Cellular Failover Ruleset Behavior

bailey_hawker

Hi forum,

 

The Meraki KB states that in the event that WAN1 fails & traffic is swung to WAN2, the Cellular Failover firewall ruleset will be "appended" to the Outbound firewall ruleset.

 

Does this mean that the ruleset will be added ABOVE the existing Outbound ruleset or BELOW the existing Outbound ruleset?

 

Our network environment contains a Deny All rule at the bottom of the Outbound ruleset. If the Cellular ruleset is appended to the bottom of the Outbound ruleset, in the event of failover to WAN2, this Deny All rule in the Outbound ruleset would drop any traffic before it ever gets to the Cellular ruleset, which makes the whole Cellular failover ruleset useless.

Am I thinking about this right?

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings

 

Thanks,

DarrenOC

Hi @bailey_hawker, might be worth you reviewing this post from a while back:

 

https://community.meraki.com/t5/Security-SD-WAN/Restricting-Cellular-data-during-failover-to-busines...

 

Looks like the rules will override what’s currently in place, so no need to worry about the deny all at the end.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
RaphaelL

Hi,

 

This only means that the traffic allowed by your L3 firewall will also pass through the cellular outbound rules to further limit traffic if needed. 

 

If you don't care about bandwidth, you can leave the default any any in place.
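
The thread contains three readings of "appended": cellular rules below the outbound rules, above them, or applied as a second filter after them. The following is an added example, not part of any post above and not Meraki code, that models each reading with a generic first-match evaluator so a planned ruleset can be checked against all three; it does not show which one the MX implements. The rule sets, the documentation-range addresses and the fall-through default allow are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed rule sets, not from the thread: (action, destination CIDR, port or None = any).
OUTBOUND = [("allow", "0.0.0.0/0", 443),
            ("allow", "0.0.0.0/0", 53),
            ("deny",  "0.0.0.0/0", None)]       # the explicit Deny All from the question
CELLULAR = [("allow", "203.0.113.0/24", None),  # business-critical range (placeholder)
            ("deny",  "0.0.0.0/0", None)]
# Constructed sample flows: (destination, port).
FLOWS = [("203.0.113.10", 443), ("203.0.113.10", 22),
         ("198.51.100.5", 443), ("198.51.100.5", 25)]

def first_match(rules, dst, port):
    """Top-down, first-match evaluation. Returns (action, index of deciding rule)."""
    for i, (action, cidr, rule_port) in enumerate(rules):
        if ip_address(dst) in ip_network(cidr) and rule_port in (None, port):
            return action, i
    return "allow", None  # assumption: nothing matched, fall through to a default allow

def decide(reading, dst, port):
    """Verdict for one flow during failover under one reading of 'appended'."""
    if reading == "below":    # cellular rules listed after the outbound rules
        return first_match(OUTBOUND + CELLULAR, dst, port)[0]
    if reading == "above":    # cellular rules listed before the outbound rules
        return first_match(CELLULAR + OUTBOUND, dst, port)[0]
    if reading == "chained":  # must pass outbound, then also pass cellular
        if first_match(OUTBOUND, dst, port)[0] == "deny":
            return "deny"
        return first_match(CELLULAR, dst, port)[0]
    raise ValueError(reading)

def cellular_reachable_below(flows):
    """True if any flow is decided by a cellular rule when those sit below OUTBOUND."""
    return any((first_match(OUTBOUND + CELLULAR, d, p)[1] or 0) >= len(OUTBOUND)
               for d, p in flows)

if __name__ == "__main__":
    for dst, port in FLOWS:
        verdicts = {r: decide(r, dst, port) for r in ("below", "above", "chained")}
        print(f"{dst}:{port:<4} {verdicts}")
    print("cellular rules reachable when placed below:", cellular_reachable_below(FLOWS))
```

Flows where the three columns disagree are the ones to test on the appliance during a controlled failover.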
