
VPN Firewall Rules Configuration

Dashboard Location: Security and SD-WAN > Configure > Site-to-site VPN > Site-to-site outbound firewall

VPN firewall rules configuration in Meraki organizations provides centralized security policies for site-to-site VPN traffic across all connected networks. This functionality enables administrators to define organization-wide access control policies that govern inter-site communication, ensuring consistent security enforcement across distributed locations. VPN firewall rules are essential for organizations requiring granular control over VPN traffic flows, compliance with security policies, and protection against unauthorized inter-site access while maintaining operational flexibility and centralized management.

Diagram

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| vpn_firewall_rules | Class | [vpn_firewall_rules] | No | |

vpn_firewall_rules (meraki.domains.organizations.appliance)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| rules | List | [rules] | No | |
| syslog_default_rule | Boolean | true, false | No | |

rules (meraki.domains.organizations.appliance.vpn_firewall_rules)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| comment | String | min: 1, max: 127 | No | |
| policy | Choice | allow, deny | Yes | |
| protocol | Choice | any, icmp, icmp6, tcp, udp | Yes | |
| source_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3 | | |
| source_cidr | String | Regex: `^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$` | No | |
| destination_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3 | | |
| destination_cidr | String | Regex: `^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$` | No | |
| syslog | Boolean | true, false | No | |
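As an added illustration (not the project's own code and not part of the original page), the Python script below validates a `vpn_firewall_rules` block, written as plain dictionaries with the same keys as the YAML schema, against the constraints in the tables above: mandatory `policy` and `protocol`, the choice sets, the comment length, the integer port range, the CIDR regex, and the boolean `syslog` flags. It also bounds octets and prefix lengths, which the CIDR regex alone does not, and lists `allow` rules that match any protocol, source and destination so they can be reviewed. The page's port-string pattern is truncated, so the reading used here (`any`, a single port, or a low-high range, comma separated) is an assumption, as is treating unset match fields as `any` in the permissive-rule check; the sample rules are constructed for this example.

```python
import re

# Constraints below are the ones listed in the rules table on this page.
POLICIES = {"allow", "deny"}
PROTOCOLS = {"any", "icmp", "icmp6", "tcp", "udp"}
COMMENT_MIN, COMMENT_MAX = 1, 127
CIDR_LIST_RE = re.compile(
    r"^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)"
    r"(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$"
)
# The page's port-string pattern is truncated; this is an assumed reading of it:
# "any", a single port, or a low-high range, comma separated.
PORT_ITEM_RE = re.compile(r"^(?:any|(\d{1,5})(?:-(\d{1,5}))?)$", re.IGNORECASE)


def _check_port(value, field, errors):
    """Integer[0..65535] or a port string as described by PORT_ITEM_RE."""
    if isinstance(value, bool):  # bool is an int subclass; reject it explicitly
        errors.append(f"{field}: boolean is not a port")
    elif isinstance(value, int):
        if not 0 <= value <= 65535:
            errors.append(f"{field}: {value} is outside 0-65535")
    elif isinstance(value, str):
        for item in value.split(","):
            m = PORT_ITEM_RE.match(item.strip())
            if m is None:
                errors.append(f"{field}: {item!r} is not any, a port or a range")
            elif m.group(1) is not None:
                lo = int(m.group(1))
                hi = int(m.group(2)) if m.group(2) is not None else lo
                if not 0 <= lo <= hi <= 65535:
                    errors.append(f"{field}: {item!r} is not an ascending range within 0-65535")
    else:
        errors.append(f"{field}: unsupported type {type(value).__name__}")


def _check_cidr(value, field, errors):
    """Match the page's CIDR regex, then bound octets and prefix lengths
    (the regex alone accepts octets up to 999 and prefixes up to 99)."""
    if not isinstance(value, str) or CIDR_LIST_RE.match(value) is None:
        errors.append(f"{field}: {value!r} does not match the CIDR constraint")
        return
    for item in value.split(","):
        if item.lower() == "any":
            continue
        addr, _, prefix = item.partition("/")
        if any(int(octet) > 255 for octet in addr.split(".")):
            errors.append(f"{field}: {item!r} has an octet above 255")
        if prefix and int(prefix) > 32:
            errors.append(f"{field}: {item!r} has a prefix length above 32")


def validate_rule(rule):
    """Return the list of constraint violations for one rule (empty = valid)."""
    errors = []
    for key in ("policy", "protocol"):
        if key not in rule:
            errors.append(f"{key}: mandatory field missing")
    if "policy" in rule and rule["policy"] not in POLICIES:
        errors.append(f"policy: {rule['policy']!r} not in {sorted(POLICIES)}")
    if "protocol" in rule and rule["protocol"] not in PROTOCOLS:
        errors.append(f"protocol: {rule['protocol']!r} not in {sorted(PROTOCOLS)}")
    comment = rule.get("comment")
    if comment is not None and not (isinstance(comment, str) and COMMENT_MIN <= len(comment) <= COMMENT_MAX):
        errors.append(f"comment: must be a string of {COMMENT_MIN}-{COMMENT_MAX} characters")
    for field in ("source_port", "destination_port"):
        if field in rule:
            _check_port(rule[field], field, errors)
    for field in ("source_cidr", "destination_cidr"):
        if field in rule:
            _check_cidr(rule[field], field, errors)
    if "syslog" in rule and not isinstance(rule["syslog"], bool):
        errors.append("syslog: must be true or false")
    return errors


def validate_vpn_firewall_rules(config):
    """Validate a whole vpn_firewall_rules block; errors are prefixed with rules[i]."""
    errors = []
    if "syslog_default_rule" in config and not isinstance(config["syslog_default_rule"], bool):
        errors.append("syslog_default_rule: must be true or false")
    rules = config.get("rules", [])
    if not isinstance(rules, list):
        return errors + ["rules: must be a list"]
    for i, rule in enumerate(rules):
        errors.extend(f"rules[{i}] {e}" for e in validate_rule(rule))
    return errors


def permissive_allows(rules):
    """Indices of allow rules matching any protocol, source and destination.
    An operational review check, not a schema constraint; unset match fields
    are treated as 'any' here (an assumption about the dashboard default)."""
    fields = ("protocol", "source_cidr", "source_port", "destination_cidr", "destination_port")
    return [i for i, rule in enumerate(rules)
            if rule.get("policy") == "allow"
            and all(str(rule.get(f, "any")).lower() == "any" for f in fields)]


# Constructed sample data, using the same keys as the YAML schema.
SAMPLE_CONFIG = {
    "syslog_default_rule": True,
    "rules": [
        {"comment": "Allow HQ to branch HTTPS", "policy": "allow", "protocol": "tcp",
         "source_port": "any", "source_cidr": "10.10.0.0/16",
         "destination_port": 443, "destination_cidr": "10.20.0.0/16,10.30.0.0/16", "syslog": True},
        {"comment": "Deny everything else", "policy": "deny", "protocol": "any",
         "source_port": "any", "source_cidr": "any",
         "destination_port": "any", "destination_cidr": "any", "syslog": True},
    ],
}
BAD_RULE = {"comment": "", "policy": "permit", "protocol": "tcp", "source_port": 70000,
            "source_cidr": "10.300.0.0/16", "destination_port": "8000-7000",
            "destination_cidr": "any", "syslog": "yes"}

if __name__ == "__main__":
    for err in validate_vpn_firewall_rules(SAMPLE_CONFIG) or ["sample config: OK"]:
        print(err)
    for err in validate_rule(BAD_RULE):
        print("bad rule:", err)
    print("permissive allow rules:", permissive_allows(SAMPLE_CONFIG["rules"]))
```

Running the script as-is reports the sample block as valid, lists six violations for the deliberately broken rule, and finds no wide-open allow rule in the sample; the numeric octet and prefix checks exist because the regex in the table accepts values such as `10.300.0.0/16` that the dashboard would reject.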

Example-1: The example below demonstrates VPN firewall rules configuration using tested YAML configuration from pipeline fixtures.

```yaml
meraki:
  domains:
    - name: !env domain
      administrator:
        name: !env org_admin
      organizations:
        - name: !env org
          appliance:
            third_party_vpn_peers:
              - name: AWS VPN 01
                public_hostname: vpn.example.com
                private_subnets:
                  - "192.168.1.0/24"
                  - "192.168.2.0/24"
                local_id: "192.168.128.10"
                remote_id: "158.43.128.2"
                ipsec_policies_preset: aws
                secret: "supersecretkey"
                ike_version: "2"
                network_tags:
                  - "Production"
                  - "VPN"
              - name: AWS VPN 02
                public_ip: 158.43.128.100
                private_subnets:
                  - "192.168.1.0/24"
                  - "192.168.2.0/24"
                local_id: "192.168.128.100"
                remote_id: "158.43.128.200"
                ipsec_policies:
                  ike_cipher_algo:
                    - aes128
                  ike_auth_algo:
                    - sha256
                  ike_prf_algo:
                    - prfsha256
                  ike_diffie_hellman_group:
                    - group14
                  ike_lifetime: 3600
                  child_cipher_algo:
                    - aes128
                  child_auth_algo:
                    - sha256
                  child_pfs_group:
                    - group14
                  child_lifetime: 3600
                secret: "supersecretkey"
                ike_version: "2"
                network_tags:
                  - "Production"
                  - "VPN"
```