Organization-Wide Outbound Firewall Rules

Location in Dashboard: Security and SD-WAN >> Configure >> Site-to-site VPN >> Site-to-site outbound firewall

Diagram

Classes

appliance (meraki.domains.organizations)

Name	Type	Constraint	Mandatory	Default Value
vpn_firewall_rules	Class	`[vpn_firewall_rules]`	No

vpn_firewall_rules (meraki.domains.organizations.appliance)

Name	Type	Constraint	Mandatory	Default Value
rules	List	`[rules]`	No
syslog_default_rule	Boolean	`true`, `false`	No

rules (meraki.domains.organizations.appliance.vpn_firewall_rules)

Name	Type	Constraint	Mandatory	Default Value
comment	String	min: `1`, max: `127`	No
policy	Choice	`allow`, `deny`	Yes
protocol	Choice	`any`, `icmp`, `icmp6`, `tcp`, `udp`	Yes
source_port	Any	Integer[min: `0`, max: `65535`] or String[matches: `(?:[1-9][0-9]3	[1-5][0-9]4	6[0-4][0-9]3
source_cidr	String	Regex: `^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$`	No
destination_port	Any	Integer[min: `0`, max: `65535`] or String[matches: `(?:[1-9][0-9]3	[1-5][0-9]4	6[0-4][0-9]3
destination_cidr	String	Regex: `^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$`	No
syslog	Boolean	`true`, `false`	No

Config Sample

meraki:
  domains:
    - name: EMEA
      administrator:
        name: Foo Bar
      organizations:
        - name: Dev
          appliance:
            vpn_firewall_rules:
              rules:
                - comment: "Allow HTTPS"
                  policy: allow
                  protocol: tcp
                  source_port: "Any"
                  source_cidr: "192.168.1.0/24"
                  destination_port: "443"
                  # The CIDR Object must be created in Policy Objects in order to be applied.
                  destination_cidr: "10.0.0.0/24"
                  syslog: true
                - comment: "Deny all UDP"
                  policy: deny
                  protocol: udp
                  source_port: "Any"
                  source_cidr: "Any"
                  destination_port: "Any"
                  destination_cidr: "Any"
                  syslog: false
                - comment: "Deny all TCP"
                  policy: deny
                  protocol: tcp
                  source_port: "Any"
                  source_cidr: "Any"
                  destination_port: "Any"
                  destination_cidr: "Any"
                  syslog: false
              syslog_default_rule: true