Hi All, I’m planning a deployment of multiple MXs where I need to apply a common set of firewall rules to the auto-vpn. Can this be achieved via templates?
Hi, yes, I'm 99% sure.
These firewall rules will apply to all MX networks in the organization that participate in site-to-site VPN (both AutoVPN and Non-Meraki).
Also, if you scroll a bit higher on the S2S page you will see:
I'm assuming OP wants to modify VPN Site-to-Site rules
Definitely yes. See this link.
Hi,
No Yes but since VPN firewall rules are org-wide. https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior
See example below
Are you sure about this? It's a template example?
And the documentation you sent does not explicitly say what you are stating.
Yes, but that doesn't mean I can't apply it via template, right? That's actually the way we do it today and it works very well.
Yes, probably, but the goal of templates is to have unified configurations between all child networks bound to that template.
Template A and B can't have different Site-to-Site VPN rules is what I tried to explain (which wasn't very clear I have to admit haha )
Sorry about the confusion.
No no no, everything is fine, it's just to try to make everything clearer. 😊
@RaphaelL is correct, VPN S2S rules are not set in a template. Yes, you can see and edit the S2S rules when in a template network, but that's still simply an org wide section visible in any network or template.
Yes, I know, there was just a little confusion, which we have now resolved. 😉
Ok this escalated 🤣.
So Site-to-Site VPN firewall rules are org wide? What if I want to implement the opposite where I want one site to have additional rules, is that possible?
Create a rule(s) that only have source or destinations of the specific site you want additional rules applied to. The ruleset still lives in the org wide section.
Example, if you wanted to deny traffic from Spoke 1 to Spoke 2, but allow Spoke 1 to Spokes 3 and beyond just create a rule that denies Spoke 1 to Spoke 2. Traffic to anything besides Spoke 2 would still be permitted.
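The spoke-to-spoke deny described in that answer, modelled as an added example (not code from the thread or from Meraki): a single org-wide rule table evaluated first-match with the implicit default allow at the end. The spoke subnets are constructed sample values, and the rule field names are assumed to mirror the Meraki dashboard API's vpnFirewallRules object; ports are ignored to keep the check short.

```python
import ipaddress

# Constructed sample subnets for the spokes named in the thread (not from the page).
SPOKE_SUBNETS = {
    "Spoke 1": "10.1.0.0/24",
    "Spoke 2": "10.2.0.0/24",
    "Spoke 3": "10.3.0.0/24",
}

# The one org-wide table. Field names follow the Meraki dashboard API's
# vpnFirewallRules object (assumption; verify against the API reference).
VPN_FIREWALL_RULES = [
    {
        "comment": "Deny Spoke 1 -> Spoke 2 over AutoVPN",
        "policy": "deny",
        "protocol": "any",
        "srcCidr": SPOKE_SUBNETS["Spoke 1"],
        "srcPort": "Any",
        "destCidr": SPOKE_SUBNETS["Spoke 2"],
        "destPort": "Any",
        "syslogEnabled": True,
    },
]


def _cidr_matches(cidr, ip):
    """True when ip falls inside cidr, or when cidr is the wildcard 'Any'."""
    if cidr.lower() == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate(rules, src_ip, dst_ip, protocol="tcp"):
    """First-match evaluation of the org-wide VPN firewall table.

    Returns the policy of the first rule whose protocol, source and
    destination match; falls through to the implicit default allow
    when no rule matches. Ports are deliberately not evaluated here.
    """
    for rule in rules:
        if rule["protocol"] != "any" and rule["protocol"] != protocol:
            continue
        if _cidr_matches(rule["srcCidr"], src_ip) and _cidr_matches(rule["destCidr"], dst_ip):
            return rule["policy"]
    return "allow"  # implicit default-allow rule at the end of the table
```

Note that the deny is written for one direction only: traffic initiated from Spoke 2 toward Spoke 1 still falls through to the default allow, so a symmetric block needs a second rule.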
Gotcha, so it’s just one big table of rules that’s org wide.
Thanks for all the input so far, BTW guys, most helpful.