
VPN Firewall Rules Configuration

Dashboard Location: Security and SD-WAN > Configure > Site-to-site VPN > Site-to-site outbound firewall

VPN firewall rules configuration in Meraki organizations provides centralized security policies for site-to-site VPN traffic across all connected networks. This functionality enables administrators to define organization-wide access control policies that govern inter-site communication, ensuring consistent security enforcement across distributed locations. VPN firewall rules are essential for organizations requiring granular control over VPN traffic flows, compliance with security policies, and protection against unauthorized inter-site access while maintaining operational flexibility and centralized management.

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| vpn_firewall_rules | Class[vpn_firewall_rules] | | No | |

vpn_firewall_rules (meraki.domains.organizations.appliance)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| rules | List[rules] | | No | |
| syslog_default_rule | Boolean | true, false | No | |

rules (meraki.domains.organizations.appliance.vpn_firewall_rules)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| comment | String | min: 1, max: 127 | No | |
| policy | Choice | allow, deny | Yes | |
| protocol | Choice | any, icmp, icmp6, tcp, udp | Yes | |
| source_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3` | | |
| source_cidr | String | Regex: `^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$` | No | |
| destination_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3` | | |
| destination_cidr | String | Regex: `^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$` | No | |
| syslog | Boolean | true, false | No | |

Example-1: The example below demonstrates VPN firewall rules configuration using tested YAML configuration from the pipeline fixtures. Every rule carries the mandatory `policy` and `protocol` keys; the remaining keys are optional and default to matching any source, destination and port.

```yaml
meraki:
  domains:
    - name: "!env domain"
      administrator:
        name: "!env org_admin"
      organizations:
        - name: "!env org"
          appliance:
            vpn_firewall_rules:
              rules:
                - comment: "Allow HTTPS"
                  policy: allow
                  protocol: tcp
                  source_port: "Any"
                  source_cidr: "192.168.1.0/24"
                  destination_port: "443"
                  # The CIDR Object must be created in Policy Objects in order to be applied.
                  destination_cidr: "10.0.0.0/24"
                  syslog: true
                - comment: "Deny all UDP"
                  policy: deny
                  protocol: udp
                  source_port: "Any"
                  source_cidr: "Any"
                  destination_port: "Any"
                  destination_cidr: "Any"
                  syslog: false
                - comment: "Deny all TCP"
                  policy: deny
                  # protocol is mandatory; source/destination CIDR and port are omitted, so the rule matches all TCP.
                  protocol: tcp
                  syslog: true
                - comment: "Allow SSH Administrative Access"
                  policy: allow
                  protocol: tcp
                  source_port: "Any"
                  source_cidr: "!env admin_subnet"
                  destination_port: "22"
                  destination_cidr: "Any"
                  syslog: true
              syslog_default_rule: true
```
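As an added example that is not part of this documentation or the project's own code, the following Python checks a `rules` list against the constraints in the tables above (policy and protocol choices, comment length, the CIDR regex, the port range) and then, assuming the appliance evaluates the list top-down with the first matching rule winning, reports rules that an earlier rule already covers and that can therefore never match. The port-string regex is truncated on the page, so a port string is assumed here to be "Any" or a single decimal port; the admin subnet value below is constructed in place of `!env admin_subnet`. Run against Example-1, it shows that "Allow SSH Administrative Access" is unreachable behind "Deny all TCP" and becomes reachable once the two rules are swapped.

```python
"""Schema check and shadow analysis for vpn_firewall_rules entries.
Added example; the constraints are copied from the schema tables, the
first-match evaluation order is an assumption."""
import ipaddress
import re
from typing import Any, Optional

POLICIES = {"allow", "deny"}                         # policy: Choice
PROTOCOLS = {"any", "icmp", "icmp6", "tcp", "udp"}   # protocol: Choice
# source_cidr / destination_cidr regex, copied from the schema table.
CIDR_RE = re.compile(
    r"^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)"
    r"(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$"
)


def _port_ok(value: Any) -> bool:
    """Integer 0..65535, or a string that is 'Any' or one decimal port
    (the page's port-string regex is truncated; this is an assumption)."""
    if isinstance(value, bool):
        return False
    if isinstance(value, int):
        return 0 <= value <= 65535
    return isinstance(value, str) and (
        value.lower() == "any" or (value.isdigit() and int(value) <= 65535)
    )


def validate_rule(rule: dict) -> list:
    """Return the schema violations for one rule (empty list when it is valid)."""
    errors = []
    if rule.get("policy") not in POLICIES:
        errors.append(f"policy must be one of {sorted(POLICIES)}")
    if rule.get("protocol") not in PROTOCOLS:
        errors.append(f"protocol is mandatory and must be one of {sorted(PROTOCOLS)}")
    comment = rule.get("comment")
    if comment is not None and not 1 <= len(comment) <= 127:
        errors.append("comment must be 1..127 characters")
    for key in ("source_cidr", "destination_cidr"):
        value = rule.get(key)
        if value is not None and not CIDR_RE.match(value):
            errors.append(f"{key} must be 'any' or comma-separated IPv4 CIDRs")
    for key in ("source_port", "destination_port"):
        value = rule.get(key)
        if value is not None and not _port_ok(value):
            errors.append(f"{key} must be 'Any' or an integer 0..65535")
    return errors


def _networks(value: Optional[str]):
    """None means 'every address'; otherwise the networks listed in the field."""
    if value is None:
        return None
    items = [v.strip().lower() for v in value.split(",")]
    if "any" in items:
        return None
    return [ipaddress.ip_network(v, strict=False) for v in items]


def _cidr_covers(outer: Optional[str], inner: Optional[str]) -> bool:
    """True if every address the inner field matches is also matched by outer."""
    outer_nets, inner_nets = _networks(outer), _networks(inner)
    if outer_nets is None:
        return True
    if inner_nets is None:
        return False
    return all(any(i.subnet_of(o) for o in outer_nets) for i in inner_nets)


def _port_covers(outer: Any, inner: Any) -> bool:
    if outer is None or str(outer).lower() == "any":
        return True
    if inner is None or str(inner).lower() == "any":
        return False
    return int(outer) == int(inner)


def _covers(earlier: dict, later: dict) -> bool:
    """True when every packet the later rule could match is matched earlier."""
    proto = earlier.get("protocol")
    return (
        (proto == "any" or proto == later.get("protocol"))
        and _cidr_covers(earlier.get("source_cidr"), later.get("source_cidr"))
        and _cidr_covers(earlier.get("destination_cidr"), later.get("destination_cidr"))
        and _port_covers(earlier.get("source_port"), later.get("source_port"))
        and _port_covers(earlier.get("destination_port"), later.get("destination_port"))
    )


def shadowed_rules(rules: list) -> list:
    """(index, shadowing_index) pairs for rules that can never match, assuming
    top-down evaluation with first match winning (assumption)."""
    found = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if _covers(earlier, later):
                found.append((j, i))
                break
    return found


# The four rules from Example-1; "!env admin_subnet" replaced by a constructed value.
PAGE_RULES = [
    {"comment": "Allow HTTPS", "policy": "allow", "protocol": "tcp",
     "source_port": "Any", "source_cidr": "192.168.1.0/24",
     "destination_port": "443", "destination_cidr": "10.0.0.0/24", "syslog": True},
    {"comment": "Deny all UDP", "policy": "deny", "protocol": "udp",
     "source_port": "Any", "source_cidr": "Any",
     "destination_port": "Any", "destination_cidr": "Any", "syslog": False},
    {"comment": "Deny all TCP", "policy": "deny", "protocol": "tcp", "syslog": True},
    {"comment": "Allow SSH Administrative Access", "policy": "allow", "protocol": "tcp",
     "source_port": "Any", "source_cidr": "10.10.10.0/24",   # constructed admin subnet
     "destination_port": "22", "destination_cidr": "Any", "syslog": True},
]

if __name__ == "__main__":
    for n, rule in enumerate(PAGE_RULES):
        for err in validate_rule(rule):
            print(f"rule {n} ({rule.get('comment')}): {err}")
    for j, i in shadowed_rules(PAGE_RULES):
        print(f"rule {j} '{PAGE_RULES[j]['comment']}' is unreachable: "
              f"rule {i} '{PAGE_RULES[i]['comment']}' already matches its traffic")
```

A shadowed rule with the same policy as the rule covering it is merely redundant; one with the opposite policy, as in the SSH case here, is a silent policy error, so the check is worth running before every push of the fixture.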