Imagine a Cisco Meraki network deployed for a US-based business with operations nationwide. There are no overseas offices or data centers. IT has legitimate reasons to interact with India for various outsourced services. The business’s clients are domestic. And yet, chunks of its network bandwidth appear dedicated to traffic with Belarus (to randomly pick on one country).

Assuming there is no legitimate need for your business to have dealings with Belarus, it’s safe to assume that this traffic is, at best, unofficial, and at worst, malicious. Now, let’s assume that this traffic involves any of the 50+ publicly registered IP ranges for Belarus.

Previously, to block a single country from interacting with a Meraki network, it would’ve been necessary to type every individual country IP address range into separate firewall ACLs. This is no small feat: for example, China has thousands of individual IP ranges allotted to it.

So, we’re thrilled to announce that, with the MX’s new, geography-based IP firewall rules, preventing traffic to or from any individual country is as simple as selecting that country from a drop-down menu in the Meraki dashboard.

How to configure geo-based firewall rules

To enable filtering based on geographic locale, simply navigate to Configure > Firewall in the Meraki dashboard. We’ve updated our familiar Layer 7 firewall rule definition tool to include a country drop-down menu. You have two options when creating a geo-based IP rule: either define the countries you wish to block access to (selectively block), or define the countries you wish to permit access to (selectively allow). For example, you could selectively allow Germany—and only Germany—if you wish to ensure no packets leave German borders. Or, in keeping with our earlier example, you may wish to create a rule to selectively allow both Indian and US traffic—and nothing else.

You can now selectively block or permit traffic between your network and various countries using the MX’s Geo-based IP firewall rules.

Behind the scenes, the MX filters by public IP address blocks assigned to each country, making it easy to enforce geo-based security. These IP ranges are updated monthly, ensuring efficacy.

Border visibility

In addition to being able to restrict or allow traffic based on geography, the MX now provides geographic visibility into traffic flows. Simply navigate to Monitor > Traffic analysis to see which countries the traffic to and from your network is arriving from or destined for.

Viewing MX traffic analysis will now show the geography of traffic flow destination.
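
To make the two rule modes and the per-country traffic view concrete, here is an added example (not Meraki's code) that maps remote addresses to countries by CIDR block, applies a selective block or selective allow rule, and totals bytes per country. The prefix table, the flow records, and the handling of unmapped addresses are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed country-to-prefix table built from RFC 5737 documentation ranges.
# Real per-country allocations come from the regional registries and change,
# which is why a table like this needs periodic refreshing.
GEO_TABLE = {
    "US": ["192.0.2.0/25"],
    "IN": ["192.0.2.128/25"],
    "BY": ["198.51.100.0/24"],
}
NETWORKS = [(ipaddress.ip_network(cidr), cc)
            for cc, cidrs in GEO_TABLE.items() for cidr in cidrs]

def country_of(remote_ip):
    """Country code of the longest matching prefix, or None if unmapped."""
    addr = ipaddress.ip_address(remote_ip)
    hits = [(net.prefixlen, cc) for net, cc in NETWORKS if addr in net]
    return max(hits)[1] if hits else None

def decide(remote_ip, mode, countries):
    """mode="block": deny the listed countries, permit everything else.
    mode="allow": permit only the listed countries.
    Assumption: an address with no country mapping is denied in allow mode
    and permitted in block mode."""
    if mode not in ("block", "allow"):
        raise ValueError("mode must be 'block' or 'allow'")
    listed = country_of(remote_ip) in countries
    return "permit" if listed == (mode == "allow") else "deny"

def bytes_by_country(flows, mode, countries):
    """Total bytes per (country, verdict) for (remote_ip, byte_count) flows."""
    totals = Counter()
    for remote_ip, nbytes in flows:
        cc = country_of(remote_ip) or "unmapped"
        totals[(cc, decide(remote_ip, mode, countries))] += nbytes
    return totals

# Constructed flow records: (remote public IP, bytes transferred).
FLOWS = [("192.0.2.10", 5000), ("192.0.2.200", 1200),
         ("198.51.100.7", 90000), ("203.0.113.9", 300)]

if __name__ == "__main__":
    for mode, countries in (("block", {"BY"}), ("allow", {"US", "IN"})):
        print(mode, sorted(countries), dict(bytes_by_country(FLOWS, mode, countries)))
```

The unmapped flow is the case to watch: it passes under the block rule for Belarus but is dropped under the allow rule for the US and India, so the two modes are not mirror images of each other.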

In sum, geo-based IP firewall rules and border visibility give network admins critical control beyond protocol and application. Many critical security threats today rely on the ability to “phone home” or communicate with servers well beyond the borders—and easy legal reach—of your home country. Protecting your LAN from unsolicited, global traffic may mean the difference between servicing clients and enduring downtime and disruption while rebuilding hacked systems.

Geo-based IP firewall rules are included in our upcoming MX summer update, and will be automatically rolled out to existing Advanced Security customers. For more information about our MX security appliances, check out our website or give us a call!