Meraki

Community

Website being blocked because of country. Can we override that?

Solved
BobHarrison
Here to help
‎Mar 6 2024 9:43 AM
‎Mar 6 2024 9:43 AM

Website being blocked because of country. Can we override that?

We have a website that uses cdnfonts.com for some content. cdnfonts.com is hosted in Spain. We block most countries in the Layer 7 network rules.

Is there anyway to override this block for just this one website? I know we can use a Group Policy to allow Spain for just certain clients, but we would have to recreate all of the Layer 7 rules in that policy because you can't just add one rule to the existing.

The options are:

Use network firewall & shaping rules - This does not allow any changes. The option is greyed out.

Ignore network firewall & shaping rules

Custom network firewall & shaping rules - We would have reeenter ALL of the Layer 7 rules and then allow all of Spain and apply just for selecet clients.

 

Am I missing anything that would allow just this one website?

 

We are using an MX84 firewall. 

 

BobHarrison_0-1709746761812.png

 

 

Labels:
0 Kudos
1 Accepted Solution
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 6 2024 9:48 AM
‎Mar 6 2024 9:48 AM

Even if it is released in the layer 3 rule, it may still be blocked in the layer 7 rule.
 
The only way I see is via Group Policy but you would need to override what is configured by default in the MX.
 

On the MX, if traffic matches an allow rule on the L3 firewall, it can still be blocked by an L7 firewall rule.

On the MX, HTTP traffic (TCP port 80) to Facebook.com will be blocked by the L7 firewall, because rule 1 under layer 7 explicitly blocks it, even though the traffic was allowed through the layer 3 firewall.

Layer 3 Rules

  1. Matched - Traffic allowed through L3 firewall
  2. Not processed
  3. Not processed

Layer 7 Rules

  1. Matched - Traffic blocked

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 6 2024 9:48 AM
‎Mar 6 2024 9:48 AM

Even if it is released in the layer 3 rule, it may still be blocked in the layer 7 rule.
 
The only way I see is via Group Policy but you would need to override what is configured by default in the MX.
 

On the MX, if traffic matches an allow rule on the L3 firewall, it can still be blocked by an L7 firewall rule.

On the MX, HTTP traffic (TCP port 80) to Facebook.com will be blocked by the L7 firewall, because rule 1 under layer 7 explicitly blocks it, even though the traffic was allowed through the layer 3 firewall.

Layer 3 Rules

  1. Matched - Traffic allowed through L3 firewall
  2. Not processed
  3. Not processed

Layer 7 Rules

  1. Matched - Traffic blocked

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
BobHarrison
Here to help
‎Mar 6 2024 10:02 AM
‎Mar 6 2024 10:02 AM

Thanks for the link.

So the short answer is no. We can't punch a small hole to allow one website from a blocked country, we have to open the door wide open. It would be nice if the MX worked like the MR devices that determine if a site is whitelisted on Layer 3 it bypasses Layer 7 rules.

0 Kudos
dlevasseur
Comes here often
‎Mar 6 2024 9:49 AM
‎Mar 6 2024 9:49 AM

We had this exact same issue.  And no, we couldn't find a way around the country block.

What we did find is that MaxMind had the IP GEO Location wrong.  The local IP block for our cdnfonts was also showing in Spain while all other GEO IP lookups were showing San Francisco.

I would double check the IPs you are resolving with other Geo Location services and if MaxMind seems to be incorrect, open a support ticket asking Meraki to contact MaxMind and get the issue resolved.

Ours took about 3 weeks, but now works properly.

0 Kudos
In response to dlevasseur
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 6 2024 9:56 AM
‎Mar 6 2024 9:56 AM

In fact, this would not be an issue, it is the expected behavior as you can see in the documentation.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.