Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Meraki MX and Umbrella Firewall Policy

Simone
Conversationalist
‎Dec 16 2019 3:17 AM
‎Dec 16 2019 3:17 AM

Meraki MX and Umbrella Firewall Policy

Hi,

I'm going to integrate our MX appliance with Umbrella DNS.

The MX handle Layer 3 for some of our network.

1 - Does the clients can keep to use Google DNS or other internal DNS and get protected by Umbrella? (I imagine that in case of internal DNS obviously I need to reach the MX so client and DNS server need to be on different subnet)

 

From documentation I saw that I need to create a group policy with "custom network firewall & shaping rules" in order to enable Umbrella protection.

So, if I have a network handled by MX with firewall rules created under "Security & SD-WAN" and I apply the group policy to this subnet:

2 - Does the group policy custom firewall rules have priority so no traffic is denied? (because under group policy the default is allow any any)
3 - Do i need to migrate the firewall rules that I have on "Security & SD-WAN" under the group policy?

4 - In the last case I read that the group policy firewall rules are stateless so do I need to create rules for return traffic?

 

Thank you in advance


Hope my questions are clear

 

Simone

0 Kudos
Subscribe
3 Replies 3
BrechtSchamp
Kind of a big deal
‎Dec 16 2019 4:24 AM
‎Dec 16 2019 4:24 AM

As far as I understand the inner workings of group policies and the Umbrella integration:

  1. The MX intercepts all DNS requests, so your clients should be able to continue using Google DNS. In order to intercept it, it should indeed be on the path to the DNS server.
  2. When you create group policies that define custom firewall rules, these will override the firewall rules specified under Security & SD-WAN. The order of the firewall rules in the group policies matters. If you deny something first, the default allow rules will not undo that. Note that L3 rules in group policies are stateless. So yes, if you don't add any firewall rules in the custom firewall rules section everything will be allowed.
  3. Yes.
  4. Yes, for L3 firewall rules.

 

Subscribe
In response to BrechtSchamp
Simone
Conversationalist
‎Dec 17 2019 12:14 AM
‎Dec 17 2019 12:14 AM

Hi @BrechtSchamp thanks for reply.

Do you know why we need to use custom firewall rules in order to enable umbrella policies?

Why we can't continue to use regural firewall policies?

 

 

 

0 Kudos
Subscribe
In response to Simone
BrechtSchamp
Kind of a big deal
‎Dec 17 2019 2:00 AM
‎Dec 17 2019 2:00 AM

On MR, you can do it per SSID too.

 

I'm not sure why Meraki chose to do it this way. Maybe the idea was just to provide the fine-grained version first and add the same functionality for the network-wide firewall later. Keep in mind that the functionality is quite new and might evolve still.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.