Cellular Firewall Rules Configuration
Dashboard Location: Security and SD-WAN > Configure > Firewall > Cellular failover rules
Network Layer Security Management on Cellular Failover
These firewall rules are appended to the existing outbound Layer 3 rules while the appliance has failed over to a cellular modem as its uplink. They are useful for limiting cellular traffic to business-critical uses so that failover does not cause unnecessary cellular data overages.
Note: Because the cellular failover rules are appended after the general Layer 3 rules, and rules are evaluated top-down with the first match winning, a deny any any in the general Layer 3 rules matches all traffic before the cellular failover rules are reached, so they will never trigger. The same applies to any earlier general rule, allow or deny, that already covers the traffic a cellular rule is meant to match.
Diagram

Classes
Section titled “Classes”firewall (meraki.domains.organizations.networks.appliance)
Section titled “firewall (meraki.domains.organizations.networks.appliance)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| cellular_firewall_rules | List | [cellular_firewall_rules] | No |
cellular_firewall_rules (meraki.domains.organizations.networks.appliance.firewall)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| comment | String | min: 1, max: 127 | No | |
| policy | Choice | allow, deny | Yes | |
| protocol | Choice | any, icmp, icmp6, tcp, udp | Yes | |
| source_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3 \| [1-5][0-9]4 \| 6[0-4][0-9]3 \|` (pattern truncated)] | | |
| source_cidr | String | Regex (see below): `any`, an IPv4 address or prefix, a `VLAN(<id>).<host>` reference, or an IPv6 address or prefix; several entries may be comma-separated | No | |
| destination_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3 \| [1-5][0-9]4 \| 6[0-4][0-9]3 \|` (pattern truncated)] | | |
| destination_cidr | String | Regex (see below): same pattern as source_cidr | No | |
| syslog | Boolean | true, false | No | |

The pattern applied to `source_cidr` and `destination_cidr` (the leading `(?i:` group makes the first entry case-insensitive; VLAN IDs are limited to 1-4094 and the host part to `*` or 1-254; IPv4 octets are not range-checked beyond three digits):

```text
^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])|([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(\/\d{1,3})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])|([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(\/\d{1,3})?))*$
```
Examples
Example-1: The example below demonstrates cellular firewall rule configuration.
Each rule combines a policy action (allow/deny), a protocol (tcp, udp, icmp, icmp6 or any), source and destination addresses (`any`, a CIDR, or on appliances that support VLANs a `VLAN(<id>).<host>` reference) and source/destination ports. Because these rules are only active on the cellular uplink, they are normally used to restrict failover traffic to business-critical destinations rather than as the general outbound policy.
This configuration creates two cellular firewall rules.

The first rule, “Block Bad Traffic”, denies UDP traffic from the subnet 10.10.10.0/24 with source port 1433 to any destination on port 1433 (the default Microsoft SQL Server port). The second rule, “Block SSH”, denies TCP traffic with source port 22 from any source to any destination on port 22. Note that both rules pin the source port as well as the destination port: a client opening a connection to SQL Server or SSH uses an ephemeral source port, so as written these rules only match packets whose source port also happens to be 1433 or 22. To block all client connections to those services, leave the source port unrestricted (`Any`) and match on `destination_port` alone. Setting `syslog: true` on a rule logs the traffic it matches for monitoring and auditing.
```yaml
meraki:
  domains:
    - name: !env domain
      administrator:
        name: !env org_admin
      organizations:
        - name: !env org
          networks:
            - name: !env network_name
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              appliance:
                firewall:
                  cellular_firewall_rules:
                    - comment: "Block Bad Traffic"
                      policy: deny
                      protocol: udp
                      source_port: 1433
                      source_cidr: 10.10.10.0/24
                      # source_cidr: 10.10.10.0/24,VLAN(10).*,VLAN(20).5 # example for devices that support VLANs
                      destination_port: 1433
                      destination_cidr: Any
                      # syslog: true
                    - comment: "Block SSH"
                      policy: deny
                      protocol: tcp
                      source_port: 22
                      source_cidr: Any
                      destination_port: 22
                      destination_cidr: Any
                      # syslog: true
```
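The Python script below is an added example written for this page; it is not part of the meraki-as-code project and does not call the Meraki API. It does two things a practitioner would want before pushing this YAML: it checks a rule against the constraints in the schema table above (compiling the `source_cidr`/`destination_cidr` pattern verbatim, plus an address check the pattern alone does not do), and it models the ordering described in the note at the top, general Layer 3 rules first and cellular failover rules appended after them, to report cellular rules that can never trigger. The two cellular rules are the ones from the YAML example above, converted to dicts; the general Layer 3 rule set (`Allow DNS`, `Default deny`) is constructed for the example. Two assumptions are the example's own: a missing address or port field is treated as `any`, and because the table's port string pattern is truncated on this page, the only string port value accepted is `any`.

```python
import ipaddress
import re
from typing import Any, Dict, List

# Address constraint copied verbatim from the source_cidr / destination_cidr rows of the
# schema table on this page. Only the first entry sits inside the (?i:...) group, so "Any"
# passes on its own but a later entry must be written "any" / "VLAN(...)".
CIDR_RE = re.compile(
    r"^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?"
    r"|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)"
    r"\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])"
    r"|([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(\/\d{1,3})?)"
    r"(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?"
    r"|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)"
    r"\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])"
    r"|([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(\/\d{1,3})?))*$"
)
POLICIES = {"allow", "deny"}
PROTOCOLS = {"any", "icmp", "icmp6", "tcp", "udp"}
MATCH_FIELDS = ("source_cidr", "destination_cidr", "source_port", "destination_port")


def _check_cidr(field: str, value: Any, problems: List[str]) -> None:
    """Schema regex first, then an address check that the regex alone does not perform."""
    if not isinstance(value, str) or not CIDR_RE.match(value):
        problems.append(f"{field}: {value!r} does not match the schema pattern")
        return
    for item in value.split(","):
        if item.lower() == "any" or item.upper().startswith("VLAN("):
            continue
        try:
            ipaddress.ip_network(item, strict=False)
        except ValueError:  # e.g. 10.10.10.256/24 satisfies \d{1,3} but is not an address
            problems.append(f"{field}: {item!r} is not a valid IPv4/IPv6 address or prefix")


def _check_port(field: str, value: Any, problems: List[str]) -> None:
    # Integer 0..65535 per the table; its string pattern is cut off on this page, so the only
    # string accepted here is 'any' (an assumption of this example, not the schema).
    if isinstance(value, str) and value.lower() == "any":
        return
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 65535:
        problems.append(f"{field}: {value!r} is not an integer in 0..65535 or 'any'")


def validate_rule(rule: Dict[str, Any]) -> List[str]:
    """Return the schema violations of one cellular_firewall_rules entry ([] if clean)."""
    problems: List[str] = []
    comment = rule.get("comment")
    if comment is not None and not (isinstance(comment, str) and 1 <= len(comment) <= 127):
        problems.append("comment: must be a string of 1..127 characters")
    if rule.get("policy") not in POLICIES:
        problems.append(f"policy: {rule.get('policy')!r} is not one of {sorted(POLICIES)}")
    if rule.get("protocol") not in PROTOCOLS:
        problems.append(f"protocol: {rule.get('protocol')!r} is not one of {sorted(PROTOCOLS)}")
    for field, check in (("source_cidr", _check_cidr), ("destination_cidr", _check_cidr),
                         ("source_port", _check_port), ("destination_port", _check_port)):
        if field in rule:
            check(field, rule[field], problems)
    if "syslog" in rule and not isinstance(rule["syslog"], bool):
        problems.append("syslog: must be true or false")
    return problems


def _covers(earlier: Any, later: Any) -> bool:
    """True if an earlier rule's field value matches everything the later rule's value does."""
    if str(earlier).lower() == "any" or earlier == later:
        return True
    if not (isinstance(earlier, str) and isinstance(later, str)):
        return False  # ports: only 'any' or an identical value covers
    try:
        nets = [ipaddress.ip_network(x, strict=False) for x in earlier.split(",")]
        return all(any(ipaddress.ip_network(y, strict=False).subnet_of(n) for n in nets)
                   for y in later.split(","))
    except (ValueError, TypeError):  # VLAN(...) entries, 'any' on the later side, v4/v6 mix
        return False


def shadowed_cellular_rules(l3_rules: List[Dict[str, Any]],
                            cellular_rules: List[Dict[str, Any]]) -> List[str]:
    """Cellular failover rules are appended after the general L3 outbound rules and matched
    top-down, so an earlier rule (allow or deny) covering everything a later rule matches makes
    it dead. A missing address/port field is treated as 'any' (assumption about the default)."""
    effective = list(l3_rules) + list(cellular_rules)
    dead = []
    for i in range(len(l3_rules), len(effective)):
        later = effective[i]
        for earlier in effective[:i]:
            if earlier.get("protocol") in ("any", later.get("protocol")) and all(
                    _covers(earlier.get(f, "any"), later.get(f, "any")) for f in MATCH_FIELDS):
                dead.append(f"{later.get('comment')!r} is shadowed by {earlier.get('comment')!r}")
                break
    return dead


CELLULAR_RULES = [  # the two rules from the YAML example above, as dicts
    {"comment": "Block Bad Traffic", "policy": "deny", "protocol": "udp", "source_port": 1433,
     "source_cidr": "10.10.10.0/24", "destination_port": 1433, "destination_cidr": "Any"},
    {"comment": "Block SSH", "policy": "deny", "protocol": "tcp", "source_port": 22,
     "source_cidr": "Any", "destination_port": 22, "destination_cidr": "Any"},
]
L3_RULES = [  # constructed general L3 outbound rules ending in the catch-all deny from the note
    {"comment": "Allow DNS", "policy": "allow", "protocol": "udp", "destination_port": 53},
    {"comment": "Default deny", "policy": "deny", "protocol": "any"},
]
```

With the constructed `L3_RULES`, `shadowed_cellular_rules(L3_RULES, CELLULAR_RULES)` reports both cellular rules as shadowed by `Default deny`; dropping the catch-all (`L3_RULES[:1]`) leaves the list empty. The check is deliberately conservative: it treats `VLAN(...)` references as never covering or being covered, so it may miss shadowing in that case but will not report a false positive.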