Organization-Wide Outbound Firewall Rules
Location in Dashboard: Security and SD-WAN >> Configure >> Site-to-site VPN >> Site-to-site outbound firewall
Classes
appliance (meraki.domains.organizations)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
vpn_firewall_rules | Class | [vpn_firewall_rules] | No | |
vpn_firewall_rules (meraki.domains.organizations.appliance)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
rules | List | [rules] | No | |
syslog_default_rule | Boolean | true , false | No | |
rules (meraki.domains.organizations.appliance.vpn_firewall_rules)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
comment | String | min: 1 , max: 127 | No | |
policy | Choice | allow , deny | Yes | |
protocol | Choice | any , icmp , icmp6 , tcp , udp | Yes | |
source_port | Any | Integer[min: 0 , max: 65535 ] or String[matches: `(?:[1-9][0-9]3 | [1-5][0-9]4 | 6[0-4][0-9]3 |
source_cidr | String | Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$ | No | |
destination_port | Any | Integer[min: 0 , max: 65535 ] or String[matches: `(?:[1-9][0-9]3 | [1-5][0-9]4 | 6[0-4][0-9]3 |
destination_cidr | String | Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$ | No | |
syslog | Boolean | true , false | No | |
Config Sample
meraki:
  domains:
    - name: EMEA
      administrator:
        name: Foo Bar
      organizations:
        - name: Dev
          appliance:
            vpn_firewall_rules:
              rules:
                - comment: "Allow HTTPS"
                  policy: allow
                  protocol: tcp
                  source_port: "Any"
                  source_cidr: "192.168.1.0/24"
                  destination_port: "443"
                  # The CIDR Object must be created in Policy Objects in order to be applied.
                  destination_cidr: "10.0.0.0/24"
                  syslog: true
                - comment: "Deny all UDP"
                  policy: deny
                  protocol: udp
                  source_port: "Any"
                  source_cidr: "Any"
                  destination_port: "Any"
                  destination_cidr: "Any"
                  syslog: false
                - comment: "Deny all TCP"
                  policy: deny
                  protocol: tcp
                  source_port: "Any"
                  source_cidr: "Any"
                  destination_port: "Any"
                  destination_cidr: "Any"
                  syslog: false
              syslog_default_rule: true
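
The constraints from the rules table, applied as a pre-deployment lint (an added example, not part of the original page or the project's own tooling). It shows that the documented CIDR regex is only a shape check: it accepts out-of-range octets and prefix lengths, so the lint also parses each entry. The names `lint_rule` and `SAMPLE` are assumptions, the sample rules are constructed, and the port fields are skipped because their pattern is cut off in the table.

```python
import ipaddress
import re

# Constraints copied from the "rules" table on this page.
CIDR_RE = re.compile(
    r"^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)"
    r"(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$"
)
POLICIES = {"allow", "deny"}
PROTOCOLS = {"any", "icmp", "icmp6", "tcp", "udp"}

def lint_rule(rule):
    """Return a list of findings for one rule dict (empty list means clean)."""
    findings = []
    comment = rule.get("comment")
    if comment is not None and not 1 <= len(comment) <= 127:
        findings.append("comment: length must be 1..127")
    if rule.get("policy") not in POLICIES:
        findings.append("policy: must be allow or deny")
    if rule.get("protocol") not in PROTOCOLS:
        findings.append("protocol: not a documented choice")
    for field in ("source_cidr", "destination_cidr"):
        value = rule.get(field)
        if value is None:
            continue  # both CIDR fields are optional in the table
        # fullmatch: "$" alone would still accept a trailing newline
        if not CIDR_RE.fullmatch(value):
            findings.append(f"{field}: does not match documented regex")
            continue
        for part in value.split(","):
            if part.lower() == "any":
                continue
            try:
                ipaddress.ip_network(part, strict=False)
            except ValueError:
                findings.append(f"{field}: {part} passes the regex but is not a valid network")
    return findings

# Constructed sample rules: the page's "Allow HTTPS" rule plus two faulty ones.
SAMPLE = [
    {"comment": "Allow HTTPS", "policy": "allow", "protocol": "tcp",
     "source_cidr": "192.168.1.0/24", "destination_cidr": "10.0.0.0/24"},
    {"comment": "Bad CIDR", "policy": "deny", "protocol": "udp",
     "source_cidr": "Any", "destination_cidr": "10.0.0.999/40"},
    {"comment": "", "policy": "drop", "protocol": "tcp"},
]

if __name__ == "__main__":
    for index, rule in enumerate(SAMPLE):
        print(index, lint_rule(rule) or "ok")
```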