Cisco Meraki MR Access Points and MX Security Appliances provide the ability to create layer 7 firewall rules to deny certain traffic based on traffic type. Where most firewall rules only inspect headers at layer 3 (IP address), 4 (Transport), and 5 (Port), a layer 7 rule inspects the payload of packets to match against known traffic types. To enable a layer 7 firewall rule, follow the steps below:
To remove a Layer 7 firewall rule, click its Delete icon next to the Reorder icon, then click Save Changes.
Layer 3 rules are processed first, followed by layer 7, with the first match taking priority. For more information, refer to Layer 3 & 7 Firewall Processing.
Some services, such as Amazon Video, may be included in the traffic shaping applications list but not included in the layer 7 firewall application list. When blocked, these services fail over to a content distribution network (CDN) that may be shared by many content services. Meraki makes every effort to identify services from CDNs; however, in some cases the traffic is not distinguishable from other services hosted on the CDN. In cases like these, we recommend that the application be limited to extremely minimal bandwidth usage instead of attempting to block the traffic entirely.