Layer 7 Firewall rule "Allow"

SEANK5
Here to help

We have roughly 1000 MR-33's in one network, with a Template assigned to it. In the Layer 7 firewall rules, we have set up a list of specific sites and applications we want to block; Miscellaneous Video is one of these.

Now we need to be able to allow Video for a specific site to get through, an external CBT. 

I'm looking for where to put a rule that would supersede the Layer 7 firewall rules and allow video for this one site through.

3 Replies
NolanHerring
Kind of a big deal

Hmm... not sure if this is possible. Unless my brain is still frozen from my recent trip to Minnesota, the L7 firewall rules operate in a top-down approach, with the only option being 'Deny' by default. Group Policies would be the way to get around it, but that seems counter to what you really want to do since this is global.

From here:

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

Layer 7 Firewall Rules
Best practice design for Layer 7 rules is to ensure that the category you have selected to block does not fall under the traffic flow for applications you may use. For example, if you choose to block the category for "File Sharing," and you block all options, you may cause a disruption in service for an application such as Microsoft OneDrive. It is best to try and configure Layer 7 rules as granular as possible, to avoid such scenarios.

Nolan Herring | nolanwifi.com
Nash
Kind of a big deal

I think @NolanHerring is right here. L7 is only deny, and I believe that's the rules that get hit first. If you're blocking video there, you're not going to be able to override that with an allow.

Can you test allowing misc video through on a subset of your APs using a cloned-but-tweaked template? Namely, block everything in the Video category _except_ misc video.
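The behaviour the two replies above describe (L7 rules are deny-only, evaluated top down, and anything not matched by a deny rule passes) can be modelled offline before touching a template. The example below is added here and is not Meraki's code or code from anyone in this thread; it works entirely on constructed rule data, assumes as a working shape the `policy`/`type`/`value` rule dictionaries used by the Dashboard API v1 L7 firewall endpoints, and uses placeholder ids that are not real Meraki category or application ids. It implements Nash's suggestion: replace the category rule that covers the one application you need with per-application deny rules for every sibling, and then check what the resulting rule set does to sample flows.

```python
"""Offline model of Meraki-style L7 firewall rule evaluation (added example)."""
from copy import deepcopy

# Placeholder ids (constructed; real Meraki catalogue ids differ).
CAT_VIDEO = "meraki:layer7/category/PLACEHOLDER-video"
CAT_P2P = "meraki:layer7/category/PLACEHOLDER-p2p"
APP_MISC_VIDEO = "meraki:layer7/application/PLACEHOLDER-misc-video"
APP_VIDEO_A = "meraki:layer7/application/PLACEHOLDER-video-site-a"
APP_VIDEO_B = "meraki:layer7/application/PLACEHOLDER-video-site-b"

# Constructed stand-in for the application catalogue: category -> applications.
CATALOGUE = {
    CAT_VIDEO: {
        APP_MISC_VIDEO: "Miscellaneous video",
        APP_VIDEO_A: "Video site A",
        APP_VIDEO_B: "Video site B",
    },
}

# Constructed stand-in for a template's L7 rule list, in dashboard order.
TEMPLATE_L7_RULES = [
    {"policy": "deny", "type": "applicationCategory",
     "value": {"id": CAT_P2P, "name": "Peer-to-peer (P2P)"}},
    {"policy": "deny", "type": "applicationCategory",
     "value": {"id": CAT_VIDEO, "name": "Video"}},
    {"policy": "deny", "type": "host", "value": "blocked.example"},
]


def validate_rules(rules):
    """L7 rules are deny-only: reject any other policy before evaluating."""
    for i, rule in enumerate(rules):
        if rule["policy"] != "deny":
            raise ValueError(
                f"rule {i}: L7 firewall rules only support 'deny', got {rule['policy']!r}"
            )
    return True


def rule_matches(rule, flow):
    """A flow is a dict with app_id, category_id and host (constructed fields)."""
    kind, value = rule["type"], rule["value"]
    if kind == "application":
        return flow.get("app_id") == value["id"]
    if kind == "applicationCategory":
        return flow.get("category_id") == value["id"]
    if kind == "host":
        return flow.get("host") == value
    return False  # other rule types (port, ipRange) are out of scope here


def evaluate(rules, flow):
    """Top down, first matching deny wins; a flow matching no rule passes."""
    validate_rules(rules)
    for rule in rules:
        if rule_matches(rule, flow):
            return "deny"
    return "allow"


def carve_out_application(rules, catalogue, keep_app_id):
    """Return a copy of rules where the category rule covering keep_app_id is
    replaced by one per-application deny rule for each sibling application.
    Rule order is preserved and the input list is not mutated."""
    result = []
    for rule in rules:
        is_category = rule["type"] == "applicationCategory"
        if is_category and keep_app_id in catalogue.get(rule["value"]["id"], {}):
            for app_id, name in catalogue[rule["value"]["id"]].items():
                if app_id != keep_app_id:
                    result.append({"policy": "deny", "type": "application",
                                   "value": {"id": app_id, "name": name}})
        else:
            result.append(deepcopy(rule))
    return result


if __name__ == "__main__":
    misc = {"app_id": APP_MISC_VIDEO, "category_id": CAT_VIDEO, "host": "cbt.example"}
    print("template:", evaluate(TEMPLATE_L7_RULES, misc))
    carved = carve_out_application(TEMPLATE_L7_RULES, CATALOGUE, APP_MISC_VIDEO)
    print("carved:  ", evaluate(carved, misc))
```

Two caveats follow directly from the model. First, because there is no allow rule, the carved-out application passes for every client the rule set applies to, not just the one external site; narrowing it to particular clients is what a group policy (as NolanHerring mentions) would be for. Second, the per-application list has to be maintained by hand as the catalogue changes, which is the fragility the Meraki best-practice text quoted above is warning about.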

Ibanez1998
Just browsing

Layer 7 rules are Deny only because... I have no reason why, except to say lunacy. They apply top down, so I expect something like...
1 Accept P2P Skype
2 Deny P2P All

This would allow Layer 7 rules to allow Skype and block all other P2P traffic like file sharing networks, but for as much money as Meraki costs they apparently just like to have the benefit of touting that they HAVE Layer 7 features without actually making them useful whatsoever. Layer 7 isn't really available in this product as far as I can tell, because all you can do is block individually, so it's pretty much useless... unless you just want to block one thing; then, whatever floats your boat. For all the press Meraki gets about having amazing security, I don't see one iota of security in this thing. I feel like my network is wide open to attacks. I mean, yeah! There's a SPI firewall. Whoop-dee-doo.
