Any feature difference between MR and MX's layer 7 firewall?

Tomi3
New here

We need to block the traffic by layer 7 FW, however I found both MR and MX support it. Is there any feature difference between the two products? If they share the same feature set on layer 7 FW, can I just use a traditional router + MR AP?

NolanHerring
Kind of a big deal

See the following link:

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Layer_3_and_7_Firewall_Processing_O...

Traffic Blocked by Layer 7 Rule

The MR access point and MX security appliance differ slightly in their processing of L7 firewall rules after the L3 firewall. On the MR, if traffic matches an allow rule on the L3 firewall, that traffic will bypass the L7 firewall altogether. On the MX, if traffic matches an allow rule on the L3 firewall, it can still be blocked by an L7 firewall rule.

On the MX, HTTP traffic (TCP port 80) to Facebook.com will be blocked by the L7 firewall, because rule 1 under layer 7 explicitly blocks it, even though the traffic was allowed through the layer 3 firewall.

Layer 3 Rules

  1. Matched - Traffic allowed through L3 firewall
  2. Not processed
  3. Not processed

Layer 7 Rules

  1. Matched - Traffic blocked

On the MR, HTTP traffic (TCP port 80) to Facebook.com will be allowed through the firewall, because rule 1 under layer 3 explicitly allows it.

Layer 3 Rules

  1. Matched - Traffic allowed through L3 firewall
  2. Not processed
  3. Not processed

Layer 7 Rules

  1. Not processed because traffic was already allowed

Nolan Herring | nolanwifi.com

Hey Nolan, thanks.

Is there any feature that MX supports but MR doesn't? 

NolanHerring
Kind of a big deal

When comparing directly just L7, not really. The MX, though, has many other features like content filtering, IPS, etc.
Nolan Herring | nolanwifi.com
ww
Kind of a big deal

You can block countries with the L7 firewall in the MX when you have the security license.

Raj66
Meraki Employee

In terms of policy application, there should be no difference between an MX and an MR; however, as mentioned by @ww, you will get to restrict the traffic going to/coming from certain countries when you have the adv sec license.

I would still prefer to have an MX to do all the cool stuff like content filtering and AMP/IDS to keep you more secure, which a router can't do, but if you are only looking for layer 7 policy application, then yes, you will do just fine with an MR and a router.

Cheers!

Raj

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
GIdenJoe
Kind of a big deal

Follow up question:

If the traffic on the MR is allowed through the allow any rule, does it still fail to process the L7 rules?

Or does it have to be an explicit match on a custom rule?


I couldn't imagine the L7 rules ever getting hit like that if even the implicit would allow all traffic.

Raj66
Meraki Employee

Hi,

Firewall rules on MR Series Access Points and MX Series Security Appliances are processed in a top-down fashion, with Layer 3 rules being processed first, followed by Layer 7 rules. Unless traffic is explicitly blocked by at least one rule, it will be allowed through by a default allow-all rule.

Please find the below-mentioned document. This explains how the rules will be processed on MXs and MRs respectively.

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Layer_3_and_7_Firewall_Processing_O...

Cheers!

Raj

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
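To make the MR/MX difference from Nolan's quoted document and Raj's top-down description concrete, here is a small rule-evaluation model. It is an added example, not Meraki code or a thread participant's code; the `Rule`, `Flow` and `evaluate` names are invented, and it assumes (the thread leaves this open) that on the MR only an explicit L3 allow match skips the L7 rules, while traffic that merely falls through to the default allow is still checked against L7 on both platforms.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    proto: str       # transport protocol, e.g. "tcp"
    dst_port: int    # destination port
    app: str         # application label the L7 classifier would assign, e.g. "facebook"

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny" (Meraki L7 rules are deny-only)
    match: Callable[[Flow], bool]  # predicate deciding whether the rule applies

def first_match(rules: List[Rule], flow: Flow) -> Optional[Tuple[int, Rule]]:
    """Top-down evaluation: first matching rule wins (1-based index for readable traces)."""
    for i, rule in enumerate(rules, start=1):
        if rule.match(flow):
            return i, rule
    return None

def evaluate(platform: str, l3_rules: List[Rule], l7_rules: List[Rule], flow: Flow):
    """Return (verdict, trace) for one flow on "MR" or "MX", following the thread's description."""
    trace = []
    hit = first_match(l3_rules, flow)
    if hit:
        idx, rule = hit
        trace.append(f"L3 rule {idx}: matched - {rule.action}")
        if rule.action == "deny":
            return "blocked", trace
        if platform == "MR":
            # MR: an explicit L3 allow bypasses the L7 firewall altogether.
            trace.append("L7: not processed because traffic was already allowed")
            return "allowed", trace
        # MX: an explicit L3 allow can still be blocked by an L7 rule.
    else:
        # Assumption: implicit default allow does not skip L7 on either platform.
        trace.append("L3: no explicit match (default allow)")
    hit7 = first_match(l7_rules, flow)
    if hit7:
        trace.append(f"L7 rule {hit7[0]}: matched - blocked")
        return "blocked", trace
    trace.append("L7: no match (default allow)")
    return "allowed", trace

# Constructed sample policy: L3 allows TCP/80 to anywhere, L7 denies the "facebook" app.
L3_RULES = [Rule("allow", lambda f: f.proto == "tcp" and f.dst_port == 80)]
L7_RULES = [Rule("deny", lambda f: f.app == "facebook")]
FACEBOOK_HTTP = Flow("tcp", 80, "facebook")

if __name__ == "__main__":
    for platform in ("MX", "MR"):
        verdict, trace = evaluate(platform, L3_RULES, L7_RULES, FACEBOOK_HTTP)
        print(platform, verdict, "|", "; ".join(trace))
```

With the same two rules, the MX reports "blocked" and the MR reports "allowed", which is exactly the split described in the quoted document.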

Hello @Raj66, I have seen different behavior on traffic treatment (L3-L7 firewalling, traffic shaping, etc.) when using a combined MX-MR network vs. separate MX and MR networks under the same organization. Is there any reason for that? It seems that having the networks separated is more effective in terms of applying the policies seamlessly across all users (wireless or wired).
