Thanks for the reply. 

No, the tunnel is currently off because of the concerns mentioned re: losing WAN IP consistency hence I'm testing the built-in Meraki firewall stuff to see if it would work in place. 

We have the full Umbrella suite so we do have Umbrella SIG Advantage and are using DLP and IPS protection, but the Umbrella firewall stuff is not active beyond that (0 hits in the last 30 days). 

Not sure what you mean by SIG or Secure Connect...as mentioned, the Meraki firewall rules are applying to users that are VPN'ing in via AnyConnect Secure Connect Client, but are not affecting users on the LAN or SD-Wan. 

I have had the rules set for a few hours now and still am experiencing the same thing--LAN/SD-Wan are not being affected by any of the firewall rules (e.g. I have a http service out on the web on a non-standard port that I can reach fine from the LAN/SD-Wan, but if I VPN into the HUB with Cisco Secure Client, while connected, I cannot reach said service).

Umbrella SIG is Secure Internet Gateway, more info here: Learn about our Secure Internet Gateway (SIG) - Cisco Umbrella

I'm thinking you are using the traditional integration with the MX?

We are Paying for Umbrella SIG Advantage. https://documentation.meraki.com/MX/Site-to-site_VPN/MX_and_Umbrella_SIG_IPSec_Tunnel but it is not configured as mentioned because we need to keep static IP addresses. We were going to test this functionality, but never did get that far (AT&T will just stop replying to tickets and it's been 9 months of torture trying to get them to help get this all working). From what I read in that article, it seems like it indeed will change our Public IP which is something we can't do. (Technically it is partially configured, they created the tunnel but it is not established or up and running).

That said, I do have Intelligent Proxy and SSL decryption enabled on all of our policies and all Secure Clients have Umbrella installed and enabled. As far as I understand, though, the firewall policies in Umbrella won't have any affect without the Tunnel up and running hence the all are registering 0 hits over the last 30 days). 

I was kind of hoping that in the interim I could use the built-in Meraki firewall rules to at least get some cover for an upcoming audit, but it only seems to be applying to the SD-Wan users and users connecting via Secure Client, the rest of the users on the LAN aren't affected by these settings as far as I can tell (tested by trying to get to an external http service I have running on an unconventional port out on DigitalOcean; I can reach it fine on the LAN despite there being no "allow" rule for this port but when connected via Secure Client and or on the SD-Wan network, I cannot access the site indeed). 

Unfortunately, we are leasing everything through AT&T so that is where I'm supposed to get support (they haven't been very helpful to put it mildly). I have had other Meraki Employees here seem to be able to get in and view our setup before, can you not? 

Thanks for the excellent and thorough reply. 

Unfortunately, we purchased Meraki/Umbrella through AT&T so I don't have full admin access to stuff. Additionally, they have be absolutely abysmal with help getting things set up. It's been almost a year, and still things are not functioning correctly and it's quite expensive. I just wish expensive enough to get a lawyer to see if we could get out of the contract. This is why I'm trying to learn/do this stuff myself (the whole point was to offload this kind of work so that I could focus on other things and be assured that things are configured correctly). 

---

@GreenMan wrote:

I would certainly be pushing your SaaS providers as to why they still insist on this though, TBH. 

---

This isn't due to SaaS providers, we work in Financial Services which requires us to log in to many financial accounts on behalf of our clients. We get initial permissions and things set up and then try our hardest to keep things running without having to keep bothering our clients. If we are constantly losing our MFA tokens etc. we would be having to bother them constantly or at least every time we tried to log in and the user appeared to be coming from a new/different WAN IP address. We are a service business so keeping our clients happy is key hence we try to consolidate all of our traffic (and have been for years) partly for this reason. The other as you mentioned is it makes it easier to consolidate monitoring and security management.

I wish I understood enough what the differences are in what we are using vs what you mentioned. I do have Intelligent Proxy and SSL decryption enabled on our policies and we are using Cisco Secure Connect and Umbrella is active and enabled on all of the clients. I don't understand, though, how this fits in with the firewall configuration. It looks like you may be referring to where a tunnel is set up and traffic is tunneled offsite to SIG as explained here: https://documentation.meraki.com/MX/Site-to-site_VPN/MX_and_Umbrella_SIG_IPSec_Tunnel This seems to confirm that it does indeed change the WAN IP address so not sure how/if this could work for us. 

Again, still curious as to if the built-in firewall could at least offer us some protection in the interim, but for whatever reason it still appears to be only affecting users who are connecting via VPN and/or the SD-Wan users.