Where to configure "inbound" filter on the MX device
Hi,
I notice there's an API for getting inbound filters on an MX device:
GET 'https://api.meraki.com/api/v0/networks/{networkId}/appliance/firewall/inboundFirewallRules'
Successful HTTP Status: 200
{
  "rules": [
    {
      "comment": "Allow TCP traffic to subnet with HTTP servers.",
      "policy": "allow",
      "protocol": "tcp",
      "destPort": 443,
      "destCidr": "192.168.1.0/24",
      "srcPort": "Any",
      "srcCidr": "Any",
      "syslogEnabled": false
    }
  ],
  "syslogDefaultRule": true
}
However, I can't find where on the dashboard to configure this. There's a note on the firewall page that says:
Inbound rules: Inbound traffic will be restricted to the services and forwarding rules configured below.
But the forwarding rules do not look like the output above. Is there another section where this is configured?
Thanks,
-Jerome
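
An added example, not part of the original post and not Meraki's code: a small auditor that reads a response in the shape quoted above and lists the allow rules that deserve a second look. The field names come from that response; the /16 breadth threshold, the handling of comma-separated CIDR lists, and the finding texts are assumptions.

```python
import ipaddress
import json

# Constructed sample: the rule quoted in the post plus two made-up rules.
SAMPLE = json.loads("""
{"rules": [
  {"comment": "Allow TCP traffic to subnet with HTTP servers.", "policy": "allow",
   "protocol": "tcp", "destPort": 443, "destCidr": "192.168.1.0/24",
   "srcPort": "Any", "srcCidr": "Any", "syslogEnabled": false},
  {"comment": "Constructed rule", "policy": "allow", "protocol": "tcp", "destPort": "Any",
   "destCidr": "Any", "srcPort": "Any", "srcCidr": "203.0.113.0/28", "syslogEnabled": true},
  {"comment": "Constructed rule", "policy": "deny", "protocol": "tcp", "destPort": 23,
   "destCidr": "Any", "srcPort": "Any", "srcCidr": "Any", "syslogEnabled": true}],
 "syslogDefaultRule": false}
""")

def is_any(value):
    return str(value).strip().lower() == "any"

def is_wide(cidrs, min_prefix):
    """True if any entry is 'Any' or a network broader than /min_prefix."""
    for part in str(cidrs).split(","):
        if is_any(part):
            return True
        try:
            net = ipaddress.ip_network(part.strip(), strict=False)
        except ValueError:
            continue  # not an IP/CIDR (e.g. a hostname): not judged here
        if net.prefixlen < min_prefix:
            return True
    return False

def audit_inbound_rules(doc, min_prefix=16):
    """Return (rule_number, issue) pairs; rule_number 0 is the default rule."""
    findings = []
    for n, rule in enumerate(doc.get("rules", []), start=1):
        if str(rule.get("policy", "")).lower() != "allow":
            continue  # only allow rules widen inbound exposure
        checks = [
            (is_wide(rule.get("srcCidr", "Any"), min_prefix), "source is Any or very broad"),
            (is_wide(rule.get("destCidr", "Any"), min_prefix), "destination is Any or very broad"),
            (is_any(rule.get("destPort", "Any")), "all destination ports allowed"),
            (not rule.get("syslogEnabled", False), "allow rule not logged to syslog"),
        ]
        findings += [(n, issue) for hit, issue in checks if hit]
    if not doc.get("syslogDefaultRule", False):
        findings.append((0, "default rule matches not logged to syslog"))
    return findings
```

Calling `audit_inbound_rules(SAMPLE)` flags rule 1 for its Any source and missing syslog, rule 2 for its Any destination and ports, and the unlogged default rule; the deny rule is skipped.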
I'm a little hazy on this, but I think when you configure the MX for NO-NAT mode (aka it becomes just a router) it enables the inbound rules section. Or it might be you need to open a support ticket to get it turned on.
I'm pretty sure it is related to using NO-NAT.
I don't have any NAT configured. I guess I have to open up a support case.
By default, you will have outbound PAT configured.
Check out from this post down:
Maybe that's the problem. I'm running version 14.40.
I don't think I have articulated this well.
You will not get the ability to use the inbound firewall rules unless you have NO-NAT configured and enabled.
Otherwise, in your configuration, all inbound-initiated traffic is blocked unless you have created a NAT rule to allow that traffic in.
Sorry, that might be my fault. In the link you provided above it says:
"NO-NAT is available in the 15.x code, which you can deploy to your device right now via the dashboard."
That's the reason why I think I can't do NO-NAT.
>That's the reason why I think I can't do NO-NAT.
And part of the reason you cannot edit inbound firewall rules.
How can we enable inbound rules on a Meraki MX64 device?
@diablo24 Yes, you can run No-NAT in MX15, but if all you need is to configure inbound firewalling in the same fashion as configuring the outbound rules, open a support ticket and they can enable inbound FW rules for you. It's not visible in the Dashboard UI by default (although I have requested that it should be).
You should also be able to configure Layer 7 rules to block inbound connections from a "remote IP range" (or single /32 IP). Depending on your needs, it should be just as effective as a Layer 3 rule.
