MX Firewall Rules (Layer3) only applying to LocalLan networks?

Solved
YoinkZ
Here to help

Hi all,

Is it correct that the firewall rules applied under "Site --> Security & SD-WAN --> Firewall --> Layer 3 --> Outbound Rules" only apply to the local switched network?

I have a lot of VLANs with different networks that are being routed on the MX appliance. So far the rules seem to be working - locally.

BUT, all the other rules, where I want to allow or block access to my other Hubs, don't seem to be working at all.

I need to go to "Security & SD-WAN --> Site-to-Site VPN --> Organization-wide settings --> Site-to-Site outbound firewall (beta)". Is that correctly understood?

I'm finding it a bit difficult to understand why it is not located in the same place as the other rules, as that seems more logical to me?

Thanks 🙂

1 Accepted Solution
GreenMan
Meraki Employee

The VPN firewall rules only apply to traffic that will hit the VPN - it's a component of your VPN deployment, hence it being located with the rest of your VPN-related configuration.


Alright, thank you. Just needed a confirmation. Even though it is tied together with the VPN-related configuration, it still makes more sense to me if this was handled in the specific layer 3 part. It will still be traffic that comes from those "interfaces".

alemabrahao
Kind of a big deal

It's correct: for SD-WAN the rules are defined on Security & SD-WAN > Site-to-Site VPN > Organization-wide settings > Site-to-Site outbound firewall

And local network on Security & SD-WAN > Firewall > Layer 3 > Outbound Rules.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
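The split GreenMan and alemabrahao describe, as an added example that is not from this thread or from Meraki: a small Python model that sends a flow to the site-to-site VPN outbound rules when its destination sits in a VPN subnet and to the local Layer 3 outbound rules otherwise, then evaluates first-match with the implicit default allow. The rule dictionaries reuse the field names of the Dashboard API's L3 firewall rule objects; the hub prefix, guest VLAN and rules themselves are constructed sample data, not a real configuration.

```python
import ipaddress

# Constructed sample rules using the field names of the Dashboard API's L3
# firewall rule objects; not exported from a real organization. The hub
# prefix 192.168.100.0/24 and guest VLAN 10.30.0.0/24 are assumptions.
LOCAL_L3_RULES = [
    {"comment": "Guest VLAN stays off private ranges", "policy": "deny",
     "protocol": "any", "srcCidr": "10.30.0.0/24",
     "destCidr": "10.0.0.0/8,192.168.0.0/16", "destPort": "Any"},
]
VPN_OUTBOUND_RULES = [
    {"comment": "Only HTTPS to the hub datacenter", "policy": "allow",
     "protocol": "tcp", "srcCidr": "Any",
     "destCidr": "192.168.100.0/24", "destPort": "443"},
    {"comment": "Block everything else to the hub", "policy": "deny",
     "protocol": "any", "srcCidr": "Any",
     "destCidr": "192.168.100.0/24", "destPort": "Any"},
]
VPN_SUBNETS = [ipaddress.ip_network("192.168.100.0/24")]  # reachable only over AutoVPN

def _cidr_match(spec, ip):
    """'Any' or a comma-separated list of CIDRs."""
    if spec.lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in spec.split(","))

def _port_match(spec, port):
    """'Any', single ports or ranges such as '80-90', comma-separated."""
    if spec.lower() == "any":
        return True
    return any(int(b[0]) <= port <= int(b[-1])
               for b in (p.split("-") for p in spec.split(",")))

def _matches(rule, src, dst, proto, dport):
    return (rule["protocol"].lower() in ("any", proto.lower()) and _cidr_match(rule["srcCidr"], src)
            and _cidr_match(rule["destCidr"], dst) and _port_match(rule["destPort"], dport))

def evaluate(src, dst, proto, dport):
    """Return (rule set, policy, comment) for a flow. VPN-bound traffic is checked only
    against the site-to-site outbound rules, everything else only against the local
    Layer 3 outbound rules. First match wins; an unmatched flow hits the default allow."""
    if any(ipaddress.ip_address(dst) in net for net in VPN_SUBNETS):
        name, rules = "site-to-site VPN outbound", VPN_OUTBOUND_RULES
    else:
        name, rules = "local Layer 3 outbound", LOCAL_L3_RULES
    for rule in rules:
        if _matches(rule, src, dst, proto, dport):
            return name, rule["policy"], rule["comment"]
    return name, "allow", "Default rule"  # implicit allow-any at the end
```

Note that the local deny covering 192.168.0.0/16 never sees the guest-to-hub flow, which is exactly the behaviour the original question ran into.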

Thanks for the documentation. I went through some of it, but it still doesn't make 100% sense. It is probably just a matter of getting used to it coming from another appliance :).

alemabrahao
Kind of a big deal

It's how Meraki works. 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

Why doesn't it make sense to you? In other firewalls you can work with security zones, so we can interpret them as different zones, at least I think so. The system was programmed to work like this, independently.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I believe the reason is that I have been used to working with the ASA firewalls, where most of these rules defined whether you wanted to go to another network locally or tried to reach another network via your IPsec tunnels.

That's basically it. So now I just have to think differently about the fact that it is "split".
If you ask me in one month, when I have created, changed and deleted rules then I might say it makes a lot of sense 🙂

YoinkZ
Here to help

And now I clicked accept on the wrong post here. Can I change that :)?
