Thanks a lot Sir. The process of creating a DMZ or seperate network is rather clear to me.

My question is: why are packets being blocked by the Group Policy rules bound to the egress-VLAN even if the connection is already allowed the ingress interface?

An explanation from the documentation:

Based on the rules shown below, traffic originating from any host on the 10.0.0.0/8 network that is destined for web server 192.168.1.254 on TCP port 80 is allowed. When the local host communicates with a service on a remote host, it normally picks an ephemeral source port and sends traffic to the port used by the service on the remote host. This is why the source port in this rule is set to "Any." Because there is an implicit allow rule processed last and we want to perform a "Deny" action on all other outbound traffic from hosts on the 10.0.0.0/8 network and the web server, a deny all rule is required. This rule needs to be evaluated right after rule 1. Because the firewall is stateful, replies from the web server to hosts on the 10.0.0.0/8 network are allowed the bypass the deny rule due to the connection is already being established. The deny will rule which is processed second will match all other traffic besides traffic to the web server.

Note: Cisco Meraki firewalls implement an inherent Allow All rule which can't be modified and is the last rule processed. Firewall rules are processed from the top down.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

I‘m hearing you loud and clear sir, that‘s what I‘d expect from every stateful device.

Seems I didn‘t make it clear enough: you‘re referring to the „global“ ruleset only!

Regarding your example: if you‘d now add a Group Policy for the VLAN the device 192.168.1.254 resides on that denies traffic to 10.0.0.0/8, communication will fail although you‘re allowing it from the global ruleset.

That‘s the part (special to the Meraki world) I‘m struggling with. Everything else is completely basic stuff...

I think I may have an answer. In your group policy, are you overriding your global firewall rules? If so, you'll need to recreate your global rules on the group policy.

When you override the firewall rules on a group policy vs the general firewall, I believe the group policy rules become the only rules that affect devices affected by that group policy.

@Nash: exactly, thank you!

In a nutshell, the setup looks like this:

1) Clients from 192.168.10.0/24 will access servers within the DMZ (192.168.100.0/24)

2) Global ruleset looks like this: allow TCP 192.168.10.0/24 any to 192.168.100.0/24 22,80,443

3) Group Policy bound to the DMZ VLAN permits everything except RFC1918 networks

Accessing the DMZ servers, I see everything going through to the server. The MX will block the returning packets from the server to the client. That‘s what I would expect a stateful firewall not to do. Only if I add allow rules back from server to client in the Group Policy (where of course no destination port can be configured because of the random client source port) I‘m able to make communication happening.

What‘s the use of Group Policies then when you have to reflect access in both places? Especially if you can‘t clearly define the rule „backwards“?

Guess I‘m just using the MX platform „wrongly“ or am expecting it to do more than it‘s able to deliver. Just would like to understand if my approach is simply too stupid or if I‘m getting things completely wrong. From what I can see, flows are not being handled in a stateful manner though.

Perhaps I made my point clear enough now, really hope to be enlightened. 🙂

Thank you so much @Adam2104! Looks like we ran into the same trouble. That explains the things I see.

Thanks for the explanation!  I've run into the same issues and this explains a lot.

Do you know if Group Policy rules will also override site-to-site vpn firewall rules?