Meraki

Community

Where can I find if a site is being blocked by Layer 7 country blocking?

Solved
Will1
New here
‎Mar 29 2018 11:29 AM
‎Mar 29 2018 11:29 AM

Where can I find if a site is being blocked by Layer 7 country blocking?

I have enabled Layer 7 blocking of all traffic that is NOT from/to United States, United Kingdom, Canada, Mexico because we do no business outside these countries.  However, I've found that users on local internet cannot access Netflix occasionally on our Guest WiFi. 

 

Is there any logging to see if site access is being denied by this layer 7 rule?

0 Kudos
1 Accepted Solution
In response to mmmmmmark
Adam
Kind of a big deal
‎Mar 30 2018 6:36 AM
‎Mar 30 2018 6:36 AM

It is definitely not logged.  I've worked with support on this and it drives me crazy that it doesn't get logged somewhere.  Makes troubleshooting a lot more difficult.  Equally silly is that you can't whitelist an IP to avoid it from being blocked by the Layer 7 country firewall.  So if you have a website that you need to get to that is in a country you have blocked.  You have to unblock that whole country.

 

Note:  I know country blocking is not an iron clad security practice.  Layered defense my friends. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.

View solution in original post

9 Replies 9
mmmmmmark
Building a reputation
‎Mar 29 2018 11:49 AM
‎Mar 29 2018 11:49 AM

I don't think there's any logging but you could do a packet capture to see what's happening as well.

0 Kudos
In response to mmmmmmark
Will1
New here
‎Mar 29 2018 11:57 AM
‎Mar 29 2018 11:57 AM

Thanks.  I turned off the rule then looked at traffic analysis for Netflix application and found that it reaches out to Ireland for some cases.  I allowed Ireland in the country list and that fixed it this time.  I was just hoping there was a event viewer that I was missing that showed the layer 7 blocking.  That would be a nice filter to see.

0 Kudos
In response to Will1
mmmmmmark
Building a reputation
‎Mar 29 2018 12:16 PM
‎Mar 29 2018 12:16 PM

I hear the tax situation in Ireland is beneficial 😉

 

Glad you got it sorted out!

0 Kudos
In response to mmmmmmark
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 29 2018 12:47 PM
‎Mar 29 2018 12:47 PM

It might be visible under:

Security Appliance/Security Centre/Events

 

Screenshot from 2018-03-30 08-47-22.png

0 Kudos
In response to PhilipDAth
mmmmmmark
Building a reputation
‎Mar 29 2018 12:54 PM
‎Mar 29 2018 12:54 PM

@PhilipDAthwrote:

It might be visible under:

Security Appliance/Security Centre/Events

 

Screenshot from 2018-03-30 08-47-22.png

No dice unfortunately. I navigated to the government of Brazil website about 2 hours ago as we block Brazil and I just checked the events and the most recent one is from March 25th. I guess that's a good thing, haha.

0 Kudos
In response to mmmmmmark
Adam
Kind of a big deal
‎Mar 30 2018 6:36 AM
‎Mar 30 2018 6:36 AM

It is definitely not logged.  I've worked with support on this and it drives me crazy that it doesn't get logged somewhere.  Makes troubleshooting a lot more difficult.  Equally silly is that you can't whitelist an IP to avoid it from being blocked by the Layer 7 country firewall.  So if you have a website that you need to get to that is in a country you have blocked.  You have to unblock that whole country.

 

Note:  I know country blocking is not an iron clad security practice.  Layered defense my friends. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
In response to Adam
mmmmmmark
Building a reputation
‎Jun 14 2018 11:49 AM
‎Jun 14 2018 11:49 AM

And this is another wish. It would be nice if the end user got some kind of splash screen if they tried going to a website hosted in a country that's blocked. Instead they think there's a problem with "the internet".

In response to mmmmmmark
Adam
Kind of a big deal
‎Jun 14 2018 6:21 PM
‎Jun 14 2018 6:21 PM

@mmmmmmark wrote:

And this is another wish. It would be nice if the end user got some kind of splash screen if they tried going to a website hosted in a country that's blocked. Instead they think there's a problem with "the internet".

Agreed right now they get no message and, worst yet, it doesn't even get logged in the event log for us to identify. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
In response to Adam
ProTech
Conversationalist
‎Jun 19 2018 6:04 AM
‎Jun 19 2018 6:04 AM

Yea, I lost so much time in the past trying to track down websites that wouldn't load for clients due to country blocking that I've all but disabled it across all my clients.  It's just not worth the trouble presently.

 

It needs a end-user splash page, event logging, and a way to bypass single domains/IP's vs. having to open the entire country. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.