
Cisco Meraki Documentation

Upstream Firewall Rules for Cloud Connectivity

The Cisco Meraki dashboard provides centralized management, optimization, and monitoring of Cisco Meraki devices. In order to manage a Cisco Meraki device through dashboard, it must be able to communicate with the Cisco Meraki cloud (dashboard) over a secure tunnel. This tunnel is created between Cisco Meraki devices and dashboard to pass management and reporting traffic in both directions. 

Because the dashboard is located on the public internet, the tunnel is always initiated outbound from the managed device. Once a connection is established, the device maintains the connection by occasionally sending packets and receiving a response. When a firewall or gateway exists in the data path between the managed device and the dashboard, certain protocols and port numbers must be permitted outbound through the firewall for the secure tunnel to function. 

Addresses and Ports to Allow

A complete list of destination IP addresses, ports, and their respective purposes can be found in dashboard under Help > Firewall info.

This list changes dynamically depending on the devices and services added to the dashboard, as well as the region in which the organization is located. The example below will not necessarily reflect your networks' unique requirements.

Upstream firewall rules for cloud connectivity

Download rules to CSV

Below the firewall rules section is a Download button with two options: Rules as CSV and Unfiltered rules as CSV. Rules as CSV downloads the rules in the same consolidated format shown in dashboard; for example, multiple functions using TCP 443 are combined into one rule. Unfiltered rules as CSV does not combine rules and lists each specific function with its corresponding source, destination, ports, protocol, and so on.

Devices Using the "Backup Cloud Connection"

Devices that connect to the dashboard using UDP port 7351 for their tunnel will attempt to use HTTP/HTTPS if they are unable to connect over port 7351. When a device is operating like this, a message is displayed on the device's status page indicating that the "Connection to the Cisco Meraki cloud is using the backup cloud connection." If this is observed, please ensure that UDP port 7351 is allowed outbound through every firewall or security appliance that traffic from the Cisco Meraki devices passes through.


If you are unable to configure the recommended firewall settings for the backup cloud connection due to security constraints, please note that Cisco Meraki devices will continue to operate normally, but some features of the dashboard may be slower to respond. This includes, but is not limited to:

  • Configuration updates
  • Live tools
  • Firmware upgrades


Unlike other features, Meraki authentication is always sent over UDP 7351 and will not work over a backup connection.


Note: While it is possible for Cisco Meraki devices to operate without the recommended firewall settings in place for the backup cloud connection, the firewall settings for Meraki cloud communication are still required for the devices to function correctly. 

Devices Using the "Uplink Connection Monitor"

Cisco Meraki MX security appliances include features to use multiple redundant WAN links for internet connectivity. 

These features rely on connectivity tests using multiple protocols to various public internet addresses. 

We ask that network administrators allow these common protocols (HTTP, HTTPS, DNS and ICMP) to "any" internet address to allow the connectivity tests to function correctly.

Many Meraki devices perform these connectivity tests including the MX, MR, MV, and MS series of products. 

For a more in-depth explanation of Connection Monitor behavior, please refer to the following documentation: Connection Monitoring for WAN Failover

Upstream Firewall Rules for DNS

Meraki devices must be able to reach port 53 of a DNS server that can resolve the hostnames of Meraki servers.

Upstream Firewall Rules for NTP

Meraki devices must be able to resolve pool.ntp.org and reach it via UDP port 123.

Upstream Firewall Rules for Cisco Threat Grid

For the most up-to-date list of destination addresses and TCP/UDP ports for Cisco Threat Grid, please refer to this document.

  • panacea.threatgrid.com → TCP 443 (North America)
  • panacea.threatgrid.eu → TCP 443 (Europe) 

Upstream Firewall Rules for Cisco AMP

For the most up-to-date list of destination addresses and TCP/UDP ports for Cisco AMP, please refer to this document.

  • cloud-meraki-est.amp.cisco.com → TCP 443
  • cloud-meraki-asn.amp.cisco.com → TCP 443

Upstream Firewall Rules for Cisco Meraki AutoVPN registries

Any device sitting upstream of an MX or an MR/CW access point will need the following destinations added to its allow list so the Meraki device can communicate with the Auto VPN registries:

Port:

  • UDP 9350-9381

IP range for non-China cloud (Meraki dashboard login via meraki.com or gov-meraki.com):

  • 209.206.48.0/20
  • 158.115.128.0/19
  • 216.157.128.0/20

IP range for China cloud (Meraki dashboard login via meraki.cn):

  • 43.192.139.128/25
  • 43.196.13.128/25
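To make the "backup cloud connection" behavior and the Auto VPN registry requirements above checkable against an actual upstream policy, here is an added example (not Meraki's code or tooling) that models outbound allow rules as protocol, destination prefix and port range, reports whether a device would land on the primary UDP 7351 tunnel or the backup HTTP/HTTPS connection, and lists which Auto VPN registry and Talos ranges from this page are not covered. The dashboard address (a documentation placeholder), the rule format and the sample policy are constructed assumptions.

```python
import ipaddress

# Required destinations taken from this page. Dashboard addresses are organisation-
# specific (Help > Firewall info); 203.0.113.10 is a documentation placeholder, not Meraki's.
DASHBOARD_IP = "203.0.113.10"
AUTOVPN_PORTS = (9350, 9381)
AUTOVPN_NETS = ("209.206.48.0/20", "158.115.128.0/19", "216.157.128.0/20")
TALOS_NETS = ("146.112.62.0/24", "146.112.63.0/24", "146.112.255.0/24", "146.112.59.0/24")

def allowed(policy, proto, dst, port):
    """True if some outbound allow rule covers the single flow (proto, dst, port)."""
    ip = ipaddress.ip_address(dst)
    return any(r["proto"] == proto and ip in ipaddress.ip_network(r["dst"])
               and r["ports"][0] <= port <= r["ports"][1] for r in policy)

def covered(policy, proto, net, ports):
    """True if a single rule contains the whole prefix and port range (conservative: coverage
    split across several narrower rules is reported as a gap)."""
    want = ipaddress.ip_network(net)
    return any(r["proto"] == proto and want.subnet_of(ipaddress.ip_network(r["dst"]))
               and r["ports"][0] <= ports[0] and ports[1] <= r["ports"][1] for r in policy)

def cloud_tunnel_mode(policy, dashboard_ip=DASHBOARD_IP):
    """'primary' when UDP 7351 is open; 'backup' when only HTTP/HTTPS is open (slower
    dashboard features, Meraki authentication unavailable); 'blocked' when neither is."""
    if allowed(policy, "udp", dashboard_ip, 7351):
        return "primary"
    if allowed(policy, "tcp", dashboard_ip, 443) or allowed(policy, "tcp", dashboard_ip, 80):
        return "backup"
    return "blocked"

def gaps(policy):
    """Required Auto VPN registry and Talos destinations the policy does not cover."""
    missing = [("udp", n, AUTOVPN_PORTS) for n in AUTOVPN_NETS
               if not covered(policy, "udp", n, AUTOVPN_PORTS)]
    missing += [("tcp", n, (443, 443)) for n in TALOS_NETS
                if not covered(policy, "tcp", n, (443, 443))]
    return missing

# Constructed sample policy: HTTPS to anywhere is open, but UDP 7351 and one Auto VPN
# registry range were forgotten; this is the shape of a "backup cloud connection" case.
SAMPLE_POLICY = [
    {"proto": "tcp", "dst": "0.0.0.0/0", "ports": (443, 443)},
    {"proto": "udp", "dst": "209.206.48.0/20", "ports": (9350, 9381)},
    {"proto": "udp", "dst": "158.115.128.0/19", "ports": (9350, 9381)},
]

if __name__ == "__main__":
    print("cloud tunnel:", cloud_tunnel_mode(SAMPLE_POLICY))
    for proto, net, ports in gaps(SAMPLE_POLICY):
        print(f"missing: allow {proto} to {net} ports {ports[0]}-{ports[1]}")
```

The China cloud ranges and the IPv6 Talos prefixes can be added to the same tuples; `covered` only compares prefixes of the same IP version, so keep IPv4 and IPv6 requirements in separate lists.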

Upstream Firewall Rules for MV Sense Settings  

In instances where MV Sense is configured to transmit to outbound IP addresses or upstream local resources, the upstream firewall rules will need to allow the MQTT telemetry and analytics data to be sent outbound. These destination IP addresses (or hostnames) and ports are configurable on a per-camera basis, so ensure they are recorded in a central location for all devices within your network(s). MQTT commonly uses TCP port 1883 for plaintext and TCP port 8883 for TLS.

For Integration with Cisco DNA Spaces, MV cameras need to use port 1883.

MX Connection Tests

Upstream Firewall Rules for MX Content Filtering Categories 

In instances where another firewall is positioned upstream from the MX, the following FQDN destinations need to be allowed so that categorization traffic can reach the MX and it can apply the proper category classifications. Keep in mind that the IP addresses these domains resolve to differ by region, so ensure you are allowing the correct, current IPs if you use IP-based rules instead of FQDN rules on your upstream firewall.

Domain names to add to the allow list on the upstream firewall:

  • meraki.brightcloud.com (resolves a CNAME to service.brightcloud.com)
  • service2.brightcloud.com


Upstream Firewall Rules for MX Cisco Talos Content Filtering (MX 17+)

MX Security Appliances must be running firmware MX 17 or later.

MX Security Appliances query the Cisco Talos domain and IP addresses below for Content Filtering categorization.

Please ensure the below are allowed on firewalls upstream of the MX along with TCP port 443: 

Domain:

  • *.talos.cisco.com

IPv4 Addresses:

  • 146.112.62.0/24
  • 146.112.63.0/24
  • 146.112.255.0/24
  • 146.112.59.0/24

IPv6 Addresses:

  • 2a04:e4c7:ffff::/48
  • 2a04:e4c7:fffe::/48

MS Connection Tests

Meraki Switches (MS) will perform the following tests:

  • Pings to 8.8.8.8 every second
  • ARP requests for its gateway and its own IP every 150 seconds
  • Round-robin DNS lookups every 150 seconds

MR Connection Tests

MRs will perform the following tests:

  • Pings to 8.8.8.8 every 5 seconds to compute average latency and loss on the uplink
  • ARP requests sent to the MR's default gateway every 10-20 seconds
  • DNS lookups every 60-150 seconds