Meraki

Community

Why are layer 7 rules not logged in the event log?

Stealth_Network
Getting noticed
‎Nov 19 2019 9:47 AM
‎Nov 19 2019 9:47 AM

Why are layer 7 rules not logged in the event log?

So had a really tough issue to figure out, when a client doing SQL queries from Branch to Hub. THe issue was the first authentication failed, but then the DB would hold creds in it and it would work afterward. Had this at all branches to 2 SQL servers in the hub.

 

Meraki said nothing is being logged so it's not them, but if I whilelisted the client it worked. I create a custom policy to try to figure out where is was being block, when I just added in an any any rule (and using all the other MX defaults) it worked.

 

Then I took out the P2P rule and country blocks from the MX and it worked. I then added back the country blocks and it still worked. When I added back the P2P it failed. So now I had the problem. In speaking with support my questions were why isn't this block in the logs, and what ports/protocols are the P2P blocks using.

 

Answers - Layer 7 blocks are not logged and we don't know the ports/protocols P2P uses as we just get the feeds.

 

My other questions is when I created the Policy I only allowed the firewall features permit any any so the layer 7 rules still should have kicked in and blocked P2P, but they didn't . So now I think there are some bugs going on here, but why not log any blocks?

9 Replies 9
jdsilva
Kind of a big deal
‎Nov 19 2019 9:57 AM
‎Nov 19 2019 9:57 AM

Hey @Stealth_Network ,

 

None of the firewall rules are logged to the Event log. It's relly not practical to stream what could be literally millions of hits per minute like that. I kow the L3 firewall rules logging is available via Syslog. Have you checked to see if the L7 rules are logged there as well?

http://blog.brokennetwork.ca | @jdsilva
0 Kudos
In response to jdsilva
Stealth_Network
Getting noticed
‎Nov 19 2019 9:59 AM
‎Nov 19 2019 9:59 AM

Good point, I will test, but I think if you block specific things like P2P you should be able to log them locally.

0 Kudos
In response to Stealth_Network
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Nov 19 2019 11:30 AM
‎Nov 19 2019 11:30 AM

@Stealth_Network  I'm am guessing you have never set a piece of network equipments log to inform or debug. The log is literally filled with every single connection thats opened, reset, rejected as well as a ton of other information.

 

Its not really practical to log firewall traffic, yes some vendors allow you to get quite granular i.e. only log dropped traffic but I have found its not really worth the hassle of setting it up.  

 

I understand where you are coming from and maybe having some form of customisable packet monitor wouldbe useful. I know Sonicwall has a feature that allows you to monitor this sort of information. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to BlakeRichardson
Stealth_Network
Getting noticed
‎Nov 19 2019 11:46 AM
‎Nov 19 2019 11:46 AM

I work on ASA's and FTD's daily...

0 Kudos
In response to Stealth_Network
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Nov 19 2019 11:50 AM
‎Nov 19 2019 11:50 AM

@Stealth_Network I apologise if my tone sounded harsh with my last commment it wasn;t meant to sound that way. What I was trying to simply say was trawling thorugh log files isn't fun and a packet monitor would be a much nicer way of finding out what is being blocked.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to BlakeRichardson
Stealth_Network
Getting noticed
‎Nov 19 2019 11:51 AM
‎Nov 19 2019 11:51 AM

No problem, the packet capture did not give us any results. It was iteration after iteration to find that it was thinking Encrypted P2P was being used (Falsely).

 

The biggest challenge was Meraki claiming they are not blocking anything. I had to demonstrate they were. A log of the block would have helped.

0 Kudos
In response to Stealth_Network
ChrisC83
Meraki Employee
Meraki Employee
‎Nov 21 2019 2:57 PM
‎Nov 21 2019 2:57 PM

@Stealth_Network 

 

I think you may need to contact the support since they may have more visibility on which sessions are affected by the firewall rules on the Meraki device. 

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
0 Kudos
In response to ChrisC83
Stealth_Network
Getting noticed
‎Nov 21 2019 2:59 PM
‎Nov 21 2019 2:59 PM

Thanks Chris, but it was support that notified me they aren't being logged - at all

0 Kudos
In response to Stealth_Network
Stealth_Network
Getting noticed
‎Mar 3 2020 10:43 AM
‎Mar 3 2020 10:43 AM

More of the same today....

 

Client said certain Sharepoint sites are not getting through. I know that MS uses Akamai as a CDN so (due to the customer using extensive country blocks), I am guessing that the egress site changes every once in while to a country on the block list. After further testing I found out the firewall rules don't take precedence over the country block list (Is there a chart showing the order of filtering/blocking?). We setup a Group profile and tested bypassing all the country and FW rules and we can get through.

 

Again nothing in the log files to indicate where (and what) is blocking it.

 

I know this is going to be more of an issue as vendors (Microsoft in this case) move to CDN's, it will render the country block useless (except for a few counties), so it would be nice to be able to turn on specific logging when required.

 

Just a heads up for those dong firewall list, content lists and country blocks.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.