
Any feature difference between MR and MX's layer 7 firewall?

New here


We need to block the traffic by layer 7 FW, however I found both MR and MX support it. Is there any feature difference between the two products? If they share the same feature set on layer 7 FW, can I just use a traditional router + MR AP?

Kind of a big deal

Re: Any feature difference between MR and MX's layer 7 firewall?

See the following link:

 

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Layer_3_and_7_Firewall_Processing_O...

 

Traffic Blocked by Layer 7 Rule

The MR access point and MX security appliance differ slightly in their processing of L7 firewall rules after the L3 firewall. On the MR, if traffic matches an allow rule on the L3 firewall, that traffic will bypass the L7 firewall altogether. On the MX, if traffic matches an allow rule on the L3 firewall, it can still be blocked by an L7 firewall rule.

 

On the MX, HTTP traffic (TCP port 80) to Facebook.com will be blocked by the L7 firewall, because rule 1 under layer 7 explicitly blocks it, even though the traffic was allowed through the layer 3 firewall.

Layer 3 Rules

  1. Matched - Traffic allowed through L3 firewall
  2. Not processed
  3. Not processed

Layer 7 Rules

  1. Matched - Traffic blocked

 

On the MR, HTTP traffic (TCP port 80) to Facebook.com will be allowed through the firewall, because rule 1 under layer 3 explicitly allows it.

Layer 3 Rules

  1. Matched - Traffic allowed through L3 firewall
  2. Not processed
  3. Not processed

Layer 7 Rules

  1. Not processed because traffic was already allowed

 

 


Nolan Herring | nolanwifi.com
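
The processing order quoted in the reply above, modelled as an added example (not Meraki code and not part of the original post): it evaluates one rule set the MR way and the MX way and lists the flows where an L7 block only takes effect on the MX. All names, the rule fields and the sample flows are constructed; it assumes an MR flow that matches no explicit L3 rule still reaches the L7 rules.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    proto: str
    dst_port: int
    app: str  # label an L7 classifier would assign (constructed)

@dataclass(frozen=True)
class L3Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any port

    def matches(self, f: Flow) -> bool:
        return self.proto in ("any", f.proto) and self.dst_port in (None, f.dst_port)

def verdict(device, l3_rules, l7_blocked_apps, flow):
    """Return 'allow' or 'block' for one flow on an 'MR' or an 'MX'."""
    if device not in ("MR", "MX"):
        raise ValueError(device)
    # Layer 3: top down, first matching rule wins.
    hit = next((r for r in l3_rules if r.matches(flow)), None)
    if hit and hit.action == "deny":
        return "block"
    # MR only: an explicit L3 allow bypasses the L7 rules altogether.
    if hit and device == "MR":
        return "allow"
    # MX always reaches L7. Assumption: so does an MR flow that matched no
    # explicit L3 rule (the thread leaves the implicit-allow case open).
    if flow.app in l7_blocked_apps:
        return "block"
    return "allow"  # default allow-all

def divergent(l3_rules, l7_blocked_apps, flows):
    """Flows that an MX would block but an MR with the same rules lets through."""
    return [f for f in flows
            if verdict("MX", l3_rules, l7_blocked_apps, f) == "block"
            and verdict("MR", l3_rules, l7_blocked_apps, f) == "allow"]

# Constructed rule set shaped like the quoted example: L3 rule 1 allows TCP/80,
# the single L7 rule blocks Facebook.
L3 = [L3Rule("allow", "tcp", 80), L3Rule("deny", "tcp", 23), L3Rule("allow", "udp", 53)]
L7_BLOCKED = {"facebook"}
FLOWS = [Flow("tcp", 80, "facebook"), Flow("tcp", 443, "facebook"), Flow("tcp", 23, "telnet")]

if __name__ == "__main__":
    for f in divergent(L3, L7_BLOCKED, FLOWS):
        print("MR/MX mismatch:", f)
```

Any flow it reports is one where an L7 block rule copied from an MX policy would not be enforced by an MR using the same L3 allow rules.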
New here

Re: Any feature difference between MR and MX's layer 7 firewall?

Hey Nolan, thanks.

Is there any feature that MX supports but MR doesn't? 

Kind of a big deal

Re: Any feature difference between MR and MX's layer 7 firewall?

When comparing directly just L7, not really. MX though has many more other features like content filtering, IPS etc etc.
Nolan Herring | nolanwifi.com
Kind of a big deal ww
Kind of a big deal

Re: Any feature difference between MR and MX's layer 7 firewall?

You can block countries with the L7 firewall in the MX when you have the security license.

Meraki Employee

Re: Any feature difference between MR and MX's layer 7 firewall?

In terms of policy application, there should be no difference between an MX and an MR, however as mentioned by @ww, you will get to restrict the traffic going to/coming from certain countries when you have adv sec license. 

 

I would still prefer to have an MX to do all the cool stuff like content filtering, AMP/IDS to keep you more secure which a router can't do but if you are only looking for layer 7 policy application, then yes, you will do just fine with an MR and a router.

 

Cheers!

 

Raj

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
Building a reputation

Re: Any feature difference between MR and MX's layer 7 firewall?

Follow up question:

If the traffic on the MR is allowed through the allow any rule, does it still fail to process the L7 rules?

Or does it have to be an explicit match on a custom rule?


I couldn't imagine the L7 rules ever getting hit like that if even the implicit would allow all traffic.

Meraki Employee

Re: Any feature difference between MR and MX's layer 7 firewall?

Hi,

 

Firewall rules on MR Series Access Points and MX Series Security Appliances are processed in a top down fashion, with Layer 3 rules being processed, followed by Layer 7 rules. Unless traffic is explicitly blocked by at least one rule, it will be allowed through by a default allow all rule. 

 

Please find the below-mentioned document. This explains how the rules will be processed on MXs and MRs respectively.

 

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Layer_3_and_7_Firewall_Processing_O...

 

Cheers!

 

Raj
