Client Policy / Access

mhadley
Just browsing

Client Policy / Access

Hello All

I have a Z3 in hand for testing and working out the details for a larger work from home device roll out. What I would like to accomplish is whitelisting devices we provide employees and block access to other all other devices users might try to connect to their Z3. In an attempt to accomplish this I added a L3 firewall rule to the Z3's firewall settings to deny any any traffic outbound. In testing I connected a client to the Z3 with it receiving the "normal" client policy and I was still able to join the device and move around other subnet's on our LAN and reach the internet. Any ideas why this client is still getting access? Thanks

2 REPLIES 2
Seshu
Meraki Employee
Meraki Employee

Hello @mhadley 

 

Assuming that you have the Z3 configured for VPN full tunnel to one of your Hub MXs, the traffic from the Users would not be hitting L3 firewall rules on the MX as it will traverse VPN due to full tunnel. That is probably why the users are able to access other IPs on your LAN. For traffic across VPN, go ahead and configure the Outbound VPN Firewall rules in the Security & SD WAN -> Site to Site VPN page. Please configure the rules keeping in mind that the S2S VPN rules are applicable Organization Wide. So, please configure the Deny for specific Source subnets inorder to avoid any unexpected issues. 

 

Please let me know if you have any further questions. I will be glad to assist you.

 

Regards,

Meraki Team

 

Thank you Seshu for the information. You are correct the device is configured in full tunnel mode so it makes sense that its not crossing the firewall. I had the traffic flow visualized incorrectly, thinking all traffic would cross the L3 firewall. I was trying to find a way to lock down the LAN ports without having to configure 802.1x authentication. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels