vMX Inbound Rules and Template

swifty
Getting noticed


I've got a few vMXs I want to apply the same - inbound & outbound - f-w rules to.

 

💡I'll use templates.

The usual vMX Firewall configuration page has Inbound and Outbound rules sections.

 

The template, once bound to a vMX network, only has outbound rules.

Can anyone explain this?

 

I'm also thinking of using mfw.py for the API from https://www.ifm.net.nz/cookbooks/mfw.html

 

Obviously the rules I send via .csv will be directional i.e. src. or dest. will live 'inside [Azure]' or 'outside [SD-WAN]'.

If I add rules that are inbound, will they:

a) Get added to the inbound section

b) Get ignored?

 

Ian

PhilipDAth
Kind of a big deal

It's not common to use inbound firewall rules on Meraki. Are you using NO-NAT or something else that makes this feature usable?

 

swifty
Getting noticed

Hi Philip

Thanks for the reply.
After discussion with our Meraki SE, it was explained that the one-armed vMX has the public IP as the 'outside' and the internal Azure NIC as the 'inside' interfaces - and rules can be applied much like any other firewall, i.e. looking at the perspective of inbound & outbound.
As we are replacing an incumbent Juniper firewall, which has ingress & egress policies, we are replicating those. The customer is security conscious of their Azure environment and wants to control ingress to it, and control access out from it (presumably being used as an attack plane into the rest of their SD-WAN environment.)

My comment was really around the template missing the inbound section, whereas when you don't bind the network to a template you can specify inbound and outbound rules.

Ian 😀
