Configure MX Layer7 Geo-location Restriction and Troubleshoot in Meraki

Available Languages

Download Options

  • PDF     (140.2 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (165.0 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (203.6 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:February 13, 2023
Document ID:220219

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure the MX layer 7 Firewall rule and troubleshoot for the same in the Meraki MX appliance.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Understand basic Meraki Software-Defined Wide Area Network (SD-WAN) solution
    • Understand basic Meraki MX appliance product overview

    Components Used

    This document is not restricted to specific software and hardware versions.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Configure Layer 7 Geo-location Restriction

    1. Log in to the Meraki dashboard.

    2. Navigate to the device or the HUB MX where you want to apply your Layer 7 firewall rule.

    3. Navigate to Security > SD-WAN > Configure > Firewall.

    Meraki Firewall Settings

    4. Navigate to the Layer 7 rule where you can apply Deny rule for countries with traffic to/from and Not to/from as per the requirement.

    Option to select Layer7 Rule

    5. Here, you have two options to choose where you can restrict the traffic from different geolocation-selected countries. You can add policies for multiple countries also in the same rule.

    Option to select Layer7 Rule1

    Option to select Layer7 Rule2

    Verify and Troubleshoot

    1. You need to verify the problematic application IP and the domain location they are hosted and users in the Meraki network are not able to use the services for that application.

    For that, you can search in any IP locator available over the Internet and then you need to compare the same with the geo IP service that Meraki utilizes through the MaxMind website as mentioned in the link; https://www.maxmind.com/en/geoip-demo.

    2. Also, you have to verify the Meraki MX layer 7 rule that is defined with the hosted country name and allowed traffic.

    Here, you must ensure the hosted country location is correctly defined in maxmind.com as Meraki only uses the location service mentioned here.

    MaxMind Dashboard

    3. Sometimes MaxMind reflects a wrong update of the hosted location of a particular IP and in that case, you have to contact the Cisco Meraki Support team and need to get this corrected from MaxMind.

    4. In such cases as a quick workaround, you can define the location which reflects in maxmind.com to the Meraki MX layer7 FW rules on a temporary basis. 

    Related Information

    Revision History

    Revision Publish Date Comments
    2.0
    13-Feb-2023
    Initial Release
    1.0
    12-Feb-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Rachna Sinha
      Cisco CMS Engineer
    • Prasannajit Mohanty
      Cisco CMS Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco