Another week, another answer. First up, apologies if the wording wasn't of the question wasn't quite clear - Although it looks like most of you managed anyway!! This time we were looking for... B. L3 allow/deny > L3 implicit allow > L7 deny The MX begins by checking if there is a matching Layer 3 (L3) rule - if so, it will make the appropriate decision based on the allow/deny parameters, else the MX will fall back on its L3 implicit allow rule. After this, the MX will check for any Layer 7 (L7) rule matches. If there is then the MX will discard the traffic/packet. The wording of 'Layer 7 Deny' might have caught a few off guard - It was included because on the MX, if traffic matches an allow rule on the L3 firewall, it can still be blocked by an L7 firewall rule. The same cannot be said for our MR access points, which will bypass the L7 firewall altogether if traffic matches an allow rule on the L3 firewall. As before more info here: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewall_Processing_Order
... View more