It took me a little while to get my head around the behavior of Group Policy Layer 3 Firewall rules. In our case, we migrated from Cisco ISR 4321 + Cisco Catalyst 2960 hardware to MX67/MS120s. In the old setup, the SVIs were defined on the Catalyst and each SVI had an inbound/outbound ACL with ACEs to only allow the conversations we wanted to allow. We attempted to recreate that with Meraki gear, but with the SVIs defined on the MX67 and the group policies filling in for the ACLs. Note that we also use full-tunnel Site-to-Site VPN between our remotes and our datacenters, which introduces some caveats. In a nutshell:
The group policy Layer 3 Firewall rules do not block traffic inbound to a client in the VLAN, only traffic outbound from a client in the VLAN. Say you have a simple policy applied to VLAN 100 (and the subnet associated with that VLAN is 10.10.20.0/24) that permits SSH to 10.10.10.35 and blocks all other traffic.
Anything on your network is going to be able to send packets to 10.10.20.0/24 clients (and the clients will receive these packets) using whatever protocol/port they want; however, the group policy will block response traffic that doesn't match the permit. You can verify this with a packet capture either from the MX or on the client itself.
While this works to block unwanted conversations, it does not block unwanted packets the way we were used to. We didn't like that packets were getting to clients that shouldn't have been, even if the outbound packets were getting dropped so no real communication occurred. We ended up reworking this to nix the group policy firewall rules entirely, instead using a combination of Layer 3 firewall rules + Site-to-Site VPN firewall rules.
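To make the difference concrete, here is a small Python model of the two behaviours described above. It is an added illustration, not Meraki or Cisco code: the group policy is modelled as a rule list that is consulted only for packets whose source is a VLAN 100 client (as the post describes), while the old design is modelled as a pair of SVI ACLs that also filter packets heading toward the VLAN. The 10.10.20.0/24 subnet, the 10.10.10.35 SSH host and the permit-SSH/deny-everything policy come from the post; the client 10.10.20.5, the peer 10.10.30.7 and the port numbers are constructed sample values.

```python
"""Model of outbound-only group-policy rules vs. per-SVI inbound/outbound ACLs.
Added example; rule semantics are modelled as the post describes them, not
taken from vendor code. Addresses other than 10.10.20.0/24 and 10.10.10.35
are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"       # source prefix
    dst: str = "0.0.0.0/0"       # destination prefix
    sport: Optional[int] = None  # None = any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def first_match(rules: List[Rule], p: Packet, default: str) -> str:
    """First-match evaluation; `default` applies when no rule matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


VLAN100 = ipaddress.ip_network("10.10.20.0/24")
SSH_HOST = "10.10.10.35/32"

# The policy from the post: permit SSH to 10.10.10.35, deny everything else.
GROUP_POLICY = [Rule("allow", "tcp", dst=SSH_HOST, dport=22), Rule("deny")]


def meraki_group_policy(p: Packet) -> str:
    """Group policy is applied to traffic *from* a VLAN client only.
    Packets toward the client are not evaluated and are delivered."""
    if ipaddress.ip_address(p.src) in VLAN100:
        return first_match(GROUP_POLICY, p, default="allow")  # assumed implicit allow
    return "allow"


# Catalyst-style SVI ACLs (constructed equivalent of the old design):
# SVI_IN filters packets arriving from clients, SVI_OUT filters packets
# being forwarded out to clients, so the unwanted packet never reaches them.
SVI_IN = [Rule("allow", "tcp", src=str(VLAN100), dst=SSH_HOST, dport=22), Rule("deny")]
SVI_OUT = [Rule("allow", "tcp", src=SSH_HOST, dst=str(VLAN100), sport=22), Rule("deny")]


def catalyst_svi_acls(p: Packet) -> str:
    """Both directions are filtered at the SVI; implicit deny at the end."""
    if ipaddress.ip_address(p.src) in VLAN100:
        return first_match(SVI_IN, p, default="deny")
    if ipaddress.ip_address(p.dst) in VLAN100:
        return first_match(SVI_OUT, p, default="deny")
    return "allow"


def conversation(model: Callable[[Packet], str], request: Packet) -> Tuple[str, str]:
    """Disposition of a request and of the reply it would trigger."""
    reply = Packet(request.dst, request.src, request.proto, request.dport, request.sport)
    req = model(request)
    rep = model(reply) if req == "allow" else "not sent"
    return req, rep


if __name__ == "__main__":
    # Unwanted SMB probe toward a VLAN 100 client (constructed addresses).
    smb = Packet("10.10.30.7", "10.10.20.5", "tcp", 51000, 445)
    # Permitted SSH from a VLAN 100 client to the allowed host.
    ssh = Packet("10.10.20.5", "10.10.10.35", "tcp", 52000, 22)
    for name, model in (("group policy", meraki_group_policy),
                        ("SVI ACLs", catalyst_svi_acls)):
        print(f"{name:13} SMB probe: request/reply = {conversation(model, smb)}")
        print(f"{name:13} SSH:       request/reply = {conversation(model, ssh)}")
```

Running it shows the behaviour the post describes: under the group policy the SMB probe is delivered to the client and only the client's reply is dropped, whereas the SVI ACL model drops the probe before it reaches the VLAN; the permitted SSH conversation passes under both.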