Meraki MX and Umbrella Firewall Policy


Meraki MX and Umbrella Firewall Policy


I'm going to integrate our MX appliance with Umbrella DNS.

The MX handle Layer 3 for some of our network.

1 - Does the clients can keep to use Google DNS or other internal DNS and get protected by Umbrella? (I imagine that in case of internal DNS obviously I need to reach the MX so client and DNS server need to be on different subnet)


From documentation I saw that I need to create a group policy with "custom network firewall & shaping rules" in order to enable Umbrella protection.

So, if I have a network handled by MX with firewall rules created under "Security & SD-WAN" and I apply the group policy to this subnet:

2 - Does the group policy custom firewall rules have priority so no traffic is denied? (because under group policy the default is allow any any)
3 - Do i need to migrate the firewall rules that I have on "Security & SD-WAN" under the group policy?

4 - In the last case I read that the group policy firewall rules are stateless so do I need to create rules for return traffic?


Thank you in advance

Hope my questions are clear



3 Replies 3
Kind of a big deal

As far as I understand the inner workings of group policies and the Umbrella integration:

  1. The MX intercepts all DNS requests, so your clients should be able to continue using Google DNS. In order to intercept it, it should indeed be on the path to the DNS server.
  2. When you create group policies that define custom firewall rules, these will override the firewall rules specified under Security & SD-WAN. The order of the firewall rules in the group policies matters. If you deny something first, the default allow rules will not undo that. Note that L3 rules in group policies are stateless. So yes, if you don't add any firewall rules in the custom firewall rules section everything will be allowed.
  3. Yes.
  4. Yes, for L3 firewall rules.


Hi @BrechtSchamp thanks for reply.

Do you know why we need to use custom firewall rules in order to enable umbrella policies?

Why we can't continue to use regural firewall policies?




Kind of a big deal

On MR, you can do it per SSID too.


I'm not sure why Meraki chose to do it this way. Maybe the idea was just to provide the fine-grained version first and add the same functionality for the network-wide firewall later. Keep in mind that the functionality is quite new and might evolve still.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.