
Organization-Wide Outbound Firewall Rules

Location in Dashboard: Security and SD-WAN >> Configure >> Site-to-site VPN >> Site-to-site outbound firewall

Diagram

Classes

appliance (meraki.domains.organizations)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| vpn_firewall_rules | Class[vpn_firewall_rules] | | No | |

vpn_firewall_rules (meraki.domains.organizations.appliance)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| rules | List[rules] | | No | |
| syslog_default_rule | Boolean | true, false | No | |

rules (meraki.domains.organizations.appliance.vpn_firewall_rules)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| comment | String | min: 1, max: 127 | No | |
| policy | Choice | allow, deny | Yes | |
| protocol | Choice | any, icmp, icmp6, tcp, udp | Yes | |
| source_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3 | | |
| source_cidr | String | Regex: `^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$` | No | |
| destination_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3 | | |
| destination_cidr | String | Regex: `^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$` | No | |
| syslog | Boolean | true, false | No | |

Config Sample

```yaml
meraki:
  domains:
    - name: EMEA
      administrator:
        name: Foo Bar
      organizations:
        - name: Dev
          appliance:
            vpn_firewall_rules:
              rules:
                - comment: "Allow HTTPS"
                  policy: allow
                  protocol: tcp
                  source_port: "Any"
                  source_cidr: "192.168.1.0/24"
                  destination_port: "443"
                  # The CIDR Object must be created in Policy Objects in order to be applied.
                  destination_cidr: "10.0.0.0/24"
                  syslog: true
                - comment: "Deny all UDP"
                  policy: deny
                  protocol: udp
                  source_port: "Any"
                  source_cidr: "Any"
                  destination_port: "Any"
                  destination_cidr: "Any"
                  syslog: false
                - comment: "Deny all TCP"
                  policy: deny
                  protocol: tcp
                  source_port: "Any"
                  source_cidr: "Any"
                  destination_port: "Any"
                  destination_cidr: "Any"
                  syslog: false
              syslog_default_rule: true
```
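The following is an added example, not code from the Meraki data model or the project this page documents: a pre-commit style validator that checks a list of `rules` entries against the constraints in the tables above (mandatory fields, choice values, comment length, port range, and the page's CIDR regex) and flags deny rules that have `syslog` disabled, using the Config Sample's rules as input. Assumptions: rules are passed as plain dicts rather than parsed YAML, and because the page's string pattern for ports is truncated, `port_ok` accepts "Any" or a numeric string in range as a stand-in.

```python
import re

# CIDR pattern copied from the source_cidr / destination_cidr constraint above.
CIDR_RE = re.compile(
    r"^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)"
    r"(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$"
)
POLICIES = {"allow", "deny"}
PROTOCOLS = {"any", "icmp", "icmp6", "tcp", "udp"}


def port_ok(value):
    """Integer 0-65535, or a string that is "Any" (any case) or a number in range.
    Assumption: the page's string pattern is truncated, so this is a stand-in for it."""
    if isinstance(value, bool):
        return False
    if isinstance(value, int):
        return 0 <= value <= 65535
    if isinstance(value, str):
        return value.lower() == "any" or (value.isdigit() and int(value) <= 65535)
    return False


def validate_rules(rules):
    """Return (errors, warnings) for a list of rule dicts, checked in order."""
    errors, warnings = [], []
    for i, rule in enumerate(rules):
        tag = f"rule {i} ({rule.get('comment', 'no comment')!r})"
        for key in ("policy", "protocol"):  # Mandatory: Yes in the rules table
            if key not in rule:
                errors.append(f"{tag}: missing mandatory field {key}")
        if "policy" in rule and rule["policy"] not in POLICIES:
            errors.append(f"{tag}: policy must be one of {sorted(POLICIES)}")
        if "protocol" in rule and rule["protocol"] not in PROTOCOLS:
            errors.append(f"{tag}: protocol must be one of {sorted(PROTOCOLS)}")
        if "comment" in rule and not 1 <= len(rule["comment"]) <= 127:
            errors.append(f"{tag}: comment length must be 1..127")
        for key in ("source_port", "destination_port"):
            if key in rule and not port_ok(rule[key]):
                errors.append(f"{tag}: {key} out of range or malformed")
        for key in ("source_cidr", "destination_cidr"):
            if key in rule and not CIDR_RE.match(rule[key]):
                errors.append(f"{tag}: {key} does not match the CIDR pattern")
        if "syslog" in rule and not isinstance(rule["syslog"], bool):
            errors.append(f"{tag}: syslog must be true or false")
        # Added audit check (not a schema constraint): an unlogged deny rule leaves
        # no record of blocked site-to-site VPN traffic for later investigation.
        if rule.get("policy") == "deny" and rule.get("syslog") is not True:
            warnings.append(f"{tag}: deny rule without syslog")
    return errors, warnings


# Constructed from the first two rules of the Config Sample above.
SAMPLE_RULES = [
    {"comment": "Allow HTTPS", "policy": "allow", "protocol": "tcp",
     "source_port": "Any", "source_cidr": "192.168.1.0/24",
     "destination_port": "443", "destination_cidr": "10.0.0.0/24", "syslog": True},
    {"comment": "Deny all UDP", "policy": "deny", "protocol": "udp",
     "source_port": "Any", "source_cidr": "Any",
     "destination_port": "Any", "destination_cidr": "Any", "syslog": False},
]
```

Running `validate_rules(SAMPLE_RULES)` returns no errors and one warning for the unlogged "Deny all UDP" rule.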