Feature request - Extend functionality and support for L7 application firewalling

ga123456
Here to help

Are there any plans to improve the L7 firewalling functionality at all? For context, I've got a few customers that prefer having implicit denies and only allowing certain traffic, e.g. SASE client and then some local-breakout services such as MS Teams etc.

Having the flexibility to do something similar to the L3 firewalling ruleset, where you can either accept/deny traffic rather than just deny, as well as filter based on source, similar to the FTDs and other FW vendors.

The source-based filtering is partly possible via group policies; however, it's still deny-only, and the L3 firewalling under group policy is very limited (no object support), so then you've got your L3 policies under the general MX Firewall policy and L7 policies under group policy, which is pretty inconvenient from a support/network management perspective.

Also having access to the full NBAR pack would be beneficial. Protocol Pack 59.0.0 - Protocols: 0-9, A [Support] - Cisco.

Being able to have full application control similar to Fortinet's ISDB and Palo Alto's App-ID functionality. Even with the API it is a pain to manage currently using L3 firewalling policies, as we have to create hundreds of policy objects and policy groups for the different FQDNs and subnets, which are subject to change.

6 Replies
Tony-Sydney-AU
Meraki Employee All-Star

Hi @ga123456,

Thanks for bringing this up. You raised very good points, and MX could definitely offer these functionalities.

I believe we can get these new features available faster if we make a separate feature request (FR) per item using the Give your Feedback button.

To that end, I propose we follow the template below for each FR when doing this feature request. Doing this would improve the chances of moving your FR ahead.

  • FR-1

Feature Request Title: Implicit DENY in L7 rules

Use-Case detail: Current L7 rules have an implicit ALLOW, i.e. if you don't add a deny, then it's allowed ("Deny" based). It would be useful to have the ability to create "Allow" (Accept) rules for specific L7 applications while maintaining an Implicit Deny at the end of the ruleset. This allows for a "Whitelisting" security posture (e.g., block everything except MS Teams and SASE traffic).

  • FR-2

Feature Request Title: Unified Policy Management & Source-Based Filtering

Use-Case detail: Currently, source-based filtering is split between General Firewall policies (L3) and Group Policies (L7), which is cumbersome to manage. It would be a better UX if we integrated source-based filtering directly into the L7 ruleset. This would allow administrators to define who (source IP/User) can access what (L7 Application) in a single, unified policy view rather than jumping between different menus.

  • FR-3

Feature Request Title: Object-Based Management

Use-Case detail: At this stage, we lack object support in Group Policies, which forces us to manually enter FQDNs and subnets. It would be better to support Network Objects and Groups; instead of manually updating hundreds of IPs/FQDNs, the user wants to update one "Object" that automatically updates all associated firewall rules.

  • FR-4

Feature Request Title: Deep Packet Inspection (NBAR) Integration

Use-Case detail: Full access to the Cisco NBAR (Network Based Application Recognition) Protocol Packs (specifically Protocol Pack 59.0.0 - Protocols: 0-9, A [Support] - Cisco). This would provide much more granular application identification than what is currently available.

  • FR-5

Feature Request Title: Automated FQDN/Service Handling

Use-Case detail: A feature similar to "Dynamic Objects" or "Service Tags" (like Fortinet's ISDB). The firewall should automatically stay updated with the changing IP ranges and FQDNs of common cloud services (like Microsoft 365 or AWS) so the admin doesn't have to manage them via the API or manual L3 rules.

These are all really good FRs you proposed. Hope all of them become available.

Feel free to post anytime if you have further FRs or maybe questions / concerns.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
ga123456
Here to help

Thanks Tony, I have submitted these via the Give your feedback button. My only issue with that button is that you don't really get any sort of acknowledgement (request/ticket #) to track if the feedback has been received and reviewed. 

Hosting something here on the Community page would be great, somewhere where we can all see feature requests and if it's something someone has already requested we could give Kudos rather than doubling up on sending feedback/requests. This would also help Meraki prioritise requests based on Kudos/demand for those features. 

GIdenJoe
Kind of a big deal

For me the most annoying thing is that, due to the setup to make everything too "simple", we have too many hard-coupled configurations.

It would be so handy to be able to attach L7 rules to individual L3/4 rules instead of always applying them globally. The best example of this is if you want to block some countries like China, but then some electrician comes with a few cameras that just have to be able to talk to Chinese IPs to work. Then you have to open bidirectional communication to China for EVERYTHING.

Similar problem in the IPsec VPN configuration, where local networks are tied to the AutoVPN local networks, which shouldn't be the same.

TyShawn
Head in the Cloud

I agree with the request, and it feels like people that work on an FMC/FTD are asking for that level of control. TBH, I do miss having it when I work in Meraki.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
CharlenaLois
New here

The Layer 7 firewall is useful, but its block-only model makes it difficult to create clear and secure policies. Having allow and block actions, as with Layer 3 rules, would offer much more precise control. Source-based filtering at Layer 7 would also simplify the design, avoiding scattering the logic between group policies and global rules. Managing Layer 3 and Layer 7 rules in different places is undeniably complex from an operational point of view. Broader NBAR coverage and true application awareness would be very beneficial. Currently, the system works, but it seems limited compared to other enterprise firewalls.

Tony-Sydney-AU
Meraki Employee All-Star

Hello @CharlenaLois, I apologize because I don't speak French. We don't have a French section in our community at the moment. Therefore, I proactively translated and added your comment here. Doing this would allow more people to benefit from your insight.

By the way, very good points. Please share your thoughts using the Give your Feedback button in your dashboard.

Everyone can make a feature request by going to the bottom right-hand corner of your Meraki Dashboard and sending the request through the "Give Feedback" button.

Once you have sent your Feature Request using the "Give Feedback" bubble, our Internal Team will process your suggestion and eventually you'll have your feature in the future. Please note that there will be no estimated time to implement such a feature.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.