
Creating a Layer 7 Firewall Rule


Cisco Meraki MR Access Points and MX Security Appliances provide the ability to create layer 7 firewall rules that deny traffic based on its traffic type. Where most firewall rules only inspect headers at layer 3 (IP address), 4 (Transport), and 5 (Port), a layer 7 rule inspects the payload of packets and matches it against known traffic types, such as a specific application. To create a layer 7 firewall rule, follow the steps below:

  1. Select the Dashboard network where the rule is to be configured.
  2. Navigate to Wireless > Configure > Firewall and traffic shaping (or Security appliance > Configure > Firewall on the MX).
  3. (wireless only) Select the SSID the firewall rule will apply to, through the SSID dropdown.
  4. Under Layer 7 firewall rules, click Add a layer 7 firewall rule.
  5. Select an Application to be blocked, using the second drop-down to be more specific if necessary.
  6. Click Save Changes.
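The same rule can also be pushed without the Dashboard UI. The following is an added example, not part of the original article or Meraki's own code: it assumes the Dashboard API v1 endpoint `PUT /networks/{networkId}/wireless/ssids/{number}/firewall/l7FirewallRules`, its `{"policy": "deny", "type": ..., "value": ...}` rule format and the `meraki:layer7/application/<id>` identifier form; the API key, network ID, SSID number and application ID are placeholders.

```python
import json
import urllib.request

# Rule types the l7FirewallRules endpoint is assumed to accept (API v1).
L7_RULE_TYPES = {"application", "applicationCategory", "host", "port", "ipRange"}


def build_l7_rules(entries):
    """Turn ordered (type, value) pairs into the endpoint's 'rules' payload.

    Layer 7 rules are deny-only, and order is preserved because the first
    matching rule wins. Exact duplicates are dropped so the same rule is not
    evaluated twice.
    """
    rules, seen = [], set()
    for rule_type, value in entries:
        if rule_type not in L7_RULE_TYPES:
            raise ValueError(f"unsupported layer 7 rule type: {rule_type}")
        key = (rule_type, json.dumps(value, sort_keys=True))
        if key in seen:
            continue
        seen.add(key)
        rules.append({"policy": "deny", "type": rule_type, "value": value})
    return {"rules": rules}


def put_l7_rules(api_key, network_id, ssid_number, payload,
                 opener=urllib.request.urlopen):
    """PUT the payload to one SSID's layer 7 firewall rules endpoint.

    'opener' is injectable so the call can be exercised without network access.
    """
    url = (f"https://api.meraki.com/api/v1/networks/{network_id}"
           f"/wireless/ssids/{ssid_number}/firewall/l7FirewallRules")
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="PUT",
        headers={"X-Cisco-Meraki-API-Key": api_key,
                 "Content-Type": "application/json"})
    with opener(req) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Placeholder values; replace with real IDs from your Dashboard.
    payload = build_l7_rules([
        ("application", {"id": "meraki:layer7/application/<APP_ID>"}),
        ("host", "blocked.example.com"),
        ("application", {"id": "meraki:layer7/application/<APP_ID>"}),  # duplicate
    ])
    print(json.dumps(payload, indent=2))
    # put_l7_rules("<API_KEY>", "<NETWORK_ID>", 0, payload)
```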


To remove a Layer 7 firewall rule, click its Delete icon next to the Reorder icon, then click Save Changes.

Layer 3 rules are processed first, followed by layer 7, with the first match taking priority. For more information refer to Layer 3 & 7 Firewall Processing.

Some services, such as Amazon Video, may be included in the traffic shaping applications list but not in the layer 7 firewall application list. When blocked, these services fail over to a content distribution network (CDN) that may be shared by many content services. Meraki makes every effort to identify services hosted on CDNs; however, in some cases the traffic is not distinguishable from other services hosted on the same CDN. In cases like these, we recommend limiting the application to extremely minimal bandwidth with a traffic shaping rule instead of attempting to block the traffic entirely.

When splash page authentication is configured, captive portal strength settings take precedence over configured traffic shaping and firewall rules. This means traffic shaping and firewall rules only apply after splash page authentication has completed successfully. If firewall or traffic shaping rules are configured on an SSID, use the "Block all access until sign-on is complete" captive portal strength setting to apply the principle of least privilege to the SSID. This setting ensures all traffic is blocked until the desired firewall and traffic shaping rules can be applied.

Last modified
16:17, 10 Feb 2016
