
ECMS Practice Question - April 2nd

DavidLowe
Cisco Employee

Hello again! Another simple-'ish' question for you all.

As always, comment below with what you think is the correct answer and remember: If you like the question or the ECMS questions initiative, leave us some kudos.

See you in a week with the correct answer!

ECMS practice question

Select the correct firewall rule processing order for the MX security appliance:

A.) L3 allow/deny > L3 implicit deny > L7 deny

B.) L3 allow/deny > L3 implicit allow > L7 deny

C.) L3 allow/deny > L7 deny > L3 default deny

D.) L7 deny > L3 allow/deny > L3 implicit allow

P.S. We will be sharing new practice questions weekly! If you'd like to receive updates when we do, click the "ECMS Practice" label below and then "Subscribe".

Here you can find previous questions


9 Replies

I really had to scratch my head to understand what the provided answers mean, but:

- We can rule out A.) and C.) as there is no implicit or default deny.
- It can not be D.) as the L3 rules are processed first

The Answer has to be B.)

But I still have no idea how to consistently map this answer to the documented processing flow:
https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewall_Processing_Order#MX_Processing_Flow_Diagram
--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

MerakiGnome
Meraki Community All-Star

B

I don't like that implicit Allow that the MXs ship with. I understand it helps with getting these devices up and running quickly, but people should be removing it and setting an implicit Deny All.

Darren OConnor
https://www.linkedin.com/in/darrenoconnor

I am confused between options A and B, but as the experts @DarrenOC and @Karsten Iwen say B, it should be B of course 🙂

Cisco Awarded Blogs 2020/2021 https://www.thenetworkdna.com/


@inderdeepsingh1 wrote:

> I am confused between options A and B, but as the experts @DarrenOC and @Karsten Iwen say B, it should be B of course 🙂


This approach will not help you in the real exam ... 😉


andburne
Cisco Employee

To B, or not to B, that answers the question.

briangallagh@gmail.com
Frequent Visitor

I'll go with B

Looking at the Firewall rules, Layer 3 processing comes first and the MX ships with a default L3 Implicit Allow. When a rule is added, it is added as either an L3 Allow or Deny, depending on the policy and is inserted above the default. So L3 Allow/Deny is processed first, then L3 implicit allow. L7 Firewall rules are only created with Deny as the policy option.

DavidLowe
Cisco Employee
(Accepted Solution)

Another week, another answer.

First up, apologies if the wording of the question wasn't quite clear - although it looks like most of you managed anyway!!

This time we were looking for...

B. L3 allow/deny > L3 implicit allow > L7 deny

The MX begins by checking if there is a matching Layer 3 (L3) rule - if so, it will make the appropriate decision based on the allow/deny parameters, else the MX will fall back on its L3 implicit allow rule. After this, the MX will check for any Layer 7 (L7) rule matches. If there is then the MX will discard the traffic/packet.

The wording of 'Layer 7 Deny' might have caught a few off guard - It was included because on the MX, if traffic matches an allow rule on the L3 firewall, it can still be blocked by an L7 firewall rule. The same cannot be said for our MR access points, which will bypass the L7 firewall altogether if traffic matches an allow rule on the L3 firewall.

As before more info here:

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewall_Processing_Order

@DavidLowe Thanks for the explanation!

Cisco Awarded Blogs 2020/2021 https://www.thenetworkdna.com/

Just one thing to add to this; there's only an implicit allow if the packet is received on a LAN interface. If it's on a WAN / Internet port (with no matching outbound session), it hits an implicit deny - of course!
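The processing order from the accepted answer (L3 allow/deny, then L3 implicit allow, then L7 deny) and the LAN/WAN caveat from the last reply, written out as a small Python model. This is an added illustration, not Meraki code: the `L3Rule`/`Packet` classes, the `app` field standing in for the L7 engine's classification, and the sample rules and packets are all constructed for the example. Return traffic of an existing outbound session is left out of the model, so "wan" here means unsolicited inbound traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    """Constructed sample packet. 'app' is what the L7 engine would classify
    the flow as; 'ingress' is 'lan' or 'wan' (wan = unsolicited inbound)."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    app: str = ""
    ingress: str = "lan"


@dataclass
class L3Rule:
    """Hypothetical representation of an MX L3 outbound rule (not Meraki's schema)."""
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want != "any" and ip_address(have) not in ip_network(want):
                return False
        return True


def mx_decision(pkt: Packet, l3_rules: list[L3Rule], l7_denies: set[str]) -> tuple[str, str]:
    """Return (verdict, reason) following the order given in the thread:
    L3 allow/deny -> L3 implicit allow -> L7 deny."""
    # Unsolicited traffic arriving on the WAN side never reaches the implicit
    # allow; it hits an implicit deny (the caveat in the last reply).
    if pkt.ingress == "wan":
        return ("deny", "L3 implicit deny (unsolicited WAN)")

    # 1. The first matching configured L3 rule decides; otherwise fall back
    #    to the implicit allow the MX ships with.
    verdict, reason = "allow", "L3 implicit allow"
    for idx, rule in enumerate(l3_rules, start=1):
        if rule.matches(pkt):
            verdict, reason = rule.action, f"L3 rule {idx} ({rule.action})"
            break

    # 2. An L3 deny is final; the L7 rules are never consulted.
    if verdict == "deny":
        return verdict, reason

    # 3. On the MX, traffic allowed at L3 (explicitly or implicitly) is still
    #    checked against the L7 rules, which can only deny.
    if pkt.app in l7_denies:
        return ("deny", f"L7 deny ({pkt.app}) after {reason}")
    return verdict, reason


# Constructed sample policy for the demonstration.
L3_RULES = [
    L3Rule("deny", "tcp", "any", "10.0.0.0/8", 23),  # no Telnet into 10/8
    L3Rule("allow", "tcp", "any", "any", 443),       # explicit allow for HTTPS
]
L7_DENIES = {"bittorrent"}


def demo() -> dict[str, tuple[str, str]]:
    """Run four constructed packets through the model; keys name the case."""
    cases = {
        "telnet_denied_by_l3": Packet("192.168.1.10", "10.1.2.3", "tcp", 23),
        "dns_via_implicit_allow": Packet("192.168.1.10", "8.8.8.8", "udp", 53),
        # L3 allow rule matches, but L7 still blocks the classified application.
        "https_l3_allow_then_l7_deny": Packet("192.168.1.10", "93.184.216.34", "tcp", 443, app="bittorrent"),
        "unsolicited_wan_denied": Packet("203.0.113.7", "192.168.1.10", "tcp", 443, ingress="wan"),
    }
    return {name: mx_decision(pkt, L3_RULES, L7_DENIES) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:30} {verdict:5} {reason}")
```

The third case is the one the question was getting at: the HTTPS flow hits an explicit L3 allow, yet the L7 rule still discards it, which is exactly why "L7 deny" sits last in the answer rather than being skipped after an L3 allow.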