Firewall rules for MV's
The published rules for the MV's contain a dst of ANY as shown below:
We are not permitted to have an 'any' dst - does anyone know if Meraki publish anywhere what the actual destinations are?
After raising a support case I got a really helpful response and explanation as to why they publish the dst as ANY as per below:
Thanks for getting in touch with us here at Cisco Meraki! I'll be happy to provide support on this case.
So for the MV Cloud Archive specifically, it's port 443 you'll want open outbound on any upstream device. The destination catch-all of any I believe, is shown because it will change based on where you choose your organisation's location to be and thus the corresponding data centre, details found here: https://documentation.meraki.com/General_Administration/Organizations_and_Networks/Creating_a_Dashbo...
Depending if you fall into APAC, EU, or NA data centres the destination IP for archival you require may differ but here is a list of potentials depending on your config:
APAC - https://cloud-archive-upload.apa.vision.meraki.com 13.112.106.253
EU - https://cloud-archive-upload.euc.vision.meraki.com 3.65.231.194
NA - https://cloud-archive-upload.use.vision.meraki.com 3.225.48.233
Please note, our recommended, supported configuration is for the destination to be set to any, so please bear this set configuration in mind for any future troubleshooting. Wishing you a good weekend, let me know if I can assist further!
I have used the relevant FQDN as the dst as I did an NSLOOKUP and got a different IP so I guess there is more than one dst IP for the FQDN.
It's how Meraki works.
Please, if this post was useful, leave your kudos and mark it as solved.
It's of no use to me if our people won't permit an ANY dst.
Surely they must know what their devices connect to.
Hi @Dunky - Somebody within Meraki will have this information.
@GreenMan - sorry to pick on you but you're the first name that popped into my head. Are you able to source this info or inquiry internally?
https://www.linkedin.com/in/darrenoconnor/
I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
NTP is using *.pool.ntp.org which is essentially 0.0.0.0/0
Thanks, I guess that will be uk.pool.ntp.org then for deployments in the UK.
Try doing a packet capture on "port 53". This will show you the DNS queries being made. Create rules to those destinations instead.
Yeah, that's what I am gonna have to do, just thought it strange why Meraki don't publish dst IP/subnets or FQDNs for one particular rule.
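One way to turn the "port 53" capture suggested above into a firewall destination list, and to keep the pool.ntp.org names FQDN-based as the NTP reply notes. This is an added example, not code from the thread or from Meraki; the tcpdump-style lines, client addresses and the port mapping in guess_port are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches the request lines tcpdump prints for DNS, e.g.
#   12:00:01.100 IP 10.0.0.5.43210 > 10.0.0.1.53: 1001+ A? host.example. (31)
# Replies (source port 53) deliberately do not match.
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.53: \d+\+? "
    r"(?P<qtype>AAAA|A)\? (?P<name>\S+)"
)

# Constructed sample capture: two cameras, one reply, one unparseable line.
SAMPLE_CAPTURE = """\
12:00:01.100 IP 10.0.0.5.43210 > 10.0.0.1.53: 1001+ A? cloud-archive-upload.euc.vision.meraki.com. (59)
12:00:01.300 IP 10.0.0.1.53 > 10.0.0.5.43210: 1001 1/0/0 A 3.65.231.194 (75)
12:00:02.100 IP 10.0.0.5.43211 > 10.0.0.1.53: 1002+ A? 0.uk.pool.ntp.org. (35)
12:00:03.100 IP 10.0.0.6.43212 > 10.0.0.1.53: 1003+ A? cloud-archive-upload.euc.vision.meraki.com. (59)
12:00:04.100 IP 10.0.0.6.43213 > 10.0.0.1.53: 1004+ AAAA? 1.uk.pool.ntp.org. (35)
garbage line that does not parse
"""

def parse_dns_queries(capture_text):
    """Return {client_ip: set(fqdn)} for every A/AAAA query in the capture."""
    queries = defaultdict(set)
    for line in capture_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            queries[m.group("src")].add(m.group("name").rstrip(".").lower())
    return dict(queries)

def is_pool_name(fqdn):
    """pool.ntp.org names rotate through many volunteer servers, so an IP-based
    rule is never stable; keep these FQDN-based or point NTP at an internal server."""
    return fqdn.endswith("pool.ntp.org")

def guess_port(fqdn):
    # Assumption for this example: archive upload hosts use TCP/443 as the
    # support reply states; anything under pool.ntp.org is UDP/123.
    return "udp/123" if is_pool_name(fqdn) else "tcp/443"

def build_allowlist(capture_text, port_for_name=guess_port):
    """Collapse per-client queries into sorted (fqdn, port, note) rows for FQDN rules."""
    seen = set()
    for names in parse_dns_queries(capture_text).values():
        seen.update(names)
    return [(f, port_for_name(f),
             "fqdn only (rotating pool)" if is_pool_name(f) else "fqdn or resolved ips")
            for f in sorted(seen)]

if __name__ == "__main__":
    for fqdn, port, note in build_allowlist(SAMPLE_CAPTURE):
        print(f"allow {port:8} dst {fqdn:45} # {note}")
```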
