Cisco Meraki

Cisco+ Secure Connect - Creating Access Policies for Private Applications and Network

The Secure Connect cloud-delivered firewall provides firewall services without the need to deploy, maintain and upgrade physical or virtual appliances at each site.

Through the firewall policy rules, you can filter traffic destined for private applications or networks at Layer 3 and Layer 4 (IP address and transport port/protocol).

Prerequisites

  • Private applications and/or networks must already be defined; see Defining Private Applications.
  • If the rule uses user or group identity, SAML must be configured so that identities are available to the policy.

Deployment Considerations

A default rule blocks all private access traffic. This rule cannot be deleted, but its action can be changed from Block to Allow; its source and destination criteria cannot be edited. This gives you the choice between a default-deny model (leave the Default Rule at Block and add Allow rules for the traffic you want) and a default-permit model (set the Default Rule to Allow and add Block rules for what you want to stop). Default-deny is the least-privilege option: any application or network you forget to cover stays unreachable rather than exposed.

Documentation NAP Default.png

Private access policies apply only to specific traffic flows; see Securing Access to Private Applications and Networks for more detail.

Configuration 

  1. Navigate to Policies -> Firewall. This takes you to the Umbrella Dashboard.

Documenation - Menu NAP.png

  2. In the upper right-hand corner of the page, click Add.

Documentation Firewall Policy.png

  3. Select the Rule Type Private Applications and Networks.

Docs - FW Policy Private Apps.png

  4. Give the rule a descriptive Name, a Description, and a Priority Order. Rules are evaluated sequentially in priority order, and the Default Rule is always in the last position, so the Priority Order determines where in the Firewall Policy this rule is evaluated relative to the others. Place narrower, more specific rules ahead of broader ones so that a broad rule does not shadow them.

Doc - FW Policy Rule Details.png

  5. Choose the Rule Action (Allow or Block).

Doc - FW Policy Rule Action.png

  6. Choose the rule's criteria:
  • Source CIDR IP Addresses (optional): the source addresses (IP or CIDR) to which the rule applies. Choose Specify IP and add each IP address or CIDR, or choose Any.
  • Identities (optional if a source IP was already specified): the groups and/or users to which the rule applies.

Group/user identity is only evaluated for traffic sourced from remote access (client-based) users. Traffic arriving from a site rather than a client carries no user identity, so scope rules for that traffic with Source CIDR IP Addresses instead of relying on Identities.

  • Destination CIDR IP Addresses: the destination addresses (IP or CIDR) to which the rule applies. Choose Specify IP and add each IP address or CIDR, or choose Any.
  • Private Applications: the applications and/or application groups to which the rule applies.

Doc - FW Policy Rule Criteria .png

  7. Choose a Time Zone and configure the Start and Expiration dates and times. Optionally, check Does Not Expire so that the rule never expires. Give temporary exceptions an expiration so that they do not outlive the change they were created for.

Doc - FW Policy Rule Schedule.png

  8. Select an interval for the hit counter. If you disable logging for this firewall rule, the hit counter is also disabled. For more information, see Monitor Hit Count.

Doc - FW Policy Rule Hit Counter.png

  9. Specify whether logging is desired. Logging is what makes matches on this rule visible for monitoring and incident investigation, and the hit counter depends on it, so leave it enabled unless there is a specific reason not to.

Doc - FW Policy Rule Logging.png

  10. Click Save. After saving, confirm that the new rule appears at the intended priority position, above the Default Rule.
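To make the evaluation order and the identity caveat concrete, here is a small Python model of a private-access firewall policy. This is an added example, not Secure Connect or Umbrella code: its semantics (rules evaluated top down in priority order, first match wins, the Default Rule evaluated last, an identity criterion never matching a flow that carries no user, expired rules skipped) are assumptions drawn from the description above, and the rule names, addresses, users and groups are constructed for illustration.

```python
"""Illustrative model of a priority-ordered private-access firewall policy.
Added example, not Secure Connect code. Assumptions: top-down evaluation by
priority, first match wins, Default Rule last, identity only available for
remote-access client flows, expired rules skipped."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    user: Optional[str] = None       # set only for remote-access (client) users
    groups: Tuple[str, ...] = ()     # SAML groups of that user, if any


@dataclass(frozen=True)
class Rule:
    priority: int                    # lower number is evaluated first (assumption)
    name: str
    action: str                      # "allow" or "block"
    src_cidrs: Tuple[str, ...] = ()  # empty = Any
    identities: Tuple[str, ...] = () # users/groups; empty = no identity criterion
    dst_cidrs: Tuple[str, ...] = ()  # empty = Any
    expires: Optional[datetime] = None  # None = Does Not Expire

    def matches(self, flow: Flow, now: datetime) -> bool:
        if self.expires is not None and now >= self.expires:
            return False             # expired rule is skipped entirely
        if self.src_cidrs and not _in_any(flow.src_ip, self.src_cidrs):
            return False
        if self.dst_cidrs and not _in_any(flow.dst_ip, self.dst_cidrs):
            return False
        if self.identities:
            # Identity exists only for remote-access client traffic; a site-to-site
            # flow has no user, so an identity rule cannot match it (assumption).
            if flow.user is None:
                return False
            principals = {flow.user, *flow.groups}
            if not principals & set(self.identities):
                return False
        return True


def _in_any(ip: str, cidrs: Tuple[str, ...]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(c, strict=False) for c in cidrs)


def evaluate(rules: Iterable[Rule], default_action: str, flow: Flow,
             now: Optional[datetime] = None) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule in priority order,
    falling through to the Default Rule, which is always evaluated last."""
    now = now or datetime.now(timezone.utc)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(flow, now):
            return rule.name, rule.action
    return "Default Rule", default_action


# Constructed sample policy in the default-deny model (Default Rule left at Block).
ERP = ("10.10.5.0/24",)
POLICY = [
    Rule(1, "Finance to ERP", "allow", identities=("Finance",), dst_cidrs=ERP),
    Rule(2, "Branch-A to ERP", "allow", src_cidrs=("192.168.10.0/24",), dst_cidrs=ERP),
    Rule(3, "Contractor temp access", "allow", identities=("carol",), dst_cidrs=ERP,
         expires=datetime(2024, 1, 31, tzinfo=timezone.utc)),
]
DEFAULT_ACTION = "block"
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)   # constructed evaluation time


def demo() -> dict:
    """Evaluate a handful of constructed flows against POLICY."""
    flows = {
        "finance user": Flow("100.64.0.10", "10.10.5.20", user="alice", groups=("Finance",)),
        "other user": Flow("100.64.0.11", "10.10.5.20", user="bob", groups=("Sales",)),
        "branch A host": Flow("192.168.10.7", "10.10.5.20"),
        "branch B host": Flow("192.168.20.7", "10.10.5.20"),
        "expired contractor": Flow("100.64.0.12", "10.10.5.20", user="carol"),
    }
    return {label: evaluate(POLICY, DEFAULT_ACTION, f, NOW) for label, f in flows.items()}


if __name__ == "__main__":
    for label, (rule, action) in demo().items():
        print(f"{label:20s} -> {action:5s} ({rule})")
```

The "branch B host" case is the one to study: its source network is not covered by any CIDR rule, and the Finance identity rule cannot help it because site traffic carries no user, so under default-deny it is blocked. Switching DEFAULT_ACTION to "allow" flips every uncovered flow to permitted, which is why the default-permit model needs an explicit Block rule for each thing you want to stop.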