Meraki Layer 7 Firewall is based on Best Effort

Solved
CCO
Here to help

Meraki Layer 7 Firewall is based on Best Effort

Hello Meraki Community,

I have been told that the Meraki Layer 7 Firewall solution available in the Meraki MR AP dashboard is based on best effort, as it is not able to block certain traffic even if it has been defined within the Layer 7 firewall rules Application list.
I'm surprised because despite the traffic having been recognized as a well-known defined application, it can't be blocked ...

It seems to be of very little use; have you had this kind of experience?

Regards,

 

1 Accepted Solution
CCO
Here to help

Hello All,

 

For those who have been interested in this case, here are finally the outcomes of my investigations and actions.

 

The firmware upgrade did not help to improve the behavior; I mean, I continued to observe Netflix traffic despite the Layer 7 firewall rule.

 

I captured some traffic logs and confirmed that the destination IP addresses were registered to Netflix infrastructure.

I applied Layer 3 firewall rules denying those destination IP addresses.

Finally, this was successful.

One month later, only a few kB are now reported against Netflix, while I had GB before.

 

Here is the full list of IPs summarized and denied:

[image: CCO_0-1579083069459.png]

 

Thanks again for having shared your experience and for the brainstorming.

Regards.

 

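The approach the accepted solution describes, worked through as an added example that is not from the thread or from Meraki: total the bytes per destination seen in a flow capture for flows the AP labelled Netflix, collapse the hosts into CIDR prefixes, and emit them as SSID Layer 3 deny rules. The flow records and addresses are constructed, and the rule field names are assumed from the Meraki Dashboard API.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the thread), one per line as
# "client_mac,dst_ip,app_label,bytes". RFC 5737 test addresses stand in for
# the real Netflix ranges, which the thread shows only as an image.
SAMPLE_FLOWS = """\
aa:bb:cc:00:00:01,198.51.100.10,Netflix,52428800
aa:bb:cc:00:00:01,198.51.100.11,Netflix,31457280
aa:bb:cc:00:00:02,198.51.100.12,Netflix,10485760
aa:bb:cc:00:00:02,203.0.113.7,Netflix,2097152
aa:bb:cc:00:00:03,192.0.2.25,YouTube,73400320
aa:bb:cc:00:00:01,198.51.100.10,Netflix,1048576
"""

def bytes_per_destination(flow_text, app):
    """Sum bytes per destination IP for flows the AP labelled as `app`."""
    totals = defaultdict(int)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        _mac, dst, label, nbytes = line.split(",")
        if label == app:
            totals[dst] += int(nbytes)
    return dict(totals)

def summarize_prefixes(totals, min_bytes):
    """Keep destinations that moved at least min_bytes (drops one-off noise
    flows), then collapse adjacent /32 hosts into the smallest CIDR set."""
    hosts = [ipaddress.ip_network(ip) for ip, n in totals.items() if n >= min_bytes]
    return [str(net) for net in ipaddress.collapse_addresses(hosts)]

def build_l3_deny_rules(prefixes, comment):
    """Emit an SSID L3 rule list. Field names (comment, policy, protocol,
    destPort, destCidr) are assumed from the Meraki Dashboard API's wireless
    SSID L3 firewall rules. Denies go first; the trailing allow keeps the
    rest of the guest traffic working."""
    rules = [{"comment": comment, "policy": "deny", "protocol": "any",
              "destPort": "Any", "destCidr": p} for p in prefixes]
    rules.append({"comment": "Default rule", "policy": "allow",
                  "protocol": "any", "destPort": "Any", "destCidr": "Any"})
    return rules

if __name__ == "__main__":
    totals = bytes_per_destination(SAMPLE_FLOWS, "Netflix")
    prefixes = summarize_prefixes(totals, min_bytes=4 * 1024 * 1024)
    for rule in build_l3_deny_rules(prefixes, "Netflix CDN (from capture)"):
        print(rule)
```

Review the per-destination totals before denying them: CDN addresses can be shared with other services, so an overbroad prefix will block more than Netflix.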

15 Replies
ww
Kind of a big deal

There is a limited app list and it is not always clear what traffic it hits, but you can specify IP, port etc. yourself.

 

Can you give an example?

CCO
Here to help

In fact, the traffic I want to block is defined in the list (Netflix). But although a rule is set (Deny), I continue to see Netflix traffic running over the SSID.

This is the point: I know that Netflix traffic can flow through a CDN, but in my case the traffic is detected, as it is flagged Netflix in the usage, but despite this it is not blocked! How is it possible? Because the Layer 7 Firewall is not working ... the response received is the subject of my message (Meraki Layer 7 Firewall is based on Best Effort)... the reason why I would be interested to see if someone has encountered this kind of behaviour.

 

NolanHerring
Kind of a big deal

Blocking Netflix works for me. Do you have any group-policies by chance that are overriding that rule?
You will still technically see 'some' data when users attempt to access, but videos won't play. If you are seeing like 100MB and over then most likely Netflix is actually playing the video. Also it might not kick in until a new flow is initiated (if you just enabled it).
Nolan Herring | nolanwifi.com
CCO
Here to help

Hi Nolan,

Thanks for your reply.

That's my problem ... The SSID is a guest one, so no group-policies are applied.

The rule has been set for several months.

I regularly receive the monthly report and "oh surprise!" some GB of data against Netflix are reported ...

Opened a case .. the answer is "Meraki Layer 7 Firewall is based on Best Effort"... 

Something I do not understand: if Meraki detects/reports the Netflix traffic and a rule is set to Deny, it should be blocked, no-brainer ... but it is not working.

 

MerakiGeoff
Meraki Employee

Hi there,

 

Since you mentioned this is for your guest SSID, are you using a click-through splash page with it? If so, there is an option on Wireless > Configure > Access control > Captive portal strength. It is either "Allow non-HTTP traffic prior to sign-on" or "Block all access until sign-on is complete". If you selected "Allow non-HTTP traffic prior to sign-on", clients will most likely not hit the splash page and thus not be subject to any of your firewall rules. Most of the Internet is HTTPS (aka "non-HTTP"), so guests will simply bypass the splash if that option is selected. The better and more secure option is to use "Block all access until sign-on is complete".

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
CCO
Here to help

Hello "Geoff",

Thanks for your highlight. In my case, I set the captive portal strength to "Block all access until sign-on is complete".

By the way, a colleague of mine tried in a LAB to check if Netflix can be blocked with a Layer 7 firewall rule set with "Deny Netflix" ... It does not work, he reaches Netflix and has some fun ...

I am now convinced that the security provided by Meraki APs is not at the level we should expect.

Regards,

MerakiGeoff
Meraki Employee

Hi,

 

Which model MR and what firmware are you running? I am not able to reproduce that with my MR26 on 26.6 with a sign-on splash, "Block all access until sign-on is complete", and a layer 7 rule to block Netflix. On my Android phone, I can open the app but not search anything. On my laptop, netflix.com never loads.

CCO
Here to help

Interesting...

I have MR33 Access Points, software is MR25.11.

Regards,

SLR
Building a reputation

I had this issue with Twitch but then I was able to find the below information and it worked properly. Maybe for you it would be the same process?

 

Twitch.TV | Twitch's main website | Online | 68 ms
API.Twitch.TV | Twitch's external endpoint for data retrieval | Online | 57 ms
TMI.Twitch.TV | Chat user lists (if this is down, mod status may also be broken)
CCO
Here to help

Hi SLR,

Thanks for your post. Do you mean you set dedicated Layer 7 firewall rules against those URLs?

 

SLR
Building a reputation

Correct. 🙂
CCO
Here to help

OK.

Based on the previous post of Geoff, I will try first to upgrade to the latest software version available for MR33 (25.14).

Then, if no improvement is observed, I will run a trace investigation session to capture the flow and then apply URL rules.

I will see the outcomes.

Thanks to both of you for sharing your experience.


randhall
Getting noticed

FWIW, I noted traffic shaping was broken in a similar way and support reported:

 

"It's possible that we're encountering a known-issue involving client bandwidth limits not being enforced correctly when the client roams with 802.11r enabled on the SSID, this issue is resolved in MR 26.x"

CCO
Here to help

Hello Randhall,

 

Many thanks for the update!

I'm currently checking what the improvements in MR26.x were, and I see interesting things, such as:

- Bug fix in MR26.1: Facebook app not blocked by Layer 7 firewall rules (All MRs)

 

"My" current version is MR25.14, but the next available Stable candidate is MR26.6.1.

I will check this.

Regards.
