Where can I find if a site is being blocked by Layer 7 country blocking?

Solved
Will1
New here

Where can I find if a site is being blocked by Layer 7 country blocking?

I have enabled Layer 7 blocking of all traffic that is NOT from/to United States, United Kingdom, Canada, Mexico because we do no business outside these countries.  However, I've found that users on local internet cannot access Netflix occasionally on our Guest WiFi. 

 

Is there any logging to see if site access is being denied by this layer 7 rule?

1 Accepted Solution
Adam
Kind of a big deal

It is definitely not logged.  I've worked with support on this and it drives me crazy that it doesn't get logged somewhere.  Makes troubleshooting a lot more difficult.  Equally silly is that you can't whitelist an IP to avoid it from being blocked by the Layer 7 country firewall.  So if you have a website that you need to get to that is in a country you have blocked, you have to unblock that whole country.

 

Note:  I know country blocking is not an ironclad security practice.  Layered defense, my friends.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.


9 Replies
mmmmmmark
Building a reputation

I don't think there's any logging but you could do a packet capture to see what's happening as well.

Will1
New here

Thanks.  I turned off the rule then looked at traffic analysis for the Netflix application and found that it reaches out to Ireland in some cases.  I allowed Ireland in the country list and that fixed it this time.  I was just hoping there was an event viewer that I was missing that showed the layer 7 blocking.  That would be a nice filter to see.
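
Since the country rule itself produces no log, the workaround described above (capture or traffic-analysis data with the rule off, then geolocate the destinations) can be scripted so the "would have been blocked" list is produced automatically. The following is an added example, not code from the thread or from Meraki: it takes flow records and a prefix-to-country table and reports every flow whose destination falls outside the allow-list. The flow records, the prefixes and their country assignments are all constructed for the example; in real use the table would be replaced by a proper GeoIP database, and the flows by an exported capture.

```python
import ipaddress
from collections import Counter

# Allow-list from the thread: traffic is permitted only to/from these countries.
ALLOWED_COUNTRIES = {"US", "GB", "CA", "MX"}

# Constructed prefix-to-country table standing in for a real GeoIP database.
# Prefixes and country assignments are made up for this example (documentation
# ranges) and must not be treated as real geolocation data.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "IE"),
    (ipaddress.ip_network("192.0.2.0/24"), "BR"),
]

# Constructed flow records in the spirit of what a packet capture or the
# traffic-analysis view would show: (timestamp, client, destination, application).
SAMPLE_FLOWS = [
    ("2018-03-30T08:40:01", "10.10.5.23", "203.0.113.10", "Netflix"),
    ("2018-03-30T08:40:02", "10.10.5.23", "198.51.100.77", "Netflix"),
    ("2018-03-30T08:41:15", "10.10.5.40", "192.0.2.55", "Web browsing"),
    ("2018-03-30T08:41:20", "10.10.5.40", "203.0.113.200", "Web browsing"),
]


def lookup_country(ip_str, table=GEO_TABLE):
    """Return the ISO country code for an IP, or None if no prefix matches.

    Longest-prefix match keeps the answer correct if the table ever contains
    overlapping networks (common in real GeoIP data)."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for net, country in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, country)
    return best[1] if best else None


def find_blocked_flows(flows, allowed=ALLOWED_COUNTRIES, table=GEO_TABLE):
    """Return the flows whose destination geolocates outside the allow-list.

    Destinations with no match are reported as UNKNOWN rather than dropped
    from the report, so they can be checked by hand instead of being missed."""
    blocked = []
    for ts, src, dst, app in flows:
        country = lookup_country(dst, table)
        if country not in allowed:
            blocked.append({"time": ts, "client": src, "dest": dst,
                            "country": country or "UNKNOWN", "app": app})
    return blocked


def summarize_by_app(blocked):
    """Count (application, country) pairs among the blocked flows, which is the
    view that reveals cases like Netflix reaching out to Ireland."""
    return Counter((b["app"], b["country"]) for b in blocked)


if __name__ == "__main__":
    hits = find_blocked_flows(SAMPLE_FLOWS)
    for h in hits:
        print(f'{h["time"]} {h["client"]} -> {h["dest"]} [{h["country"]}] {h["app"]}')
    for (app, country), n in summarize_by_app(hits).items():
        print(f"{app}: {n} flow(s) to {country}")
```

Running it against the constructed flows lists the Netflix flow to the IE prefix and the browsing flow to the BR prefix; the per-application summary is the part worth keeping as an ad-hoc "what did the country rule cost me" report until the platform logs it natively.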

mmmmmmark
Building a reputation

I hear the tax situation in Ireland is beneficial 😉

 

Glad you got it sorted out!

PhilipDAth
Kind of a big deal

It might be visible under:

Security Appliance/Security Centre/Events

 


mmmmmmark
Building a reputation


@PhilipDAth wrote:

It might be visible under:

Security Appliance/Security Centre/Events

 



No dice unfortunately. I navigated to the government of Brazil website about 2 hours ago as we block Brazil and I just checked the events and the most recent one is from March 25th. I guess that's a good thing, haha.

mmmmmmark
Building a reputation

And this is another wish. It would be nice if the end user got some kind of splash screen if they tried going to a website hosted in a country that's blocked. Instead they think there's a problem with "the internet".

Adam
Kind of a big deal


@mmmmmmark wrote:

And this is another wish. It would be nice if the end user got some kind of splash screen if they tried going to a website hosted in a country that's blocked. Instead they think there's a problem with "the internet".


Agreed.  Right now they get no message and, worse yet, it doesn't even get logged in the event log for us to identify.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
ProTech
Conversationalist

Yea, I lost so much time in the past trying to track down websites that wouldn't load for clients due to country blocking that I've all but disabled it across all my clients.  It's just not worth the trouble presently.

 

It needs an end-user splash page, event logging, and a way to bypass single domains/IPs vs. having to open the entire country.
