L3 firewall vs group-policy L3 firewal

SOLVED
peto
Getting noticed

L3 firewall vs group-policy L3 firewal

Hi,

my question is simple. I found out that the global L3 firewall is statefull, but is the L3 firewall under the group-policy stateful? Because from my test it doesn't seem to be so.

thank you

1 ACCEPTED SOLUTION
jdsilva
Kind of a big deal

No. GP L3 firewall rules are not stateful.

View solution in original post

8 REPLIES 8
jdsilva
Kind of a big deal

No. GP L3 firewall rules are not stateful.

peto
Getting noticed

well, this complicates everything for me 🙂

but thank you for clarification

 

GIdenJoe
Kind of a big deal
Kind of a big deal

Are you kidding me?
I hope this is not the case because that would be plain silly.

Applying a group policy that has L3 rules only enforces rules at the MX or MR depending what is closest to you, and those devices do it stateful, so why do you think it would be stateless, that makes absolutely no sense and that would break alot of designs.

jdsilva
Kind of a big deal

I think it's stateless because I've tested it out in my lab and proven that it is stateless.

GIdenJoe
Kind of a big deal
Kind of a big deal

Then please share how you set up your test and what TCP/UDP port you explicitly allowed outbound in a group policy that didn't allow return traffic.

peto
Getting noticed

Well, same result in my lab as well


@jdsilva wrote:

I think it's stateless because I've tested it out in my lab and proven that it is stateless.


 

jdsilva
Kind of a big deal

@GIdenJoe Sorry, busy afternoon over here. I'll try and get the details up in the next day or two. 

KarbonX1
Getting noticed

This thread is old, but figured I would post here anyways since it was in question.
https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Troubleshooting_G...
Confirms it is in fact stateless (and is stupid IMHO)
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels