Group Policies (Getting them right!)

Ian_Wells
New here


I thought I knew how to create GP but it seems I was mistaken. 

 

I am trying to get my head around the process of each line. I am trying to create a policy that sits around our SQL servers; it needs to allow domain-related traffic, SQL traffic, MFA (out to the web) auth traffic and normal web traffic. I am clearly not following how the rules are applied, because as I add rules (like 1433 for SQL) things stop working!

 

I am after a simpleton's view on creating the policies (most don't mention source and destination). When I remove the deny-all rule it works, which means each of my list items doesn't do what I expect. Although I am applying this to a test at the moment, I am hoping to reuse the policy for each of the SQL servers (the requirements for now will be the same for each).

 

I thought the destination was the server it goes into, but that seems not to be the case; if I reverse it and say the source is 1433 then that doesn't work either!!!

 

Please guide me to a good document that makes things clear (a dummies guide) or any help would be gratefully received. 

 

Thanks Ian

alemabrahao
Kind of a big deal

Note: Layer 3 firewall rules are stateless when configured within Meraki Dashboard group policies. Group policy layer 3 firewall rules can be based on protocol, destination IP (or FQDN for MX and Z-series appliances), and port. You can specify a range of ports, such as "1024-400" in group policy layer 3 firewall rules. However, listing individual ports separated by commas, such as "80,443" is not supported.

 

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Using_Layer_3_Firewal...

 

 

You need to create two rules, one specifying port 1433 as the destination and the other as the source.

 

Ian_Wells
New here

Do you have to have it both ways for all ports (I have to open the DNS, LDAP, Kerberos etc. ports as well)?

 

[screenshot attached: Ian_Wells_0-1758804552234.png]

 

Can it be left one way?

PhilipDAth
Kind of a big deal

Note the bit in red by @alemabrahao. This is a major limitation of group policy firewall rules.

RaphaelL
Kind of a big deal

Where are you applying the GP? On the VLAN(s) of the MX? Through RADIUS with an MS?

Ian_Wells
New here

I am going to apply it directly to the server rather than to a VLAN etc.

RaphaelL
Kind of a big deal

So Network-wide -> Clients -> select your server(s) and apply the GP?

 

If so, the GP will be applied to outbound traffic.

 

The flow should be:

inbound: source IP, source port (1-65535), destination IP (your server), destination port 443 or whatever service

outbound: source IP (your server), source port 443, destination IP (the client), destination port 1-65535

 

That's why you probably don't need 2 rules per flow, unless I'm mistaken. 

 

 

Also, why are you not using the L3 firewall on the MX? The firewall is stateful and much easier to use versus group policies. Are the devices in the same VLAN?
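The two points raised above (alemabrahao's note that group-policy L3 rules are stateless, so port 1433 has to appear once as a destination and once as a source, and RaphaelL's point that a stateful firewall only needs the one rule) can be tried out in a small model. The code below is an added example, not part of this thread and not Meraki code: it is a toy first-match rule evaluator with a constructed SQL request and its reply, plus a minimal connection table to show what "stateful" buys you. The IP addresses, port numbers, first-match semantics and the implicit allow at the end of the list are assumptions made for illustration.

```python
"""Toy model (added example, not Meraki's implementation) of why a
stateless rule list with a trailing deny-all breaks SQL replies, and why
the same list works once the firewall tracks connections."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: str = "any"
    src_port: Optional[int] = None  # None means any source port
    dst_ip: str = "any"
    dst_port: Optional[int] = None  # None means any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and (self.src_port is None or self.src_port == p.src_port)
                and (self.dst_ip == "any" or self.dst_ip == p.dst_ip)
                and (self.dst_port is None or self.dst_port == p.dst_port))


def stateless_decision(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; packets matching nothing are allowed
    (assumed default, as a group policy list with no deny-all behaves)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "allow"


class StatefulFirewall:
    """Same rule list, but replies to an allowed connection are admitted
    without consulting the rules, which is what 'stateful' means here."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.table = set()  # 5-tuples of connections already allowed

    def decide(self, p: Packet) -> str:
        flow = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reverse = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if reverse in self.table:
            return "allow"  # reply to a connection we already permitted
        action = stateless_decision(self.rules, p)
        if action == "allow":
            self.table.add(flow)
        return action


# Constructed sample traffic: a client opens a SQL session to the server.
SERVER = "10.0.10.5"    # assumed SQL server address
CLIENT = "10.0.20.44"   # assumed client address
request = Packet(CLIENT, 51234, SERVER, 1433)   # client -> server
reply = Packet(SERVER, 1433, CLIENT, 51234)     # server -> client

# Rule list 1: only "destination port 1433" allowed, then deny everything.
one_rule = [Rule("allow", "tcp", dst_ip=SERVER, dst_port=1433),
            Rule("deny")]

# Rule list 2: the same, plus the "source port 1433" rule for the reply.
two_rules = [Rule("allow", "tcp", dst_ip=SERVER, dst_port=1433),
             Rule("allow", "tcp", src_port=1433),
             Rule("deny")]


def evaluate_exchange(rules: List[Rule], stateful: bool = False) -> Tuple[str, str]:
    """Return (decision for the request, decision for the reply)."""
    if stateful:
        fw = StatefulFirewall(rules)
        return fw.decide(request), fw.decide(reply)
    return stateless_decision(rules, request), stateless_decision(rules, reply)


if __name__ == "__main__":
    print("stateless, one rule :", evaluate_exchange(one_rule))
    print("stateless, two rules:", evaluate_exchange(two_rules))
    print("stateful,  one rule :", evaluate_exchange(one_rule, stateful=True))
```

With the stateless evaluator, the request passes the first list but the reply (source port 1433, random destination port) falls through to the deny-all, which is the "it works when I remove the deny rule" symptom from the original post; adding the source-port rule lets the reply through, and the stateful evaluator allows it from the connection table with the single destination-port rule. Which direction of traffic a Meraki group policy actually evaluates on a given client is the thread's own open question, so the model deliberately runs both packets through the same list.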

Ian_Wells
New here

The servers are on one of three VLANs in the DC, but I also need to control access from endpoints across all sites.

 

I am using GP because I know no different. This world is new to me, so I am just learning the best way to protect internally against things like lateral movement etc.

Ian_Wells
New here

...and I was looking to apply rules to sets of servers like IIS or SQL so their ports would be similar in each group, rather than have a GP for each or a blanket approach, as I want to keep port availability to a minimum.
