Opening Ports for Static Route

SOLVED
Kyojuro
Conversationalist

We currently have a static route in the MX250 in place under Addressing and VLANs. We want to set up firewall rules that specify which ports these routes can access, both inbound and outbound. How can we set this up in Firewall? I know that Meraki is set up to deny all inbound connections unless allowed by outbound. Is it common practice to deny all outbound connections in the firewall and only allow wanted outbound connections?

1 ACCEPTED SOLUTION
Brash
A model citizen

Chances are you can configure just about all of this in the firewall on the MX250.
Outbound rules can be set with the applicable source/destination subnets & ports to allow/deny.
Or you can add an explicit deny all as the last configurable rule.

The rest depends on your topology:
 - Whether the static route is for a WAN port or LAN port or S2S VPN?
 - Is your MX set up for NAT or No-NAT?

Is it common practice to deny all outbound connections in the firewall and only allow wanted outbound connections?

It really depends on your use case, traffic flows and security you're putting in place.
For example, blocking all outbound except for specific allowed rules is a common firewall technique. However, for many SMBs it is too much overhead to implement and maintain the rules. Therefore the trade-off may be that they leave the allow any-any rule for an arguably less secure but easier to manage environment.
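The approach in the accepted answer (allow the specific source subnet/destination ports, then an explicit deny-all as the last rule) can be modelled before it is pushed to the dashboard. The following is an added example written for this thread; it is not Brash's or Meraki's code. It assumes the rule fields used by the Meraki Dashboard API v1 L3 outbound firewall rules endpoint (`PUT /networks/{networkId}/appliance/firewall/l3FirewallRules`: `comment`, `policy`, `protocol`, `srcCidr`, `srcPort`, `destCidr`, `destPort`, `syslogEnabled`), that rules are evaluated top-down on first match, and that unmatched traffic falls to the default allow rule. The subnet `10.10.20.0/24` and the addresses in the checks are constructed for the example, not taken from the thread.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed for this example: the subnet reached through the static route.
ROUTE_SUBNET = "10.10.20.0/24"

# Field names assumed to match the Dashboard API v1 L3 firewall rule object.
_MATCH_FIELDS = ("protocol", "srcCidr", "srcPort", "destCidr", "destPort")


def rule(comment: str, policy: str, protocol: str, src_cidr: str, src_port: str,
         dest_cidr: str, dest_port: str, syslog: bool = True) -> Dict:
    """Build one L3 outbound rule in the shape the dashboard API accepts."""
    return {"comment": comment, "policy": policy, "protocol": protocol,
            "srcCidr": src_cidr, "srcPort": src_port, "destCidr": dest_cidr,
            "destPort": dest_port, "syslogEnabled": syslog}


def build_outbound_rules(route_subnet: str) -> List[Dict]:
    """Allow only the wanted ports from the routed subnet, then deny everything else."""
    return [
        rule("Routed subnet: DNS", "allow", "udp", route_subnet, "Any", "Any", "53"),
        rule("Routed subnet: web", "allow", "tcp", route_subnet, "Any", "Any", "80,443"),
        rule("Explicit deny-all (last rule)", "deny", "any", "Any", "Any", "Any", "Any"),
    ]


def build_payload(rules: List[Dict]) -> Dict:
    """Request body for the PUT; syslogDefaultRule logs hits on the default rule."""
    return {"rules": rules, "syslogDefaultRule": True}


def _cidr_matches(spec: str, ip: str) -> bool:
    if spec.lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in spec.split(","))


def _port_matches(spec: str, port: int) -> bool:
    # Port specs are "Any", a single port, a comma list, or a range like "1000-2000".
    if spec.lower() == "any":
        return True
    for item in (s.strip() for s in spec.split(",")):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(item) == port:
            return True
    return False


def first_match(rules: List[Dict], proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Top-down first-match evaluation; unmatched flows hit the default allow."""
    for r in rules:
        if (r["protocol"].lower() in ("any", proto.lower())
                and _cidr_matches(r["srcCidr"], src_ip)
                and _port_matches(r["srcPort"], src_port)
                and _cidr_matches(r["destCidr"], dst_ip)
                and _port_matches(r["destPort"], dst_port)):
            return r["policy"], r["comment"]
    return "allow", "default rule"


def _is_any_any(r: Dict) -> bool:
    return all(r[k].lower() == "any" for k in _MATCH_FIELDS)


def lint_rules(rules: List[Dict]) -> List[str]:
    """Flag the two ordering mistakes that silently widen an allow-list policy."""
    findings = []
    if not (rules and rules[-1]["policy"] == "deny" and _is_any_any(rules[-1])):
        findings.append("no explicit deny-all as the last rule; unmatched traffic "
                        "falls to the default allow")
    for i, r in enumerate(rules):
        if r["policy"] == "allow" and _is_any_any(r):
            findings.append(f"rule {i + 1} ({r['comment']!r}) allows any/any; "
                            f"every rule after it is unreachable")
    return findings


if __name__ == "__main__":
    rules = build_outbound_rules(ROUTE_SUBNET)
    for proto, dst_port in (("tcp", 443), ("tcp", 23), ("udp", 53), ("tcp", 53)):
        print(proto, dst_port, first_match(rules, proto, "10.10.20.5", 51234,
                                           "203.0.113.10", dst_port))
    print("lint:", lint_rules(rules) or "ok")
    print("lint without deny-all:", lint_rules(rules[:-1]))
```

Two things the evaluator makes visible: a trailing deny-all applies to every VLAN behind the MX, not just the routed subnet, so hosts on other subnets also lose the default allow unless they get their own allow rules above it; and removing the deny-all (`rules[:-1]`) quietly returns to allow-anything for unmatched traffic, which is exactly the trade-off the answer describes.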

