As previously mentioned, the MX line of security appliances is capable of L3 stateful access control in addition to more advanced inspection and filtering. Alongside the standard Layer 3 IP-based access control lists, which support both IP- and FQDN-based rules as well as policy object groups, MX security appliances also offer industry-leading application-based firewall services for more advanced control and filtering of network traffic.
The Meraki platform leverages its capability to directly integrate with established Cisco technologies to include the powerful Cisco Network Based Application Recognition (NBAR) technology in Meraki devices. This allows for the creation of powerful Layer 7 firewall rules (see Figure 5-1) that can be tied to more than 1,500 different web applications to allow for more granular and enhanced application-based filtering than ever before.
Figure 5-1 Example Layer 7 Firewall Configuration
In addition to the NBAR-powered application-based Layer 7 firewall rules, the Dashboard also offers the ability to configure geolocation-based Layer 7 rules that deny traffic to/from specified countries, or to/from any country NOT in a specified list, based on geolocated IPs. This ability provides an easy-to-configure method of tightly restricting traffic to or from unwanted destinations without requiring a large manual ruleset or other outside integration.
Additionally, as with nearly all edge firewalls, MX devices can be configured with inbound forwarding rules for port forwarding, 1:1 NAT, or 1:Many NAT.
HTTP Content Filtering (Talos)
Alongside the L3/L7-based filtering, MX security appliances offer the ability to implement HTTP content filtering that utilizes Cisco Talos Intelligence for URL classification. By utilizing Cisco Talos Intelligence, Meraki helps to ensure that URL classifications are as up to date as possible while offering a wide variety of content categories to choose from, allowing your filtering configuration to be tailored to the specific needs of any deployment. Figure 5-2 shows the Dashboard view of the Content Filtering page, which you can access via Security & SD-WAN > Content Filtering. This feature also allows for a more consistent configuration across Cisco platforms, simplifying your deployment planning.
Figure 5-2 Content Filtering Configuration Page on the Dashboard
The Content Filtering page is designed to make URL lookups and blocking easily and quickly configurable. By integrating URL lookups with Cisco Talos directly into the Content Filtering page, the Dashboard makes it easy to look up individual URLs and determine the Talos threat rating as well as the categorization of that URL.