Cisco Meraki

Cisco+ Secure Connect - Creating Access Policies for Private Applications and Network (Legacy)

This guide shows the legacy method of updating firewall policies in Umbrella Dashboard. The Cloud Firewall configuration is now part of the Secure Connect dashboard. Please review the Cloud Firewall guide for more information on defining a Private Application and Network rule.

The Secure Connect cloud-delivered firewall provides firewall services without the need to deploy, maintain, and upgrade physical or virtual appliances at each site.

Through firewall policy rules, you can filter traffic destined for private applications or networks at layer 3 and layer 4.

Prerequisites

Deployment Considerations

A default rule is in place to block all private access traffic. This rule cannot be deleted, but it can be edited to allow traffic rather than block it. Its source and destination criteria cannot be changed. This provides the flexibility to accommodate either a block-all or a permit-all policy model.

[Screenshot: NAP Default rule]

Private access policies apply only to specific traffic flows; see Securing Access to Private Applications and Networks for more detail.

Configuration 

  1. Navigate to Policies > Firewall. This takes you to the Umbrella Dashboard.

  2. In the upper right-hand corner of the page, click Add.

[Screenshot: Firewall Policy]

  3. Select the Rule Type Private Applications and Networks.

[Screenshot: FW Policy Private Apps]

  4. Give your rule a descriptive Name and a Description, and choose a Priority Order. Rules are applied sequentially, with the Default Rule always in the last position. Priority Order sets the rule's position in the Firewall Policy, which is the order in which rules are evaluated and applied.

[Screenshot: FW Policy Rule Details]

  5. Choose the Rule Action.

[Screenshot: FW Policy Rule Action]

  6. Choose the rule's criteria:
  • Source CIDR IP Addresses (optional): the source addresses (IP or CIDR) to which the rule applies. Choose Specify IP and add each CIDR IP address, or choose Any.
  • Identities (optional if a source IP was selected): select the groups and/or users to which the rule applies.

Group/user identity is only evaluated for traffic sourced from remote access (client-based) users.

  • Destination CIDR IP Addresses: the destination addresses (IP or CIDR) to which the rule applies. Choose Specify IP and add each CIDR IP address, or choose Any.
  • Private Applications: select the applications and/or application groups to which the rule applies.

[Screenshot: FW Policy Private App]

  7. Choose a Time Zone, and configure Start and Expiration dates and times. Optionally, check Does Not Expire so that this rule never expires.

[Screenshot: FW Policy Rule Schedule]

  8. Select an interval for the hit counter. If you disable logging for this firewall rule, the hit counter is also disabled. For more information, see Monitor Hit Count.

[Screenshot: FW Policy Rule Hit Counter]

  9. Specify whether logging is desired.

[Screenshot: FW Policy Rule Logging]

  10. Click Save.
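As an added illustration of how the criteria above combine (this is example code written for this guide, not Cisco code), the following Python model evaluates a flow against rules in Priority Order with the Default Rule last. It assumes first-match semantics, which the guide does not state, and that identity is only known for remote-access flows, as the note on Identities says; the policy, addresses and application names are constructed samples.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass
class Rule:  # criteria as the dashboard collects them; an empty list means "Any"
    name: str
    action: str                                     # "allow" or "block"
    src: list = field(default_factory=list)         # Source CIDR IP Addresses
    identities: list = field(default_factory=list)  # Identities (groups/users)
    dst: list = field(default_factory=list)         # Destination CIDR IP Addresses
    apps: list = field(default_factory=list)        # Private Applications
    expires: datetime = None                        # None = Does Not Expire

@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    app: str
    identity: str = ""           # known only for remote-access (client-based) users
    remote_access: bool = False  # False for traffic arriving from a site

def in_any(ip, cidrs):
    return not cidrs or any(ip_address(ip) in ip_network(c) for c in cidrs)

def rule_matches(rule, flow, now):
    if rule.expires is not None and now > rule.expires:  # expired rules never match
        return False
    if not (in_any(flow.src_ip, rule.src) and in_any(flow.dst_ip, rule.dst)
            and (not rule.apps or flow.app in rule.apps)):
        return False
    # Identity is only evaluated for remote-access traffic, so an identity-scoped rule never matches site traffic.
    if rule.identities and (not flow.remote_access or flow.identity not in rule.identities):
        return False
    return True

def evaluate(rules, default_action, flow, now):
    # Rules are checked in Priority Order, Default Rule last; first match decides (assumed).
    for rule in rules:
        if rule_matches(rule, flow, now):
            return rule.action, rule.name
    return default_action, "Default Rule"

def demo():
    policy = [Rule("Finance to ERP", "allow", identities=["Finance"], dst=["10.20.0.0/24"], apps=["erp"]),
              Rule("Contractor site", "allow", src=["192.0.2.0/24"], expires=datetime(2023, 1, 1))]
    now = datetime(2024, 6, 1)
    client = Flow("100.64.0.5", "10.20.0.10", "erp", identity="Finance", remote_access=True)
    site = Flow("192.0.2.7", "10.20.0.10", "erp")  # same destination, but no identity
    return evaluate(policy, "block", client, now), evaluate(policy, "block", site, now)
```

In the constructed policy the remote-access Finance user is allowed by the first rule, while the site-sourced flow to the same destination matches neither the identity-scoped rule nor the expired contractor rule and falls through to the block-all default.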