Better to combine multiple firewall rules in one rule, or make them all separate?

Announcer
Getting noticed


If I have 2 subnets that need port 80 and 5000 open to subnet 3, is it better to create one firewall rule for each or combine them?

allow--TCP, subnet 1, subnet 2, source port any, destination subnet 3, destination port 80, 5000.


OR


allow--TCP, subnet 1, source port any, destination subnet 3, destination port 80.

allow--TCP, subnet 1, source port any, destination subnet 3, destination port 5000.

allow--TCP, subnet 2, source port any, destination subnet 3, destination port 80.

allow--TCP, subnet 2, source port any, destination subnet 3, destination port 5000.


Does it make a difference to Meraki or to processing speed?

Thanks!

alemabrahao
Kind of a big deal

I wouldn't say for processing reasons, but I personally (when possible) prefer to create a single rule if the objective is the same; this makes the configuration much clearer.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Badr-eddine
Getting noticed

Hello,


Regarding your query, here's a breakdown:


  • Option 1 is recommended if your priority is simplicity and your use case is straightforward; it provides a more streamlined approach with fewer rules.
  • Option 2 is recommended if you require more granular control over different subnets and ports, or if your security policy necessitates distinct treatment for each combination. It allows for a more detailed and specific rule set tailored to specific scenarios.


The optimal choice depends on the specific security policies and requirements of your network. Please let me know if this information addresses your question.

PhilipDAth
Kind of a big deal

I do both.


The benefit of option 1 is the firewall rule base in the GUI is more concise.


The benefit of option 2 is you can see the individual rule hits to see if traffic is flowing.
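To make the trade-off in the original question and in the reply above concrete, here is an added example (not code from this thread or from Meraki): it models option 1 as one combined rule, expands it into the four atomic rules of option 2, checks that both rule sets give the same allow/deny verdict for every sample flow, and shows that only option 2's per-rule hit counters reveal which subnet/port combination is not carrying traffic. The subnet addresses and flows are constructed placeholders.

```python
import ipaddress

# Constructed sample networks standing in for the thread's subnet 1, 2 and 3 (hypothetical)
SUBNET1 = ipaddress.ip_network("10.1.0.0/24")
SUBNET2 = ipaddress.ip_network("10.2.0.0/24")
SUBNET3 = ipaddress.ip_network("10.3.0.0/24")

def rule(name, srcs, dsts, dports, proto="tcp"):
    """A firewall rule: protocol, source networks, destination networks, destination ports."""
    return {"name": name, "proto": proto, "src": list(srcs), "dst": list(dsts), "dports": set(dports)}

# Option 1 from the original post: one combined rule covering both subnets and both ports
OPTION1 = [rule("web+app", [SUBNET1, SUBNET2], [SUBNET3], [80, 5000])]

def expand(rules):
    """Split combined rules into one atomic rule per (source, destination, port).
    Applied to OPTION1 this produces exactly the four rules of option 2."""
    out = []
    for r in rules:
        for s in r["src"]:
            for d in r["dst"]:
                for p in sorted(r["dports"]):
                    out.append(rule(f"{r['name']}:{s}->{d}:{p}", [s], [d], [p], r["proto"]))
    return out

OPTION2 = expand(OPTION1)

def matches(r, flow):
    proto, src, dst, dport = flow
    return (r["proto"] == proto and dport in r["dports"]
            and any(ipaddress.ip_address(src) in n for n in r["src"])
            and any(ipaddress.ip_address(dst) in n for n in r["dst"]))

def evaluate(rules, flows):
    """First-match evaluation with implicit deny; returns per-flow verdicts and per-rule hit counts."""
    verdicts, hits = [], {r["name"]: 0 for r in rules}
    for f in flows:
        hit = next((r for r in rules if matches(r, f)), None)
        verdicts.append(hit is not None)
        if hit is not None:
            hits[hit["name"]] += 1
    return verdicts, hits

# Constructed sample flows: (protocol, source IP, destination IP, destination port)
FLOWS = [
    ("tcp", "10.1.0.10", "10.3.0.5", 80),
    ("tcp", "10.1.0.10", "10.3.0.5", 5000),
    ("tcp", "10.2.0.7", "10.3.0.5", 80),
    ("tcp", "10.2.0.7", "10.3.0.5", 443),  # port not permitted by either option
    ("udp", "10.1.0.10", "10.3.0.5", 80),  # wrong protocol, denied by both
]
```

With these flows both options allow the first three and deny the last two, but only the expanded rule set shows that the subnet 2 to port 5000 rule has zero hits.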

BlakeRichardson
Kind of a big deal

Option 2 for me; as mentioned by Philip, it makes logs much easier and quicker to read.

Announcer
Getting noticed

Thank you all for the input. I imagine option 2 would make the list in the firewall quite large, but maybe easier to manage and decipher.
