Best Practice? Implicit Deny

Daniel24
Here to help

I have just recently switched over to MXs for firewalls. I assume, like most firewalls, it's recommended to have an implicit deny as your last firewall rule? Trying to plan for any unplanned impact: would this impact any connectivity of Meraki switches, APs, cameras etc. to the cloud?

5 Replies
RWelch
Head in the Cloud

[Screenshot: Deny.png]

By default, the rule already exists.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
RWelch
Head in the Cloud

MX Firewall Settings 

Using Layer 3 Firewall Rules 

Creating a Layer 7 Firewall Rule 

DarrenOC
Kind of a big deal

That’s the implicit deny inbound rule.

By default, outbound everything is allowed.

I would suggest that you configure your outbound rules as required with a final Deny Any Any at the end.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Mloraditch
Head in the Cloud

If you want a deny any any on your outbound rules, you would have to program rules allowing your Meraki devices to connect before that deny.

This is the documentation for that: https://documentation.meraki.com/General_Administration/Other_Topics/Upstream_Firewall_Rules_for_Clo...

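To illustrate the ordering point above, here is an added example (not from the thread and not Meraki code) that models first-match evaluation of an MX-style Layer 3 outbound rule list and checks whether a final Deny Any Any would cut off downstream Meraki devices. The address ranges, VLANs and port are constructed placeholders, not the real cloud destinations, which are listed in the document linked above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholder values; the real Meraki cloud destinations and ports
# come from the "Upstream Firewall Rules for Cloud Connectivity" document.
DASHBOARD_NET = "203.0.113.0/24"   # placeholder for the Meraki cloud ranges
MGMT_VLAN = "10.0.10.0/24"         # constructed VLAN holding switches/APs/cameras
CLIENT_VLAN = "10.0.20.0/24"       # constructed user VLAN

@dataclass(frozen=True)
class Rule:
    policy: str       # "allow" or "deny"
    protocol: str     # "tcp", "udp" or "any"
    src: str          # CIDR or "any"
    dst: str          # CIDR or "any"
    dst_port: str     # port number or "any"
    comment: str = ""

def _cidr_match(cidr, addr):
    return cidr == "any" or ip_address(addr) in ip_network(cidr)

def matches(rule, proto, src, dst, dport):
    return (rule.protocol in ("any", proto)
            and _cidr_match(rule.src, src)
            and _cidr_match(rule.dst, dst)
            and rule.dst_port in ("any", str(dport)))

def decide(rules, proto, src, dst, dport, default="allow"):
    """First match wins; with no matching rule the MX allows outbound traffic."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.policy
    return default

DENY_ALL = Rule("deny", "any", "any", "any", "any", "final Deny Any Any")

# Rule list with only the final deny: downstream devices lose the cloud.
deny_only = [DENY_ALL]

# Corrected list: the allow for the management VLAN sits before the deny.
corrected = [
    Rule("allow", "tcp", MGMT_VLAN, DASHBOARD_NET, "443", "devices to cloud (placeholder port)"),
    DENY_ALL,
]

def device_to_cloud(rules):
    return decide(rules, "tcp", "10.0.10.5", "203.0.113.10", 443)

def client_to_internet(rules):
    return decide(rules, "tcp", "10.0.20.7", "198.51.100.9", 80)
```

Running `device_to_cloud` against `deny_only` and `corrected` shows the difference the ordering makes; an empty rule list reproduces the default allow-all outbound behaviour.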
GreenMan
Meraki Employee

Absolutely correct for anything downstream of the MX: Meraki switches, access points, cameras etc. In my experience the MX will permit anything that it relies on itself, by way of comms with Dashboard resources.

As pointed out by others, by default all traffic is permitted between VLANs by the MX and from inside VLANs outbound towards the Internet.

Note that if you're using VPN / SD-WAN, the firewall rules that affect in-tunnel outbound traffic are controlled under the Org-wide element of the Security & SD-WAN > Site-to-site VPN configuration. By default all traffic within these tunnels is permitted, for VLANs which are VPN-enabled.
