System Manager Firewall Rules; Confusion / 3rd Line Assistance Required

PeterJames
Head in the Cloud

Hi All,

I am trying to piece together a basic rule list and a Cisco rule list that I can share with customers. We have had feedback and feel that the firewall rules are not very clear. The main problem is that they are bundled together.

I hope this post will assist those who may feel the same.

Stage 1 - Barebones

AIM: This is to get the iOS device activated, the DEP profile downloaded, and the time automatically set.

https://documentation.meraki.com/SM/Other_Topics/Systems_Manager_Firewall_Rules

https://support.apple.com/en-us/HT210060#apns

From Apple, this should be:

TCP 80, TCP 443, TCP 2197, TCP 5223, UDP 123 for 17.0.0.0/8 (the Class A block that Apple owns).

However, Meraki includes an additional TCP 2195-2196, which I cannot see mentioned by Apple. Is this required?

Additionally, why does ios.meraki.com on TCP 443 need to be an endpoint?

Now on to the Cisco rules:

*** Before this section you would set your VLAN->WAN

set srcaddr "XXXXXXX"  - Customer Subnet
set dstaddr "all" - Include Everything for a moment (Lazy, but far easier)
set action accept
set schedule "always"
set service "Meraki-Services"
next
end

edit "Meraki-Services"
set member "HTTP" "HTTPS" "TCP-2197" "TCP-5223" "UDP-123"

This is what I have got. Can someone at Cisco Meraki confirm this would work?

*** Obviously at the end you need to copy your temp into your main file

Stage 2 - Barebones + iOS SM App

*Placeholder: this would be the bare minimum to get the iOS device set up and the SM App communicating.

Thank you,

Peter James
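A quick self-check of the Stage 1 list, added here as an example and not part of the original post: it encodes Apple's allowlist and Meraki's extra TCP 2195-2196, then evaluates constructed sample flows (the 17.x and 203.0.113.x addresses and the dst_host field are made up for illustration) so the delta between the two lists is visible before the rules go out to customers.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Stage 1 "barebones" egress allowlist as listed in the post (Apple's published list).
APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")
APPLE_RULES: FrozenSet[Tuple[str, int]] = frozenset(
    {("tcp", 80), ("tcp", 443), ("tcp", 2197), ("tcp", 5223), ("udp", 123)}
)
# Meraki's documented list adds TCP 2195-2196, the ports the post asks about.
MERAKI_RULES = APPLE_RULES | {("tcp", 2195), ("tcp", 2196)}
ENROLMENT_HOST = "ios.meraki.com"  # separate TCP 443 endpoint from the Meraki doc


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_ip: str
    dst_port: int
    dst_host: Optional[str] = None  # hostname for an FQDN-aware rule (hypothetical field)


def stage1_permits(flow: Flow, rules: FrozenSet[Tuple[str, int]] = APPLE_RULES) -> bool:
    """True if the Stage 1 allowlist lets this outbound flow through."""
    proto = flow.proto.lower()
    # FQDN entry: ios.meraki.com on TCP 443, whatever address it resolves to.
    if flow.dst_host == ENROLMENT_HOST and (proto, flow.dst_port) == ("tcp", 443):
        return True
    # Everything else must land inside Apple's 17.0.0.0/8 on an allowed proto/port.
    if ipaddress.ip_address(flow.dst_ip) not in APPLE_BLOCK:
        return False
    return (proto, flow.dst_port) in rules


def only_meraki_permits(flows: List[Flow]) -> List[Flow]:
    """Flows the Meraki list allows but the Apple-only list blocks: the delta to explain."""
    return [f for f in flows if stage1_permits(f, MERAKI_RULES) and not stage1_permits(f, APPLE_RULES)]


# Constructed sample flows; the addresses are illustrative, not real Apple/Meraki hosts.
SAMPLE_FLOWS = [
    Flow("tcp", "17.57.144.10", 5223),                         # APNs push channel
    Flow("tcp", "17.57.144.10", 2197),                         # APNs on 2197
    Flow("tcp", "17.57.144.10", 2195),                         # only in Meraki's list
    Flow("udp", "17.253.14.125", 123),                         # Apple NTP
    Flow("tcp", "203.0.113.5", 443, dst_host=ENROLMENT_HOST),  # Meraki enrolment endpoint
    Flow("tcp", "203.0.113.9", 443),                           # arbitrary HTTPS: denied at Stage 1
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.proto}/{f.dst_port} -> {f.dst_host or f.dst_ip}: {'allow' if stage1_permits(f) else 'deny'}")
    print("Permitted by Meraki's list only:", only_meraki_permits(SAMPLE_FLOWS))
```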
