Firewall Rule Override

I have a customer wanting to change their SonicWall out for an MX250. The problem I see is that their SonicWall is based on zones, so some of the rules on the SonicWall do not have those subnets present on the firewall. When moving to the MX250, if the subnet doesn't exist on the MX then I cannot add that rule. In some of these cases there are physically no more addresses in the small subnet that I can use to add anything on the MX.


At the end of the MX firewall rules I add my DENY ANY ANY, and this is where my question comes in. If I did a port forwarding or a 1:1 NAT, will those override and pass through the firewall even if those subnets do not match my firewall list, or will they still be caught in the DENY ANY ANY rule?


Huh? You can put any IP address or subnet in a firewall rule, whether it exists on the MX or not.

When trying to add the rules for subnets that do not exist on the MX250 I get the error:

There were errors in saving this configuration:

  • The IP address range x.x.x.x does not apply to any configured local or VPN subnets.


Can you post a screenshot of what you are trying to do?
