Block a port on WAN IP address on the MX in the firewall?

Kyojuro
Conversationalist

Is there any way to block a port for the WAN IP address on the MX in the firewall?

Do I just put it in the layer 3? But isn't layer 3 only for LAN rules?

Can I put it in layer 7?

Thank you.

7 REPLIES
ww
Kind of a big deal

What traffic do you want to block? Where is it originating from?

The only traffic generated by the MX itself is management tunnel traffic, or traffic related to options like IPS, content filter updates, etc.

Kyojuro
Conversationalist

I need to block port 500 from all external IPs to the WAN IP address of the MX. 

ww
Kind of a big deal

The MX won't allow any traffic in originating from external IPs.

If you want to drop it before reaching the MX IP, then another device needs to do that.

RaphaelL
Head in the Cloud

Or this: https://community.meraki.com/t5/Security-SD-WAN/Meraki-MX-Inbound-Firewall-Rules/m-p/84204 ? If I'm understanding this issue correctly.

PhilipDAth
Kind of a big deal

As long as you don't have client VPN enabled or any non-Meraki VPNs configured, it will be blocked by default.

You don't need to do anything further to achieve this.

BlakeRichardson
Kind of a big deal

By default, all incoming traffic to most firewalls, not just Meraki, is blocked. I have yet to see any vendor allow any WAN > LAN traffic by default.

If you want to block port 500 outbound, then simply create a rule doing so under Security & SD-WAN > Configure > Firewall.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Inderdeep
Kind of a big deal

Every vendor takes this approach of blocking by default unless you put the allow rule in place!

Regards
Inderdeep Singh
www.thenetworkdna.com (Awarded by Cisco IT Blogs award 2020)