Layer 3 Firewall Rules Configuration
Dashboard Location: Security and SD-WAN > Configure > Firewall > Layer 3 firewall rules
Network Layer Security Management
Section titled “Network Layer Security Management”Layer 3 firewall rules configuration in Meraki appliances provides comprehensive IP-based access control for network traffic, enabling administrators to define granular security policies based on source and destination IP addresses, protocols, and ports. This functionality allows for sophisticated network segmentation, application control, and security enforcement at the network layer, supporting both allow and deny policies with detailed logging capabilities. L3 firewall rules are essential for implementing zero-trust security models, controlling inter-VLAN communication, and protecting critical network resources from unauthorized access.
Diagram
Section titled “Diagram”Classes
Section titled “Classes”firewall (meraki.domains.organizations.networks.appliance)
Section titled “firewall (meraki.domains.organizations.networks.appliance)”Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
l3_firewall_rules | Class | [l3_firewall_rules] | No |
l3_firewall_rules (meraki.domains.organizations.networks.appliance.firewall)
Section titled “l3_firewall_rules (meraki.domains.organizations.networks.appliance.firewall)”Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
rules | List | [rules] | No | |
syslog_default_rule | Boolean | true , false | No |
rules (meraki.domains.organizations.networks.appliance.firewall.l3_firewall_rules)
Section titled “rules (meraki.domains.organizations.networks.appliance.firewall.l3_firewall_rules)”Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
comment | String | min: 1 , max: 127 | No | |
policy | Choice | allow , deny | Yes | |
protocol | Choice | any , icmp , icmp6 , tcp , udp | Yes | |
source_port | Any | Integer[min: 0 , max: 65535 ] or String[matches: `(?:[1-9][0-9]3 | [1-5][0-9]4 | 6[0-4][0-9]3 |
source_cidr | String | Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4]))(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])))*$ | No | |
destination_port | Any | Integer[min: 0 , max: 65535 ] or String[matches: `(?:[1-9][0-9]3 | [1-5][0-9]4 | 6[0-4][0-9]3 |
destination_cidr | String | Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4]))(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])))*$ | No | |
syslog | Boolean | true , false | No |
Examples
Section titled “Examples”Example-1: The example below demonstrates Layer 3 firewall rules configuration using tested YAML configuration from pipeline fixtures.
meraki: domains: - name: !env domain administrator: name: !env org_admin organizations: - name: !env org networks: - name: !env network_name product_types: - appliance - switch - wireless - camera - sensor - cellularGateway appliance: firewall: l3_firewall_rules: rules: - comment: "Block Bad Traffic" policy: deny protocol: udp source_port: 1433 source_cidr: 10.10.10.0/24,VLAN(10).*,VLAN(20).5 destination_port: 1433 destination_cidr: Any # syslog: true - comment: "Block SSH" policy: deny protocol: tcp source_port: 22 source_cidr: Any destination_port: 22 destination_cidr: Any # syslog: true # syslog_default_rule: true