Layer 7 Firewall rule "Allow"

SEANK5
Here to help


We have roughly 1000 MR-33s in one network, with a Template assigned to it. In the Layer 7 firewall rules, we have set up a list of specific sites and applications we want to block; Miscellaneous Video is one of these.


Now we need to be able to allow Video for a specific site to get through, an external CBT. 


I'm looking for where to put a rule that would supersede the Layer 7 firewall rules and allow video for this one site through.

2 Replies
NolanHerring
Kind of a big deal

Hmm...not sure if this is possible. Unless my brain is still frozen from my recent trip to Minnesota, the L7 firewall rules operate in the top down approach, with the only option being 'Deny' by default. Group Policies would be the way to get around it but that seems counter to what you really want to do since this is global.

From here:

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

Layer 7 Firewall Rules
Best practice design for Layer 7 rules is to ensure that the category you have selected to block does not fall under the traffic flow for applications you may use. For example, if you choose to block the category for "File Sharing," and you block all options, you may cause a disruption in service for an application such as Microsoft OneDrive. It is best to try and configure Layer 7 rules as granular as possible, to avoid such scenarios.

Nolan Herring | nolanwifi.com
Nash
Kind of a big deal

I think @NolanHerring is right here. L7 is only deny, and I believe those are the rules that get hit first. If you're blocking video there, you're not going to be able to override that with an allow.


Can you test allowing misc video through on a subset of your APs using a cloned-but-tweaked template? Namely, block everything in the Video category _except_ misc video.
