Meraki

Community

Firewall rules deleted when VPN subnet changes

Solved
LontzroV
Here to help
‎Dec 8 2023 9:57 AM
‎Dec 8 2023 9:57 AM

Firewall rules deleted when VPN subnet changes

Hey guys,

I'm having a hard time wrapping my mind around this one. I changed the VPN subnet for one of our sites, after which I got a pop-up banner at the top of the dashboard saying: "The settings you requested require confirmation. Please review the following list: * 1 firewall rule will be removed because they longer contain any valid entries." This is weird because the VPN subnet is not referenced in any of the firewall rules. I opted to confirm the changes, assuming since there are no rules specific to this subnet, there wouldn't be any changes. Boy was I wrong. The dashboard flatout deleted a firewall rule and the whole site was cut off from the internet until I was noticed what had happened. I can reproduce this behaviour consistently. Can somebody explain this to me? Why can't I change the VPN subnet without the dashboard deleting an unrelated firewall rule? I'm a bit concerned about this behaviour.

0 Kudos
1 Accepted Solution
In response to LontzroV
ww
Kind of a big deal
Kind of a big deal
‎Dec 9 2023 1:00 AM
‎Dec 9 2023 1:00 AM

Meraki mx cant have a subnet/supernet in the L3 firewall source field that is not configured(matching) any subnet on the mx lan.

 

It would definitely be better if the made it only removes the subnet from the rules when combined with other subnets

View solution in original post

6 Replies 6
alemabrahao
Kind of a big deal
Kind of a big deal
‎Dec 8 2023 10:29 AM
‎Dec 8 2023 10:29 AM

Are you sure there is no related rule? Can you confirm this and share it here?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Brash
Kind of a big deal
Kind of a big deal
‎Dec 8 2023 11:38 AM
‎Dec 8 2023 11:38 AM

I'd raise a support case for this, especially if it's known reproducible steps. It sounds like you're either missing something or there's some buggy behavior going on.

0 Kudos
LontzroV
Here to help
‎Dec 8 2023 2:15 PM
‎Dec 8 2023 2:15 PM

Ok, I may have to eat some humble pie here. I'm back to experimenting with this, but now I only get the above message when there is indeed a rule that references the VPN subnet. Either that suddenly changed or the subnet was indeed referenced in a rule and I repeatedly didn't catch it. However, there is still a lingering issue for me here. Consider this firewall rule: 

LontzroV_0-1702072833930.png

The rule includes the VPN subnet in the list of sources but alongside another network. If I change the VPN subnet, I get the "firewall rule will be removed message", and if I follow through, this rule is deleted. It does not delete the subnet from the rule or update it - it just bins the whole rule. I tried defining the VPN subnet as a CIDR entry as well as via GPO, but the result is the deletion of the firewall, rule even if the deletion wrecks connectivity for other subnets in the process. That seems poorly thought through to me unless I'm missing a piece of the logic here. Especially if the VPN subnet can't be changed without this consequence. Is this expected behaviour? (I know the workaround would be to skim through and pluck the VPN subnet from all firewall rules first and then change it, but this behaviour still doesn't seem like a good process. It doesn't even specify which firewall rule it is going to nix, which would be more helpful at least)

In response to LontzroV
ww
Kind of a big deal
Kind of a big deal
‎Dec 9 2023 1:00 AM
‎Dec 9 2023 1:00 AM

Meraki mx cant have a subnet/supernet in the L3 firewall source field that is not configured(matching) any subnet on the mx lan.

 

It would definitely be better if the made it only removes the subnet from the rules when combined with other subnets

In response to LontzroV
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 9 2023 10:15 AM
‎Dec 9 2023 10:15 AM

It does give you a big warning banner giving you a chance to locate and resolve the issue ...

0 Kudos
In response to PhilipDAth
LontzroV
Here to help
‎Dec 11 2023 8:25 AM
‎Dec 11 2023 8:25 AM

Yeah I get that banner, but it just says "1 firewall rule will be removed", but does not identify it. So am I warned that a firewall rule will be deleted? Sure. But it seems like this wasn't designed well. I presume everything is working as intended though, so I will close the thread. My final comments to Meraki:
1. If there's a warning, please be more specific in that warning (which firewall rule/s?, Source or Dest?, etc)
2. Additional to a more specific warning, it would be great if the dashboard could just edit the rule in question and take out the offending subnet.
Will also submit these thoughts through the dashboard. Thank you everyone!

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.