We have a website that uses cdnfonts.com for some content. cdnfonts.com is hosted in Spain. We block most countries in the Layer 7 network rules.
Is there any way to override this block for just this one website? I know we can use a Group Policy to allow Spain for just certain clients, but we would have to recreate all of the Layer 7 rules in that policy because you can't just add one rule to the existing.
The options are:
Use network firewall & shaping rules - This does not allow any changes. The option is greyed out.
Ignore network firewall & shaping rules
Custom network firewall & shaping rules - We would have to re-enter ALL of the Layer 7 rules and then allow all of Spain and apply just for select clients.
Am I missing anything that would allow just this one website?
We are using an MX84 firewall.
On the MX, if traffic matches an allow rule on the L3 firewall, it can still be blocked by an L7 firewall rule.
On the MX, HTTP traffic (TCP port 80) to Facebook.com will be blocked by the L7 firewall, because rule 1 under layer 7 explicitly blocks it, even though the traffic was allowed through the layer 3 firewall.
Layer 3 Rules
Layer 7 Rules
Thanks for the link.
So the short answer is no. We can't punch a small hole to allow one website from a blocked country; we have to open the door wide open. It would be nice if the MX worked like the MR devices, where a site that is whitelisted on Layer 3 bypasses Layer 7 rules.
We had this exact same issue. And no, we couldn't find a way around the country block.
What we did find is that MaxMind had the IP GEO Location wrong. The local IP block for our cdnfonts was also showing in Spain while all other GEO IP lookups were showing San Francisco.
I would double check the IPs you are resolving with other Geo Location services and if MaxMind seems to be incorrect, open a support ticket asking Meraki to contact MaxMind and get the issue resolved.
Ours took about 3 weeks, but now works properly.
In fact, this would not be an issue; it is the expected behavior, as you can see in the documentation.
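Added example (not part of the thread and not Meraki's code): a simplified Python model of the evaluation order described above, where traffic allowed at Layer 3 is still checked against Layer 7 deny rules, and where the country verdict depends on what the GeoIP database reports. The rule sets, field names and the "no match means allow" fallback are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    dst_host: str
    dst_port: int
    dst_country: str  # country the GeoIP database reports for the destination IP

# Constructed rule sets for illustration (not exported from a real MX).
L3_RULES = [  # evaluated top-down, first match wins
    {"action": "allow", "port": 80},
    {"action": "allow", "port": 443},
    {"action": "deny", "port": None},  # None = any port
]
L7_RULES = [  # deny rules only
    {"type": "host", "value": "facebook.com"},
    {"type": "country", "value": "ES"},
]

def l3_verdict(flow, rules=L3_RULES):
    for rule in rules:
        if rule["port"] in (None, flow.dst_port):
            return rule["action"]
    return "allow"  # model assumption when no rule matches

def l7_match(flow, rules=L7_RULES):
    for rule in rules:
        if rule["type"] == "host":
            host = flow.dst_host.lower()
            if host == rule["value"] or host.endswith("." + rule["value"]):
                return rule
        elif rule["type"] == "country" and flow.dst_country == rule["value"]:
            return rule
    return None

def evaluate(flow):
    """L3 is checked first; an L3 allow does not skip the L7 check."""
    if l3_verdict(flow) == "deny":
        return "blocked by L3"
    hit = l7_match(flow)
    if hit:
        return f"blocked by L7 ({hit['type']}={hit['value']})"
    return "allowed"

if __name__ == "__main__":
    for f in (Flow("facebook.com", 80, "US"),
              Flow("cdnfonts.com", 443, "ES"),   # as the GeoIP database reported it
              Flow("cdnfonts.com", 443, "US")):  # after the GeoIP entry was corrected
        print(f, "->", evaluate(f))
```

In this model no Layer 3 rule can rescue the cdnfonts.com flow; only a change to the Layer 7 rules or to the reported country changes the verdict.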