Cellular Firewall Rules Configuration
Dashboard Location: Security and SD-WAN > Configure > Firewall > Cellular failover rules
Network Layer Security Management on Cellular Failover
Section titled “Network Layer Security Management on Cellular Failover”These firewall rules are appended to the existing outbound rules when the appliance has failed over to using a cellular modem as its uplink. This can be useful for limiting cellular traffic to only business-critical uses to prevent unnecessary cellular overages.
Note: As the cellular failover rules are appended, if a deny any any is applied to the general Layer 3 firewall rules, cellular failover rules will never trigger.
Diagram
Section titled “Diagram”
Classes
Section titled “Classes”firewall (meraki.domains.organizations.networks.appliance)
Section titled “firewall (meraki.domains.organizations.networks.appliance)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| cellular_firewall_rules | List | [cellular_firewall_rules] | No |
cellular_firewall_rules (meraki.domains.organizations.networks.appliance.firewall)
Section titled “cellular_firewall_rules (meraki.domains.organizations.networks.appliance.firewall)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| comment | String | min: 1, max: 127 | No | |
| policy | Choice | allow, deny | Yes | |
| protocol | Choice | any, icmp, icmp6, tcp, udp | Yes | |
| source_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3 | [1-5][0-9]4 | 6[0-4][0-9]3 |
| source_cidr | String | Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])|([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(\/\d{1,3})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])|([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(\/\d{1,3})?))*$ | No | |
| destination_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3 | [1-5][0-9]4 | 6[0-4][0-9]3 |
| destination_cidr | String | Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])|([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(\/\d{1,3})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])|([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(\/\d{1,3})?))*$ | No | |
| source_policy_objects | List | String[min: 1, max: 127] | No | |
| source_policy_object_groups | List | String[min: 1, max: 127] | No | |
| destination_policy_objects | List | String[min: 1, max: 127] | No | |
| destination_policy_object_groups | List | String[min: 1, max: 127] | No | |
| source_vlans | List | [source_vlans] | No | |
| destination_vlans | List | [destination_vlans] | No | |
| syslog | Boolean | true, false | No |
source_vlans (meraki.domains.organizations.networks.appliance.firewall.cellular_firewall_rules)
Section titled “source_vlans (meraki.domains.organizations.networks.appliance.firewall.cellular_firewall_rules)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| vlan_id | Any | Integer[min: 1, max: 4094] or String[matches: `(?:[1-9] | [1-9][0-9] | [1-9][0-9]2 |
| ipv4_offset | Integer | min: 1, max: 254 | No | |
| ipv6_offset | IP | No |
destination_vlans (meraki.domains.organizations.networks.appliance.firewall.cellular_firewall_rules)
Section titled “destination_vlans (meraki.domains.organizations.networks.appliance.firewall.cellular_firewall_rules)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| vlan_id | Any | Integer[min: 1, max: 4094] or String[matches: `(?:[1-9] | [1-9][0-9] | [1-9][0-9]2 |
| ipv4_offset | Integer | min: 1, max: 254 | No | |
| ipv6_offset | IP | No |
Examples
Section titled “Examples”Example-1: The example below demonstrates cellular firewall rule configuration.
This configuration implements granular security policies for network segmentation and application control. The rules support zero-trust security models and inter-VLAN communication management through policy actions (allow/deny), protocol specifications (tcp/udp/icmp/any), source/destination addressing with CIDR notation, and port ranges.
This configuration creates two comprehensive cellular firewall rules for network security enforcement.
The first rule, “Block Bad Traffic”, denies UDP traffic on port 1433 originating from the subnet 10.10.10.0/24 to any destination on port 1433, effectively blocking potentially malicious SQL-related traffic. The second rule, “Block SSH”, denies TCP traffic on port 22 from any source to any destination, preventing unauthorized SSH access across the network. Optional syslog settings are available to log matched traffic for monitoring and auditing purposes.
meraki: domains: - name: !env domain administrator: name: !env org_admin organizations: - name: !env org networks: - name: !env network_name product_types: - appliance - switch - wireless - camera - sensor - cellularGateway appliance: firewall: cellular_firewall_rules: - comment: "Block Bad Traffic" policy: deny protocol: udp source_port: 1433 source_cidr: 10.10.10.0/24 # source_cidr: 10.10.10.0/24,VLAN(10).*,VLAN(20).5 # example for devices that support VLANs destination_port: 1433 destination_cidr: Any # syslog: true - comment: "Block SSH" policy: deny protocol: tcp source_port: 22 source_cidr: Any destination_port: 22 destination_cidr: Any # syslog: trueExample-2: The example below demonstrates cellular firewall rule configuration using policy objects, policy object groups, and VLANs as source and destination.
