VLAN group policy vs mx firewall rules


I'm trying to find out which way is better: applying rules in the VLAN group policy or adding the rule in the MX firewall section. Say I have VLAN 10 and VLAN 20. If I want to open up TCP port 445 to 20.0, where would be the best place to put it? I'm curious because on the VLAN group policy side the last rule is allow any-any. Doesn't this cancel out any other rules I make?


L3 firewall and GP firewall are allow any by default. You have to create a deny any any yourself if that is your fw strategy.


The difference is that L3 firewall rules are stateful. The GP firewall is stateless (like an ACL).
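
A minimal model of the behaviour described in the reply above, added here as an example and not part of the original thread or Meraki's own implementation: rules are evaluated top down with the first match winning, so the trailing allow any-any only catches traffic no earlier rule matched, and the same rule list is checked once statelessly and once statefully. The subnets, ports, rule list and class names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp" or "any"
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"
    dport: object  # int or "any"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def _in(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def first_match(rules, p):
    """Stateless, ACL-style: every packet is judged on its own, top down."""
    for r in rules:
        if (r.proto in ("any", p.proto) and _in(p.src, r.src)
                and _in(p.dst, r.dst) and r.dport in ("any", p.dport)):
            return r.action
    return "allow"  # the trailing default allow any-any

class Stateful:
    """Same rule list, but replies to an already allowed flow skip the rules."""
    def __init__(self, rules):
        self.rules, self.flows = rules, set()
    def check(self, p):
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow"  # return traffic of a tracked connection
        verdict = first_match(self.rules, p)
        if verdict == "allow":
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict

# Constructed addressing: VLAN 10 = 192.168.10.0/24, VLAN 20 = 192.168.20.0/24
V10, V20 = "192.168.10.0/24", "192.168.20.0/24"
RULES = [Rule("allow", "tcp", V10, V20, 445),   # the one service wanted
         Rule("deny", "any", V10, V20, "any"),  # explicit deny you add yourself
         Rule("deny", "any", V20, V10, "any")]
SMB = Packet("tcp", "192.168.10.5", 50000, "192.168.20.10", 445)
SMB_REPLY = Packet("tcp", "192.168.20.10", 445, "192.168.10.5", 50000)
RDP = Packet("tcp", "192.168.10.5", 50001, "192.168.20.10", 3389)
```

With these rules the stateless check drops `SMB_REPLY` because it hits the VLAN 20 to VLAN 10 deny, while the stateful check allows it once `SMB` has been seen; `RDP` is denied in both despite the final allow any-any.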


The perfect example here below @Announcer 


As well as what's been said above, MX firewall rules can use policy objects and VLANs as source or destination.
