topic Re: ECMS Practice Question - April 2nd in Cloud Networking Platform

ECMS Practice Question - April 2nd

DavidLowe — Fri, 02 Apr 2021 14:13:34 GMT

Hello again! Another simple-'ish' question for you all.

As always, comment below with what you think is the correct answer and remember: If you like the question or the ECMS questions initiative, leave us some kudos.

See you in a week with the correct answer!

ECMS practice question

Select the correct firewall rule processing order for the MX security appliance:

A.) L3 allow/deny > L3 implicit deny > L7 deny

B.) L3 allow/deny > L3 implicit allow > L7 deny

C.) L3 allow/deny > L7 deny > L3 default deny

D.) L7 deny > L3 allow/deny > L3 implicit allow

P.S. We will be sharing new practice questions weekly! If you'd like to receive updates when we do, click the "ECMS Practice" label below and then "Subscribe”

Here you can find previous questions

Re: ECMS Practice Question - April 2nd

Karsten Iwen — Fri, 02 Apr 2021 14:30:02 GMT

I really had to scratch my head to understand what the provided answers mean, but:

Spoiler

- We can rule out A.) and C.) as there is no implicit or default deny.
- It can not be D.) as the L3 rules are processed first

The Answer has to be B.)

But I still have no idea how to consistently map this answer to the documented processing flow:
https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewall_Processing_Order#MX_Processing_Flow_Diagram

- We can rule out A.) and C.) as there is no implicit or default deny.- It can not be D.) as the L3 rules are processed firstThe Answer has to be B.)But I still have no idea how to consistently map this answer to the documented processing flow:https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewall_Processing_Order#MX_Processing_Flow_Diagram

Re: ECMS Practice Question - April 2nd

MerakiGnome — Fri, 02 Apr 2021 15:08:26 GMT

i don’t like that implicit Allow that the MXs ship with. I understand it helps with getting these devices up and running quickly but people should be removing and setting to an implicit Deny All

Re: ECMS Practice Question - April 2nd

inderdeepsingh1 — Fri, 02 Apr 2021 15:17:49 GMT

I am confused between option A and B. but as expert @DarrenOC @Karsten Iwen says B, so it should be B of course 🙂

Re: ECMS Practice Question - April 2nd

Karsten Iwen — Sat, 03 Apr 2021 07:38:50 GMT

@inderdeepsingh1 wrote:
I am confused between option A and B. but as expert @DarrenOC @Karsten Iwen says B, so it should be B of course 🙂

This approach will not help you in the real exam ... 😉

Re: ECMS Practice Question - April 2nd

andburne — Sat, 03 Apr 2021 10:38:40 GMT

Spoiler

or not to

Spoiler

that answers the question.

Re: ECMS Practice Question - April 2nd

briangallagh@gmail.com — Wed, 07 Apr 2021 12:43:00 GMT

I'll go with B

Looking at the Firewall rules, Layer 3 processing comes first and the MX ships with a default L3 Implicit Allow. When a rule is added, it is added as either an L3 Allow or Deny, depending on the policy and is inserted above the default. So L3 Allow/Deny is processed first, then L3 implicit allow. L7 Firewall rules are only created with Deny as the policy option.

Re: ECMS Practice Question - April 2nd

DavidLowe — Fri, 09 Apr 2021 16:24:54 GMT

Another week, another answer.

First up, apologies if the wording wasn't of the question wasn't quite clear - Although it looks like most of you managed anyway!!

This time we were looking for...

B. L3 allow/deny > L3 implicit allow > L7 deny

The MX begins by checking if there is a matching Layer 3 (L3) rule - if so, it will make the appropriate decision based on the allow/deny parameters, else the MX will fall back on its L3 implicit allow rule. After this, the MX will check for any Layer 7 (L7) rule matches. If there is then the MX will discard the traffic/packet.

The wording of 'Layer 7 Deny' might have caught a few off guard - It was included because on the MX, if traffic matches an allow rule on the L3 firewall, it can still be blocked by an L7 firewall rule. The same cannot be said for our MR access points, which will bypass the L7 firewall altogether if traffic matches an allow rule on the L3 firewall.

As before more info here:

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewall_Processing_Order

Re: ECMS Practice Question - April 2nd

inderdeepsingh1 — Fri, 09 Apr 2021 16:31:00 GMT

@DavidLowe Thanks for the explanation !

Re: ECMS Practice Question - April 2nd

GreenMan — Fri, 09 Apr 2021 17:43:29 GMT

Just one thing to add to this; there's only an implicit allow if the packet is received on a LAN interface. If it's on a WAN / Internet port (with no matching outbound session), it hits an implicit deny - of course!