Possibility for complementary firewall rulesets

stockster
Here to help

Possibility for complementary firewall rulesets

Hello all,

 

Do you know if there is any possibility that a specific group policy can complement the configured "global" ruleset under "Security" -> "Firewall"?

 

I only see the possibility to either replace, ignore or inherit. This makes no sense to me as Meraki does not offer a possibility to use Active Directory Group Mappings any other way - so if I want to give a specific group additional outbound traffic permission (e.g. SSH or FTP), I would have to essentially configure the entire Firewall ruleset on the group policy again? 

 

Thanks for your feedback guys.

 

Regards,

 

stockster

 

 

3 REPLIES 3
AlexC
Meraki Employee

Hello @stockster,

 

You are correct, it is not possible to add-on to the global network firewall rules using group policies at this time.
To apply additional rules to a group, you would need to create a new group policy and LDAP mapping.

 

We do, however, have dashboard API endpoints for creating group policies that should make this process less painful, depending on how many different group policies you need for this purpose!

 

Hope that answers your question.

 

Cheers

If this was helpful, click the Kudos button below.
Please mark it as a solution if solved your issue so others can benefit from it 🙂

Hi @AlexC

Sorry for the belated reply and thank you very much for answering my question. I think the way Meraki has set this up is a quite unfortunate, but I will see how the API could potentially ease my pain.

 

May I add, I believe the wording you used with "to apply additional rules" is probably a bit unfortunate in this context, as it is in fact not additional but superseded rules for members of this particular group, right?

Regards,

Dario


@stockster wrote:

 

May I add, I believe the wording you used with "to apply additional rules" is probably a bit unfortunate in this context, as it is in fact not additional but superseded rules for members of this particular group, right?


My apologies for the confusing wording there. You are correct, it would be an override in this context. There are instances where multiple policies can be applied, however, doesn't apply in your case here or when using AD mapping (more details here).

 

Thanks for the clarifying question!

If this was helpful, click the Kudos button below.
Please mark it as a solution if solved your issue so others can benefit from it 🙂
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels