VPN Firewall Rules Configuration
Dashboard Location: Security and SD-WAN > Configure > Site-to-site VPN > Site-to-site outbound firewall
VPN Traffic Security Management
VPN firewall rules configuration in Meraki organizations provides centralized security policies for site-to-site VPN traffic across all connected networks. This functionality enables administrators to define organization-wide access control policies that govern inter-site communication, ensuring consistent security enforcement across distributed locations. VPN firewall rules are essential for organizations requiring granular control over VPN traffic flows, compliance with security policies, and protection against unauthorized inter-site access while maintaining operational flexibility and centralized management.
Diagram
Classes
Section titled “Classes”appliance (meraki.domains.organizations)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| vpn_firewall_rules | Class | [vpn_firewall_rules] | No | |
vpn_firewall_rules (meraki.domains.organizations.appliance)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| rules | List | [rules] | No | |
| syslog_default_rule | Boolean | true, false | No | |
rules (meraki.domains.organizations.appliance.vpn_firewall_rules)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| comment | String | min: 1, max: 127 | No | |
| policy | Choice | allow, deny | Yes | |
| protocol | Choice | any, icmp, icmp6, tcp, udp | Yes | |
| source_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3 | [1-5][0-9]4 | 6[0-4][0-9]3 |
| source_cidr | String | Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$ | No | |
| destination_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3 | [1-5][0-9]4 | 6[0-4][0-9]3 |
| destination_cidr | String | Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$ | No | |
| syslog | Boolean | true, false | No | |
Examples
Example-1: The example below demonstrates VPN firewall rules configuration.
This configuration manages security policies for VPN traffic and site-to-site connectivity. The example includes VPN-specific firewall rules, access controls, and traffic filtering for secure inter-site communication and remote access.
The configuration begins with the rules array containing four distinct firewall rules, each serving a specific security purpose:
Rule 1, “Allow HTTPS Traffic,” allows secure HTTPS (TCP port 443) traffic from any port within the local 192.168.1.0/24 subnet to any host in the 10.0.0.0/24 subnet, and logs all matching traffic for auditing purposes.
Rule 2, “Deny All UDP,” blocks all UDP traffic between any source and destination, regardless of port or IP range, and does not generate any log entries.
Rule 3, “Deny all TCP,” blocks all TCP traffic between any source and destination, regardless of IP or port, and does not log the denied connections.
Rule 4, “Allow SSH Administrative Access,” permits TCP traffic on port 22 (SSH) from the subnet defined by the admin_subnet environment variable to any destination, and logs all matching connections for auditing.
```yaml
meraki:
  domains:
    - name: !env domain
      administrator:
        name: !env org_admin
      organizations:
        - name: !env org
          appliance:
            third_party_vpn_peers:
              - name: AWS VPN 01
                public_hostname: vpn.example.com
                private_subnets:
                  - "192.168.1.0/24"
                  - "192.168.2.0/24"
                local_id: "192.168.128.10"
                remote_id: "158.43.128.2"
                ipsec_policies_preset: aws
                secret: "supersecretkey"
                ike_version: "2"
                network_tags:
                  - "Production"
                  - "VPN"
              - name: AWS VPN 02
                public_ip: 158.43.128.100
                private_subnets:
                  - "192.168.1.0/24"
                  - "192.168.2.0/24"
                local_id: "192.168.128.100"
                remote_id: "158.43.128.200"
                ipsec_policies:
                  ike_cipher_algo:
                    - aes128
                  ike_auth_algo:
                    - sha256
                  ike_prf_algo:
                    - prfsha256
                  ike_diffie_hellman_group:
                    - group14
                  ike_lifetime: 3600
                  child_cipher_algo:
                    - aes128
                  child_auth_algo:
                    - sha256
                  child_pfs_group:
                    - group14
                  child_lifetime: 3600
                secret: "supersecretkey"
                ike_version: "2"
                network_tags:
                  - "Production"
                  - "VPN"
```
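As an added example (not code from this page or from the Meraki data model's own tooling), the Python below checks a rules list against the constraints in the vpn_firewall_rules table and flags any rule that an earlier rule fully covers; it assumes top-down, first-match evaluation and stands in a placeholder subnet for the admin_subnet environment variable. Run on the four rules of Example-1, it reports that “Allow SSH Administrative Access” can never match because “Deny all TCP” precedes it, which is the ordering check worth running before pushing such a list.

```python
import ipaddress
import re

# Constraints copied from the vpn_firewall_rules data model table on this page.
POLICIES = {"allow", "deny"}
PROTOCOLS = {"any", "icmp", "icmp6", "tcp", "udp"}
CIDR_RE = re.compile(r"^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$")

def validate_rule(rule):
    """Return constraint violations for one rule (empty list means valid)."""
    errors = []
    for key, allowed in (("policy", POLICIES), ("protocol", PROTOCOLS)):
        if rule.get(key) not in allowed:
            errors.append(f"{key} must be one of " + ", ".join(sorted(allowed)))
    for key in ("source_cidr", "destination_cidr"):
        if not CIDR_RE.match(str(rule.get(key, "any"))):
            errors.append(f"{key} does not match the CIDR constraint")
    return errors

def _cidr_covers(broad, narrow):
    """True if every address in `narrow` lies inside `broad` ('any' = all addresses)."""
    broad_items = [c.strip().lower() for c in broad.split(",")]
    narrow_items = [c.strip().lower() for c in narrow.split(",")]
    if "any" in broad_items:
        return True
    if "any" in narrow_items:
        return False
    broad_nets = [ipaddress.ip_network(c, strict=False) for c in broad_items]
    return all(any(ipaddress.ip_network(n, strict=False).subnet_of(b) for b in broad_nets)
               for n in narrow_items)

def covers(earlier, later):
    """True if every packet `later` would match is already matched by `earlier`."""
    g = lambda r, k: r.get(k, "any")  # unset fields default to "any"
    return (g(earlier, "protocol") in ("any", g(later, "protocol"))
            and all(g(earlier, k) in ("any", g(later, k)) for k in ("source_port", "destination_port"))
            and all(_cidr_covers(g(earlier, k), g(later, k)) for k in ("source_cidr", "destination_cidr")))

def shadowed_rules(rules):
    """Comments of rules an earlier rule fully covers (assumes top-down, first-match)."""
    return [r["comment"] for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]
# Constructed sample: the four rules of Example-1; 10.99.0.0/24 stands in for admin_subnet.
SAMPLE_RULES = [
    {"comment": "Allow HTTPS Traffic", "policy": "allow", "protocol": "tcp", "syslog": True,
     "source_cidr": "192.168.1.0/24", "destination_port": 443, "destination_cidr": "10.0.0.0/24"},
    {"comment": "Deny All UDP", "policy": "deny", "protocol": "udp", "syslog": False},
    {"comment": "Deny all TCP", "policy": "deny", "protocol": "tcp", "syslog": False},
    {"comment": "Allow SSH Administrative Access", "policy": "allow", "protocol": "tcp",
     "syslog": True, "source_cidr": "10.99.0.0/24", "destination_port": 22},
]
```

Moving the SSH rule above “Deny all TCP” (or narrowing the deny) is what makes it effective; the shadow check returns an empty list once that is done.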