Why are layer 7 rules not logged in the event log?

Stealth_Network
Getting noticed


So I had a really tough issue to figure out, when a client was doing SQL queries from Branch to Hub. The issue was the first authentication failed, but then the DB would hold creds in it and it would work afterward. Had this at all branches to 2 SQL servers in the hub.

Meraki said nothing is being logged so it's not them, but if I whitelisted the client it worked. I created a custom policy to try to figure out where it was being blocked; when I just added in an any any rule (and using all the other MX defaults) it worked.

 

Then I took out the P2P rule and country blocks from the MX and it worked. I then added back the country blocks and it still worked. When I added back the P2P it failed. So now I had the problem. In speaking with support my questions were why isn't this block in the logs, and what ports/protocols are the P2P blocks using.

 

Answers - Layer 7 blocks are not logged and we don't know the ports/protocols P2P uses as we just get the feeds.

 

My other question is: when I created the Policy I only allowed the firewall features permit any any, so the layer 7 rules still should have kicked in and blocked P2P, but they didn't. So now I think there are some bugs going on here, but why not log any blocks?

jdsilva
Kind of a big deal

Hey @Stealth_Network ,

 

None of the firewall rules are logged to the Event log. It's really not practical to stream what could be literally millions of hits per minute like that. I know the L3 firewall rules logging is available via Syslog. Have you checked to see if the L7 rules are logged there as well?
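The check jdsilva suggests, as an added example that is not part of the thread or any Meraki tooling: pull the MX "flows" export from your syslog collector and look for deny records toward the SQL port. If the application fails for a host that has no L3 deny logged, the block is coming from a layer that does not log (the L7 / P2P case in this thread). The sample lines and the exact field layout below are constructed for this example; match the regex to what your collector actually receives.

```python
"""
Added example (not from the thread): scan syslog-style MX flow records for denied
flows toward SQL Server, so an L3 block can be told apart from a silent L7 block.
The line format is CONSTRUCTED for this example and only loosely follows the
"flows" event shape; adjust FLOW_RE to the real export before relying on it.
"""
import re
from collections import Counter

# Constructed sample syslog lines (not real device output).
SAMPLE_SYSLOG = """\
1700000001.100 MX-BRANCH flows allow src=10.10.5.20 dst=10.1.1.50 mac=00:11:22:33:44:55 protocol=tcp sport=51000 dport=1433 pattern: allow all
1700000002.200 MX-BRANCH flows deny src=10.10.5.20 dst=10.1.1.50 mac=00:11:22:33:44:55 protocol=tcp sport=51001 dport=1433 pattern: deny tcp dst 10.1.1.50 port 1433
1700000003.300 MX-BRANCH flows allow src=10.10.5.21 dst=10.1.1.51 mac=00:11:22:33:44:66 protocol=tcp sport=51002 dport=1433 pattern: allow all
1700000004.400 MX-BRANCH flows deny src=10.10.5.22 dst=203.0.113.9 mac=00:11:22:33:44:77 protocol=udp sport=6881 dport=6881 pattern: deny all
"""

# Assumed field layout: "<ts> <device> flows <allow|deny> src= dst= mac= protocol= sport= dport= pattern: <rule>"
FLOW_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<device>\S+)\s+flows\s+(?P<action>allow|deny)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+mac=(?P<mac>\S+)\s+"
    r"protocol=(?P<proto>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
    r"\s+pattern:\s*(?P<pattern>.*)$"
)


def parse_flows(text):
    """Yield one dict per parseable flow line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def denied_to_port(text, port):
    """All deny records whose destination port is `port` (1433 for SQL Server)."""
    return [f for f in parse_flows(text) if f["action"] == "deny" and f["dport"] == port]


def summarize_denies(text):
    """Count denied flows per (dst, dport) to spot a service that is blocked repeatedly."""
    return Counter((f["dst"], f["dport"]) for f in parse_flows(text) if f["action"] == "deny")


def hosts_missing_deny(text, port, failing_hosts):
    """Hosts that failed at the application but have no L3 deny toward `port`.

    A failure with no deny record means the L3 ruleset did not drop it, which
    points at an unlogged layer (L7 rules, content filtering, country blocks).
    """
    logged = {f["src"] for f in denied_to_port(text, port)}
    return sorted(set(failing_hosts) - logged)


if __name__ == "__main__":
    for f in denied_to_port(SAMPLE_SYSLOG, 1433):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} denied by rule: {f['pattern']}")
    print(summarize_denies(SAMPLE_SYSLOG))
    # Hosts reported as failing by the application team (constructed).
    print("no L3 deny logged for:", hosts_missing_deny(SAMPLE_SYSLOG, 1433, ["10.10.5.20", "10.10.5.21"]))
```

In the sample, 10.10.5.20 shows an explicit L3 deny to the SQL server, while 10.10.5.21 fails with nothing logged; that second case is the shape of the problem described in this thread, and it is the one worth raising with support because the syslog export cannot show it.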

Stealth_Network
Getting noticed

Good point, I will test, but I think if you block specific things like P2P you should be able to log them locally.

BlakeRichardson
Kind of a big deal

@Stealth_Network I am guessing you have never set a piece of network equipment's log to inform or debug. The log is literally filled with every single connection that's opened, reset, rejected as well as a ton of other information.

It's not really practical to log firewall traffic; yes, some vendors allow you to get quite granular, i.e. only log dropped traffic, but I have found it's not really worth the hassle of setting it up.

I understand where you are coming from and maybe having some form of customisable packet monitor would be useful. I know Sonicwall has a feature that allows you to monitor this sort of information.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Stealth_Network
Getting noticed

I work on ASA's and FTD's daily...

BlakeRichardson
Kind of a big deal

@Stealth_Network I apologise if my tone sounded harsh with my last comment; it wasn't meant to sound that way. What I was trying to simply say was trawling through log files isn't fun and a packet monitor would be a much nicer way of finding out what is being blocked.
Stealth_Network
Getting noticed

No problem, the packet capture did not give us any results. It was iteration after iteration to find that it was thinking Encrypted P2P was being used (Falsely).

 

The biggest challenge was Meraki claiming they are not blocking anything. I had to demonstrate they were. A log of the block would have helped.

ChrisC83
Meraki Employee

@Stealth_Network 

 

I think you may need to contact the support since they may have more visibility on which sessions are affected by the firewall rules on the Meraki device. 

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
Stealth_Network
Getting noticed

Thanks Chris, but it was support that notified me they aren't being logged - at all

Stealth_Network
Getting noticed

More of the same today....

 

Client said certain Sharepoint sites are not getting through. I know that MS uses Akamai as a CDN, so (due to the customer using extensive country blocks) I am guessing that the egress site changes every once in a while to a country on the block list. After further testing I found out the firewall rules don't take precedence over the country block list (Is there a chart showing the order of filtering/blocking?). We set up a Group profile and tested bypassing all the country and FW rules and we can get through.

 

Again nothing in the log files to indicate where (and what) is blocking it.

 

I know this is going to be more of an issue as vendors (Microsoft in this case) move to CDNs; it will render the country block useless (except for a few countries), so it would be nice to be able to turn on specific logging when required.

Just a heads up for those doing firewall lists, content lists and country blocks.
