Trying to determine if the built-in Layer 3 firewall at Security & SD-WAN > Firewall would be preferable to Umbrella's firewall offering, I set up some rules to do some testing. I created a bunch of TCP allow rules for standard ports like HTTP and HTTPS and a blanket deny at the bottom of the Outbound rules section (Inbound just has one default deny any/any rule). Once I saved the configuration I did some testing on several machines on our LAN, only to discover that nothing was being blocked as expected. However, a few minutes later, I started getting complaints from users connected via Secure Client/AnyConnect that they couldn't reach any of our internal HTTP/S services or SMB shares. Turns out I forgot to add port 53 for DNS. Once it was added, their connections started working again.
However, this told me that, for some reason, the firewall rules were only being applied to connections coming through the VPN. This is especially strange because the documentation says that the Layer 3 firewall rules will NOT affect VPN:
We are using Hub and Spoke with only one spoke, but I've only been testing with AnyConnect so far.
A) Does anyone know why it would be better to use Umbrella for our firewall needs? We don't have any DMZ or public-facing services; we just want the extra security of being able to block all outbound traffic and selectively let through only what is necessary. The challenge with Umbrella is that it needs to be set up via a tunnel, which I'm afraid would impact our users negatively (we need all traffic, including Spoke SD-WAN, AnyConnect, and LAN, to always come from the same WAN IP) if it were tunneling traffic away from or obscuring our WAN IP address (we need to maintain cookies for users, or else they would face MFA prompts all day when trying to do their work).
B) Am I missing, misconfiguring, or misunderstanding how the built-in Meraki Layer 3 outbound firewall should be working? Why would the firewall be blocking outbound connections coming from the AnyConnect Secure Client but not connections coming from the LAN itself?