Cellular Failover Ruleset Behavior

bailey_hawker
Here to help

Hi forum,

The Meraki KB states that during an event that WAN1 fails & traffic is swung to WAN2, the Cellular Failover firewall ruleset will be "appended" to the Outbound firewall ruleset.

Does this mean that the ruleset will be added ABOVE the existing Outbound ruleset or BELOW the existing Outbound ruleset?

Our network environment contains a Deny All rule at the bottom of the Outbound ruleset. If the Cellular ruleset is appended to the bottom of the Outbound ruleset, in the event of failover to WAN2, this Deny All rule in the Outbound ruleset would drop any traffic before it ever gets to the Cellular ruleset which makes the whole Cellular failover ruleset useless.

Am I thinking about this right?

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings

Thanks,

DarrenOC
Kind of a big deal

Hi @bailey_hawker , might be worth you reviewing this post from a while back:

https://community.meraki.com/t5/Security-SD-WAN/Restricting-Cellular-data-during-failover-to-busines...

Looks like the rules will override what's currently in place, so no need to worry about the deny all at the end.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
RaphaelL
Kind of a big deal

Hi,

This only means that the traffic allowed by your L3 firewall will also pass through the cellular outbound rules to further limit traffic if needed.

If you don't care about bandwidth, you can leave the default any/any in place.

bailey_hawker
Here to help

Meraki TAC confirmed today that the Cellular rules append to the end of the Outbound ruleset, meaning if you have a Deny All at the bottom of your Outbound ruleset, the cellular ruleset will be effectively useless.

I am also asking them about the secret TAC option that can be enabled on an organization to convert the cellular failover ruleset to instead become the Outbound ruleset for WAN2.
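As an added illustration of the ordering problem discussed in this thread (this is not code from the thread, from Meraki, or from Cisco), below is a small first-match model of an outbound ruleset with a shadowed-rule check. The Rule fields, the sample Outbound and Cellular rulesets, and the traffic samples are constructed assumptions, not Meraki rule syntax. With the cellular rules appended below a Deny All, every cellular rule is unreachable and the pre-failover Outbound rules decide all traffic; evaluated as their own ruleset (the WAN2-specific option mentioned above), the same cellular rules restrict traffic as intended.

```python
"""First-match model of an MX-style outbound ruleset, showing why rules
appended BELOW a 'Deny All' can never match.  Added example written for
this thread; not Meraki code.  Rule fields, sample rules and sample
traffic are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    policy: str        # "allow" or "deny"
    proto: str         # "any", "tcp" or "udp"
    dst: str           # destination CIDR, or "any"
    dport: str         # destination port as a string, or "any"
    comment: str = ""

    def matches(self, proto: str, dst_ip: str, dport: int) -> bool:
        """Does a single flow (proto, dst_ip, dport) hit this rule?"""
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dst != "any" and ip_address(dst_ip) not in ip_network(self.dst):
            return False
        if self.dport != "any" and int(self.dport) != dport:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every flow matching `other` also matches self
        (IPv4-only comparison in this example)."""
        proto_ok = self.proto == "any" or self.proto == other.proto
        if self.dst == "any":
            dst_ok = True
        elif other.dst == "any":
            dst_ok = False
        else:
            dst_ok = ip_network(other.dst).subnet_of(ip_network(self.dst))
        port_ok = self.dport == "any" or self.dport == other.dport
        return proto_ok and dst_ok and port_ok


def first_match(rules, proto, dst_ip, dport):
    """Return (index, rule) of the first rule the flow hits, or
    (None, None) when nothing matched (the implicit default then applies)."""
    for i, r in enumerate(rules):
        if r.matches(proto, dst_ip, dport):
            return i, r
    return None, None


def shadowed(rules):
    """Indices of rules that can never be reached because an earlier rule
    already covers everything they could match."""
    return [j for j, r in enumerate(rules)
            if any(rules[i].covers(r) for i in range(j))]


# Constructed sample rulesets (assumptions, not from the original post).
OUTBOUND = [
    Rule("allow", "tcp", "any", "443", "Web"),
    Rule("allow", "udp", "any", "53", "DNS"),
    Rule("deny", "any", "any", "any", "Deny All"),
]
CELLULAR = [
    Rule("allow", "tcp", "10.0.0.0/8", "any", "HQ only over cellular"),
    Rule("deny", "any", "any", "any", "Block everything else on LTE"),
]

# The behaviour TAC described: cellular rules appended to the END of Outbound.
APPENDED = OUTBOUND + CELLULAR


if __name__ == "__main__":
    for j in shadowed(APPENDED):
        print(f"rule {j} ({APPENDED[j].comment!r}) can never match")
    idx, rule = first_match(APPENDED, "tcp", "8.8.8.8", 443)
    print(f"tcp 8.8.8.8:443 on failover -> rule {idx}: {rule.policy} ({rule.comment})")
    idx, rule = first_match(CELLULAR, "tcp", "8.8.8.8", 443)
    print(f"same flow, cellular ruleset alone -> rule {idx}: {rule.policy} ({rule.comment})")
```

Running the check against your own exported rules before a failover test is cheaper than discovering during an outage that the LTE restrictions never applied; any cellular rule reported by `shadowed()` is dead under the append-to-end behaviour.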
