We need to block the traffic with a layer 7 FW. However, I found that both MR and MX support it. Is there any feature difference between the two products? If they share the same feature set for layer 7 FW, can I just use a traditional router + MR AP?
See the following link:
The MR access point and MX security appliance differ slightly in their processing of L7 firewall rules after the L3 firewall. On the MR, if traffic matches an allow rule on the L3 firewall, that traffic will bypass the L7 firewall altogether. On the MX, if traffic matches an allow rule on the L3 firewall, it can still be blocked by an L7 firewall rule.
On the MX, HTTP traffic (TCP port 80) to Facebook.com will be blocked by the L7 firewall, because rule 1 under layer 7 explicitly blocks it, even though the traffic was allowed through the layer 3 firewall.
(Layer 3 Rules and Layer 7 Rules tables shown in the original document)
On the MR, HTTP traffic (TCP port 80) to Facebook.com will be allowed through the firewall, because rule 1 under layer 3 explicitly allows it.
(Layer 3 Rules and Layer 7 Rules tables shown in the original document)
You can block countries with the L7 firewall on the MX when you have the security license.
In terms of policy application, there should be no difference between an MX and an MR. However, as mentioned by @ww, you will get to restrict the traffic going to/coming from certain countries when you have the adv sec license.
I would still prefer to have an MX to do all the cool stuff like content filtering and AMP/IDS to keep you more secure, which a router can't do, but if you are only looking for layer 7 policy application, then yes, you will do just fine with an MR and a router.
Follow up question:
If the traffic on the MR is allowed through the allow any rule, does it still fail to process the L7 rules?
Or does it have to be an explicit match on a custom rule?
I couldn't imagine the L7 rules ever getting hit like that if even the implicit would allow all traffic.
Firewall rules on MR Series Access Points and MX Series Security Appliances are processed in a top-down fashion, with Layer 3 rules being processed first, followed by Layer 7 rules. Unless traffic is explicitly blocked by at least one rule, it will be allowed through by a default allow all rule.
Please find the document below; it explains how the rules are processed on MXs and MRs respectively.
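To make the difference between the two evaluation orders concrete, here is an added Python model of the rule processing described in the documentation quote above and in the follow-up question. It is example code written for this thread, not Meraki's implementation or the Meraki API. The rule classes, the `evaluate` function, the `APP_SIGNATURES` table and the sample flows are all constructed for illustration. One modelling assumption is labelled in the code: on the MR, only an explicit L3 allow rule bypasses the L7 rules, while traffic that reaches the implicit default allow still passes through the L7 list; the thread's documentation quote does not state this outright.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class L3Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port
    dst_host: str            # hostname or "any"


@dataclass
class L7Rule:
    action: str       # L7 rules in this model are deny rules
    application: str  # application name, e.g. "facebook"


# Constructed stand-in for application signatures: hostname -> L7 application
APP_SIGNATURES: Dict[str, str] = {
    "facebook.com": "facebook",
    "www.facebook.com": "facebook",
}


def match_l3(rule: L3Rule, flow: Dict) -> bool:
    """Return True when an L3 rule matches the flow (proto, port, host)."""
    if rule.proto != "any" and rule.proto != flow["proto"]:
        return False
    if rule.dst_port is not None and rule.dst_port != flow["dst_port"]:
        return False
    if rule.dst_host != "any" and rule.dst_host != flow["dst_host"]:
        return False
    return True


def evaluate(flow: Dict, l3_rules: List[L3Rule], l7_rules: List[L7Rule],
             model: str) -> Tuple[str, str]:
    """Evaluate a flow top-down: L3 rules first, then L7 rules.

    model is "MR" or "MX". Returns (verdict, reason).
    """
    for i, rule in enumerate(l3_rules, 1):
        if not match_l3(rule, flow):
            continue
        if rule.action == "deny":
            return ("deny", f"L3 rule {i}")
        if model == "MR":
            # MR: an explicit L3 allow short-circuits the L7 firewall.
            return ("allow", f"L3 rule {i} (L7 bypassed)")
        # MX: explicit L3 allow, but L7 rules are still consulted.
        break
    # Assumption for this model: traffic that only hit the implicit default
    # allow (no explicit L3 match) still passes through the L7 list on both
    # platforms; the thread does not state this explicitly.
    app = APP_SIGNATURES.get(flow["dst_host"])
    for j, rule in enumerate(l7_rules, 1):
        if rule.action == "deny" and rule.application == app:
            return ("deny", f"L7 rule {j}")
    return ("allow", "default allow all")


def demo() -> Dict[str, Tuple[str, str]]:
    """Run the thread's scenario: L3 allows TCP/80, L7 blocks Facebook."""
    l3 = [L3Rule("allow", "tcp", 80, "any")]
    l7 = [L7Rule("deny", "facebook")]
    fb_http = {"proto": "tcp", "dst_port": 80, "dst_host": "facebook.com"}
    other_https = {"proto": "tcp", "dst_port": 443, "dst_host": "example.com"}
    return {
        "mx_fb_http": evaluate(fb_http, l3, l7, "MX"),
        "mr_fb_http": evaluate(fb_http, l3, l7, "MR"),
        "mr_fb_http_no_l3": evaluate(fb_http, [], l7, "MR"),
        "mx_other_https": evaluate(other_https, l3, l7, "MX"),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name}: {verdict} ({reason})")
```

The `mr_fb_http_no_l3` case is the follow-up question's scenario: with no explicit L3 allow, the model lets the L7 deny take effect on the MR, which is the only reading under which an MR L7 rule is ever hit. If a deployment shows otherwise, the assumption in the comment is the thing to check against the current documentation.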
Hello @Raj66, I have seen different behavior in traffic treatment (L3-L7 firewalling, traffic shaping, etc.) when using a combined MX-MR network vs. a separate MX network and MR network under the same organization. Is there any reason for that? It seems that having the networks separated is more effective in terms of applying the policies seamlessly across all users (wireless or wired).