Skip to main content

Organization-Wide Outbound Firewall Rules

Location in Dashboard: Security and SD-WAN >> Configure >> Site-to-site VPN >> Site-to-site outbound firewall

Diagram

Syntax error in textmermaid version 10.9.3

Classes

appliance (meraki.domains.organizations)

NameTypeConstraintMandatoryDefault Value
vpn_firewall_rulesClass[vpn_firewall_rules]No

vpn_firewall_rules (meraki.domains.organizations.appliance)

NameTypeConstraintMandatoryDefault Value
rulesList[rules]No
syslog_default_ruleBooleantrue, falseNo

rules (meraki.domains.organizations.appliance.vpn_firewall_rules)

NameTypeConstraintMandatoryDefault Value
commentStringmin: 1, max: 127No
policyChoiceallow, denyYes
protocolChoiceany, icmp, icmp6, tcp, udpYes
source_portAnyInteger[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3
source_cidrStringRegex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$No
destination_portAnyInteger[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3
destination_cidrStringRegex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$No
syslogBooleantrue, falseNo

Config Sample

meraki:
  domains:
    - name: EMEA
      administrator:
        name: Foo Bar
      organizations:
        - name: Dev
          appliance:
            vpn_firewall_rules:
              rules:
                - comment: "Allow HTTPS"
                  policy: allow
                  protocol: tcp
                  source_port: "Any"
                  source_cidr: "192.168.1.0/24"
                  destination_port: "443"
                  # The CIDR Object must be created in Policy Objects in order to be applied.
                  destination_cidr: "10.0.0.0/24"
                  syslog: true
                - comment: "Deny all UDP"
                  policy: deny
                  protocol: udp
                  source_port: "Any"
                  source_cidr: "Any"
                  destination_port: "Any"
                  destination_cidr: "Any"
                  syslog: false
                - comment: "Deny all TCP"
                  policy: deny
                  protocol: tcp
                  source_port: "Any"
                  source_cidr: "Any"
                  destination_port: "Any"
                  destination_cidr: "Any"
                  syslog: false
              syslog_default_rule: true