MX firewall rules

Solved
HiroNg
Conversationalist

MX firewall rules

I have a firewall rule configuring on top to deny tcp from any 10.0.0.0/8 to management vlan. however, a remote site with 10.x.x.x still able to open the management server via https. 

 

Can this be bug? 

 

Thank you. 

1 Accepted Solution
BrechtSchamp
Kind of a big deal

Indeed. The Site-to-site VPN traffic isn't affected by the "regular" firewall, only by the site-to-site firewall. It's documented:

Outbound rules

Here you can configure permit or deny Access Control List (ACL) statements to determine what traffic is allowed between VLANs or out from the LAN to the Internet. These ACL statements can be based on protocol, source IP address and port, and destination IP address and port. These rules do not apply to VPN traffic. To configure firewall rules that affect traffic between VPN peers, please refer to Site-to-site VPN Settings.

 

Source: https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings

View solution in original post

12 Replies 12
sebas
Getting noticed

hi, 

 

could you post some more info, like how things are connected and what your setup is ?

Nash
Kind of a big deal

Do you have a site-to-site VPN setup with the remote site? If so, you need to put the block rule on the site-to-site VPN firewall. Is that where you have this rule?

 

Please do remember that this will only block outbound traffic. The remote end would still be able to try to initiate a connection, but the site-to-site VPN will kill the response.

 

Please see: https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

HiroNg
Conversationalist

Hi Nash, 

 

Yes, I have Site to Site VPN setup to a number of remote sites. 

 

The firewall rules setup are under Security & SDWAN-Firewall there to deny tcp 10.0.0.0/8 to my current site management vlan. 

 

However my remote sites still allow to RDP and web to current site management vlan. 

 

Thank you. 

 

Nash
Kind of a big deal

Oh I see, okay.

 

Is your management network participating in the VPN? Does it need to be accessible by any remote sites?

HiroNg
Conversationalist

Hi Nash, 

 

These are server and non-meraki switch management subnet and it did participate in VPN. 

My target is to allow several HUB subnet to manage the local management server, and deny tcp 10.0.0.0/8 to access this management. So other remote sites cannot access into the management subnet. 

 

I saw there are site-to-site outbound firewall and site-to-site inbound firewall. 

 

How should i do in this situation? 

 

Thank you. 

 

 

HiroNg
Conversationalist

 

I have these 2 rules under Security & SD-WAN under firewall already, but it didn't take effect. 

My target is to allow several HUB subnet to manage the local management subnet, and deny tcp 10.0.0.0/8 to access this local management. So other remote sites cannot access into the management subnet server. 

 

I have another rules under firewall to block local LAN subnet to access local management, it work perfectly in Security & SD-WAN under firewall. 

 

Thank you. 

 

 

 

BrechtSchamp
Kind of a big deal


@HiroNg wrote:

Hi Nash, 

 

These are server and non-meraki switch management subnet and it did participate in VPN. 

My target is to allow several HUB subnet to manage the local management server, and deny tcp 10.0.0.0/8 to access this management. So other remote sites cannot access into the management subnet. 

 

I saw there are site-to-site outbound firewall and site-to-site inbound firewall. 

 

How should i do in this situation? 

 

Thank you. 

 

 


Only use the site-to-site outbound firewall rules. The inbound site-to-site firewall rules are not applied, see the note here

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior#Note_-_...: Note that there is currently a section for inbound firewall rules displayed in the Meraki dashboard. However, inbound firewall rules cannot be configured, and this is an error which will be resolved in a future dashboard update. Any rules saved in this field will not be preserved and will have no effect.

 

If I understand your question correctly, you should setup the site-to-site outbound firewall with 10.0.0.0/8 as a source address and the management VLAN subnet as destination. That should work. However note that RDP may also use UDP instead of TCP. In that case it would circumvent your TCP rule.

HiroNg
Conversationalist

Hi Nash,

 

i read the URL you sent, it did mentioned  

 

(This rule will never be applied as the source subnet is not a LAN subnet on the MX:)

 

if i put deny tcp 10.0.0.0/8 as source and local management as destination, it will not work right?

 

Thank you.

BrechtSchamp
Kind of a big deal


@HiroNg wrote:

Hi Nash,

 

i read the URL you sent, it did mentioned  

 

(This rule will never be applied as the source subnet is not a LAN subnet on the MX:)

 

if i put deny tcp 10.0.0.0/8 as source and local management as destination, it will not work right?

 

Thank you.


That comment relates to a 3rd party VPN tunnel where the subnet defined as the source is indeed not local to any of the MX's so the rule would be ignored. If I followed correctly, in your case it's autoVPN between MX's in a hub-and-spoke setup. The source subnet would be the local subnet on your branch so that is "local" to your branch MX. So it should work.

HiroNg
Conversationalist

I added, it is working. remote site cannot access to local management subnet now, only certain authorize hub subnet can access management subnet. 

 

I thinking, i have added the rules in Security & SD-WAN --> Firewall, why it didn't function as it is. So the firewall rules doesn't function for site-to-site VPN? 

 

Thank you. 

 

Regards,

Collin Ng

 

 

 

BrechtSchamp
Kind of a big deal

Indeed. The Site-to-site VPN traffic isn't affected by the "regular" firewall, only by the site-to-site firewall. It's documented:

Outbound rules

Here you can configure permit or deny Access Control List (ACL) statements to determine what traffic is allowed between VLANs or out from the LAN to the Internet. These ACL statements can be based on protocol, source IP address and port, and destination IP address and port. These rules do not apply to VPN traffic. To configure firewall rules that affect traffic between VPN peers, please refer to Site-to-site VPN Settings.

 

Source: https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings

HiroNg
Conversationalist

Hi Nash, 

 

Got it. It should solve my issue now. 

 

Thank you. 

 

Get notified when there are additional replies to this discussion.