Group Policies and Firewall Rules

Gordon
I have been working with our firewall rules and group policies. If I understand this correctly, if a system is assigned a group policy with a firewall rule in it, the regular firewall rules never get applied. So I can't, for example, use group policy to assign a user access to a server and still have all the other rules applied as well. I assume this is true as the default rule for a group policy is to allow any. I have looked and I can't find where it really addresses that in the documentation.

WD

Whilst I have no references to provide as yet, I believe that group policies with firewall rules apply in a hierarchical manner.

WD
Gordon

That is what I thought at first, but then I looked at it again. The default for layer 3 rules for a group policy is allow any any and you cannot remove or disable it. So that means any processing will stop at that rule. So in our case we have a number of rules that we want to apply to everyone. Since there is a default allow any any at the bottom of the group policy rules, all those rules need to be added to each group policy or they never get processed. To me it would make much more sense to be able to disable the rule and let the processing continue through the normal firewall rules.
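The behaviour described in this reply can be checked with a small first-match rule evaluator. The following is an added example, not code from the thread or from Meraki: the rule sets and the "group policy rules shadow network-wide rules" model are constructed assumptions that mirror what the posts describe, used to show why a shared deny rule is never reached for a client in a group policy, and how copying the shared rules above the group policy's default allow restores it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One layer-3 firewall rule; lists are evaluated top to bottom, first match wins."""
    policy: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    dst: str      # destination CIDR or "any"
    dport: str    # destination port number or "any"
    comment: str


def matches(rule: Rule, proto: str, dst_ip: str, dport: int) -> bool:
    """True when the packet (proto, dst_ip, dport) is covered by the rule."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dst != "any" and ip_address(dst_ip) not in ip_network(rule.dst):
        return False
    if rule.dport != "any" and int(rule.dport) != dport:
        return False
    return True


def first_match(rules: List[Rule], proto: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Return (policy, comment) of the first matching rule."""
    for rule in rules:
        if matches(rule, proto, dst_ip, dport):
            return rule.policy, rule.comment
    # Constructed fallback; with a trailing "allow any any" it is never reached.
    return "deny", "end of list (constructed implicit deny)"


# Constructed sample rule sets (assumptions for this example, not a real network).
DEFAULT_ALLOW = Rule("allow", "any", "any", "any", "default allow any any (cannot be removed)")

GROUP_POLICY_RULES = [
    Rule("allow", "tcp", "10.0.0.5/32", "22", "SSH to the one server this group needs"),
    DEFAULT_ALLOW,
]

NETWORK_WIDE_RULES = [
    Rule("deny", "tcp", "any", "23", "block telnet for everyone"),
    Rule("deny", "tcp", "10.0.0.0/24", "3389", "no RDP into the server subnet"),
    DEFAULT_ALLOW,
]


def evaluate(group_policy: Optional[List[Rule]], proto: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Model of the behaviour the thread describes: a client with a group
    policy that carries firewall rules is judged by those rules only, and the
    policy's trailing allow-any matches whatever is left, so the network-wide
    rules are never consulted for that client."""
    if group_policy is not None:
        return first_match(group_policy, proto, dst_ip, dport)
    return first_match(NETWORK_WIDE_RULES, proto, dst_ip, dport)


def with_shared_rules(group_policy: List[Rule], shared: List[Rule]) -> List[Rule]:
    """Workaround from the thread: copy the rules that must apply to everyone
    into the group policy, above its default allow. Group-specific rules stay
    on top here, so a group's explicit allow can still act as an exception to a
    shared deny; swap the two slices if shared denies must win."""
    specific = [r for r in group_policy if r is not DEFAULT_ALLOW]
    everyone = [r for r in shared if r is not DEFAULT_ALLOW]
    return specific + everyone + [DEFAULT_ALLOW]


if __name__ == "__main__":
    telnet = ("tcp", "10.0.0.5", 23)
    print("no group policy :", evaluate(None, *telnet))                 # deny, shared rule hit
    print("group policy    :", evaluate(GROUP_POLICY_RULES, *telnet))   # allow, shared rule shadowed
    merged = with_shared_rules(GROUP_POLICY_RULES, NETWORK_WIDE_RULES)
    print("merged policy   :", evaluate(merged, *telnet))               # deny again
```

Running the module prints the three outcomes side by side; the middle line is the shadowing the reply complains about, and the last line is the result of the "add the shared rules to each group policy" workaround.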

WD

The default has to permit any remaining traffic to traverse after all the higher preceding policies have been applied; this permits blocking of restricted packets from policies at higher levels and the remainder to flow.

WD