MX Group Policy vs L3 Firewall Rule
Hi Everyone,
Do GP L3 rules work with L3 FW rules? I mean, do they work in a hierarchical model, or is it always one or the other?
For example, a scenario where a user accesses HTTP:
1. HTTP traffic -> GP L3 rules, if not blocked -> MX L3 rule, if not blocked -> Internet
If this is not possible, what would be the best way to permit a special port for a group of people based on AD group, provided a company-wide policy is already there on the MX?
Thanks.
Group policy has 3 options:
- To follow the network default Firewall and Shaping rules
- Ignore network default Firewall and Shaping rules
- Custom Firewall and Shaping Rules
Appending the default rules for L3 is not possible. However, it is possible to append URL and blocked website categories on group policies.
The best way to permit a special port, according to me, would be to set custom rules for the firewall and add all default rules with an additional rule as needed.
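
The approach in the answer above (custom rules that repeat the network defaults plus one extra rule), sketched as an added example that is not part of the original thread. The JSON field names follow the Meraki Dashboard API v1 shape as an assumption, the "Default rule" comment text is assumed, the rule values are constructed, and the helper names are hypothetical.

```python
# Assumption: group policy L3 rules carry only these fields (no source match).
GP_FIELDS = ("comment", "policy", "protocol", "destPort", "destCidr")

def build_group_policy_rules(network_rules, extra_rules):
    """Return (rules, warnings) for a group policy using custom firewall rules.

    extra_rules are placed first so they match before the copied network rules.
    """
    rules = [{k: r[k] for k in GP_FIELDS} for r in extra_rules]
    warnings = []
    for r in network_rules:
        if r.get("comment") == "Default rule":
            continue  # trailing default entry of the network list; not copied
        src_cidr = r.get("srcCidr", "Any")
        src_port = r.get("srcPort", "Any")
        if src_cidr.lower() != "any" or src_port.lower() != "any":
            # The copy loses the source match and applies to every source.
            warnings.append(f"{r['comment']}: source {src_cidr}:{src_port} dropped")
        rules.append({k: r[k] for k in GP_FIELDS})
    return rules, warnings

def to_payload(rules):
    """Wrap the rules in the body a group policy update would carry."""
    return {"firewallAndTrafficShaping": {"settings": "custom",
                                          "l3FirewallRules": rules}}

# Constructed sample of a company-wide MX L3 rule list.
NETWORK_RULES = [
    {"comment": "Block TCP 8443 company-wide", "policy": "deny", "protocol": "tcp",
     "srcPort": "Any", "srcCidr": "Any", "destPort": "8443", "destCidr": "Any"},
    {"comment": "Guest VLAN no SMB", "policy": "deny", "protocol": "tcp",
     "srcPort": "Any", "srcCidr": "10.0.50.0/24", "destPort": "445", "destCidr": "Any"},
    {"comment": "Default rule", "policy": "allow", "protocol": "Any",
     "srcPort": "Any", "srcCidr": "Any", "destPort": "Any", "destCidr": "Any"},
]
# Constructed extra rule for the AD-mapped group.
EXTRA_RULES = [
    {"comment": "Allow 8443 for AD group", "policy": "allow", "protocol": "tcp",
     "destPort": "8443", "destCidr": "Any"},
]

if __name__ == "__main__":
    import json
    merged, notes = build_group_policy_rules(NETWORK_RULES, EXTRA_RULES)
    print(json.dumps(to_payload(merged), indent=2))
    print("\n".join(notes))
```

Any warning means the copied rule is not equivalent to the network-wide one and should be reviewed by hand before the policy is assigned.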
One special note is that L3 firewall rules are stateful - group policy firewall rules are not. This doesn't usually have an impact unless you have a pair of interfaces on them both with group policy applied and suddenly they can't talk to each other without grief.
