System Manager Firewall Rules; Confusion / 3rd Line Assistance Required

PeterJames
Head in the Cloud

Hi All,

I am trying to piece together a basic and Cisco Rule list I can share with customers. We have had feedback and feel that the Firewall rules are not very clear. The main problem is that they are bundled together.

I hope this post will assist those who may feel the same.

Stage 1 - Barebones

AIM: This is to get the iOS device activated, DEP Profile downloaded, time automatically set.

https://documentation.meraki.com/SM/Other_Topics/Systems_Manager_Firewall_Rules

https://support.apple.com/en-us/HT210060#apns

From Apple, this should be:

TCP 80, TCP 443, TCP 2197, TCP 5223, UDP 123 for 17.0.0.0/8 (Class A block that Apple owns).

However, Meraki included an additional 2195-2196, which I cannot see mentioned by Apple. Is this required?

Additionally, why does ios.meraki.com on TCP 443 need to be an endpoint?

Now on to the Cisco rules:

*** Before this section you would set your VLAN->WAN

set srcaddr "XXXXXXX"  - Customer Subnet
set dstaddr "all" - Include Everything for a moment (Lazy, but far easier)
set action accept
set schedule "always"
set service "Meraki-Services"

next
end

edit "Meraki-Services"

set member "HTTP" "HTTPS" "TCP-2197" "TCP-5223" "UDP-123"

next
end

This is what I have got. Can someone at Cisco Meraki confirm this would work?

*** Obviously at the end you need to copy your temp in to your main file

Stage 2 - Barebones + iOS SM App

*Placeholder: this would be the bare minimum to get the iOS device set up and the SM App communicating.

Thank you,

Peter James
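As an added check that is not part of the post or of Meraki's documentation: a small Python review that reads the service-group members and destination out of a CLI snippet like the one above, compares the resulting protocol/port set with the Apple list quoted in the post, and reports whether the destination is actually scoped to 17.0.0.0/8 rather than "all". It assumes HTTP and HTTPS resolve to TCP 80 and TCP 443, and that the TCP-/UDP- object names follow the post's naming pattern.

```python
import re
from ipaddress import ip_network
# Apple's list as quoted in the post, and the block it applies to.
APPLE_REQUIRED = {("tcp", 80), ("tcp", 443), ("tcp", 2197), ("tcp", 5223), ("udp", 123)}
APPLE_NET = ip_network("17.0.0.0/8")
# Assumed: HTTP/HTTPS are the usual predefined objects; TCP-2197 or TCP-2195-2196 resolve from the name.
NAMED = {"HTTP": {("tcp", 80)}, "HTTPS": {("tcp", 443)}}

def resolve(name):
    """Map one service-object name to the set of (proto, port) it covers."""
    if name in NAMED:
        return NAMED[name]
    m = re.fullmatch(r"(TCP|UDP)-(\d+)(?:-(\d+))?", name, re.I)
    if not m:
        raise ValueError(f"unknown service object {name!r}")
    lo, hi = int(m.group(2)), int(m.group(3) or m.group(2))
    return {(m.group(1).lower(), p) for p in range(lo, hi + 1)}

def parse_policy(text):
    """Pull the dstaddr objects and service-group members out of a CLI snippet."""
    dst, members = [], []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("set dstaddr"):
            dst = re.findall(r'"([^"]+)"', line)
        elif line.startswith("set member"):  # tolerates a stray/missing quote
            members += re.findall(r"[\w-]+", line.split(None, 2)[2])
    return dst, members

def dst_scoped_to_apple(dst):
    """True only when every destination is a CIDR inside 17.0.0.0/8."""
    try:
        return bool(dst) and all(ip_network(d).subnet_of(APPLE_NET) for d in dst)
    except ValueError:  # "all" or a named address object: scope not provable here
        return False

def review(text):
    """Compare the policy's allowed (proto, port) set with Apple's list."""
    dst, members = parse_policy(text)
    allowed = set().union(*(resolve(m) for m in members))
    return {"missing": APPLE_REQUIRED - allowed,
            "extra": allowed - APPLE_REQUIRED,
            "dst_scoped": dst_scoped_to_apple(dst)}

# Constructed sample mirroring the post's snippet, plus Meraki's 2195-2196 variant.
POST_POLICY = '''
set dstaddr "all"
set member "HTTP" "HTTPS" "TCP-2197" "TCP-5223" UDP-123"
'''
MERAKI_VARIANT = POST_POLICY.replace(' UDP-123"', ' "TCP-2195-2196" "UDP-123"')
```

For the post's own snippet the port set matches Apple's list exactly and only the "all" destination is reported; the Meraki variant additionally shows TCP 2195-2196 as beyond Apple's list.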
