VPN Firewall Rules Configuration
Dashboard Location: Security and SD-WAN > Configure > Site-to-site VPN > Site-to-site outbound firewall
VPN Traffic Security Management
Section titled “VPN Traffic Security Management”VPN firewall rules configuration in Meraki organizations provides centralized security policies for site-to-site VPN traffic across all connected networks. This functionality enables administrators to define organization-wide access control policies that govern inter-site communication, ensuring consistent security enforcement across distributed locations. VPN firewall rules are essential for organizations requiring granular control over VPN traffic flows, compliance with security policies, and protection against unauthorized inter-site access while maintaining operational flexibility and centralized management.
Diagram
Section titled “Diagram”
Classes
Section titled “Classes”appliance (meraki.domains.organizations)
Section titled “appliance (meraki.domains.organizations)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| vpn_firewall_rules | Class | [vpn_firewall_rules] | No |
vpn_firewall_rules (meraki.domains.organizations.appliance)
Section titled “vpn_firewall_rules (meraki.domains.organizations.appliance)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| rules | List | [rules] | No | |
| syslog_default_rule | Boolean | true, false | No |
rules (meraki.domains.organizations.appliance.vpn_firewall_rules)
Section titled “rules (meraki.domains.organizations.appliance.vpn_firewall_rules)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| comment | String | min: 1, max: 127 | No | |
| policy | Choice | allow, deny | Yes | |
| protocol | Choice | any, icmp, icmp6, tcp, udp | Yes | |
| source_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3 | [1-5][0-9]4 | 6[0-4][0-9]3 |
| source_cidr | String | Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$ | No | |
| destination_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3 | [1-5][0-9]4 | 6[0-4][0-9]3 |
| destination_cidr | String | Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$ | No | |
| syslog | Boolean | true, false | No |
Examples
Section titled “Examples”Example-1: The example below demonstrates VPN firewall rules configuration using tested YAML configuration from pipeline fixtures.
meraki: domains: - name: "!env domain" administrator: name: "!env org_admin" organizations: - name: "!env org" appliance: vpn_firewall_rules: rules: - comment: "Allow HTTPS" policy: allow protocol: tcp source_port: "Any" source_cidr: "192.168.1.0/24" destination_port: "443" # The CIDR Object must be created in Policy Objects in order to be applied. destination_cidr: "10.0.0.0/24" syslog: true - comment: "Deny all UDP" policy: deny protocol: udp source_port: "Any" source_cidr: "Any" destination_port: "Any" destination_cidr: "Any" syslog: false - comment: "Deny all TCP" policy: deny syslog: true - comment: "Allow SSH Administrative Access" policy: allow protocol: tcp source_port: "Any" source_cidr: "!env admin_subnet" destination_port: "22" destination_cidr: "Any" syslog: true syslog_default_rule: true