Layer 3 Firewall Rules Configuration

Dashboard Location: Security and SD-WAN > Configure > Firewall > Layer 3 firewall rules

Network Layer Security Management

Layer 3 firewall rules configuration in Meraki appliances provides comprehensive IP-based access control for network traffic, enabling administrators to define granular security policies based on source and destination IP addresses, protocols, and ports. This functionality allows for sophisticated network segmentation, application control, and security enforcement at the network layer, supporting both allow and deny policies with detailed logging capabilities. L3 firewall rules are essential for implementing zero-trust security models, controlling inter-VLAN communication, and protecting critical network resources from unauthorized access.

Diagram

Classes

firewall (meraki.domains.organizations.networks.appliance)

Name	Type	Constraint	Mandatory	Default Value
l3_firewall_rules	Class	`[l3_firewall_rules]`	No

l3_firewall_rules (meraki.domains.organizations.networks.appliance.firewall)

Name	Type	Constraint	Mandatory	Default Value
rules	List	`[rules]`	No
syslog_default_rule	Boolean	`true`, `false`	No

rules (meraki.domains.organizations.networks.appliance.firewall.l3_firewall_rules)

Name	Type	Constraint	Mandatory	Default Value
comment	String	min: `1`, max: `127`	No
policy	Choice	`allow`, `deny`	Yes
protocol	Choice	`any`, `icmp`, `icmp6`, `tcp`, `udp`	Yes
source_port	Any	Integer[min: `0`, max: `65535`] or String[matches: `(?:[1-9][0-9]3	[1-5][0-9]4	6[0-4][0-9]3
source_cidr	String	Regex: `^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?\|VLAN$(?:[1-9]\|[1-9]\d\|[1-9]\d{2}\|[1-3]\d{3}\|40[0-8]\d\|409[0-4])$\.(?:\\|[1-9]\|[1-9]\d\|1\d\d\|2[0-4]\d\|25[0-4]))(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?\|VLAN$(?:[1-9]\|[1-9]\d\|[1-9]\d{2}\|[1-3]\d{3}\|40[0-8]\d\|409[0-4])$\.(?:\\|[1-9]\|[1-9]\d\|1\d\d\|2[0-4]\d\|25[0-4])))*$`	No
destination_port	Any	Integer[min: `0`, max: `65535`] or String[matches: `(?:[1-9][0-9]3	[1-5][0-9]4	6[0-4][0-9]3
destination_cidr	String	Regex: `^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?\|VLAN$(?:[1-9]\|[1-9]\d\|[1-9]\d{2}\|[1-3]\d{3}\|40[0-8]\d\|409[0-4])$\.(?:\\|[1-9]\|[1-9]\d\|1\d\d\|2[0-4]\d\|25[0-4]))(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?\|VLAN$(?:[1-9]\|[1-9]\d\|[1-9]\d{2}\|[1-3]\d{3}\|40[0-8]\d\|409[0-4])$\.(?:\\|[1-9]\|[1-9]\d\|1\d\d\|2[0-4]\d\|25[0-4])))*$`	No
syslog	Boolean	`true`, `false`	No

Examples

Example-1: The example below demonstrates Layer 3 firewall rules configuration using tested YAML configuration from pipeline fixtures.

meraki:
  domains:
    - name: !env domain
      administrator:
        name: !env org_admin
      organizations:
        - name: !env org
          networks:
            - name: !env network_name
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              appliance:
                firewall:
                  l3_firewall_rules:
                    rules:
                      - comment: "Block Bad Traffic"
                        policy: deny
                        protocol: udp
                        source_port: 1433
                        source_cidr: 10.10.10.0/24,VLAN(10).*,VLAN(20).5
                        destination_port: 1433
                        destination_cidr: Any
                        # syslog: true
                      - comment: "Block SSH"
                        policy: deny
                        protocol: tcp
                        source_port: 22
                        source_cidr: Any
                        destination_port: 22
                        destination_cidr: Any
                        # syslog: true
                    # syslog_default_rule: true