
Just browsing

I have not found a way to do this myself. We also tried to ban all countries except the USA and then allow facebook.com (with destinations outside the USA), and could not find a way to override the L7 "block traffic not to/from USA" rule for the facebook.com rule.

Whitelisting Content Filtering URLs, L3 rules allowing facebook.com domains, and an AMP whitelist allowing their domains were all attempted.

We are forced to spend resources on creating VDIs to remote access through Citrix-type services located in the USA to access facebook.com, as those VDIs are not L7 Meraki secured, but the site needing additional protection is L7 firewall secured.

Meraki needs to create a method to explicitly allow traffic patterns before deny rules in the L7 firewall set.

sdombrosky
Conversationalist

+1 to this feature request.  Submitted a wish as well.
