Meraki

Community

VLAN group policy vs mx firewall rules

Announcer
Getting noticed
‎Oct 10 2023 9:28 AM
‎Oct 10 2023 9:28 AM

VLAN group policy vs mx firewall rules

I'm trying to find out which way is better?  Apply rules in the vlan group policy vs adding the rule in the mx firewall section.  Say I have vlan10 192.168.10.0, and vlan 20 192.168.20.0.  If I want to open up TCP port 445 to 20.0 where would be the best place to put it.  I'm curious because on the vlan group policy side the last rule is allow any-any.  Doesn't this cancel out any other rules I make?

0 Kudos
3 Replies 3
ww
Kind of a big deal
Kind of a big deal
‎Oct 10 2023 9:37 AM
‎Oct 10 2023 9:37 AM

L3 firewall and GP firewall are allow any by default. You have to create a deny any any  yourself if that is your fw strategy. 

 

The difference is that L3 firewall rules are statefull.  The GP firewall is stateless(like a ACL)

Inderdeep
Kind of a big deal
Kind of a big deal
‎Oct 10 2023 11:35 AM
‎Oct 10 2023 11:35 AM

The perfect example here below @Announcer 
https://community.meraki.com/t5/Security-SD-WAN/MX-Group-Policy-vs-L3-Firewall-Rule/m-p/100520 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
0 Kudos
Brash
Kind of a big deal
Kind of a big deal
‎Oct 10 2023 12:02 PM
‎Oct 10 2023 12:02 PM

As well as what's been said above, MX firewall rules can use policy objects and Vlans as source or destination.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.