We have 2 firewalls (1 SonicWall and 1 MX Meraki) and we have tried configuring port forwarding rules for some of our web servers on each firewall. However, the port forwarding rules on the Meraki MX do not work, but they do work on the SonicWall.
I'm wondering how the traffic will know which firewall to go through to reach the destination web server?
https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX
I don't quite understand, do you have two firewalls one behind the other? So you're double NATing, or have I misread?
Port forwarding is very simple and I have found it just works. I've found port forwarding on SonicWall more difficult unless you use the wizard.
They will both respond with their own MAC address to the ARP query for the public IP address. It is likely to result in things breaking.
I'm with @BlakeRichardson on this one. Port forwarding on the MXs simply works. We've not long replaced a customer's firewall infrastructure from SonicWall to Meraki with no issues.
Sorry no, not one behind the other. They are parallel to each other.
I'm not saying port forwarding does not work on Meraki; however, in this scenario could there be any issues?
Are both firewalls using their own IP addresses for the port forwarding? You cannot forward ports of the same IP on different devices.
I may be wrong, but I think @hmc250000 has the SonicWall and MX in parallel. I'm guessing you have public IP x.y.z.1 assigned to the SonicWall and x.y.z.2 assigned to the MX; no problem with this.
If the LAN side of each firewall is completely different then you should be able to port forward on both firewalls to separate subnets internally.
However, I believe you have both connected to the same LAN and the SonicWall's LAN interface is the default gateway, which means everything works there. The MX's LAN interface is in the same internal subnet, so inbound packets will get to your internal devices, but the return packets will come out through the SonicWall, leading to them being dropped (as they don't correspond to an incoming connection on that device).
If you want to have both, I think you have to separate out the LANs, unless someone else knows a better solution...?
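The asymmetric-return problem described in the post above, as an added worked model that is not from any poster in this thread and uses no Meraki or SonicWall API. It is a deliberately small Python simulation: each firewall keeps a session table that is populated only by its own DNAT port-forward rule, and a LAN server always sends its reply to its default gateway. All addresses are constructed (RFC 5737 documentation ranges on the WAN side, RFC 1918 on the LAN side), and the firewall names and the `simulate()` helper are assumptions made for the illustration.

```python
"""Two stateful firewalls in parallel: shared LAN vs. separate LANs (constructed model)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulFirewall:
    """Minimal stateful firewall: DNAT port-forward rules plus a session table."""
    name: str
    forwards: Dict[Endpoint, Endpoint]  # (public ip, port) -> (lan ip, port)
    sessions: Set[Tuple[Endpoint, Endpoint]] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN. Only a matching forward rule opens a new session."""
        target = self.forwards.get((pkt.dst, pkt.dport))
        if target is None:
            self.log.append(f"{self.name}: dropped inbound {pkt} (no forward rule)")
            return None
        self.sessions.add(((pkt.src, pkt.sport), target))
        return Packet(pkt.src, pkt.sport, target[0], target[1])  # DNAT applied

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> Internet. A reply passes only if THIS box tracked the session."""
        key = ((pkt.dst, pkt.dport), (pkt.src, pkt.sport))
        if key not in self.sessions:
            self.log.append(f"{self.name}: dropped outbound {pkt} (no matching session)")
            return None
        public = next(p for p, t in self.forwards.items() if t == (pkt.src, pkt.sport))
        return Packet(public[0], public[1], pkt.dst, pkt.dport)  # DNAT reversed


def simulate(separate_lans: bool) -> Dict[str, bool]:
    """Send one HTTPS request through each firewall; report whether the reply got out.

    separate_lans=False: both servers sit on one LAN whose default gateway is the
    SonicWall, so the MX-forwarded server's reply leaves via the SonicWall.
    separate_lans=True: the MX-forwarded server is on its own LAN behind the MX.
    """
    mx_server = "192.168.20.60" if separate_lans else "192.168.10.60"
    sonicwall = StatefulFirewall("SonicWall", {("203.0.113.1", 443): ("192.168.10.50", 443)})
    mx = StatefulFirewall("MX", {("203.0.113.2", 443): (mx_server, 443)})
    # Default gateway each server uses for its return traffic (constructed topology).
    gateway = {"192.168.10.50": sonicwall, mx_server: mx if separate_lans else sonicwall}

    results: Dict[str, bool] = {}
    for fw, public_ip in ((sonicwall, "203.0.113.1"), (mx, "203.0.113.2")):
        request = Packet("198.51.100.7", 51000, public_ip, 443)  # constructed client
        delivered = fw.inbound(request)
        assert delivered is not None  # a forward rule exists on both boxes
        reply = Packet(delivered.dst, delivered.dport, delivered.src, delivered.sport)
        results[fw.name] = gateway[delivered.dst].outbound(reply) is not None
    for fw in (sonicwall, mx):
        for line in fw.log:
            print(line)
    return results


if __name__ == "__main__":
    print("shared LAN:   ", simulate(separate_lans=False))
    print("separate LANs:", simulate(separate_lans=True))
```

With a shared LAN the MX admits the request and DNATs it correctly, yet the server's reply reaches the Internet via the SonicWall, whose session table never saw the inbound connection, so it is dropped; putting the MX-forwarded server on a LAN whose default gateway is the MX makes both paths symmetric and both forwards succeed.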
Yes, it is working fine on the SonicWall, however. And FYI, it is because of the limitations of the site-to-site VPNs between Meraki and non-Meraki peers that we still have the SonicWall on our network.
Aren't the Meraki MXs doing stateful inspection? I believe that keeps track of incoming and outgoing sessions, something like that.