Skip to main content

 

Cisco Meraki Documentation

Layer 3 and 7 Firewall Processing Order

Firewall rules on MR Series Access Points and MX Series Security Appliances are processed in a top down fashion, with Layer 3 rules being processed, followed by Layer 7 rules. Unless traffic is explicitly blocked by at least one rule, it will be allowed through by a default allow all rule. 

Other MX filtering features, like Content Filtering, operate independently of Layer 3 and Layer 7 firewall rules. If traffic is allowed through one feature but denied on another, the traffic will still be denied.

Layer 3 rules configured on the firewall page of the Security Appliance settings are stateful while Layer 7 rules are stateless.  Additionally, Layer 3 and Layer 7 rules configured on both the group policy firewall and wireless firewall settings are stateless. 

 Firewall rules, of any type, apply only to traffic which traverses through the firewall device. This means that firewall rules do not apply to traffic originating from (such as LDAP binds) or terminating at (such as client VPN) the firewall device.  Additionally, MX VLAN interfaces and the MX WAN IP addresses, themselves, are not considered in Allow or Deny rules.

 

Learn more with these free online training courses on the Meraki Learning Hub:

Sign in with your Cisco SSO or create a free account to start training.

Reference L3 and L7 Rules

For the examples to follow, the Layer 3 (L3) and Layer 7 (L7) firewall rules shown below will be used, with a Security Appliance network used for reference.

2017-08-02 08_30_57-Firewall Configuration - Meraki Dashboard.png

2017-07-25 08_37_12-Firewall Configuration - Meraki Dashboard.png

 

Traffic Allowed by Default

By default, outbound traffic will be allowed through the firewall unless explicitly blocked by at least one L3 or L7 rule. In this example, SSH (TCP port 22) traffic will be allowed through the firewall because there are no configured L3 or L7 rules that act upon it.

Layer 3 Rules

  1. No Match
  2. No Match
  3. No Match

Layer 7 Rules

  1. No Match

Traffic Blocked by Layer 3 Rule

In this example, SMTP traffic (TCP port 25) will be blocked by the L3 firewall, because rule 3 under layer 3 explicitly blocks it. Layer 7 rules would be ignored because the traffic has already been blocked.

Layer 3 Rules

  1. No Match
  2. No Match
  3. Matched - Traffic blocked

Layer 7 Rules

  1. Not processed because traffic was already blocked

 

Traffic Blocked by Layer 7 Rule

The MR access point and MX security appliance differ slightly in their processing of L7 firewall rules after the L3 firewall. On the MR, if traffic matches an allow rule on the L3 firewall, that traffic will bypass the L7 firewall altogether.

On MR, default L3 rules do not act as a bypass for L7 rules. Only allow custom rules will bypass L7 rules. 

On the MX, if traffic matches an allow rule on the L3 firewall, it can still be blocked by an L7 firewall rule.

On the MX, HTTP traffic (TCP port 80) to Facebook.com will be blocked by the L7 firewall, because rule 1 under layer 7 explicitly blocks it, even though the traffic was allowed through the layer 3 firewall.

Layer 3 Rules

  1. Matched - Traffic allowed through L3 firewall
  2. Not processed
  3. Not processed

Layer 7 Rules

  1. Matched - Traffic blocked

 

On the MR, HTTP traffic (TCP port 80) to Facebook.com will be allowed through the firewall, because rule 1 under layer 3 explicitly allows it.

Layer 3 Rules

  1. Matched - Traffic allowed through L3 firewall
  2. Not processed
  3. Not processed

Layer 7 Rules

  1. Not processed because traffic was already allowed

 

MX Processing Flow Diagram
MXL3L7.png

When utilizing Group Policy for L3 and L7 firewall rules, they will be processed the same as illustrated above.

MR Processing Flow Diagram

MRL3L7.png