Trying to determine if the built-in Layer 3 firewall at Security & SD-WAN > Firewall would be preferable to Umbrella's firewall offering, I set up some rules to do some testing. I created a bunch of TCP allow rules for standard ports like HTTP and HTTPS and a blanket deny at the bottom of the Outbound rules section (Inbound just has one Default deny/deny any/any rule). Once I saved the configuration I did some testing on several machines on our LAN only to discover that nothing was being blocked as expected. However, a few minutes later, I started getting complaints from users connected via Secure Client/AnyConnect that they couldn't reach any of our internal HTTP/S services or SMB shares. Turns out I forgot to add 53 for DNS. Once added, their connections started working again.
However, this told me that for some reason, the firewall rules were only applying to connections coming through the VPN. This is especially strange because the documentation says that the layer 3 firewall rules will NOT affect VPN:
We are using Hub and Spoke with only 1 spoke but I've been only testing with AnyConnect so far.
A) Does anyone know why it would be better to use Umbrella for our firewall stuff? We don't have any DMZ or public-facing services; we just want the extra security of being able to block all outbound traffic and selectively let through only what is necessary. The challenge with Umbrella is that it needs to be set up via a tunnel, which I'm afraid would impact our users negatively (we need all traffic, including Spoke SD-WAN, AnyConnect, and LAN, to always come from the same WAN IP) if it were tunneling traffic away from or obscuring our WAN IP address (we need to maintain cookies for users or else they would face MFA prompts all day when trying to do their work).
B) Am I missing, misconfiguring, or misunderstanding how the built-in Meraki Layer 3 outbound firewall should be working? Why would the firewall be blocking outbound connections coming from the AnyConnect Secure Client but not connections coming from the LAN itself?
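The mistake described in the post (an allow list plus a blanket deny, with DNS forgotten) is easy to catch before a change goes live by evaluating the ordered rule set against the flows you expect to work and the flows you expect to be blocked. The following is an added example written for this thread, not the poster's configuration and not Meraki's rule engine; it assumes a simplified first-match-wins model with only protocol and destination port, and the rule sets, flows and comments are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified model of an ordered Layer 3 outbound rule set: first matching rule wins.
# This is an assumption made for the example, not Meraki's implementation.


@dataclass(frozen=True)
class Rule:
    policy: str               # "allow" or "deny"
    protocol: str             # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None means any destination port
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    protocol: str
    dst_port: int
    description: str


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[Rule]]:
    """Return (policy, matching_rule) for the first rule that matches the flow.

    If nothing matches, the model falls back to "allow" (assumption: an implicit
    default-allow at the bottom, which is why the post adds an explicit blanket deny).
    """
    for rule in rules:
        proto_ok = rule.protocol == "any" or rule.protocol == flow.protocol
        port_ok = rule.dst_port is None or rule.dst_port == flow.dst_port
        if proto_ok and port_ok:
            return rule.policy, rule
    return "allow", None


def audit(rules: List[Rule], expected: List[Tuple[Flow, str]]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Compare each flow's verdict with what the operator expects.

    Returns a list of (flow description, expected policy, actual policy, comment of the
    rule that produced the verdict) for every mismatch; an empty list means the rule set
    behaves as intended for the flows supplied.
    """
    problems = []
    for flow, want in expected:
        got, rule = evaluate(rules, flow)
        if got != want:
            problems.append((flow.description, want, got, rule.comment if rule else None))
    return problems


# Constructed rule set mirroring the post: a few TCP allows, then a blanket deny.
RULES_MISSING_DNS = [
    Rule("allow", "tcp", 80, "http"),
    Rule("allow", "tcp", 443, "https"),
    Rule("deny", "any", None, "blanket deny"),
]

# Same rule set with DNS added ahead of the blanket deny (UDP and TCP 53).
RULES_FIXED = [
    Rule("allow", "udp", 53, "dns"),
    Rule("allow", "tcp", 53, "dns over tcp"),
    Rule("allow", "tcp", 80, "http"),
    Rule("allow", "tcp", 443, "https"),
    Rule("deny", "any", None, "blanket deny"),
]

# Constructed expectations: what must work and what must be blocked outbound.
EXPECTED = [
    (Flow("udp", 53, "DNS lookup"), "allow"),
    (Flow("tcp", 443, "HTTPS to the internet"), "allow"),
    (Flow("tcp", 445, "SMB to the internet"), "deny"),
    (Flow("tcp", 8080, "web service on a non-standard port"), "deny"),
]


if __name__ == "__main__":
    for name, rules in (("missing DNS", RULES_MISSING_DNS), ("fixed", RULES_FIXED)):
        print(f"{name}: {audit(rules, EXPECTED) or 'no mismatches'}")
```

Running the audit against the first rule set reports that the DNS lookup is denied by the blanket deny rule, which is exactly the symptom the post describes; the second rule set passes. Keeping the expected-flow list under version control alongside the rule set turns this into a quick pre-deployment check.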
Is your Default route set to pass traffic to Umbrella via a tunnel?
(Worth clarifying what you mean by Umbrella too - are we talking SIG or Secure Connect?)
Bear in mind too that, depending on the MX firmware and what traffic is involved, deny might take a little while to kick in.
Thanks for the reply.
No, the tunnel is currently off because of the concerns mentioned re: losing WAN IP consistency hence I'm testing the built-in Meraki firewall stuff to see if it would work in place.
We have the full Umbrella suite so we do have Umbrella SIG Advantage and are using DLP and IPS protection, but the Umbrella firewall stuff is not active beyond that (0 hits in the last 30 days).
Not sure what you mean by SIG or Secure Connect... as mentioned, the Meraki firewall rules are applying to users that are VPN'ing in via the AnyConnect Secure Client, but are not affecting users on the LAN or SD-WAN.
I have had the rules set for a few hours now and am still experiencing the same thing: LAN/SD-WAN are not being affected by any of the firewall rules (e.g. I have an HTTP service out on the web on a non-standard port that I can reach fine from the LAN/SD-WAN, but if I VPN into the hub with Cisco Secure Client, while connected, I cannot reach said service).
Umbrella SIG is Secure Internet Gateway, more info here: Learn about our Secure Internet Gateway (SIG) - Cisco Umbrella
I'm thinking you are using the traditional integration with the MX?
It's really difficult to be able to help here without visibility of your Dashboard. Basically I'd call Meraki Support on the phone and work through a case with them - firewall rules should apply to all users connected via a VLAN having that MX as their Default Gateway - assuming said traffic is routed, rather than bridged.
Contact details via ? > Get help & cases in the Dashboard - then click the MX tile and follow either Call support team or Call me now, bottom right
If you have multiple VLANs at your site - or tunnels that go somewhere other than SIG - the MX can provide protection related to those flows that never hit SIG. You need tunnels to SIG (or some other central breakout) because of the apparent need to use a common source IP. I would certainly be pushing your SaaS providers as to why they still insist on this though, TBH. But - by funnelling everything through SIG, you also get a more common approach to security, all managed in one place and applied 'near you' (your Cisco DC, wherever you are). Cloud security such as SIG also offers greater scalability than a small appliance - particularly useful for intensive processes, such as TLS decryption.
You might also want to progress on from SIG to Cisco Secure Connect, which is effectively SIG in the Meraki Dashboard, but with added capability for centralised secure remote access also using that common policy - no need to choose any particular MX to point AnyConnect client at...