
Meraki Device-to-Cloud Connectivity - FIPS


Meraki is updating its device-to-cloud connectivity to an architecture designed from the ground up to provide greater security and simplicity. This connectivity is currently available on devices that meet the firmware requirements listed below under Supported Firmware/Models.

This re-architecture utilizes the latest in tools and development practices, the result of which will improve the security, performance, management, scalability, and resiliency of Meraki's cloud infrastructure. 

For users, there are multiple benefits:

  • Simpler firewall configuration - Only requires one firewall policy: Allow access to 209.206.48.0/20 over HTTPS port 443 (for the commercial cluster).

  • Security - TLS implementation via CiscoSSL library. 

  • FIPS 140-2 validation - A validation level required for the federal market and other compliance standards.

  • Scale and performance - Overall enhanced cloud-connectivity experience.

Certifications

Please refer to Cisco's Global Government Certifications - FIPS 140 landing page, where the FIPS 140 certificates for Cisco Meraki products are listed.

What to Expect

Actions required: Meraki devices using this device-to-cloud connectivity method will require TCP port 443 to be open on any upstream firewalls. Please note this does not mean that previously used ports (TCP port 7734 and UDP 7351) should be closed, as access requirements may vary by product and firmware build.

User experience: Because device-to-cloud connectivity is a re-architecture of the device-to-cloud-server communications, very little changes in the end-user interface. General usage should remain the same. The only UI component that differs from before is the Help > Firewall page, which now lists the different open ports/protocol required for cloud connectivity.

How to Determine your Connection Version

Any device running a supported firmware version or higher (listed below) will use this device-to-cloud connectivity method by default. If a device is unable to connect using this method (over TCP port 443), its firmware reverts to the previously used firmware version, which continues to use the older connection method (TCP port 7734 and UDP port 7351).

To verify which connection your devices are using, you can refer to the Help > Firewall Rules page in your dashboard, which displays dynamically based on your network's devices and required connections. From here, you can determine which device types are using which connection. For more information on this page, see the document, Upstream Firewall Rules for Cloud Connectivity.

Supported Firmware/Models

  • MX: MX 16.4 or higher
  • MR (Wi-Fi 6 APs only): MR 28.1 or higher
  • MS: MS 15.1 or higher
  • Other lines: not yet supported

Enabling FIPS

FIPS 140-3 update

Cisco Meraki is working on the transition from FIPS 140-2 to FIPS 140-3. This is the new standard that will be used in designing and implementing cryptographic modules that federal departments and agencies operate.

Prerequisites for enabling FIPS

In order to enable FIPS mode, please ensure that the following settings in your Dashboard comply with the FIPS standards:

  • SNMP: must use SNMPv3 with SHA authentication and AES128 privacy
  • Security & SD-WAN -> Configure: Site-to-site VPN -> Non-Meraki VPN settings:
    • Preshared secret must be greater than 14 characters
    • Authentication cannot be MD5
    • Diffie-Hellman group must be 14
    • Phase 2 encryption cannot be NULL
    • PFS can be configured to be either off or 14
  • Client VPN
    • Will automatically adjust to DH Group 14 by default
    • Preshared secret must be greater than 14 characters
    • RADIUS authentication must be disabled
  • AnyConnect
    • Preshared secret must be greater than 14 characters
  • MX Splash Page
    • RADIUS authentication must be disabled
  • MX Access Policies
    • RADIUS authentication must be disabled
  • MX Wireless
    • Must use WPA2 only
    • WPA key length must be greater than 14 characters
    • RADIUS authentication must be disabled
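The checklist above is easy to get wrong across many peers and SSIDs, so here is an added pre-check script (example code, not Meraki's own) that reports every prerequisite a configuration still violates before FIPS mode is enabled. The dictionary layout and field names are assumptions made for this example and do not mirror the Meraki Dashboard API schema.

```python
# Added example, not Meraki's code: pre-check a network configuration against the
# FIPS prerequisites above. The dict layout is an assumption, not the Dashboard API.

def _long_enough(secret):
    return isinstance(secret, str) and len(secret) > 14  # "greater than 14 characters"

def fips_prerequisite_findings(cfg):
    """Return the prerequisites this configuration violates (empty list = ready)."""
    f = []
    need = lambda ok, msg: None if ok else f.append(msg)
    snmp = cfg["snmp"]
    need((snmp["version"], snmp["auth"], snmp["priv"]) == (3, "SHA", "AES128"),
         "SNMP: must be SNMPv3 with SHA authentication and AES128 privacy")
    for p in cfg["non_meraki_vpn_peers"]:
        w = f"Non-Meraki VPN peer '{p['name']}'"
        need(_long_enough(p["psk"]), f"{w}: preshared secret must exceed 14 characters")
        need(p["auth"] != "MD5", f"{w}: MD5 authentication is not permitted")
        need(p["dh_group"] == 14, f"{w}: Diffie-Hellman group must be 14")
        need(p["phase2_encryption"] not in (None, "NULL"), f"{w}: phase 2 encryption must not be NULL")
        need(p["pfs_group"] in ("off", 14), f"{w}: PFS must be off or group 14")
    cv = cfg["client_vpn"]  # DH group 14 is applied automatically; nothing to check
    need(_long_enough(cv["psk"]), "Client VPN: preshared secret must exceed 14 characters")
    need(not cv["radius_auth"], "Client VPN: RADIUS authentication must be disabled")
    need(_long_enough(cfg["anyconnect"]["psk"]), "AnyConnect: preshared secret must exceed 14 characters")
    for feature in ("splash_page", "access_policies"):
        need(not cfg[feature]["radius_auth"], f"MX {feature}: RADIUS authentication must be disabled")
    for s in cfg["mx_wireless_ssids"]:
        w = f"MX wireless SSID '{s['name']}'"
        need(s["security"] == "WPA2", f"{w}: must use WPA2 only")
        need(_long_enough(s["psk"]), f"{w}: WPA key must exceed 14 characters")
        need(not s["radius_auth"], f"{w}: RADIUS authentication must be disabled")
    return f

# Constructed sample: one compliant peer and one legacy peer with several violations.
SAMPLE_CONFIG = {
    "snmp": {"version": 3, "auth": "SHA", "priv": "AES128"},
    "non_meraki_vpn_peers": [
        {"name": "branch-a", "psk": "correct-horse-battery-staple", "auth": "SHA1",
         "dh_group": 14, "phase2_encryption": "AES256", "pfs_group": "off"},
        {"name": "legacy-dc", "psk": "short-key", "auth": "MD5",
         "dh_group": 2, "phase2_encryption": "AES128", "pfs_group": 14},
    ],
    "client_vpn": {"psk": "client-vpn-secret-2024", "radius_auth": False},
    "anyconnect": {"psk": "anyconnect-secret-xyz"},
    "splash_page": {"radius_auth": False},
    "access_policies": {"radius_auth": True},
    "mx_wireless_ssids": [{"name": "corp", "security": "WPA2",
                           "psk": "wireless-key-123456", "radius_auth": False}],
}
```

Running `fips_prerequisite_findings(SAMPLE_CONFIG)` reports the short PSK, MD5 and DH group 2 on the legacy peer plus RADIUS on the access policies; an empty list means the network is ready for FIPS mode.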

Enable/Disable FIPS mode via UI

FIPS compatible devices will reboot upon enabling FIPS features.

To satisfy the new FIPS compliance requirements for your network, please follow the instructions below.

This setting is available in the Dashboard under Network-wide -> General.

Technical Details

Encryption

Device-to-cloud connectivity uses TLS 1.2 with AES 256 for encryption and uses FIPS-validated cryptography. It enforces mutual TLS and requires the client to use FIPS 140-2 approved algorithms.

Cloud Connectivity

Updated Meraki cloud communication 

  • Device-to-cloud connectivity now communicates via TCP port 443. This is helpful with upstream firewall configurations, as most firewalls that Meraki's devices are behind already allow connections to port 443.

  • Compared to before, this device-to-cloud connectivity method does not use ports 7734 and 7351.
    • This includes list updates, configuration fetching, and firmware fetches.

Firewall rules required 

  • All devices utilizing this device-to-cloud connectivity method require a single firewall rule to allow Meraki cloud communication:
    Allow outbound connections to destination 209.206.48.0/20 on TCP port 443
  • It is advisable for device-to-cloud connectivity management traffic to be exempt from TLS/SSL traffic inspection in order to avoid potential connectivity issues. Because the connection enforces mutual TLS, an inspection proxy that terminates and re-originates the session cannot present the device's client certificate, and the connection fails.
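To check from the firewall side which connection method each device is actually using (the new TCP/443 method to 209.206.48.0/20 or the legacy 7734/7351 ports) and whether a proposed allow rule really covers the whole required block, here is an added example script (not Meraki's own code). The key=value log line format and the source addresses are constructed for this example.

```python
# Added example, not Meraki's code: classify outbound flows from upstream firewall
# logs by Meraki cloud-connectivity method, and sanity-check an allow rule.
# The log line format and all addresses except the /20 are constructed.
import ipaddress

NEW_CLOUD_NET = ipaddress.ip_network("209.206.48.0/20")  # commercial cluster (from the page)
LEGACY_PORTS = {("tcp", 7734), ("udp", 7351)}          # older connection method

def classify_flow(proto, dst_ip, dst_port):
    """'new' for the TCP/443 method, 'legacy' for the 7734/7351 method, else None."""
    proto = proto.lower()
    if proto == "tcp" and dst_port == 443 and ipaddress.ip_address(dst_ip) in NEW_CLOUD_NET:
        return "new"
    if (proto, dst_port) in LEGACY_PORTS:
        return "legacy"
    return None  # unrelated traffic

def connection_versions(log_lines):
    """Map each source (device) IP to the set of connectivity methods observed."""
    seen = {}
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        method = classify_flow(fields["proto"], fields["dst"], int(fields["dport"]))
        if method:
            seen.setdefault(fields["src"], set()).add(method)
    return seen

def firewall_rule_allows(rule_net, rule_port, proto="tcp"):
    """True only if one allow rule covers the entire 209.206.48.0/20 block on TCP/443.
    A rule for a narrower prefix (e.g. a /24) is a common misconfiguration."""
    return (proto.lower() == "tcp" and rule_port == 443
            and ipaddress.ip_network(rule_net).supernet_of(NEW_CLOUD_NET))

# Constructed sample log: one AP on the new method, one switch still on the legacy
# ports, and one flow to an unrelated HTTPS destination (documentation address).
SAMPLE_LOG = [
    "src=10.0.1.10 dst=209.206.50.7 proto=tcp dport=443",
    "src=10.0.1.11 dst=209.206.49.20 proto=udp dport=7351",
    "src=10.0.1.11 dst=209.206.49.20 proto=tcp dport=7734",
    "src=10.0.1.12 dst=203.0.113.5 proto=tcp dport=443",
    "src=10.0.1.10 dst=209.206.50.7 proto=TCP dport=443",
]
```

A device that shows up with both methods has fallen back to its previous firmware and the legacy ports, which is the behaviour described under How to Determine your Connection Version.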