L3 Firewall Rules

Location in Dashboard: Security and SD-WAN >> Configure >> Firewall >> Layer 3

Diagram

Classes

firewall (meraki.domains.organizations.networks.appliance)

Name	Type	Constraint	Mandatory	Default Value
l3_firewall_rules	Class	`[l3_firewall_rules]`	No

l3_firewall_rules (meraki.domains.organizations.networks.appliance.firewall)

Name	Type	Constraint	Mandatory	Default Value
rules	List	`[rules]`	No
syslog_default_rule	Boolean	`true`, `false`	No

rules (meraki.domains.organizations.networks.appliance.firewall.l3_firewall_rules)

Name	Type	Constraint	Mandatory	Default Value
comment	String	min: `1`, max: `127`	No
policy	Choice	`allow`, `deny`	Yes
protocol	Choice	`any`, `icmp`, `icmp6`, `tcp`, `udp`	Yes
source_port	Any	Integer[min: `0`, max: `65535`] or String[matches: `(?:[1-9][0-9]3	[1-5][0-9]4	6[0-4][0-9]3
source_cidr	String	Regex: `^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$`	No
destination_port	Any	Integer[min: `0`, max: `65535`] or String[matches: `(?:[1-9][0-9]3	[1-5][0-9]4	6[0-4][0-9]3
destination_cidr	String	Regex: `^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$`	No
syslog	Boolean	`true`, `false`	No

Config Sample

meraki:
    domains:
      - name: EMEA
        administrator:
            name: Foo Bar
        organizations:
          - name: Dev
            networks:
              - name: Dev-main-cx-provider
                product_types:
                - appliance
                - camera
                - switch
                - wireless
                appliance:
                  firewall_l3_firewall:
                    rules:
                    - comment: "Block DNS"
                      policy: deny
                      protocol: udp
                      source_port: 53
                      source_cidr: Any
                      destination_port: 53
                      destination_cidr: Any
                      # syslog: true
                    - comment: "Block SSH"
                      policy: deny
                      protocol: tcp
                      source_port: 22
                      source_cidr: Any
                      destination_port: 22
                      destination_cidr: Any
                      # syslog: true
                    # syslog_default_rule: true