
Layer 3 Firewall Rules Configuration

Dashboard Location: Security and SD-WAN > Configure > Firewall > Layer 3 firewall rules

Layer 3 firewall rules configuration in Meraki appliances provides comprehensive IP-based access control for network traffic, enabling administrators to define granular security policies based on source and destination IP addresses, protocols, and ports. This functionality allows for sophisticated network segmentation, application control, and security enforcement at the network layer, supporting both allow and deny policies with detailed logging capabilities. L3 firewall rules are essential for implementing zero-trust security models, controlling inter-VLAN communication, and protecting critical network resources from unauthorized access.

Diagram

firewall (meraki.domains.organizations.networks.appliance)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| l3_firewall_rules | Class[l3_firewall_rules] | | No | |

l3_firewall_rules (meraki.domains.organizations.networks.appliance.firewall)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| rules | List[rules] | | No | |
| syslog_default_rule | Boolean | true, false | No | |

rules (meraki.domains.organizations.networks.appliance.firewall.l3_firewall_rules)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| comment | String | min: 1, max: 127 | No | |
| policy | Choice | allow, deny | Yes | |
| protocol | Choice | any, icmp, icmp6, tcp, udp | Yes | |
| source_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3 | | |
| source_cidr | String | Regex: ^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$ | No | |
| destination_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3 | | |
| destination_cidr | String | Regex: ^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$ | No | |
| syslog | Boolean | true, false | No | |

Example-1: The example below demonstrates a Layer 3 firewall rules configuration, using tested YAML configuration taken from the pipeline fixtures.

```yaml
meraki:
  domains:
    - name: "!env domain"
      administrator:
        name: "!env org_admin"
      organizations:
        - name: "!env org"
          networks:
            - name: "!env network_name"
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              appliance:
                firewall:
                  l3_firewall_rules:
                    rules:
                      - comment: "Block Bad Traffic"
                        policy: deny
                        protocol: udp
                        source_port: 1433
                        source_cidr: Any
                        destination_port: 1433
                        destination_cidr: Any
                        # syslog: true
                      - comment: "Block SSH"
                        policy: deny
                        protocol: tcp
                        source_port: 22
                        source_cidr: Any
                        destination_port: 22
                        destination_cidr: Any
                        syslog: false
                      - comment: "Block Peer-to-Peer Traffic"
                        policy: deny
                        protocol: "any"
                        source_port: "Any"
                        source_cidr: "Any"
                        destination_port: "6881-6889"
                        destination_cidr: "Any"
                        syslog: true
                    syslog_default_rule: true
```
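As an added example (not code from this page or from the project it documents), the checker below applies the constraints from the rules table above to a list of rule dictionaries and also flags deny rules that are not sent to syslog, since a blocked flow that is never logged leaves nothing for detection. The CIDR pattern is copied from the table as written; the port format is an assumption, because the page's port pattern is truncated.

```python
import re

# Constraints transcribed from the schema tables above.
POLICIES = {"allow", "deny"}
PROTOCOLS = {"any", "icmp", "icmp6", "tcp", "udp"}
CIDR_RE = re.compile(
    r"^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)"
    r"(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$"
)  # as written, only the first list element is case-insensitive: ",Any" fails
# Assumption (the page's port pattern is truncated): int 0-65535, "any", or "lo-hi".
PORT_RANGE_RE = re.compile(r"^(\d{1,5})-(\d{1,5})$")

def port_ok(value) -> bool:
    if isinstance(value, int) and not isinstance(value, bool):
        return 0 <= value <= 65535
    if isinstance(value, str) and value.lower() == "any":
        return True
    m = PORT_RANGE_RE.match(str(value))
    return bool(m) and 0 <= int(m[1]) <= int(m[2]) <= 65535

def validate_rules(rules: list) -> list[str]:
    """Return one string per schema violation or logging finding."""
    issues = []
    for i, r in enumerate(rules):
        where = f"rule {i} ({r.get('comment', 'no comment')!r})"
        for key, allowed in (("policy", POLICIES), ("protocol", PROTOCOLS)):
            if r.get(key) not in allowed:  # mandatory and case-sensitive
                issues.append(f"{where}: {key} {r.get(key)!r} not in {sorted(allowed)}")
        for key in ("source_port", "destination_port"):
            if key in r and not port_ok(r[key]):
                issues.append(f"{where}: bad {key} {r[key]!r}")
        for key in ("source_cidr", "destination_cidr"):
            if key in r and not CIDR_RE.match(str(r[key])):
                issues.append(f"{where}: bad {key} {r[key]!r}")
        # Finding, not a schema error: an unlogged deny leaves no syslog trail.
        if r.get("policy") == "deny" and not r.get("syslog", False):
            issues.append(f"{where}: deny rule without syslog logging")
    return issues

# Constructed sample: the peer-to-peer rule from the YAML above plus a broken one.
SAMPLE_RULES = [
    {"comment": "Block Peer-to-Peer Traffic", "policy": "deny", "protocol": "any",
     "source_port": "Any", "source_cidr": "Any", "destination_port": "6881-6889",
     "destination_cidr": "Any", "syslog": True},
    {"comment": "Broken", "policy": "deny", "protocol": "TCP", "source_port": 70000,
     "source_cidr": "10.0.0.0/8,Any", "destination_port": 22, "destination_cidr": "Any"},
]
```

Running `validate_rules(SAMPLE_RULES)` reports four issues, all on the second rule: the upper-case protocol, the out-of-range port, the second CIDR element in the wrong case, and the missing syslog flag.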