VPN Firewall Rules Configuration
Dashboard Location: Security and SD-WAN > Configure > Site-to-site VPN > Site-to-site outbound firewall
VPN Traffic Security Management
Section titled “VPN Traffic Security Management”VPN firewall rules configuration in Meraki organizations provides centralized security policies for site-to-site VPN traffic across all connected networks. This functionality enables administrators to define organization-wide access control policies that govern inter-site communication, ensuring consistent security enforcement across distributed locations. VPN firewall rules are essential for organizations requiring granular control over VPN traffic flows, compliance with security policies, and protection against unauthorized inter-site access while maintaining operational flexibility and centralized management.
Diagram
Section titled “Diagram”
Classes
Section titled “Classes”appliance (meraki.domains.organizations)
Section titled “appliance (meraki.domains.organizations)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| vpn_firewall_rules | Class | [vpn_firewall_rules] | No |
vpn_firewall_rules (meraki.domains.organizations.appliance)
Section titled “vpn_firewall_rules (meraki.domains.organizations.appliance)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| rules | List | [rules] | No | |
| syslog_default_rule | Boolean | true, false | No |
rules (meraki.domains.organizations.appliance.vpn_firewall_rules)
Section titled “rules (meraki.domains.organizations.appliance.vpn_firewall_rules)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| comment | String | min: 1, max: 127 | No | |
| policy | Choice | allow, deny | Yes | |
| protocol | Choice | any, icmp, icmp6, tcp, udp | Yes | |
| source_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3 | [1-5][0-9]4 | 6[0-4][0-9]3 |
| source_cidr | String | Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$ | No | |
| destination_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3 | [1-5][0-9]4 | 6[0-4][0-9]3 |
| destination_cidr | String | Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$ | No | |
| syslog | Boolean | true, false | No |
Examples
Section titled “Examples”Example-1: The example below demonstrates VPN firewall rules configuration using tested YAML configuration from pipeline fixtures.
meraki: domains: - name: !env domain administrator: name: !env org_admin organizations: - name: !env org appliance: third_party_vpn_peers: - name: AWS VPN 01 public_hostname: vpn.example.com private_subnets: - "192.168.1.0/24" - "192.168.2.0/24" local_id: "192.168.128.10" remote_id: "158.43.128.2" ipsec_policies_preset: aws secret: "supersecretkey" ike_version: "2" network_tags: - "Production" - "VPN" - name: AWS VPN 02 public_ip: 158.43.128.100 private_subnets: - "192.168.1.0/24" - "192.168.2.0/24" local_id: "192.168.128.100" remote_id: "158.43.128.200" ipsec_policies: ike_cipher_algo: - aes128 ike_auth_algo: - sha256 ike_prf_algo: - prfsha256 ike_diffie_hellman_group: - group14 ike_lifetime: 3600 child_cipher_algo: - aes128 child_auth_algo: - sha256 child_pfs_group: - group14 child_lifetime: 3600 secret: "supersecretkey" ike_version: "2" network_tags: - "Production" - "VPN"