Cisco Meraki

Meraki Device-to-Cloud Connectivity - FIPS

Meraki is updating its device-to-cloud connectivity to an architecture that was crafted from the ground up to provide even greater security and simplicity for connectivity. This connectivity is currently available on devices that meet certain firmware requirements, noted below in the section, Supported Firmware/Models.

This re-architecture utilizes the latest in tools and development practices, the result of which will improve the security, performance, management, scalability, and resiliency of Meraki's cloud infrastructure. 

For users, there are multiple benefits:

  • Simpler firewall configuration - Only requires one firewall policy: Allow access to over HTTPS port 443 (for the commercial cluster).

  • Security - TLS implementation via CiscoSSL library. 

  • FIPS 140-2 validation - A validation level required for the federal market and other compliance standards.

  • Scale and performance - Overall enhanced cloud-connectivity experience.


Please refer to Cisco's Global Government Certifications - FIPS 140 landing page, where the certificate for the following Cisco Meraki products is available:

What to Expect

Actions required: Meraki devices using this device-to-cloud connectivity method will require TCP port 443 to be open on any upstream firewalls. Please note this does not mean that previously used ports (TCP port 7734 and UDP 7351) should be closed, as access requirements may vary by product and firmware build.

User experience: As Meraki device-to-cloud connectivity is a re-architecture of the device-cloud-server communications, very little will change in terms of the end-user interface. General usage activity, given how the device-cloud communication works, should remain the same. There are no UI components to device-to-cloud connectivity that differ from before, other than the different open ports/protocols noted as required for cloud connectivity on the Help > Firewall page.

How to Determine your Connection Version

Any devices running the supported firmware versions (listed below) or higher will use this device-to-cloud connectivity method by default. In the event that a device is unable to connect using this connection method (over TCP port 443), the device's firmware reverts to the device's previously used firmware version, which will continue using the older connection method (TCP port 7734 and UDP 7351).

To verify which connection your devices are using, you can refer to the Help > Firewall Rules page in your dashboard, which displays dynamically based on your network's devices and required connections. From here, you can determine which device types are using which connection. For more information on this page, see the document, Upstream Firewall Rules for Cloud Connectivity.

Supported Firmware/Models

This device-to-cloud connectivity option is currently only publicly available on MX and MR models included in the "Supported Models" list. They must also be running MX 16.4 or higher (for MX) or MR 28.1 or higher (for MR).

Supported Firmware

  • Public beta: MX 16.4 or higher
  • Public beta: MR 28.1 or higher (All Wi-Fi 6 APs only)
  • Public beta: MS 15.1 or higher
  • Other lines: Not yet supported

Enabling FIPS

Meraki MX

FIPS 140-3 update

Cisco Meraki is working on the transition from FIPS 140-2 to FIPS 140-3. This is the new standard that will be used in designing and implementing cryptographic modules that federal departments and agencies operate.

To satisfy the new FIPS compliance requirements for your network, please follow the instructions below:

1. Enable/Disable FIPS mode via UI

FIPS compatible devices will reboot upon enabling FIPS features.

This setting is available in the Dashboard under Network-wide -> General.


2. Prerequisites for enabling FIPS

Important considerations to keep in mind before enabling FIPS features:

  • To enable FIPS features please make sure that FIPS mode is Enabled. FIPS features cannot be enabled if the FIPS mode is Disabled.

  • FIPS mode cannot be Disabled while FIPS features are Enabled.

  • With FIPS enabled, features using non-compliant security algorithms will not function as expected.

In order to enable FIPS mode, please ensure that the settings below in your Dashboard are in compliance with FIPS Standards:

  • SNMP: SNMP must use SNMPv3 with SHA and AES128
  • Security & SD-WAN -> Configure: Site-to-site VPN -> Non Meraki VPN settings:
    • Preshared secret must be greater than 14 characters
    • Authentication cannot be MD5
    • Diffie-Hellman Group must be 14
    • Phase 2 encryption cannot be NULL
    • PFS can be configured to be either off or 14
  • Client VPN
    • Will automatically adjust to DH Group 14 by default
    • Preshared secret must be greater than 14 characters
    • RADIUS authentication must be disabled
  • AnyConnect
    • Preshared secret must be greater than 14 characters
  • MX Splash Page
    • RADIUS authentication must be disabled
  • MX Access Policies
    • RADIUS authentication must be disabled
  • MX Wireless
    • Must use WPA2 only
    • WPA key length must be greater than 14 characters
    • RADIUS authentication must be disabled
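
An added example, not part of the original page and not Meraki code: a pre-flight audit that runs the prerequisites listed above over a settings export before FIPS mode is turned on. Every dictionary key and the sample values are hypothetical and constructed here (they are not Meraki Dashboard API fields), and SNMP is assumed to be checked only when it is configured.

```python
# Added example: audit a settings export against the FIPS prerequisites above.
# Every dictionary key is hypothetical; none is a Meraki Dashboard API field.
MIN_LEN = 14  # secrets and WPA keys must be LONGER than 14 characters

def check_secret(path, section, key, out):
    if len(section.get(key, "")) <= MIN_LEN:
        out.append(f"{path}: {key} must be greater than {MIN_LEN} characters")

def audit_fips(cfg):
    """Return a list of violations; an empty list means every check passed."""
    out = []
    snmp = cfg.get("snmp")  # assumption: SNMP is only checked when configured
    if snmp and (snmp.get("version"), snmp.get("auth"), snmp.get("priv")) != ("v3", "SHA", "AES128"):
        out.append("snmp: must use SNMPv3 with SHA and AES128")
    for i, peer in enumerate(cfg.get("non_meraki_vpn_peers", [])):
        path = f"non_meraki_vpn_peers[{i}]"
        check_secret(path, peer, "psk", out)
        if str(peer.get("auth")).upper() == "MD5":
            out.append(f"{path}: authentication cannot be MD5")
        if peer.get("dh_group") != 14:
            out.append(f"{path}: Diffie-Hellman group must be 14")
        if str(peer.get("phase2_encryption")).upper() == "NULL":
            out.append(f"{path}: phase 2 encryption cannot be NULL")
        if peer.get("pfs", "off") not in ("off", 14):
            out.append(f"{path}: PFS must be off or 14")
    for name in ("client_vpn", "anyconnect"):
        if name in cfg:
            check_secret(name, cfg[name], "psk", out)
    for name in ("client_vpn", "splash_page", "access_policies", "wireless"):
        if cfg.get(name, {}).get("radius"):
            out.append(f"{name}: RADIUS authentication must be disabled")
    wifi = cfg.get("wireless")
    if wifi:
        if wifi.get("encryption") != "WPA2":
            out.append("wireless: must use WPA2 only")
        check_secret("wireless", wifi, "wpa_key", out)
    return out

# Constructed sample: 14-char PSK (one short), MD5, DH group 2, wireless RADIUS on.
SAMPLE = {
    "snmp": {"version": "v3", "auth": "SHA", "priv": "AES128"},
    "non_meraki_vpn_peers": [{"psk": "A" * 14, "auth": "MD5", "dh_group": 2,
                              "phase2_encryption": "AES256", "pfs": "off"}],
    "client_vpn": {"psk": "correct-horse-battery", "radius": False},
    "wireless": {"encryption": "WPA2", "wpa_key": "B" * 20, "radius": True},
}

if __name__ == "__main__":
    print("\n".join(audit_fips(SAMPLE)))
```

The 14-character preshared secret in the sample is flagged because the requirement is strictly greater than 14 characters.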

Technical Details


Device-to-cloud connectivity uses TLS 1.2 with AES 256 for encryption and utilizes FIPS validated cryptography. It enforces mutual TLS and requires the client to use FIPS 140-2 approved algorithms.

Cloud Connectivity

Updated Meraki cloud communication 

  • Device-to-cloud connectivity now communicates via TCP port 443. This is helpful with upstream firewall configurations, as most firewalls that Meraki's devices are behind already allow connections to port 443.

  • Compared to before, this device-to-cloud connectivity method does not utilize ports 7734 and 7351. This includes config, list, and firmware fetches.

Firewall rules required 

All devices utilizing this device-to-cloud connectivity method require a single firewall rule to allow Meraki cloud communication:

Allow outbound connections to destination on TCP port 443