
Cisco Meraki Documentation

Organization-wide Group Policy

Organization-wide Group Policy is currently in early access public preview. It can be enabled on the Early Access page (Organization > Early Access).

At this time, we recommend using an organization that does not have any firewall or group policies configured, or any MX devices, or removing any existing policies before enabling the feature. The team is working to bring this feature to brownfield organizations and to provide migration tools.


Overview

Network and security policies in any organization today are becoming complex, repetitive, and enforced across several independent devices in the network. Although the intent is often common, such as blocking network access or blocking malicious, objectionable and intrusive content, administrators may find themselves adding the same policy many times to different enforcement points across their organization.

The Organization policy is a framework in the Meraki Dashboard created to unify and simplify the configuration and management of network and security policies across the platform. Rule profiles can be used to define business logic once (such as firewall rules) and then reuse it across many policies in an organization. The policies are defined once, at the organization level, and can be enforced across any number of MX devices at the same time. Any change to a policy is automatically propagated to the relevant MX devices. By centralizing policy management, organizations can maintain a more organized and scalable network and security posture, ultimately improving their overall compliance.

Solution Requirements

In order to use Meraki devices as enforcement points under Organization policies, they must satisfy the following requirements:

  1. MX firmware version must be 19.1 or above. Branches running a lower firmware version will not be shown under enforcement. Upgrade your appliance using the Organization > Configure > Firmware Upgrades menu option. Please review this document to find the MX hardware that is supported with this firmware version.

  2. Only IPv4 is supported at this time.

Requirements:
  • MX firmware 19.1 and later. Please review this document to find the MX hardware that is supported with this feature.
  • A maximum of 50 policies, 2500 rules and 5000 networks is supported.

Architecture

Organization Group Policy is built on a framework that can expand to include any other type of policy, making it the future of policy management for Meraki platforms, including SASE policies. Object-based configuration simplifies visibility and management. Enforcement is done across your entire organization with group policies and reusable rule profiles.


Organization Group Policy components:

  • Scope: Defines who or what the rule profiles apply to. User groups are currently not supported.
  • Rule: Single deny or allow action for source and destination pair.
  • Rule profiles: Predefined re-usable sets of rules to enforce consistently across your organization.
  • Group Policy: Links Scope with pre-configured Rule profile.
  • Group Policies: Set of group policies that is enforced across your organization closest to the traffic source.

To make policies more scalable and easier to manage and read, we have eliminated the legacy infinitely orderable rule model. Instead, the system automatically orders the rules based on intent and security best practices:

  1. All Deny layer 3 rules
  2. All Allow layer 3 rules
  3. Default layer 3 rules
  4. All Deny layer 7 rules 

Group Policy

Group Policy is a critical component in security management. The source scope specifies the range or group of VLANs or networks from which the traffic originates. The set of rules associated with the scope determines the actions to be taken on traffic that matches the defined criteria. These actions can include permitting or denying the traffic, inspecting it for security threats, or applying specific policies such as intrusion prevention. By carefully defining the scope and the corresponding rule profiles, administrators can ensure that only authorized traffic is allowed, while potentially harmful traffic is blocked or scrutinized, thereby enhancing the overall security posture of the organization.

At this time we support the following use cases:

  • Layer 3 policing for branch users and devices 
  • Layer 7 policing for branch users and devices 

Identification of branch users and devices is done using VLANs and IP addresses.

Viewing Organization group policy

Navigate to Security >  Group Policy. Here, you will find a comprehensive list of all configured policies. This main policy management page allows you to review each group policy in detail, including its scope, enforcement points, rule profiles, and the last modification date along with the name of the person who made the changes. This centralized view simplifies the process of verifying security compliance within your organization, ensuring that all policies are up-to-date and properly enforced.


Scope

Scope defines who or what the rules apply to. Currently we support the following scope objects:

  • Network groups: a configurable object that can consist of one or more VLANs already defined in your organization.

Create Scope Network Groups

Navigate to Security >  Group Policy and select Scope tab.


Select Network groups and click Add scope. A new window will open.

Add a descriptive Scope name and select one, many or all VLANs. Each VLAN is associated with the network where it is configured, and the same VLAN ID may exist across multiple networks. If you wish to select every VLAN 11 across your organization, search for VLAN ID 11 and then select all of the VLAN 11 entries listed. Click Save to create the scope.


Each VLAN and network pair can be included in one scope only. If a VLAN is already associated with a scope, the scope name is shown next to it and it cannot be selected.

Rule Profiles

Rule profiles are collections or sets of rules that are reusable and can be applied to various group policies. Each rule within a profile is a single "deny" or "allow" statement, crafted based on the rule's intent. This approach enhances the efficiency of creating and managing policies. Any changes made to a rule can be propagated across multiple policies and enforcement points, ensuring consistency and reducing administrative overhead. Additionally, rule profiles facilitate streamlined policy updates, allowing organizations to quickly adapt to new security requirements or regulatory changes.

Add Rule Profile

Navigate to Security >  Group Policy and select Rule profiles tab.

To create a new profile click Add Profile.

The Add new rule profile window will appear.

Create a descriptive Profile name and optionally add a Description.

Click Save. 


Once the rule profile is created it will appear with an empty rule list.  

Add Rules

Navigate to Security >  Group Policy and select Rule profiles tab.

Select Add rule under the Actions column for a given rule profile.


To create a new rule fill out the following criteria:

  • Rule name - create descriptive rule name without using special characters: #, /, $, @, %, !, etc.
  • Add description - optional field.
  • Rule status  - toggle to enable or disable.
  • Sources - This field will be populated with IP, CIDR, Objects or object groups.
  • IP address/subnet - can be configured for Group Policy with network group as a source.
  • Action - Allow or Deny.
  • Destinations - define where the traffic is intended to arrive.


Rule Destinations

Under the rule configuration, navigate to the Destinations section, open the Specify destinations dropdown and select one of the available options:

  • Objects and object groups
  • Internet and SaaS categories
  • IP address or subnet
  • VLANs


Multiple destination types can be configured in a single rule, except Internet and SaaS applications. The rule will match any of the destination fields.


Objects and object groups

Policy objects are reusable, named components that represent logical collections of elements. By using policy objects, you can avoid the need to repeatedly define the same components each time you create a policy. Instead, you can define an object once and reference it in multiple policies. The currently supported objects are Network objects, which should be configured prior to creation of an organization group policy (see Configure Network objects).

Limits per rule:

  • At most 1 policy object group in the source and/or 2 policy object groups in the destination.
  • At most 100 raw IPs in the source or destination (policy object groups may be used as well).

Network objects can be centrally managed through Security > Policy objects.

After selecting Objects and object groups, a new window will open. Select one or more objects or object groups and click Apply.


Internet and SaaS categories

After selecting Internet and SaaS categories, a new window will open. Select one or more categories or specific applications and click Apply.

If a rule contains public applications it cannot have other types of destinations (IP address, object groups, etc.).


IP address or subnet

After selecting IP address or subnet, a new window will open. Enter the IP address or subnet, select the protocol and configure ports or a port range.
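The constraints stated in the Add Rules and Rule Destinations sections (rule names without the listed special characters, IPv4 only, at most one policy object group in the source and two in the destination, at most 100 raw IPs, Internet and SaaS destinations not mixed with other destination types) and the scope rule that each VLAN and network pair belongs to one scope only can be checked before anything is entered in the dashboard. The following Python is an added example written for this page; it is not Meraki code and not the dashboard's own validation. The `Rule` dataclass, `validate_rule`, `validate_scopes` and the sample rules and scopes are this example's own constructions, and the forbidden-character set covers only the characters the page names, since its list is open-ended.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added illustration; not Meraki dashboard code. The constants restate limits
# given in this document.
MAX_SOURCE_OBJECT_GROUPS = 1      # "at most 1 policy object group in source"
MAX_DEST_OBJECT_GROUPS = 2        # "... 2 policy object groups in destination"
MAX_RAW_IPS = 100                 # "at most 100 raw IPs in source or destination"
# Characters the document names as not allowed in rule names ("#, /, $, @, %, !, etc.");
# the document's list is open-ended, so this set only covers the ones it names.
FORBIDDEN_NAME_CHARS = frozenset("#/$@%!")


@dataclass
class Rule:
    name: str
    action: str                                                   # "Allow" or "Deny"
    source_ips: List[str] = field(default_factory=list)           # raw IPs / CIDRs
    source_object_groups: List[str] = field(default_factory=list)
    dest_ips: List[str] = field(default_factory=list)
    dest_object_groups: List[str] = field(default_factory=list)
    dest_vlans: List[str] = field(default_factory=list)
    dest_apps: List[str] = field(default_factory=list)            # Internet and SaaS categories / applications


def validate_rule(rule: Rule) -> List[str]:
    """Return the documented constraints a rule violates; an empty list means it passes."""
    problems = []
    bad = sorted(FORBIDDEN_NAME_CHARS.intersection(rule.name))
    if bad:
        problems.append(f"rule name contains special characters: {''.join(bad)}")
    if rule.action not in ("Allow", "Deny"):
        problems.append(f"action must be Allow or Deny, got {rule.action!r}")
    for ip in rule.source_ips + rule.dest_ips:
        try:
            net = ipaddress.ip_network(ip, strict=False)
        except ValueError:
            problems.append(f"invalid IP address/subnet: {ip}")
            continue
        if net.version != 4:                       # only IPv4 is supported at this time
            problems.append(f"only IPv4 is supported: {ip}")
    if len(rule.source_object_groups) > MAX_SOURCE_OBJECT_GROUPS:
        problems.append(f"more than {MAX_SOURCE_OBJECT_GROUPS} object group in source")
    if len(rule.dest_object_groups) > MAX_DEST_OBJECT_GROUPS:
        problems.append(f"more than {MAX_DEST_OBJECT_GROUPS} object groups in destination")
    if len(rule.source_ips) > MAX_RAW_IPS or len(rule.dest_ips) > MAX_RAW_IPS:
        problems.append(f"more than {MAX_RAW_IPS} raw IPs in source or destination")
    # Internet and SaaS destinations are exclusive: no other destination type in the same rule.
    if rule.dest_apps and (rule.dest_ips or rule.dest_object_groups or rule.dest_vlans):
        problems.append("Internet and SaaS destinations cannot be combined with other destination types")
    return problems


def validate_scopes(scopes: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Each (network, VLAN) pair may belong to one scope only; return the conflicts found."""
    owner: Dict[Tuple[str, str], str] = {}
    conflicts = []
    for scope_name, members in scopes.items():
        for member in members:
            if member in owner and owner[member] != scope_name:
                conflicts.append(
                    f"{member[1]} in {member[0]} is already in scope {owner[member]!r}, also in {scope_name!r}")
            owner.setdefault(member, scope_name)
    return conflicts


# Constructed sample definitions (not from the document).
SAMPLE_RULES = [
    Rule("Block-Google-DNS", "Deny", dest_ips=["8.8.8.8"]),
    # Three violations: forbidden character, IPv6 destination, apps mixed with IPs.
    Rule("Bad#Name", "Deny", dest_ips=["2001:db8::/32"], dest_apps=["Social networking"]),
]
SAMPLE_SCOPES = {
    "Branch-users": [("Store-1", "VLAN 11"), ("Store-2", "VLAN 11")],
    "Guest": [("Store-1", "VLAN 20"), ("Store-2", "VLAN 11")],   # Store-2 / VLAN 11 reused: conflict
}

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(r.name, validate_rule(r) or "OK")
    print(validate_scopes(SAMPLE_SCOPES) or "scopes OK")
```

Running the block reports the first sample rule as OK, lists the three problems with the second, and flags the Store-2 / VLAN 11 pair that appears in both scopes, which is exactly the selection the dashboard would refuse.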


View and Change Rules

Under the Rule profiles tab, select a Rule profile. This opens the list of all active or inactive rules configured under that Rule profile.

Expand Associated policies to see all Group policies this Rule profile is part of.

Rule Type can be Layer 3 (L3) or Layer 7 (L7). This is determined based on the rule configuration.

Any rule can be changed by selecting ... and Edit for the rule that needs to change. A change to a rule or rule profile will propagate across all enforcement points.


View Rule Profiles

Navigate to Security > Group Policy and select the Rule profiles tab.


Create Group Policy

Group policy enables the binding of created objects, forming actionable intents. By mapping predefined Scopes and Rule profiles, an organization group policy is created. Please note that the enforcement location is fixed and cannot be adjusted. The framework is designed so that, based on the group policy configuration, enforcement occurs where it is most effective. This approach significantly streamlines the administration of policies within the organization.

From Security >  Group Policy page select Add group policy.


The policy creation form has the following main sections:

  1. Group policy name and description
  2. Scope
  3. Rule profiles
  4. Default

The current implementation supports the Network groups scope. A network group identifies the users and devices behind a branch that are attached to MR, MS and/or MX/Z devices. At this time only one Scope can be assigned to one Group policy.


Group policy name and description

Choose a descriptive group policy name and write a description.

Scope

Under the Scope section, select a scope.


Navigate to Network groups or User groups and select only one group. 

Rule profiles

Under Rule profiles click Attach profiles.


Select one or many Rule profiles and click Attach.

After the Rule profiles are attached, navigate to the All rules tab under the Rule profiles section. This lists all rules from all attached profiles in order of operation. Rules are executed in the order that provides maximum security for the organization, where DENY always takes precedence over ALLOW. The order of rule execution is:

  1. Deny layer 3 rules
  2. Allow layer 3 rules
  3. Default layer 3 rules
  4. Deny layer 7 rules 


Default Layer 3 Rule

Each group policy will have one default layer 3 rule. 


  • Deny RFC 1918 will block all internal (RFC 1918) traffic but allow external internet traffic.
  • Deny all will block all traffic.
  • Allow all will allow all traffic. It is recommended only during initial setup or troubleshooting, to discover the applications and traffic inside the organization.

Default layer 7 rule is Allow.

If default L3 rule is set to "Deny all", layer 7 rules will never be hit.
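The rule order listed under Architecture and again under Rule profiles, together with the default layer 3 and layer 7 rules described here, can be read as a small evaluation algorithm: flatten every attached profile, sort the rules by class (deny L3, allow L3, deny L7) regardless of the order they were entered, apply the default L3 rule when no L3 rule matched, and only then consult the L7 deny rules. The Python below is an added example for this page, not Meraki's implementation; `Rule`, `Profile`, `Flow`, `order_rules`, `evaluate` and the sample profile are this example's own. It assumes that a layer 3 allow, whether from an explicit rule or from the default, hands the flow on to the layer 7 deny rules (consistent with DENY taking precedence over ALLOW), and that there is no allow layer 7 class, since the documented order lists none.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added illustration of the ordering model described in this document; not
# Meraki's implementation. All names here are this example's own.

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Default layer 3 rule choices, named as on the group policy page.
DENY_RFC1918, DENY_ALL, ALLOW_ALL = "Deny RFC 1918", "Deny all", "Allow all"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    layer: int    # 3 (IP/subnet, VLAN, object destinations) or 7 (Internet and SaaS categories)
    dest: str     # L3: IPv4 CIDR; L7: application category name


@dataclass(frozen=True)
class Profile:
    name: str
    rules: Tuple[Rule, ...]


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    app: Optional[str] = None   # category the appliance identified for the flow, if any


def _rank(rule: Rule) -> int:
    """Position of a rule's class in the documented order; input order is otherwise ignored."""
    if rule.layer == 3 and rule.action == "deny":
        return 0
    if rule.layer == 3 and rule.action == "allow":
        return 1
    if rule.layer == 7 and rule.action == "deny":
        return 2
    # The documented order lists no "allow layer 7" class; assumption: reject such rules.
    raise ValueError(f"unsupported rule class: {rule.action} layer {rule.layer}")


def order_rules(profiles: List[Profile]) -> List[Rule]:
    """Flatten every attached profile and sort by class; sorted() is stable, so profile order is kept inside a class."""
    return sorted((r for p in profiles for r in p.rules), key=_rank)


def _l3_match(rule: Rule, flow: Flow) -> bool:
    return ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(rule.dest, strict=False)


def evaluate(flow: Flow, profiles: List[Profile], default_l3: str) -> Tuple[str, str]:
    """Return (action, reason): deny L3 -> allow L3 -> default L3 -> deny L7 -> default L7 allow."""
    ordered = order_rules(profiles)
    l3_verdict = None
    for rule in (r for r in ordered if r.layer == 3):
        if _l3_match(rule, flow):
            l3_verdict = (rule.action, rule.name)
            break  # first match in the sorted list: every deny rule sits before every allow rule
    if l3_verdict is None:
        dst = ipaddress.ip_address(flow.dst_ip)
        if default_l3 == DENY_ALL or (default_l3 == DENY_RFC1918 and any(dst in n for n in RFC1918)):
            l3_verdict = ("deny", f"default L3 ({default_l3})")
        else:
            l3_verdict = ("allow", f"default L3 ({default_l3})")
    if l3_verdict[0] == "deny":
        return l3_verdict  # denied at L3, so the layer 7 rules are never evaluated
    # Assumption: an L3 allow (explicit or default) hands the flow to the L7 deny rules.
    for rule in (r for r in ordered if r.layer == 7):
        if flow.app == rule.dest:
            return ("deny", rule.name)
    return ("allow", "default L7 (Allow)")


# Constructed sample profile; the allow rule is deliberately entered first to
# show that the evaluator reorders it behind the deny rules.
BRANCH_BASELINE = Profile("Branch-baseline", (
    Rule("Allow-corp-10", "allow", 3, "10.0.0.0/8"),
    Rule("Block-8888", "deny", 3, "8.8.8.8/32"),
    Rule("Block-social", "deny", 7, "Social networking"),
))


def demo():
    """Evaluate a few constructed flows against the sample profile and each default L3 choice."""
    cases = [
        (Flow("8.8.8.8"), DENY_RFC1918),                          # explicit L3 deny wins
        (Flow("10.20.0.5"), DENY_RFC1918),                        # explicit L3 allow, no L7 hit
        (Flow("1.1.1.1", app="Social networking"), DENY_RFC1918), # external at L3, denied at L7
        (Flow("192.168.1.1"), DENY_RFC1918),                      # internal, default L3 deny
        (Flow("1.1.1.1", app="Social networking"), DENY_ALL),     # L7 never reached
    ]
    return [(f.dst_ip, f.app, d, evaluate(f, [BRANCH_BASELINE], d)) for f, d in cases]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running it shows that the flow to 8.8.8.8 is denied by the explicit rule even though the allow rule was entered first, and that with Deny all as the default layer 3 rule the Social networking flow is stopped at layer 3, so the layer 7 rule is never reached.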


Policy Enforcement

After selecting a Scope, attaching Rule profiles and selecting the default rule, click Save changes. All changes will be propagated to the enforcement points selected based on the Scope configuration.

Change Policy

Under the Policies tab, select ... and Edit for the policy that needs to change.

The change in group policy will propagate across all enforcement points.


Verify Policy Rules

Navigate to the network defined by the policy scope.


Navigate to Security & SD-WAN > Appliance Status > Tools.

Using the Firewall Log, check the status of specific flows.


Note that traffic from the client 10.114.0.100 in VLAN 114 to IP address 8.8.8.8 is blocked by the matching policy rule.
