Block a port on WAN IP address on the MX in the firewall?

Kyojuro
Here to help

Block a port on WAN IP address on the MX in the firewall?

Is there anyway to block a port for the WAN IP address on the MX in the firewall?

Do I just put it in the layer 3? But isn't layer 3 only for LAN rules?

Can I put in layer 7?

 

Thank you. 

 

 

7 Replies 7
ww
Kind of a big deal
Kind of a big deal

What traffic you want to block? Where is it originating from?

The only traffic generated by the mx itself is management tunnel traffic. Or traffic related to options like ips, content filter updates etc

Kyojuro
Here to help

I need to block port 500 from all external IPs to the WAN IP address of the MX. 

ww
Kind of a big deal
Kind of a big deal

The mx wont allow any traffic in originating from external  ip's .

If you want to drop it before reaching the mx ip, then another device needs to do that

RaphaelL
Kind of a big deal
Kind of a big deal

Or this : https://community.meraki.com/t5/Security-SD-WAN/Meraki-MX-Inbound-Firewall-Rules/m-p/84204 ?  If I'm understanding this issue correctly

PhilipDAth
Kind of a big deal
Kind of a big deal

As long as you don't have client VPN enabled or any non-Meraki VPNs configured, it will be blocked by default.

 

You don't need to do anything further to achieve this.

BlakeRichardson
Kind of a big deal
Kind of a big deal

By default all incoming traffic to most not just Meraki firewalls is blocked by default. I have yet to see any vendor allow any WAN > LAN traffic by default. 

 

If you want to block port 500 outbound then simply create a rule doing so Security & SD-WAN > Configure > Firewall

 

Screen Shot 2022-01-21 at 7.50.56 AM.png

Inderdeep
Kind of a big deal
Kind of a big deal

Every vendor is taking this way to block by default until unless you put the allow rule in place !

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels