Meraki

Community

Best practice for firewall rules

Solved
TLO3346
Getting noticed
‎Mar 16 2021 9:22 AM
‎Mar 16 2021 9:22 AM

Best practice for firewall rules

If you don't want a vlan to communicate with another VLAN on a site, is it best practice to put the firewall rule in the site firewall or within a group policy and apply that policy on the vlan?

0 Kudos
1 Accepted Solution
KarstenI
Kind of a big deal
Kind of a big deal
‎Mar 16 2021 10:15 AM
‎Mar 16 2021 10:15 AM

I would use the rules on the Firewall-page of the MX. These rule work statefully any return-traffic is automatically allowed. Just remember to also configure your VPN-rules if a VLAN should also be not allowed to communicate through the VPN.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

View solution in original post

2 Replies 2
KarstenI
Kind of a big deal
Kind of a big deal
‎Mar 16 2021 10:15 AM
‎Mar 16 2021 10:15 AM

I would use the rules on the Firewall-page of the MX. These rule work statefully any return-traffic is automatically allowed. Just remember to also configure your VPN-rules if a VLAN should also be not allowed to communicate through the VPN.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Mar 16 2021 11:44 AM
‎Mar 16 2021 11:44 AM

Also get a second person to try and "break" or "Bypass" what you have done so that you get confirmation that what you want to achieve is actually happening.  A second pair of eyes is always very useful with this kind of thing. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.