The source_cidr and destination_cidr fields accept a comma-separated list of IPv4 and IPv6 CIDRs. VLAN-based sources and destinations should be specified using source_vlans and destination_vlans respectively, where each entry contains a vlan_id and optionally an ipv4_offset (e.g. VLAN(10).5) or ipv6_offset (e.g. VLAN(11)::12a). Omitting both offsets produces a wildcard match VLAN(<id>).*. Named policy objects and policy object groups should be specified in source_policy_objects, source_policy_object_groups, destination_policy_objects, and destination_policy_object_groups respectively. All these fields are assembled into a single comma-separated srcCidr/destCidr string sent to the Meraki API. The source_cidr and destination_cidr fields will still accept a comma-separated list of plain CIDRs and VLAN(<id>) format tokens directly if preferred.
meraki: domains: - name: !env domain administrator: name: !env org_admin organizations: - name: !env org networks: - name: !env network_name product_types: - appliance - switch - wireless - camera - sensor - cellularGateway appliance: firewall: cellular_firewall_rules: - comment: "Block mixed sources on cellular" policy: deny protocol: udp source_port: Any source_cidr: 10.0.0.0/24,10.32.0.0/25 source_policy_objects: - my_host_object source_policy_object_groups: - my_network_group source_vlans: - vlan_id: 10 ipv4_offset: "5" # results in VLAN(10).5 - vlan_id: 11 ipv6_offset: "::12a" # results in VLAN(11)::12a - vlan_id: 20 # results in VLAN(20).* (wildcard) destination_port: Any destination_cidr: 192.168.0.0/24 destination_vlans: - vlan_id: 30 ipv4_offset: "1" # results in VLAN(30).1Dashboard Location: Security and SD-WAN > Configure > Firewall > Cellular failover rules
Network Layer Security Management on Cellular Failover
Section titled “Network Layer Security Management on Cellular Failover”These firewall rules are appended to the existing outbound rules when the appliance has failed over to using a cellular modem as its uplink. This can be useful for limiting cellular traffic to only business-critical uses to prevent unnecessary cellular overages.
Note: As the cellular failover rules are appended, if a deny any any is applied to the general Layer 3 firewall rules, cellular failover rules will never trigger.
Diagram
Section titled “Diagram”
Classes
Section titled “Classes”firewall (meraki.domains.organizations.networks.appliance)
Section titled “firewall (meraki.domains.organizations.networks.appliance)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| cellular_firewall_rules | List | [cellular_firewall_rules] | No |
cellular_firewall_rules (meraki.domains.organizations.networks.appliance.firewall)
Section titled “cellular_firewall_rules (meraki.domains.organizations.networks.appliance.firewall)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| comment | String | min: 1, max: 127 | No | |
| policy | Choice | allow, deny | Yes | |
| protocol | Choice | any, icmp, icmp6, tcp, udp | Yes | |
| source_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3 | [1-5][0-9]4 | 6[0-4][0-9]3 |
| source_cidr | String | Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])|([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(\/\d{1,3})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])|([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(\/\d{1,3})?))*$ | No | |
| destination_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3 | [1-5][0-9]4 | 6[0-4][0-9]3 |
| destination_cidr | String | Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])|([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(\/\d{1,3})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])|([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(\/\d{1,3})?))*$ | No | |
| syslog | Boolean | true, false | No |
Examples
Section titled “Examples”Example-1: The example below demonstrates cellular firewall rule configuration.
This configuration implements granular security policies for network segmentation and application control. The rules support zero-trust security models and inter-VLAN communication management through policy actions (allow/deny), protocol specifications (tcp/udp/icmp/any), source/destination addressing with CIDR notation, and port ranges.
This configuration creates two comprehensive cellular firewall rules for network security enforcement.
The first rule, “Block Bad Traffic”, denies UDP traffic on port 1433 originating from the subnet 10.10.10.0/24 to any destination on port 1433, effectively blocking potentially malicious SQL-related traffic. The second rule, “Block SSH”, denies TCP traffic on port 22 from any source to any destination, preventing unauthorized SSH access across the network. Optional syslog settings are available to log matched traffic for monitoring and auditing purposes.
meraki: domains: - name: !env domain administrator: name: !env org_admin organizations: - name: !env org networks: - name: !env network_name product_types: - appliance - switch - wireless - camera - sensor - cellularGateway appliance: firewall: cellular_firewall_rules: - comment: "Block Bad Traffic" policy: deny protocol: udp source_port: 1433 source_cidr: 10.10.10.0/24 # source_cidr: 10.10.10.0/24,VLAN(10).*,VLAN(20).5 # example for devices that support VLANs destination_port: 1433 destination_cidr: Any # syslog: true - comment: "Block SSH" policy: deny protocol: tcp source_port: 22 source_cidr: Any destination_port: 22 destination_cidr: Any # syslog: true