Inbound Firewall Rules Configuration
Dashboard Location: Security and SD-WAN > Configure > Firewall > Inbound firewall rules
WAN-to-LAN Traffic Control
Inbound firewall rules configuration in Meraki appliances provides comprehensive security control for traffic entering the network from external sources, such as the internet or WAN connections. This functionality enables administrators to define granular policies for incoming traffic based on source and destination IP addresses, protocols, and ports, supporting both allow and deny actions with detailed logging capabilities. Inbound firewall rules are critical for protecting internal network resources from external threats, controlling remote access, and implementing secure ingress policies while maintaining operational requirements for legitimate external connections.
Diagram
Classes
firewall (meraki.domains.organizations.networks.appliance)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| inbound_firewall_rules | Class | [inbound_firewall_rules] | No | |
inbound_firewall_rules (meraki.domains.organizations.networks.appliance.firewall)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| rules | List | [rules] | No | |
| syslog_default_rule | Boolean | true, false | No | |
rules (meraki.domains.organizations.networks.appliance.firewall.inbound_firewall_rules)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| comment | String | min: 1, max: 127 | No | |
| policy | Choice | allow, deny | Yes | |
| protocol | Choice | any, icmp, icmp6, tcp, udp | Yes | |
| source_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]{3} \| [1-5][0-9]{4} \| 6[0-4][0-9]{3} \|`] | No | |
| source_cidr | String | Regex: `^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?\|VLAN\((?:[1-9]\|[1-9]\d\|[1-9]\d{2}\|[1-3]\d{3}\|40[0-8]\d\|409[0-4])\)\.(?:\*\|[1-9]\|[1-9]\d\|1\d\d\|2[0-4]\d\|25[0-4])\|(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:\/(?:12[0-8]\|1[01][0-9]\|[1-9][0-9]\|[0-9]))?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?\|VLAN\((?:[1-9]\|[1-9]\d\|[1-9]\d{2}\|[1-3]\d{3}\|40[0-8]\d\|409[0-4])\)\.(?:\*\|[1-9]\|[1-9]\d\|1\d\d\|2[0-4]\d\|25[0-4])\|(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:\/(?:12[0-8]\|1[01][0-9]\|[1-9][0-9]\|[0-9]))?)*)*$` | No | |
| destination_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]{3} \| [1-5][0-9]{4} \| 6[0-4][0-9]{3} \|`] | No | |
| destination_cidr | String | Regex: `^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?\|VLAN\((?:[1-9]\|[1-9]\d\|[1-9]\d{2}\|[1-3]\d{3}\|40[0-8]\d\|409[0-4])\)\.(?:\*\|[1-9]\|[1-9]\d\|1\d\d\|2[0-4]\d\|25[0-4])\|(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:\/(?:12[0-8]\|1[01][0-9]\|[1-9][0-9]\|[0-9]))?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?\|VLAN\((?:[1-9]\|[1-9]\d\|[1-9]\d{2}\|[1-3]\d{3}\|40[0-8]\d\|409[0-4])\)\.(?:\*\|[1-9]\|[1-9]\d\|1\d\d\|2[0-4]\d\|25[0-4])\|(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:\/(?:12[0-8]\|1[01][0-9]\|[1-9][0-9]\|[0-9]))?)*)*$` | No | |
| source_vlans | List | [source_vlans] | No | |
| destination_vlans | List | [destination_vlans] | No | |
| syslog | Boolean | true, false | No | |
source_vlans (meraki.domains.organizations.networks.appliance.firewall.inbound_firewall_rules.rules)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| vlan_id | Any | Integer[min: 1, max: 4094] or String[matches: `(?:[1-9] \| [1-9][0-9] \| [1-9][0-9]{2} \|`] | No | |
| ipv6_offset | IP | | No | |
destination_vlans (meraki.domains.organizations.networks.appliance.firewall.inbound_firewall_rules.rules)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| vlan_id | Any | Integer[min: 1, max: 4094] or String[matches: `(?:[1-9] \| [1-9][0-9] \| [1-9][0-9]{2} \|`] | No | |
| ipv6_offset | IP | | No | |
Examples
Example-1: The example below demonstrates basic inbound firewall rules for common remote access and external service requirements.
For the appliance devices, firewall rules are defined, including an inbound rule that allows SSH traffic (TCP port 22) from any source to the destination subnet 192.168.1.0/24. Optional settings for syslog and default firewall logging are present but currently commented out.
```yaml
meraki:
  domains:
    - name: !env domain
      administrator:
        name: !env org_admin
      organizations:
        - name: !env org
          networks:
            - name: !env network_name
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              appliance:
                firewall:
                  inbound_firewall_rules:
                    rules:
                      - comment: "Allow SSH"
                        policy: allow
                        protocol: tcp
                        source_port: Any
                        source_cidr: Any
                        destination_port: 22
                        destination_cidr: "192.168.1.0/24"
                        # syslog: true
                    # syslog_default_rule: true
```

Example-2: The example below demonstrates inbound firewall rule configuration using a plain CIDR as source and VLANs as destination.
The source_cidr and destination_cidr fields accept a comma-separated list of IPv4 and IPv6 CIDRs. VLAN-based destinations should be specified using destination_vlans, where each entry contains a vlan_id and optionally an ipv6_offset (e.g. VLAN(11)::12a). Note that ipv4_offset is not supported for inbound rules. Omitting the offset produces a wildcard match VLAN(<id>).*. The source_cidr and destination_cidr fields will still accept a comma-separated list of plain CIDRs and VLAN(<id>) format tokens directly if preferred.
```yaml
meraki:
  domains:
    - name: !env domain
      administrator:
        name: !env org_admin
      organizations:
        - name: !env org
          networks:
            - name: !env network_name
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              appliance:
                firewall:
                  inbound_firewall_rules:
                    rules:
                      - comment: "Allow traffic from specific VLANs"
                        policy: allow
                        protocol: tcp
                        source_port: Any
                        source_cidr: "10.0.0.0/24"
                        destination_port: 443
                        destination_vlans:
                          - vlan_id: 11
                            ipv6_offset: "::12a"   # results in VLAN(11)::12a
                          - vlan_id: 20            # results in VLAN(20).* (wildcard)
                        # syslog: true
                    # syslog_default_rule: true
```
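As an added example (not the data model's own tooling), the Python below renders and lints rules written in this model before they are pushed: it builds the VLAN(<id>) tokens described above from `destination_vlans` and `source_vlans` entries, refuses `ipv4_offset`, checks plain `*_cidr` tokens against a constructed subset of the model's regex, and flags any-source allow rules and any-source rules with syslog left off. The function names and the lint policy are assumptions made here.

```python
import re

# Constructed subset of the page's *_cidr constraint: "any", IPv4 CIDR, VLAN(<id>).<host|*>, IPv6 CIDR.
TOKEN_RE = re.compile(
    r"^(?:any|(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?"
    r"|VLAN\([1-9]\d{0,3}\)\.(?:\*|\d{1,3})"
    r"|(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:/\d{1,3})?)$",
    re.IGNORECASE,
)

def vlan_tokens(entries, side):
    """Render *_vlans entries: VLAN(11)::12a with ipv6_offset, VLAN(20).* without."""
    tokens = []
    for entry in entries:
        # The page states ipv4_offset is not supported for inbound rules, so refuse it.
        if "ipv4_offset" in entry:
            raise ValueError(f"{side}_vlans: ipv4_offset is not supported for inbound rules")
        vid = int(entry["vlan_id"])
        if not 1 <= vid <= 4094:
            raise ValueError(f"{side}_vlans: vlan_id {vid} outside 1-4094")
        offset = entry.get("ipv6_offset")
        tokens.append(f"VLAN({vid}){offset}" if offset else f"VLAN({vid}).*")
    return tokens

def render_rule(rule):
    """Return (source, destination) token strings: checked *_cidr tokens plus *_vlans entries."""
    rendered = {}
    for side in ("source", "destination"):
        parts = [p.strip() for p in str(rule.get(f"{side}_cidr", "")).split(",") if p.strip()]
        bad = [p for p in parts if not TOKEN_RE.match(p)]
        if bad:
            raise ValueError(f"{side}_cidr: malformed token(s) {bad}")
        parts += vlan_tokens(rule.get(f"{side}_vlans", []), side)
        if not parts:
            raise ValueError(f"{side}: give {side}_cidr or {side}_vlans")
        rendered[side] = ",".join(parts)
    return rendered["source"], rendered["destination"]

def exposure_findings(rule):
    """Defender's lint added here (not a model constraint) for any-source rules."""
    findings = []
    source, _ = render_rule(rule)
    if source.lower() == "any":
        if rule["policy"] == "allow":
            findings.append("allow from any source: confirm this exposure is intended")
        if not rule.get("syslog", False):
            findings.append("any-source rule without syslog: matches are not logged")
    return findings
```

Feeding the Example-1 rule through `exposure_findings` yields two findings (any-source allow, syslog off); the Example-2 rule renders its destination as `VLAN(11)::12a,VLAN(20).*` and yields none.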