Group Policies (Getting them right!)

Ian_Wells
New here


I thought I knew how to create GPs, but it seems I was mistaken.

I am trying to get my head around the process of each line. I am trying to create a policy that sits around our SQL servers; it needs to allow domain-related traffic, SQL traffic, MFA (out to the web) auth traffic and normal web traffic. I am clearly not following how the rules are applied, because as I add rules (like 1433 for SQL) things stop working!

I am after a simpleton's view on creating the policies (most don't mention source and destination). When I remove the deny-all rule it works, which means each of my list items doesn't do what I expect. Although I am applying this to test at the moment, I am hoping to reuse the policy for each of the SQL servers (the requirements for now will be the same for each).

I thought the destination was the server it goes into, but that seems not to be the case; if I reverse it and say the source is 1433, then that doesn't work either!

Please guide me to a good document that makes things clear (a dummies' guide), or any help would be gratefully received.

Thanks, Ian

8 Replies
alemabrahao
Kind of a big deal

Note: Layer 3 firewall rules are stateless when configured within Meraki Dashboard group policies. Group policy layer 3 firewall rules can be based on protocol, destination IP (or FQDN for MX and Z-series appliances), and port. You can specify a range of ports, such as "1024-400" in group policy layer 3 firewall rules. However, listing individual ports separated by commas, such as "80,443" is not supported.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Using_Layer_3_Firewal...

You need to create two rules, one specifying port 1433 as the destination and the other as the source.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.
Ian_Wells
New here

Do you have to have it both ways for all ports (I have to open the DNS, LDAP, Kerberos etc. ports as well)?

[attached screenshot: Ian_Wells_0-1758804552234.png]

Can it be left one way?

PhilipDAth
Kind of a big deal

Note the bit in red by @alemabrahao. This is a major limitation of group policy firewall rules.

RaphaelL
Kind of a big deal

Where are you applying the GP? On the VLAN(s) of the MX? Through RADIUS with an MS?

Ian_Wells
New here

I am going to apply it directly to the server rather than to the VLAN, etc.

RaphaelL
Kind of a big deal

So Network-wide -> Clients -> Select your server(s) and apply the GP?

If so, the GP will be applied to outbound traffic.

The flow should be:

inbound: source IP, source port (1-65535), destination IP (your server), destination port 443 or whatever service

outbound: source IP (your server), source port 443, destination IP (the client), destination port 1-65535

That's why you probably don't need 2 rules per flow, unless I'm mistaken.

Also, why are you not using the L3 firewall on the MX? The firewall is stateful and much easier to use versus group policies. Are the devices in the same VLAN?
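The point the two answers above make (alemabrahao's "stateless, so one rule per direction" and RaphaelL's inbound/outbound flow walkthrough), as an added example that is not part of this thread or of Meraki's documentation: a small Python model of first-match rule evaluation, run once stateless and once with connection tracking, against the SQL and DNS flows the original poster mentions. The addresses, ports, helper names and rule fields (including a source-port match) are my assumptions for illustration; the actual Dashboard group-policy rule form may not expose all of them.

```python
"""Model of first-match firewall evaluation, stateless vs. stateful.

Added example (not from the thread or from Meraki): rule fields, helper
names and addresses are assumptions chosen to show why a one-direction
allow plus an explicit deny-all breaks the reverse half of a flow when
rules are evaluated per packet with no connection state.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

PortRange = Optional[Tuple[int, int]]   # inclusive range; None means "any"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str = "any"          # "tcp", "udp" or "any"
    dst_ip: str = "any"
    dst_port: PortRange = None
    src_port: PortRange = None  # assumption: a source-port match field

    def matches(self, p: Packet) -> bool:
        def in_range(r: PortRange, port: int) -> bool:
            return r is None or r[0] <= port <= r[1]
        return ((self.proto == "any" or self.proto == p.proto)
                and (self.dst_ip == "any" or self.dst_ip == p.dst_ip)
                and in_range(self.dst_port, p.dst_port)
                and in_range(self.src_port, p.src_port))


def evaluate_stateless(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; no match falls through to an implicit allow."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "allow"


class StatefulFirewall:
    """Same rule table, but the reply half of an allowed flow is admitted by
    connection tracking rather than by a rule (how a stateful L3 firewall works)."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.conns: Set[Tuple[str, str, int, str, int]] = set()

    def check(self, p: Packet) -> str:
        if (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.conns:
            return "allow"                      # return traffic of a tracked flow
        verdict = evaluate_stateless(self.rules, p)
        if verdict == "allow":
            self.conns.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        return verdict


def flow_verdicts(rules, client_ip, client_port, server_ip, server_port,
                  proto="tcp", stateful=False):
    """Return (verdict for the request, verdict for the server's reply)."""
    request = Packet(proto, client_ip, client_port, server_ip, server_port)
    reply = Packet(proto, server_ip, server_port, client_ip, client_port)
    if stateful:
        fw = StatefulFirewall(rules)
        return fw.check(request), fw.check(reply)
    return evaluate_stateless(rules, request), evaluate_stateless(rules, reply)


# Constructed addresses for the walkthrough (assumptions, not from the thread).
SQL_SERVER, APP_SERVER, DC = "10.0.1.10", "10.0.2.20", "10.0.1.5"
DENY_ALL = Rule("deny")

# The shape the original poster described: one allow per service, then deny all.
ONE_WAY = [Rule("allow", "tcp", SQL_SERVER, (1433, 1433)),
           Rule("allow", "udp", DC, (53, 53)),
           DENY_ALL]

# Each service covered in both directions, one rule with the port as the
# destination and one with it as the source.
TWO_WAY = [Rule("allow", "tcp", SQL_SERVER, (1433, 1433)),
           Rule("allow", "tcp", src_port=(1433, 1433)),
           Rule("allow", "udp", DC, (53, 53)),
           Rule("allow", "udp", src_port=(53, 53)),
           DENY_ALL]

if __name__ == "__main__":
    for label, rules in (("one-way", ONE_WAY), ("two-way", TWO_WAY)):
        print(label, "stateless SQL:", flow_verdicts(rules, APP_SERVER, 51234, SQL_SERVER, 1433))
        print(label, "stateless DNS:", flow_verdicts(rules, SQL_SERVER, 40000, DC, 53, "udp"))
    print("one-way stateful SQL:",
          flow_verdicts(ONE_WAY, APP_SERVER, 51234, SQL_SERVER, 1433, stateful=True))
```

Under stateless evaluation the server's reply (source port 1433, destination the client's ephemeral port) matches none of the allows and falls through to the deny-all, which is the symptom in the original post; the same happens to the DNS answer coming back to the server from port 53. The two-way table fixes both, but at a cost: a stateless rule cannot tell a reply from a new connection, so "allow source port 1433" also lets the server open outbound connections from that port to anywhere. With connection tracking the single forward rule is enough, which is why the stateful MX L3 firewall is the easier tool for this.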

Ian_Wells
New here

The servers are on one of three VLANs in the DC, but I also need to control access from endpoints across all sites.

 

I am using GP because I know no different. This world is new to me so I am just learning the best way to protect internally against things like lateral movement etc.

Ian_Wells
New here

...and I was looking to apply rules to sets of servers like IIS or SQL, so their ports would be similar in each group, rather than have a GP for each or a blanket approach, as I want to keep port availability to a minimum.
