
Layer 7 Firewall Rules Configuration

Dashboard Location: Security and SD-WAN > Configure > Firewall > Layer 7 firewall rules

Layer 7 firewall rules configuration in Meraki appliances provides deep packet inspection and application-aware security controls, enabling administrators to create sophisticated policies based on application identification, content categories, geographic locations, and specific hosts or domains. This functionality supports advanced threat protection, content filtering, and application control through intelligent traffic analysis at the application layer. L7 firewall rules are essential for implementing comprehensive security policies, controlling application usage, preventing data exfiltration, and ensuring compliance with organizational acceptable use policies.

Diagram

firewall (meraki.domains.organizations.networks.appliance)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| l7_firewall_rules | List[l7_firewall_rules] | | No | |

l7_firewall_rules (meraki.domains.organizations.networks.appliance.firewall)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| policy | Choice | deny | No | |
| type | Choice | application, applicationCategory, host, ipRange, port, blockedCountries, allowedCountries | No | |
| value | String | min: 1, max: 127 | No | |
| value_countries | List | String[min: 1, max: 127] | No | |

Example-1: The example below demonstrates Layer 7 firewall rules configuration.

This configuration implements application-layer security policies and content filtering. The example includes application-specific rules, traffic blocking policies, and Layer 7 traffic inspection for threat protection and application control.

Every rule in the example uses “policy: deny” and blocks traffic according to its “type”: “applicationCategory” (content category blocking), “application” (specific application blocking), “host” (domain blocking), “port” (service port blocking), “ipRange” (destination address blocking, optionally with a port), and “blockedCountries” / “allowedCountries” (geographic blocking). Rules of the first five types carry a “value” field holding the target identifier, such as a Meraki category ID, an application ID, a domain name like “abc.com”, or a port number like “1433” for SQL Server; the two country types carry a “value_countries” list of country codes instead. These rules provide application-aware filtering beyond traditional IP- and port-based controls.

Category IDs may be obtained from the GET /networks/{networkId}/appliance/firewall/l7FirewallRules/applicationCategories API endpoint.

```yaml
meraki:
  domains:
    - name: !env domain
      administrator:
        name: !env org_admin
      organizations:
        - name: !env org
          networks:
            - name: !env network_name
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              appliance:
                firewall:
                  l7_firewall_rules:
                    - policy: deny
                      type: applicationCategory
                      value: "meraki:layer7/category/27"
                    - policy: deny
                      type: application
                      value: "meraki:layer7/application/106"
                    - policy: deny
                      type: host
                      value: "abc.com"
                    - policy: deny
                      type: port
                      value: "161"
                    - policy: deny
                      type: ipRange
                      value: "192.168.0.1"
                    - policy: deny
                      type: ipRange
                      value: "192.168.0.2:80"
                    - policy: deny
                      type: blockedCountries
                      value_countries:
                        - GB
                        - US
                    - policy: deny
                      type: allowedCountries
                      value_countries:
                        - DE
                        - GB
```
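Because a mistyped “type”, an over-long “value” or a three-letter country code is only rejected when the data model is pushed to the dashboard, it is worth validating the l7_firewall_rules list before a deploy. The following is an added example, not code from this project or from Cisco Meraki: a small pre-flight checker for the rule list, using the constraints from the tables above (policy must be deny, the seven type choices, value length 1 to 127, value_countries for the two country types). The per-type format checks (category and application IDs starting with “meraki:layer7/…”, ipRange as an address or CIDR with an optional “:port”, two-letter upper-case country codes) are this example's own assumptions about what the dashboard accepts. The PAGE_RULES list is the example above rewritten as Python dicts so the script runs without a YAML parser.

```python
import ipaddress
import re

# Constraints from the data-model table on this page.
ALLOWED_POLICIES = {"deny"}
ALLOWED_TYPES = {
    "application", "applicationCategory", "host", "ipRange", "port",
    "blockedCountries", "allowedCountries",
}
COUNTRY_TYPES = {"blockedCountries", "allowedCountries"}
VALUE_MIN, VALUE_MAX = 1, 127

# Format checks below are this example's assumptions, not documented constraints.
_HOST_RE = re.compile(r"^(\*\.)?([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.IGNORECASE)
_COUNTRY_RE = re.compile(r"^[A-Z]{2}$")  # ISO 3166-1 alpha-2, e.g. GB


def _port_ok(text):
    return text.isdigit() and 1 <= int(text) <= 65535


def _ip_range_problem(value):
    """ipRange is assumed to be an IPv4 address or CIDR, optionally followed by ':port'."""
    addr, port = (value.split(":", 1) + [None])[:2]
    if port is not None and not _port_ok(port):
        return f"ipRange port {port!r} is not in 1-65535"
    try:
        ipaddress.IPv4Network(addr, strict=False)
    except ValueError:
        return f"ipRange {addr!r} is not an IPv4 address or CIDR"
    return None


def validate_rule(rule, index):
    """Return a list of human-readable problems with one rule (empty when it is valid)."""
    errors, where = [], f"rule[{index}]"
    if rule.get("policy") not in ALLOWED_POLICIES:
        errors.append(f"{where}: policy must be one of {sorted(ALLOWED_POLICIES)}")
    rtype = rule.get("type")
    if rtype not in ALLOWED_TYPES:
        errors.append(f"{where}: unknown type {rtype!r}")
        return errors  # nothing else can be checked without a valid type
    if rtype in COUNTRY_TYPES:
        if "value" in rule:
            errors.append(f"{where}: {rtype} uses value_countries, not value")
        countries = rule.get("value_countries")
        if not isinstance(countries, list) or not countries:
            errors.append(f"{where}: value_countries must be a non-empty list")
        else:
            for code in countries:
                if not isinstance(code, str) or not _COUNTRY_RE.match(code):
                    errors.append(f"{where}: {code!r} is not a two-letter country code")
        return errors
    if "value_countries" in rule:
        errors.append(f"{where}: value_countries is only valid for country rules")
    value = rule.get("value")
    if not isinstance(value, str) or not VALUE_MIN <= len(value) <= VALUE_MAX:
        errors.append(f"{where}: value must be a string of {VALUE_MIN}-{VALUE_MAX} characters")
        return errors
    if rtype == "application" and not value.startswith("meraki:layer7/application/"):
        errors.append(f"{where}: application value should be a meraki:layer7/application/ ID")
    elif rtype == "applicationCategory" and not value.startswith("meraki:layer7/category/"):
        errors.append(f"{where}: applicationCategory value should be a meraki:layer7/category/ ID")
    elif rtype == "host" and not _HOST_RE.match(value):
        errors.append(f"{where}: host {value!r} is not a valid domain name")
    elif rtype == "port" and not _port_ok(value):
        errors.append(f"{where}: port {value!r} is not in 1-65535")
    elif rtype == "ipRange":
        problem = _ip_range_problem(value)
        if problem:
            errors.append(f"{where}: {problem}")
    return errors


def validate_rules(rules):
    """Validate a whole l7_firewall_rules list; returns (errors, warnings)."""
    errors, warnings, blocked, allowed = [], [], set(), set()
    for i, rule in enumerate(rules):
        errors.extend(validate_rule(rule, i))
        if rule.get("type") == "blockedCountries":
            blocked.update(rule.get("value_countries") or [])
        if rule.get("type") == "allowedCountries":
            allowed.update(rule.get("value_countries") or [])
    # Cross-rule sanity checks: an allow list already denies every other country,
    # and a country in both lists signals a policy that was never reviewed as a whole.
    if blocked and allowed:
        warnings.append("rule set mixes blockedCountries and allowedCountries rules")
    if blocked & allowed:
        warnings.append(f"countries appear in both lists: {sorted(blocked & allowed)}")
    return errors, warnings


# The page's example rules, transcribed to dicts (constructed input for this script).
PAGE_RULES = [
    {"policy": "deny", "type": "applicationCategory", "value": "meraki:layer7/category/27"},
    {"policy": "deny", "type": "application", "value": "meraki:layer7/application/106"},
    {"policy": "deny", "type": "host", "value": "abc.com"},
    {"policy": "deny", "type": "port", "value": "161"},
    {"policy": "deny", "type": "ipRange", "value": "192.168.0.1"},
    {"policy": "deny", "type": "ipRange", "value": "192.168.0.2:80"},
    {"policy": "deny", "type": "blockedCountries", "value_countries": ["GB", "US"]},
    {"policy": "deny", "type": "allowedCountries", "value_countries": ["DE", "GB"]},
]

if __name__ == "__main__":
    errs, warns = validate_rules(PAGE_RULES)
    print("errors:", errs or "none")
    print("warnings:", warns or "none")
```

Run against the page's example the checker reports no errors but two warnings, because GB is listed under both blockedCountries and allowedCountries; a rule set that both allows and blocks the same country is worth a second look before it reaches production.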