Feature request - Extend functionality and support for L7 application firewalling

ga123456
Here to help

Are there any plans to improve the L7 firewalling functionality at all? For context, I've got a few customers that prefer having implicit denies and only allowing certain traffic, e.g. the SASE client and then some local-breakout services such as MS Teams etc.

Having the flexibility to do something similar to the L3 firewalling ruleset, where you can either accept/deny traffic rather than just deny, as well as filter based on source, similar to the FTDs and other FW vendors.

The source-based filtering is partly possible via group policies; however, it's still deny-only and the L3 firewalling under group policy is very limited (no object support), so then you've got your L3 policies under the general MX Firewall policy and L7 policies under group policy, which is pretty inconvenient from a support/network management perspective.

Also, having access to the full NBAR pack would be beneficial. Protocol Pack 59.0.0 - Protocols: 0-9, A [Support] - Cisco.

Being able to have full application control similar to Fortinet's ISDB and Palo Alto's App-ID functionality. Even with the API it is a pain to manage currently using L3 firewalling policies, as we have to create hundreds of policy objects and policy groups for the different FQDNs and subnets, which are subject to change.

 

 

Tony-Sydney-AU
Meraki Employee All-Star

Hi @ga123456 ,

 

Thanks for bringing this up. You raised very good points and MX could definitely offer these functionalities.

 

I believe we can get these new features available faster if we make a separate feature request (FR) per item using the Give your Feedback button.

 

To that end, I propose we follow the template below for each FR when submitting the feature request. Doing this would improve the chances of moving your FR ahead.

 

  • FR-1

Feature Request Title: Implicit DENY in L7 rules

Use-Case detail: Current L7 rules have an implicit ALLOW, i.e. if you don't add a deny, then it's allowed ("Deny"-based). It would be useful to have the ability to create "Allow" (Accept) rules for specific L7 applications while maintaining an Implicit Deny at the end of the ruleset. This allows for a "Whitelisting" security posture (e.g., block everything except MS Teams and SASE traffic).

 

  • FR-2

Feature Request Title: Unified Policy Management & Source-Based Filtering

Use-Case detail: Currently, source-based filtering is split between General Firewall policies (L3) and Group Policies (L7), which is cumbersome to manage. It would be a better UX if we integrated source-based filtering directly into the L7 ruleset. This would allow administrators to define who (source IP/User) can access what (L7 Application) in a single, unified policy view rather than jumping between different menus.

 

  • FR-3

Feature Request Title: Object-Based Management

Use-Case detail: At this stage, we lack object support in Group Policies, which forces us to manually enter FQDNs and subnets. It would be better to support Network Objects and Groups in a single place. Instead of manually updating hundreds of IPs/FQDNs, the user wants to update one "Object" that automatically updates all associated firewall rules.

 

  • FR-4

Feature Request Title: Deep Packet Inspection (NBAR) Integration

Use-Case detail: Full access to the Cisco NBAR (Network Based Application Recognition) Protocol Packs (specifically Protocol Pack 59.0.0 - Protocols: 0-9, A [Support] - Cisco). This would provide much more granular application identification than what is currently available.

 

  • FR-5

Feature Request Title: Automated FQDN/Service Handling

Use-Case detail: A feature similar to "Dynamic Objects" or "Service Tags" (like Fortinet’s ISDB). The firewall should automatically stay updated with the changing IP ranges and FQDNs of common cloud services (like Microsoft 365 or AWS) so the admin doesn't have to manage them via the API or manual L3 rules.

 


These are all really good FRs you proposed. Hope all of them become available.

 

Feel free to post anytime if you have further FR or maybe questions / concerns.

 

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
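To make the difference between FR-1 (implicit deny) and FR-3 (object-based rules) concrete, here is an added toy model of an L7 ruleset; it is constructed for this thread, not Meraki's evaluator, and the object names, application names and source groups in it are made up.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed toy model of an L7 ruleset (assumption: not the MX implementation).
Objects = Dict[str, Set[str]]   # named object -> set of app names or source groups

@dataclass
class Rule:
    action: str                          # "allow" or "deny"
    app_object: str                      # name of an application object
    source_object: Optional[str] = None  # None matches any source

@dataclass
class Policy:
    rules: List[Rule]
    default_action: str                  # implicit action when no rule matches

def evaluate(policy: Policy, objects: Objects, app: str, source: str) -> str:
    """Walk the rules top-down; objects are resolved at evaluation time (FR-3)."""
    for rule in policy.rules:
        app_hit = app in objects[rule.app_object]
        src_hit = rule.source_object is None or source in objects[rule.source_object]
        if app_hit and src_hit:
            return rule.action
    return policy.default_action         # FR-1: the implicit action decides here

# Constructed sample objects; editing one object changes every rule that references it.
OBJECTS: Objects = {
    "p2p": {"bittorrent"},
    "collab": {"ms-teams", "sase-client"},
    "branch-users": {"lan-10.0.1.0/24"},
}
# Today's behaviour as described in the thread: deny rules only, implicit allow.
DENY_BASED = Policy([Rule("deny", "p2p")], default_action="allow")
# FR-1: allow rules for specific apps/sources with an implicit deny at the end.
ALLOW_LIST = Policy([Rule("allow", "collab", "branch-users")], default_action="deny")

def compare(app: str, source: str = "lan-10.0.1.0/24"):
    """Return (deny-based verdict, allow-list verdict) for one flow."""
    return (evaluate(DENY_BASED, OBJECTS, app, source),
            evaluate(ALLOW_LIST, OBJECTS, app, source))

def add_app_to_object(objects: Objects, name: str, app: str) -> None:
    objects[name].add(app)   # FR-3: one edit, picked up by all referencing rules

if __name__ == "__main__":
    print(compare("ms-teams"))      # ('allow', 'allow')
    print(compare("unknown-app"))   # ('allow', 'deny'): deny-based fails open
    add_app_to_object(OBJECTS, "collab", "zoom")
    print(compare("zoom"))          # ('allow', 'allow') after the object update
```

The unknown-app case is the point of FR-1: with an implicit allow, any application not on the deny list passes, whereas the allow-list posture only passes what is explicitly listed.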