MX450 add services & ports to restrict traffic

Jayt
Here to help


Hi

Setting up a new MX450 to replace a Fortigate. I need to allow one VLAN to talk to another VLAN, communicating only on a specific set of ports and services. Fortinet lets you make service objects with the ports and then assign them to a service group. Then on the policies I can restrict the traffic to only that service group. I'm not seeing this on the MX. I called into support and the answer from them wasn't too good. Basically I was told it can't be done.

I'm told I have to use individual firewall rules for each port and each service from VLAN X to VLAN Y. This seems way too convoluted and will make the FW rules a mess. I need to add 11 services with their specific ports.

Is there a work around or an easier way to do this?

Thanks

alemabrahao
Kind of a big deal

Yes, you can create objects and then create a group of objects.

[three dashboard screenshots attached: policy objects, object groups, and the L3 firewall rule using them]

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Jayt
Here to help

These are for server ports and services, for example DNS, NTP, SQL, etc., and their associated ports. And there are some custom software ports that need to be opened to the VLAN.

alemabrahao
Kind of a big deal

This is the only way; you can specify the ports and separate them with a comma, as I did.

RaphaelL
Kind of a big deal

This was teased a long time ago, but never released. This might be coming with the "new" "Security" tab in the dashboard.

alemabrahao
Kind of a big deal

Yes, it's the same tab where Policy Objects are created.

MarcP
Kind of a big deal

Just send a pic of where you typed in the ports @Jayt asked for, that's it, including where. Then you've got the solution for him 🙂

alemabrahao
Kind of a big deal

In the Layer 3 rules; I thought this was already implied 😉

Jayt
Here to help

So the layer 3 rules are where I need to create these for each port?

Examples:

Allow server to server TCP server1 6001 Server2 6001
Allow server to server UDP server1 6001 Server2 6001

alemabrahao
Kind of a big deal

No. As you can see in the images I sent, you can separate the ports with commas and create objects for the IP or name of your servers. But for UDP and TCP you need to create separate rules.

Jayt
Here to help

Ok, so I can do:

Allow server to server TCP server1 6001, 80, 443 Server2 6001, 80, 443
Allow server to server UDP server1 6001, 80, 443 Server2 6001, 80, 443

??

alemabrahao
Kind of a big deal

Yes.

[two dashboard screenshots attached: L3 firewall rules with comma-separated port lists]
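The rule shape the thread converges on (one allow rule per protocol with a comma-separated port list, plus policy objects for the server addresses) can be generated instead of typed. The following is an added example written for this page, not code from the thread or from Cisco Meraki. It assumes the field names of the Dashboard API `l3FirewallRules` schema (`comment`, `policy`, `protocol`, `srcCidr`, `srcPort`, `destCidr`, `destPort`, `syslogEnabled`, the payload for `PUT /networks/{networkId}/appliance/firewall/l3FirewallRules`); the VLAN subnets, server IPs and service list are placeholders. Two points it makes that the thread does not: the source port stays `any` (clients use ephemeral source ports, so pinning the service port on both sides blocks the traffic), and the MX's built-in final rule is allow-any, so the allow rules restrict nothing until an explicit deny for the VLAN pair follows them. The `evaluate` helper is a first-match walk that lets you check what a flow would hit before pushing the rules.

```python
"""Constructed example (not from the thread): build the MX L3 rule set the
thread describes, one allow rule per protocol with comma-separated ports,
followed by an explicit deny, and check what a given flow would match.
Field names follow the Meraki Dashboard API l3FirewallRules schema; all
addresses, servers and services below are placeholders."""
import ipaddress

# Placeholder topology (assumption, not from the original post).
CLIENT_VLAN = "10.10.20.0/24"
SERVER_VLAN = "10.10.30.0/24"
SERVERS = ["10.10.30.11", "10.10.30.12"]

# Service catalogue: name -> (protocol, ports). "both" expands to TCP and
# UDP because a single MX L3 rule carries exactly one protocol.
SERVICES = {
    "dns": ("both", [53]),
    "ntp": ("udp", [123]),
    "sql": ("tcp", [1433]),
    "web": ("tcp", [80, 443]),
    "custom-app": ("both", [6001, 6002]),
}


def ports_csv(ports):
    """The dashboard accepts comma-separated ports ('80,443') or 'any'."""
    return ",".join(str(p) for p in sorted(set(ports)))


def expand(services):
    """Collapse the catalogue into one port set per protocol."""
    per_proto = {"tcp": set(), "udp": set()}
    for proto, ports in services.values():
        for p in (("tcp", "udp") if proto == "both" else (proto,)):
            per_proto[p].update(ports)
    return per_proto


def build_rules(client_vlan, server_vlan, servers, services, syslog=True):
    """One allow rule per protocol, then a deny that closes the VLAN pair."""
    rules = []
    per_proto = expand(services)
    dest = ",".join(servers)
    for proto in ("tcp", "udp"):
        if not per_proto[proto]:
            continue
        rules.append({
            "comment": f"{client_vlan} -> servers, {proto.upper()} services",
            "policy": "allow",
            "protocol": proto,
            "srcCidr": client_vlan,
            "srcPort": "any",  # client source ports are ephemeral; never pin them
            "destCidr": dest,
            "destPort": ports_csv(per_proto[proto]),
            "syslogEnabled": syslog,
        })
    # The MX's built-in final rule is "allow any any", so without this deny
    # the allow rules above restrict nothing.
    rules.append({
        "comment": f"Deny everything else {client_vlan} -> {server_vlan}",
        "policy": "deny",
        "protocol": "any",
        "srcCidr": client_vlan,
        "srcPort": "any",
        "destCidr": server_vlan,
        "destPort": "any",
        "syslogEnabled": True,
    })
    return rules


def _cidr_match(cidr_list, ip):
    if cidr_list == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in cidr_list.split(","))


def _port_match(port_list, port):
    return port_list == "any" or str(port) in port_list.split(",")


def evaluate(rules, proto, src_ip, dst_ip, dst_port):
    """First-match walk of the rule list ending in the MX default allow.
    Returns (policy, comment) so a rule set can be checked before pushing."""
    for r in rules:
        if r["protocol"] not in ("any", proto):
            continue
        if not (_cidr_match(r["srcCidr"], src_ip) and _cidr_match(r["destCidr"], dst_ip)):
            continue
        if not _port_match(r["destPort"], dst_port):
            continue
        return r["policy"], r["comment"]
    return "allow", "MX default rule"


if __name__ == "__main__":
    rs = build_rules(CLIENT_VLAN, SERVER_VLAN, SERVERS, SERVICES)
    for r in rs:
        print(r["policy"], r["protocol"], r["destCidr"], r["destPort"])
    print(evaluate(rs, "tcp", "10.10.20.5", "10.10.30.11", 22))
```

Rule order matters on the MX: the allows must sit above the deny, and the deny must sit above the default rule. Pushing the list replaces the network's existing L3 rules, so merge with what is already there before sending it.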
Jayt
Here to help

Ok, thank you. I'll need to test next week to see if that all works. I added all 11 of these and the NAT side.
