VMX Block Countries

Netwow
Building a reputation

Have a customer that has several on prem MXs at multiple locations. They also have a VMX100 deployed in Azure. Layer 7 rules for countries is not available on the VMX but it is on the hardware MXs. 

 

Question: What would be the best practice for blocking a particular country from the VMX ?

 

 

PhilipDAth
Kind of a big deal

>Question: What would be the best practice for blocking a particular country from the VMX ?

 

The VMX is only used for terminating VPNs and nothing else.  People don't usually implement country blocking for VPNs.

 

I am not very confident that country blocking applies to MX on-premise either.

Kamome
Building a reputation

I have both vMX and on-premise MXs, and I can't find L7 rules for countries on either of them. Could you show that in more detail?
Nash
Kind of a big deal


@Kamome wrote:
I have both vMX and on-premise MXs, and I can't find L7 rules for countries on either of them. Could you show that in more detail?

For on-premises MX,

  1. Go to Security Appliance -> Firewall
  2. Scroll to L7 rules. 
  3. Click add rule
  4. Scroll to bottom of drop down box to find countries
  5. You can also update this using the MX l7 Firewall calls in the Dashboard API.

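Step 5 above mentions doing the same thing through the Dashboard API. The following is an added example, not code posted in this thread and not Meraki's own tooling. It assumes the v1 endpoint `PUT /networks/{networkId}/appliance/firewall/l7FirewallRules`, a rule of type `blockedCountries` whose value is a list of ISO 3166-1 alpha-2 codes (the GUI drop-down shows country names, the API takes codes), and a Bearer token in the `Authorization` header. The network ID, API key and the existing rules it merges into are constructed placeholders. The point it demonstrates is the one that bites people with this endpoint: a PUT replaces the entire L7 rule set, so the existing rules have to be fetched and carried over, and a second country rule should not be appended if one already exists.

```python
"""Add a country block to an MX network's L7 firewall rules (added example).

Assumptions (not taken from the thread): Meraki Dashboard API v1 endpoint
PUT /networks/{networkId}/appliance/firewall/l7FirewallRules, rule type
"blockedCountries" with a list of ISO 3166-1 alpha-2 codes as its value, and
Bearer-token auth. Network ID, key and the sample rule set are placeholders.
"""
import json
import os
import re
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"
ISO_ALPHA2 = re.compile(r"^[A-Z]{2}$")  # the API wants codes ("RU"), not names


def normalise_codes(codes):
    """Upper-case, validate and de-duplicate country codes, preserving order."""
    result = []
    for code in codes:
        code = code.strip().upper()
        if not ISO_ALPHA2.match(code):
            raise ValueError(f"not an ISO 3166-1 alpha-2 code: {code!r}")
        if code not in result:
            result.append(code)
    return result


def merge_country_block(existing_rules, codes):
    """Return a new rule list that blocks `codes` while keeping every other rule.

    PUT replaces the whole L7 rule set, so everything already configured must be
    carried over. If a blockedCountries rule is already present its value is
    extended instead of a second, competing rule being appended.
    """
    codes = normalise_codes(codes)
    merged, found = [], False
    for rule in existing_rules:
        rule = dict(rule)  # never mutate the caller's objects
        if rule.get("type") == "blockedCountries":
            rule["value"] = normalise_codes(list(rule.get("value", [])) + codes)
            found = True
        merged.append(rule)
    if not found:
        merged.append({"policy": "deny", "type": "blockedCountries", "value": codes})
    return merged


def rules_url(network_id):
    return f"{BASE_URL}/networks/{network_id}/appliance/firewall/l7FirewallRules"


def build_put_request(network_id, api_key, rules):
    """Build (without sending) the PUT that replaces the network's L7 rule set."""
    headers = {
        "Authorization": f"Bearer {api_key}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    body = json.dumps({"rules": rules}).encode()
    return urllib.request.Request(rules_url(network_id), data=body,
                                  method="PUT", headers=headers)


def block_countries(network_id, api_key, codes):
    """Fetch the current rules, merge the country block in, push the result back."""
    get_req = urllib.request.Request(
        rules_url(network_id), headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(get_req) as resp:
        existing = json.load(resp)["rules"]
    new_rules = merge_country_block(existing, codes)
    with urllib.request.urlopen(build_put_request(network_id, api_key, new_rules)) as resp:
        return json.load(resp)["rules"]


# Constructed sample of what GET returns for a network that already has two rules.
SAMPLE_EXISTING_RULES = [
    {"policy": "deny", "type": "applicationCategory",
     "value": {"id": "meraki:layer7/category/2", "name": "Peer-to-peer (P2P)"}},
    {"policy": "deny", "type": "port", "value": "23"},
]

if __name__ == "__main__":
    # Offline run: show the merged rule set and the request that would be sent.
    rules = merge_country_block(SAMPLE_EXISTING_RULES, ["ru", "KP", "ru"])
    req = build_put_request("L_123456789012345678", "redacted", rules)
    print(req.get_method(), req.full_url)
    print(json.dumps(json.loads(req.data), indent=2))
    # Only talk to the Dashboard when credentials are supplied in the environment.
    if os.environ.get("MERAKI_API_KEY") and os.environ.get("MERAKI_NETWORK_ID"):
        print(block_countries(os.environ["MERAKI_NETWORK_ID"],
                              os.environ["MERAKI_API_KEY"], ["RU", "KP"]))
```

Run it with no environment variables set and it only prints the merged rule set and the PUT it would issue; set MERAKI_API_KEY and MERAKI_NETWORK_ID to apply it. Whatever tool you use, diff the rule set before and after the PUT: because the endpoint replaces the whole list, a script that pushes only the new country rule silently deletes every other L7 rule on that network. The licence point raised later in the thread applies to the API path as well.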

 

DarrenOC
Kind of a big deal

@Nash , thanks for that tip. Didn’t know we could do that 

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Nash
Kind of a big deal

As @Netwow states, you do have to have an adv security license. (But my company ONLY sells MX with adv security.)

 

I'm broadly speaking not a fan of country-based blocking, even though we do it at a few financial customers because it makes their auditors happy. I don't think it's effective in a day and age where anyone can buy a prepaid credit card and spin something up at a cloud provider.

 

I do think it's effective at accidentally breaking things, especially in the case of some of Microsoft's IP space. Or just preventing access to useful things and increasing the risk of shadow IT.

Netwow
Building a reputation

Go to SD-WAN > Firewall > Layer 7, scroll to the very bottom and you should see countries. I believe this requires an Advanced Security license.
