Firewall(s) order of operations.

SOLVED
Toby

I've tried looking at the documentation but I couldn't find anything regarding this.

The question is regarding how MX devices process firewall rules. There are two sections which can apply rules, under "Site-to-site VPN" and then under "Firewall".

I'm wondering about the order of operations in how traffic is subjected to the two different types of firewall rules.

As an example, take the following: a host residing behind a spoke in Meraki Auto VPN wants to access HTTPS on a host located on the hub network. As far as I gather, the VPN firewall rules will apply to the host traffic when it enters the VPN tunnel on the spoke. When the traffic arrives at the hub MX, will the "regular" firewall rules on the hub MX also be run against the traffic?

Or take another example: we have a host on the hub MX which wants to talk to another host behind a non-Meraki VPN peer. Will the "regular" firewall rules be run against the traffic first, followed by the VPN firewall rules?

1 ACCEPTED SOLUTION
jdsilva

@Toby wrote:

I've tried looking at the documentation but I couldn't find anything regarding this.

The question is regarding how MX devices process firewall rules. There are two sections which can apply rules, under "Site-to-site VPN" and then under "Firewall".

I'm wondering about the order of operations in how traffic is subjected to the two different types of firewall rules.

As an example, take the following: a host residing behind a spoke in Meraki Auto VPN wants to access HTTPS on a host located on the hub network. As far as I gather, the VPN firewall rules will apply to the host traffic when it enters the VPN tunnel on the spoke. When the traffic arrives at the hub MX, will the "regular" firewall rules on the hub MX also be run against the traffic?

The VPN rules will be applied at the spoke, as the traffic is VPN traffic. The L3 rules at the hub will not be applied because 1) the traffic is "inbound" and those rules only apply to "outbound" traffic, and 2) the MX doesn't support inbound filtering of VPN traffic whatsoever, so not even the inbound VPN section will be applied (unfixed UI bug).

Or take another example: we have a host on the hub MX which wants to talk to another host behind a non-Meraki VPN peer. Will the "regular" firewall rules be run against the traffic first, followed by the VPN firewall rules?

L3 firewall rules are never applied against VPN traffic.
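To make the evaluation order in the accepted answer concrete, here is a small added model (example code written for this page, not Meraki's implementation or anything from the original thread). It encodes the two statements above: at the MX where traffic leaves the LAN, VPN-bound flows are checked only against the site-to-site VPN rules and everything else only against the L3 outbound rules; on the receiving MX nothing is consulted, since L3 rules are outbound-only and inbound VPN traffic is not filtered. The rule format, first-match-wins semantics, the implicit final allow, and all addresses and configurations are constructed assumptions of the model. The scenarios mirror the two cases in the question and show why a deny meant to protect a hub host must live in the spoke's VPN firewall section, not in the hub's L3 rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    """One firewall rule, shaped like the dashboard tables (constructed format)."""
    policy: str    # "allow" or "deny"
    protocol: str  # "tcp", "udp" or "any"
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"
    dport: str     # destination port as a string, or "any"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    dport: int
    via_vpn: bool  # True when the destination is reached through Auto VPN or a non-Meraki peer


def _cidr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    proto_ok = rule.protocol == "any" or rule.protocol == flow.protocol
    port_ok = rule.dport == "any" or int(rule.dport) == flow.dport
    return (proto_ok and port_ok
            and _cidr_match(rule.src, flow.src_ip)
            and _cidr_match(rule.dst, flow.dst_ip))


def first_match(rules: List[Rule], flow: Flow, default: str = "allow") -> str:
    """Top-to-bottom first match; the implicit trailing allow is an assumption here."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.policy
    return default


def rulesets_consulted(flow: Flow, direction: str) -> List[str]:
    """Which tables this MX consults, per the accepted answer.

    outbound: VPN-bound flows hit only the VPN rules, other flows only the L3 rules.
    inbound:  nothing. L3 rules are outbound-only and inbound VPN traffic is not filtered.
    """
    if direction == "outbound":
        return ["vpn"] if flow.via_vpn else ["l3"]
    return []


def evaluate(config: Dict[str, List[Rule]], flow: Flow, direction: str) -> Dict[str, object]:
    consulted = rulesets_consulted(flow, direction)
    verdict = "allow"
    for name in consulted:
        verdict = first_match(config.get(name, []), flow)
        if verdict == "deny":
            break
    return {"rulesets": consulted, "verdict": verdict}


# Constructed sample networks: spoke LAN 10.20.0.0/16, hub LAN 10.10.0.0/16.
HUB_CONFIG = {
    "vpn": [],
    # Looks protective, but the hub never consults L3 rules for inbound VPN traffic.
    "l3": [Rule("deny", "tcp", "any", "10.10.0.0/16", "443")],
}
SPOKE_CONFIG_OPEN = {"vpn": [], "l3": []}
SPOKE_CONFIG_VPN_DENY = {
    "vpn": [Rule("deny", "tcp", "10.20.0.0/16", "10.10.0.0/16", "443")],
    "l3": [],
}
SPOKE_TO_HUB_HTTPS = Flow("10.20.0.10", "10.10.0.5", "tcp", 443, via_vpn=True)


def scenario_one() -> Dict[str, Dict[str, object]]:
    """Spoke host -> HTTPS on a hub host, evaluated at the spoke and then at the hub."""
    return {
        "spoke": evaluate(SPOKE_CONFIG_OPEN, SPOKE_TO_HUB_HTTPS, "outbound"),
        "hub": evaluate(HUB_CONFIG, SPOKE_TO_HUB_HTTPS, "inbound"),
        # The only place the block takes effect: the spoke's site-to-site VPN rules.
        "spoke_with_vpn_deny": evaluate(SPOKE_CONFIG_VPN_DENY, SPOKE_TO_HUB_HTTPS, "outbound"),
    }


def scenario_two() -> Dict[str, object]:
    """Hub host -> host behind a non-Meraki peer: only the hub's VPN rules are consulted."""
    flow = Flow("10.10.0.5", "192.168.50.20", "tcp", 22, via_vpn=True)
    hub_with_l3_deny_all = {"vpn": [], "l3": [Rule("deny", "any", "any", "any", "any")]}
    return evaluate(hub_with_l3_deny_all, flow, "outbound")


if __name__ == "__main__":
    print(scenario_one())
    print(scenario_two())
```

Running it shows the hub's L3 deny never fires for the spoke-originated HTTPS flow (`rulesets` is empty on the inbound pass), while the same deny placed in the spoke's VPN section blocks the flow before it enters the tunnel. In the second scenario even an L3 deny-all on the hub leaves the VPN-bound flow allowed, matching "L3 firewall rules are never applied against VPN traffic."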
