
Where can I find if a site is being blocked by Layer 7 country blocking?

SOLVED
New here

I have enabled Layer 7 blocking of all traffic that is NOT from/to United States, United Kingdom, Canada, Mexico because we do no business outside these countries.  However, I've found that users on local internet cannot access Netflix occasionally on our Guest WiFi. 

 

Is there any logging to see if site access is being denied by this layer 7 rule?

1 ACCEPTED SOLUTION

Accepted Solutions
Kind of a big deal

Re: Where can I find if a site is being blocked by Layer 7 country blocking?

It is definitely not logged.  I've worked with support on this and it drives me crazy that it doesn't get logged somewhere.  Makes troubleshooting a lot more difficult.  Equally silly is that you can't whitelist an IP to avoid it from being blocked by the Layer 7 country firewall.  So if you have a website that you need to get to that is in a country you have blocked, you have to unblock that whole country.

Note:  I know country blocking is not an ironclad security practice.  Layered defense, my friends.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
9 REPLIES 9
Building a reputation

Re: Where can I find if a site is being blocked by Layer 7 country blocking?

I don't think there's any logging but you could do a packet capture to see what's happening as well.

New here

Re: Where can I find if a site is being blocked by Layer 7 country blocking?

Thanks.  I turned off the rule then looked at traffic analysis for Netflix application and found that it reaches out to Ireland for some cases.  I allowed Ireland in the country list and that fixed it this time.  I was just hoping there was an event viewer that I was missing that showed the layer 7 blocking.  That would be a nice filter to see.
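
An added example, not part of the thread or of any Meraki tooling: since the rule leaves no log entry, the packet-capture and traffic-analysis approaches mentioned above can be combined by listing TCP SYNs that never received a SYN-ACK and checking each destination's country against the allow list. It assumes a blocked connection shows up as an unanswered SYN in a client-side capture; the GeoIP table, the capture text and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Allowed countries from the original post (ISO codes): US, UK, Canada, Mexico.
ALLOWED = {"US", "GB", "CA", "MX"}

# Constructed GeoIP table over documentation ranges; use a real GeoIP database in practice.
GEO = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "IE",
    ipaddress.ip_network("192.0.2.0/24"): "BR",
}

# Constructed tcpdump-style text capture taken on the client side of the appliance.
CAPTURE = """\
12:00:01.000001 IP 10.0.0.5.51000 > 198.51.100.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.020001 IP 198.51.100.10.443 > 10.0.0.5.51000: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:02.000001 IP 10.0.0.5.51001 > 203.0.113.7.443: Flags [S], seq 1, win 64240, length 0
12:00:03.000001 IP 10.0.0.5.51001 > 203.0.113.7.443: Flags [S], seq 1, win 64240, length 0
12:00:05.000001 IP 10.0.0.5.51001 > 203.0.113.7.443: Flags [S], seq 1, win 64240, length 0
12:00:06.000001 IP 10.0.0.5.51002 > 192.0.2.20.80: Flags [S], seq 1, win 64240, length 0
"""

LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO.items() if addr in net), "??")

def suspected_geo_blocks(capture, allowed=ALLOWED):
    """List (dst_ip, country, syn_count) for unanswered SYNs to non-allowed countries."""
    syns, answered = Counter(), set()
    for m in LINE.finditer(capture):
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":
            syns[(src, sport, dst, dport)] += 1
        elif flags == "S.":
            answered.add((dst, dport, src, sport))  # reverse direction of the SYN
    per_dst = Counter()
    for flow, n in syns.items():
        if flow not in answered:
            per_dst[flow[2]] += n
    return sorted((ip, country_of(ip), n) for ip, n in per_dst.items()
                  if country_of(ip) not in allowed)

if __name__ == "__main__":
    print(suspected_geo_blocks(CAPTURE))
```

Destinations that resolve to "??" are reported too, so gaps in the GeoIP data are visible rather than silently treated as allowed.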

Building a reputation

Re: Where can I find if a site is being blocked by Layer 7 country blocking?

I hear the tax situation in Ireland is beneficial 😉

 

Glad you got it sorted out!

Kind of a big deal

Re: Where can I find if a site is being blocked by Layer 7 country blocking?

It might be visible under:

Security Appliance/Security Centre/Events

 

Screenshot from 2018-03-30 08-47-22.png

Building a reputation

Re: Where can I find if a site is being blocked by Layer 7 country blocking?


@PhilipDAth wrote:

It might be visible under:

Security Appliance/Security Centre/Events

 

Screenshot from 2018-03-30 08-47-22.png


No dice unfortunately. I navigated to the government of Brazil website about 2 hours ago as we block Brazil and I just checked the events and the most recent one is from March 25th. I guess that's a good thing, haha.

Building a reputation

Re: Where can I find if a site is being blocked by Layer 7 country blocking?

And this is another wish. It would be nice if the end user got some kind of splash screen if they tried going to a website hosted in a country that's blocked. Instead they think there's a problem with "the internet".

Kind of a big deal

Re: Where can I find if a site is being blocked by Layer 7 country blocking?


@mmmmmmark wrote:

And this is another wish. It would be nice if the end user got some kind of splash screen if they tried going to a website hosted in a country that's blocked. Instead they think there's a problem with "the internet".


Agreed. Right now they get no message and, worse yet, it doesn't even get logged in the event log for us to identify.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
Conversationalist

Re: Where can I find if a site is being blocked by Layer 7 country blocking?

Yeah, I lost so much time in the past trying to track down websites that wouldn't load for clients due to country blocking that I've all but disabled it across all my clients.  It's just not worth the trouble presently.

It needs an end-user splash page, event logging, and a way to bypass single domains/IPs vs. having to open the entire country.
