Meraki Group Policy and Local Firewall Rules

rndadhdman
Comes here often


When we purchased Meraki, we were told that we could create OT networks. These networks would be blocked from all other networks. This included the remote networks. We were also promised a way to access those networks using an amazing tool called Meraki group policy. The salesman told us how it worked: the local firewalls would be overwritten by the site-to-site firewalls. As he stated, it was Local, Network wide, and then Org. The pre-deployment manager agreed with him. He explained that the site-to-site was a network-wide item. Thus, working through this logic, we set up local firewall rules to block local traffic. Then we set up site-to-site firewall rules to block traffic between the sites (mesh). Then we set up the group policies to allow access to the required users (vendors). However, this doesn't work as expected. The group policy does not overwrite the site-to-site. According to two techs the site-to-site is an org level, which is higher than network wide. This has thrown a wrench into my full setup. After speaking with two different support reps, I have been told by the reps that I can set up local firewall rules to block devices on the other side of the VPN. However, this isn't working either. I will give you an example of what they have told me.


Two cities: LA and Chicago

I placed these firewall rules on the local as explained to me by the support reps.


LA: Blocks all traffic on 10.10.100.0/24 (LA OT) going to 10.11.100.0/24 (Chicago Main)

LA: Blocks all traffic on 10.11.100.0/24 (Chicago Main) going to 10.10.100.0/24 (LA OT)

Chicago: Blocks all traffic on 10.10.100.0/24 (LA OT) going to 10.11.100.0/24 (Chicago Main)

Chicago: Blocks all traffic on 10.11.100.0/24 (Chicago Main) going to 10.10.100.0/24 (LA OT)


According to the reps, this should prevent all traffic from 10.11.100.0/24 to the 10.10.100.0/24 network and vice versa. However, I can ping from a machine level between the two networks.


How can I block traffic from one side of the VPN to another side of the VPN with local firewall rules? Or is there a way to make the Meraki Group Policy overwrite the firewall rules somehow?

6 Replies
alemabrahao
Kind of a big deal

Considerations for VPN Firewall Rules

When configuring VPN Firewall rules, it is important to remember that traffic should be stopped as close to the originating client device as possible. This cuts down on traffic over the VPN tunnel and will result in the best network performance. Because of this, site-to-site firewall rules are applied only to outgoing traffic. As such, the MX cannot block VPN traffic initiated by non-Meraki peers. 

Note - Site-to-Site Firewall Rules Behavior when Group Policy is Configured

  • If Site to Site Outbound Firewall Rule allows and Group Policy L3 denies, traffic will be denied.

  • If Site to Site Outbound Firewall Rule denies and Group Policy L3 allows, traffic will be denied.

  • If Site to Site Outbound Firewall Rule denies and Group Policy whitelisted preset is configured, traffic will be denied.

    Full doc.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

Using Layer 3 Firewall Rules

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
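To make the three documented bullets concrete against the subnets in the original question, here is a small added model (written for this thread; it is not Meraki code and does not talk to the Dashboard API). It assumes first-match-wins rule lists with an implicit allow at the end, that site-to-site outbound rules are evaluated only at the originating site (as the quoted documentation says), and that the final decision is "deny if either the site-to-site outbound rule or the group policy L3 rule denies". The rule sets, group policy names ("vendor", "ot-device") and test flows are constructed for illustration.

```python
import ipaddress

# Constructed site-to-site OUTBOUND rules, keyed by the site where the
# traffic originates. Per the quoted documentation these rules are only
# applied to outgoing traffic, so the Chicago list never sees a flow
# that starts in LA and vice versa. (Sample data, not a real config.)
SITE_TO_SITE_OUTBOUND = {
    "LA": [
        {"policy": "deny", "src": "10.10.100.0/24", "dst": "10.11.100.0/24"},
    ],
    "Chicago": [
        {"policy": "deny", "src": "10.11.100.0/24", "dst": "10.10.100.0/24"},
    ],
}

# Constructed group policy L3 firewall rules, keyed by a hypothetical
# group policy name applied to the client.
GROUP_POLICY_L3 = {
    "vendor": [
        {"policy": "allow", "src": "any", "dst": "10.11.100.0/24"},
    ],
    "ot-device": [
        {"policy": "deny", "src": "any", "dst": "10.11.0.0/16"},
    ],
}


def _in_cidr(ip, cidr):
    """True if ip falls inside cidr; 'any' matches everything."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate_rules(rules, src, dst, default="allow"):
    """First matching rule wins; assumed implicit allow if nothing matches."""
    for rule in rules:
        if _in_cidr(src, rule["src"]) and _in_cidr(dst, rule["dst"]):
            return rule["policy"]
    return default


def decide(origin_site, group_policy, src, dst):
    """Combine the two rule layers the way the quoted documentation states:
    if either the site-to-site outbound rule or the group policy L3 rule
    denies, the traffic is denied. Returns the per-layer verdicts too so the
    reason for a deny is visible."""
    s2s = evaluate_rules(SITE_TO_SITE_OUTBOUND.get(origin_site, []), src, dst)
    gp = evaluate_rules(GROUP_POLICY_L3.get(group_policy, []), src, dst)
    result = "deny" if "deny" in (s2s, gp) else "allow"
    return {"site_to_site": s2s, "group_policy": gp, "result": result}


if __name__ == "__main__":
    # The flows from the original question: LA OT <-> Chicago Main.
    flows = [
        ("LA", "vendor", "10.10.100.5", "10.11.100.9"),      # S2S deny, GP allow
        ("LA", "ot-device", "10.10.100.5", "10.11.200.9"),   # S2S allow, GP deny
        ("Chicago", "vendor", "10.11.100.9", "10.10.100.5"), # S2S deny, GP no match
        ("LA", "vendor", "10.10.100.5", "10.11.200.9"),      # nothing denies
    ]
    for site, gp_name, src, dst in flows:
        v = decide(site, gp_name, src, dst)
        print(f"{site:8} {gp_name:10} {src} -> {dst}: "
              f"s2s={v['site_to_site']} gp={v['group_policy']} => {v['result']}")
```

The second flow is the case the original poster later relies on (site-to-site allows, group policy denies, result denied); the first flow shows why a vendor group policy "allow" cannot punch through a site-to-site "deny", which matches the other replies in this thread.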
rndadhdman
Comes here often

Yep, I read that. So is there a way to set up the firewall rules on local firewalls so that group policy rules will override those rules and it blocks between networks?

ww
Kind of a big deal

Group policy rules are stateless.

So if you apply the rules of a GP to a VLAN, the traffic should be blocked outgoing.

PhilipDAth
Kind of a big deal

Group policy firewall rules will not overwrite the site-to-site VPN rules. Nothing does.

If the vendors are part of your AutoVPN, you will need to add additional rules above the "deny" rules to allow their specific network access to whatever is required.

If they are not part of your AutoVPN, then they can use client VPN to access whatever is required.

rndadhdman
Comes here often

What we are going to do is create a jump box for these secured networks. This way only one point of out/in is happening and it's still restricted down, plus Meraki GP will also apply with the first noted item (Site to Site Outbound Firewall Rule allows and Group Policy L3 denies, traffic will be denied). This allows more security and a cleaner setup all over. I may not be able to make everyone happy, but I can make everything much more secure.

PhilipDAth
Kind of a big deal

Excellent solution. I think this is even superior to the solution you were attempting to do. 🙂
