Which ruleset is applied when? Meraki S2S vs CDW

Solved
Bucket
Getting noticed


Hi,

 

I'm trying to understand when the Meraki S2S firewall rules are being used and when the CDW rules are being used. I think it's a bit blurry now that hubs are supported.

 

  1. If the only hubs are Secure Connect hubs: Is it only the CDW rules that are being evaluated or are the Meraki S2S rules also being evaluated?
  2. If there is an on-prem MX as hub and it has first priority: Is it CDW or S2S rules that are being evaluated or both?
  3. If there is an on-prem MX as hub and it has first priority: How does Spoke to Spoke traffic behave? Does it still go via secure connect? Is it CDW or S2S rules that are being evaluated or both?

 

Link to the documentation for: https://documentation.meraki.com/CiscoPlusSecureConnect/Cisco__Secure_Connect_Now-_Sites/Meraki_SD-W...

 

Accepted Solution
SahandC
Meraki Employee

Hi Bucket,

 

With the addition of Secure Connect there are three types of firewall rules.

 

  • MX > Firewall
    • LAN to WAN traffic
    • LAN to LAN traffic
  • MX > Site-to-site VPN > S2S outbound FW
    • LAN to VPN traffic
  • SC > Cloud Firewall (CDFW)
    • Any traffic sent to Secure Connect > Any

 

Which one of these rules is enforced depends on where traffic is sourced and destined to.

 

For example, if I'm a user on subnet-a trying to communicate with subnet-b, and I have rules on both the Meraki MX firewall and Secure Connect firewall, my traffic will hit the Meraki MX first, where I have a rule in place to drop the traffic.

 

Alternatively, if you have a remote access user connecting to the VPNaaS, and have a rule set up to block traffic to both subnet-a & subnet-b, and the user attempts to communicate with hosts on those subnets, they'll be blocked by the Secure Connect firewall.

 

I've attached an image which expands on this idea to include internet-bound traffic too. Please note, in reality, Meraki MXs configured as a spoke connecting to Secure Connect will have a default route installed in the route table, so you'd need a VPN exclusion rule for attacker.com for it to break out to the WAN and have the Meraki > Firewall policy be applied. I've only done this scenario for presentation purposes.

 

[attached image: Screenshot 2024-11-11 at 12.47.21 PM.png]

 

Blocking traffic closer to the source is recommended, but some organizations may choose to consolidate their rules in Secure Connect for easier management. There are roadmap items coming soon which will allow IT administrators to block traffic closer to the source without the complexity I've outlined above.

 

To address your questions directly:

 

1. Site-to-site outbound firewall rules are still applied. If your Meraki MX is a spoke, a default route is installed in the route table. Unless there is a more specific route in the route table, all traffic will be forwarded to Secure Connect.

 

2. If the traffic is being sourced from behind the MX, then policies on the MX are evaluated first before being forwarded anywhere else, i.e. Secure Connect where you may have additional policies.

 

3. Regardless of whether the spokes are communicating through an MX/vMX or Secure Connect, the Site-to-site outbound firewall rules are evaluated first. For the Secure Connect Cloud Firewall policies to be applied, the traffic must relay through Secure Connect.

 

Hopefully this helps.


Bucket
Getting noticed

Thank you!

 

So it's basically always S2S rules and if the traffic goes via the secure connect hubs then CDFW rules are checked.

SahandC
Meraki Employee

The regular MX FW rules are processed if the traffic is going to be forwarded out of a LAN/WAN interface (i.e. inter/intra-VLAN traffic, or internet-bound traffic).

 

The S2S rules are processed if the traffic is going to be forwarded over a VPN interface. If the traffic is forwarded over a VPN interface to Secure Connect, the traffic is then also assessed against the Secure Connect FW rules.
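
The accepted solution and the final reply above describe one decision chain: the route lookup picks the egress interface, and the egress interface picks which policy runs (MX > Firewall for LAN/WAN, S2S outbound FW for any VPN interface, and the Secure Connect cloud firewall only when the VPN next hop is Secure Connect). The Python below is an added illustration of that chain, not Meraki code and not part of the thread; the route table, the subnets, the rule lists, the VPN exclusion prefix standing in for "attacker.com", the VPNaaS user address and every function name are constructed assumptions. It deliberately models only what the thread states: ordered first-match rules with an implicit allow, a default route to Secure Connect on a spoke, a more specific route to an on-prem MX hub, VPN exclusions forcing WAN breakout, and traffic sourced at Secure Connect (a remote access user) seeing only the cloud firewall. It does not model stateful inbound handling, group policies or hub-priority failover.

```python
"""Toy model of which firewall policy sees a flow, following the ordering
described in the thread (added example, not Meraki code; every subnet, rule
and name below is constructed for illustration).

  MX > Firewall              egress is a LAN or WAN interface
  S2S outbound FW            egress is a VPN interface (any hub type)
  Secure Connect CDFW        only reached if the VPN next hop is Secure Connect

Routing decides the egress interface: longest-prefix match over a table that,
on a Secure Connect spoke, ends in a default route to Secure Connect; a VPN
exclusion forces local WAN breakout instead.  Each policy is an ordered
first-match list with an implicit allow at the end.
"""
from ipaddress import ip_address, ip_network

# Constructed route table of a spoke MX.  Interface kinds: "lan", "wan",
# "vpn_mx" (hub is an on-prem MX/vMX), "vpn_sc" (hub is Secure Connect).
ROUTES = [
    ("10.1.0.0/24", "lan"),     # subnet-a, local VLAN
    ("10.1.1.0/24", "lan"),     # subnet-b, local VLAN
    ("10.2.0.0/24", "vpn_mx"),  # spoke-2, reached through the on-prem MX hub
    ("10.3.0.0/24", "vpn_sc"),  # spoke-3, reached only through Secure Connect
    ("0.0.0.0/0", "vpn_sc"),    # default route installed when SC is a hub
]
VPN_EXCLUSIONS = ["203.0.113.0/24"]  # stands in for "attacker.com" (TEST-NET-3, constructed)

# Rules are (action, src, dst); "any" matches everything.  All constructed.
MX_FW = [("deny", "10.1.0.0/24", "10.1.1.0/24"),     # LAN-to-LAN: subnet-a -> subnet-b
         ("deny", "10.1.0.0/24", "203.0.113.0/24")]  # LAN-to-WAN: subnet-a -> attacker.com
S2S_FW = [("deny", "10.1.0.0/24", "10.3.0.0/24")]    # LAN-to-VPN: subnet-a -> spoke-3
CDFW = [("deny", "any", "10.1.0.0/24"),              # block VPNaaS users from subnet-a
        ("deny", "any", "10.1.1.0/24"),              # ... and from subnet-b
        ("deny", "any", "203.0.113.0/24")]           # cloud-side block of attacker.com


def matches(net, ip):
    return net == "any" or ip_address(ip) in ip_network(net)


def first_match(rules, src, dst):
    """Ordered first-match evaluation; unmatched traffic hits the implicit allow."""
    for action, s, d in rules:
        if matches(s, src) and matches(d, dst):
            return action
    return "allow"


def lookup_route(dst, exclusions=VPN_EXCLUSIONS):
    """Egress interface for dst: VPN exclusions win, then longest prefix match."""
    d = ip_address(dst)
    if any(d in ip_network(x) for x in exclusions):
        return "wan"
    hits = [(ip_network(p).prefixlen, iface) for p, iface in ROUTES if d in ip_network(p)]
    return max(hits, key=lambda h: h[0])[1] if hits else "wan"


def evaluate(src, dst, origin="mx", exclusions=VPN_EXCLUSIONS):
    """Return (verdict, policies_evaluated_in_order) for one flow.

    origin="mx": sourced behind the MX, so MX policies run before anything
    is forwarded.  origin="sc": sourced at Secure Connect (a VPNaaS remote
    access user), so only the cloud firewall is consulted in this model.
    """
    if origin == "sc":
        return first_match(CDFW, src, dst), ["CDFW"]
    iface = lookup_route(dst, exclusions)
    if iface in ("lan", "wan"):
        return first_match(MX_FW, src, dst), ["MX_FW"]
    verdict = first_match(S2S_FW, src, dst)            # VPN egress: S2S policy first
    if verdict == "deny" or iface == "vpn_mx":         # dropped locally, or relayed by an MX hub
        return verdict, ["S2S_FW"]
    return first_match(CDFW, src, dst), ["S2S_FW", "CDFW"]  # relayed through Secure Connect


if __name__ == "__main__":
    flows = [
        ("10.1.0.10", "10.1.1.10", "mx", VPN_EXCLUSIONS),    # a -> b, local: MX FW only
        ("10.1.0.10", "10.3.0.10", "mx", VPN_EXCLUSIONS),    # a -> spoke-3 via SC: S2S denies first
        ("10.1.1.10", "10.3.0.10", "mx", VPN_EXCLUSIONS),    # b -> spoke-3 via SC: S2S then CDFW
        ("10.1.1.10", "10.2.0.10", "mx", VPN_EXCLUSIONS),    # b -> spoke-2 via MX hub: S2S only
        ("10.1.0.10", "203.0.113.5", "mx", []),              # internet, no exclusion: default route to SC
        ("10.1.0.10", "203.0.113.5", "mx", VPN_EXCLUSIONS),  # internet, excluded: WAN breakout, MX FW
        ("100.64.0.7", "10.1.1.10", "sc", VPN_EXCLUSIONS),   # VPNaaS user -> b: CDFW only
    ]
    for src, dst, origin, excl in flows:
        verdict, path = evaluate(src, dst, origin, excl)
        print(f"{src:>11} -> {dst:<13} origin={origin:<2} {verdict:<5} via {' > '.join(path)}")
```

The two internet-bound rows are the point of the screenshot caveat in the accepted solution: with no VPN exclusion the default route sends the flow into the tunnel, so the S2S policy runs and the cloud firewall gets the final say; once the prefix is excluded from the tunnel the flow leaves the WAN port and only the MX > Firewall policy is ever consulted. A practitioner checking a real deployment would verify the same two facts first (which interface the route table selects for the destination, and whether that destination is on the VPN exclusion list) before looking at rule contents.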
