Suggestions or Best Practices for using L3 FW rules along side GP L3 Rules?

Solved
cmiarshvac
Getting noticed

Suggestions or Best Practices for using L3 FW rules along side GP L3 Rules?

Before I jump in an create a big mess, I wanted to ask the Community if there are some best practices for using an MX's L3 firewall rules (of which I have many) in conjunction with some Group Policy Layer 3 Rules. 

 

For the most part, I can keep them separated and clean by using the Group Policies how they were intended. To target specific types of users (Guests) and devices.  However,  I would like to start using the API to programmatically update IP Blacklists for all users and devices.  From my reading, this seems to be easiest via Group Policy L3 Firewall API call. Please let me know if I am missing something or reading this wrong.

 

I have a vision of my future where I am trying to troubleshoot blocked traffic and I am bouncing between the "Network" L3 rules and GP rules and getting wires crossed (figuratively of course). 

 

I understand this is a broad question, just looking for $.02 from your experience or ideas to keep the thinking clean.

 

 

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

When there are multiple VLANs I often create a group policy to contain the rules and apply them directly to the VLAN.  I find it can make things easier to think through later on when there are a lot of rules.

 

If there are only a small number of rules I tend to use the global firewall rules.

 

If there are no VLANs then I just tend to use the global firewall rules.

 

 

View solution in original post

4 Replies 4
CptnCrnch
Kind of a big deal
Kind of a big deal

Whatever you do: please keep in mind that Group Policies are not stateful. At least I had to learn the hard way that return traffic won‘t get through...

cmiarshvac
Getting noticed

I saw this in a community thread. It is definitely one of the features I am concerned about. Specifically creating a "deny" on the Network that kills a response from an allowed request. Am I right to be concerned about a lot of potential tail chasing?
PhilipDAth
Kind of a big deal
Kind of a big deal

When there are multiple VLANs I often create a group policy to contain the rules and apply them directly to the VLAN.  I find it can make things easier to think through later on when there are a lot of rules.

 

If there are only a small number of rules I tend to use the global firewall rules.

 

If there are no VLANs then I just tend to use the global firewall rules.

 

 

cmiarshvac
Getting noticed

I do have VLANs. And It does seems to make sense to use GP for them and keep the main Network rules small and clear. As I think thru this, my biggest fear is managing the different VLAN rule sets and repeating between them. I feel like managing multiple rules sets might be hard. The first thing that comes to mind is building a tool to compare rules between the Group Polices to make sure that I have added or removed from all policies as appropriate. Does something like this already exist?
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels