Upstream Firewall Rules for Cloud Connectivity

The Cisco Meraki dashboard provides centralized management, optimization, and monitoring of Cisco Meraki devices. In order to manage a Cisco Meraki device through dashboard, it must be able to communicate with the Cisco Meraki cloud (dashboard) over a secure tunnel. This tunnel is created between Cisco Meraki devices and dashboard to pass management and reporting traffic in both directions. 

Because the dashboard is located on the public internet, the tunnel is always initiated outbound from the managed device. Once a connection is established, the device maintains the connection by occasionally sending packets and receiving a response. When a firewall or gateway exists in the data path between the managed device and the dashboard, certain protocols and port numbers must be permitted outbound through the firewall for the secure tunnel to function. 

Addresses and Ports to Allow

A complete list of destination IP addresses, ports, and their respective purposes can be found in dashboard under Help > Firewall info.

This list changes dynamically depending on the devices and services added on the dashboard. 

[Figure: screenshot of the dashboard Help > Firewall info page (allowfirewall.jpg)]

CSV Version

"Source_IP","Destination_IP","FQDN","Ports","Protocol","Direction","Description","Devices_using_this_rule"
"209.206.48.0/20, 216.157.128.0/20, 158.115.128.0/19","Your network(s)","","Any","UDP","inbound","SNMP traps","Access points, MX Security Appliance, Switches"
"Your network(s)","64.62.142.12/32, 209.206.48.0/20, 216.157.128.0/20, 158.115.128.0/19","","7351","UDP","outbound","Meraki cloud communication","Access points, Cameras, MX Security Appliance, Switches"
"Your network(s)","17.0.0.0/8","","443, 2195-2196, 5223","TCP","outbound","iOS Systems Manager communication","Systems Manager"
"Your network(s)","Any","","5228-5230","TCP","outbound","Android Systems Manager communication","Systems Manager"
"Your network(s)","13.54.51.60/32, 52.57.34.238/32, 52.59.68.120/32, 198.27.154.14/32, 198.27.154.12/32, 35.162.65.76/32, 35.161.241.24/32, 35.162.58.56/32, 50.18.100.0/32, 13.52.29.190/32, 3.210.175.34/32, 209.206.48.0/20, 216.157.128.0/20, 158.115.128.0/19","","443, 30001","TCP","outbound","Camera streaming proxy","Cameras"
"Your network(s)","Any","","80, 443","TCP","outbound","MV cloud archive, Meraki cloud communication, Systems Manager agent communication, Splash pages","Access points, Cameras, MX Security Appliance, Switches, Systems Manager"
"Your network(s)","158.115.128.0/19, 209.206.48.0/20, 216.157.128.0/20","","80, 993, 7734, 7752, 60000-61000","TCP","outbound","Backup Meraki cloud communication, Backup configuration downloads, Measured throughput to dashboard.meraki.com, Backup firmware downloads, Mac/Windows remote desktop, Mac/Windows agent communication","Access points, Cameras, MX Security Appliance, Switches, Systems Manager"
"Your network(s)","Any","","123","UDP","outbound","NTP time synchronization","Access points, Cameras, MX Security Appliance, Switches"
"Your network(s)","209.206.48.0/20, 216.157.128.0/20, 158.115.128.0/19","","","ICMP","outbound","Uplink connection monitor","MX Security Appliance"
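
The CSV above is the format the dashboard exports, and the rows are the raw material for an upstream rule set. The following is an added example (not Meraki code) that parses that export, answers "does this list permit a given flow?", and renders the outbound rows as iptables commands. The sample rows are constructed from the columns shown above; "Your network(s)" is treated as the local side of each rule, so the remote side is Destination_IP for outbound rows and Source_IP for inbound rows. The iptables rendering assumes a Linux host with an OUTPUT chain and is illustrative only.

```python
"""Turn the dashboard's Help > Firewall info CSV export into checkable rules.

Added example, not Meraki code. SAMPLE_CSV is constructed from the columns of the
export shown on the page; 'Your network(s)' is the local side of each rule, so the
remote side is Destination_IP for outbound rows and Source_IP for inbound rows.
The iptables rendering assumes a Linux OUTPUT chain and is only an illustration.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

SAMPLE_CSV = '''"Source_IP","Destination_IP","FQDN","Ports","Protocol","Direction","Description","Devices_using_this_rule"
"209.206.48.0/20, 216.157.128.0/20, 158.115.128.0/19","Your network(s)","","Any","UDP","inbound","SNMP traps","Access points, MX Security Appliance, Switches"
"Your network(s)","64.62.142.12/32, 209.206.48.0/20, 216.157.128.0/20, 158.115.128.0/19","","7351","UDP","outbound","Meraki cloud communication","Access points, Cameras, MX Security Appliance, Switches"
"Your network(s)","158.115.128.0/19, 209.206.48.0/20, 216.157.128.0/20","","80, 993, 7734, 7752, 60000-61000","TCP","outbound","Backup Meraki cloud communication","Access points, Switches"
"Your network(s)","Any","","123","UDP","outbound","NTP time synchronization","Access points, Cameras"
"Your network(s)","209.206.48.0/20","","","ICMP","outbound","Uplink connection monitor","MX Security Appliance"
'''


@dataclass(frozen=True)
class Rule:
    direction: str      # "outbound" or "inbound"
    protocol: str       # "TCP", "UDP" or "ICMP"
    networks: tuple     # remote-side ip_network objects; empty means "Any"
    ports: tuple        # (low, high) pairs; empty means any port (or none, for ICMP)
    description: str


def parse_ports(field):
    """'80, 993, 60000-61000' -> ((80, 80), (993, 993), (60000, 61000)); '' or 'Any' -> ()."""
    field = field.strip()
    if not field or field.lower() == "any":
        return ()
    ranges = []
    for item in field.split(","):
        low, _, high = item.strip().partition("-")
        ranges.append((int(low), int(high or low)))
    return tuple(ranges)


def parse_networks(field):
    """Comma-separated CIDRs -> tuple of ip_network; 'Any' -> () (unrestricted)."""
    field = field.strip()
    if field.lower() == "any":
        return ()
    return tuple(ipaddress.ip_network(n.strip()) for n in field.split(","))


def parse_firewall_info(text):
    """Parse the export into Rule objects, one per CSV row."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        remote = row["Destination_IP"] if row["Direction"] == "outbound" else row["Source_IP"]
        rules.append(Rule(row["Direction"], row["Protocol"].upper(), parse_networks(remote),
                          parse_ports(row["Ports"]), row["Description"]))
    return rules


def flow_allowed(rules, direction, protocol, remote_ip, port=None):
    """Description of the first rule covering the flow, or None if nothing in the list permits it.

    remote_ip is the far end: the destination for outbound flows, the source for inbound ones.
    """
    addr = ipaddress.ip_address(remote_ip)
    for r in rules:
        if r.direction != direction or r.protocol != protocol.upper():
            continue
        if r.networks and not any(addr in n for n in r.networks):
            continue
        if r.ports and (port is None or not any(lo <= port <= hi for lo, hi in r.ports)):
            continue
        return r.description
    return None


def to_iptables(rules):
    """Render the outbound rules as iptables OUTPUT-chain ACCEPT commands (one per destination network)."""
    lines = []
    for r in rules:
        if r.direction != "outbound":
            continue
        port_spec = ""
        if r.ports:   # multiport accepts single ports and low:high ranges
            spec = ",".join(str(lo) if lo == hi else f"{lo}:{hi}" for lo, hi in r.ports)
            port_spec = f" -m multiport --dports {spec}"
        for dest in [f" -d {n}" for n in r.networks] or [""]:
            lines.append(f"iptables -A OUTPUT -p {r.protocol.lower()}{dest}{port_spec} -j ACCEPT  # {r.description}")
    return lines


if __name__ == "__main__":
    for cmd in to_iptables(parse_firewall_info(SAMPLE_CSV)):
        print(cmd)
```

Because the export changes as devices and services are added to dashboard, re-running this against a fresh download and diffing the rendered rules is a simple way to notice when a new destination or port has appeared that the upstream firewall does not yet permit.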

Devices Using the "Backup Cloud Connection"

While devices will primarily connect to the dashboard using UDP port 7351 for their tunnel, they will attempt to use HTTP/HTTPS if they are unable to connect over port 7351. When devices are operating in this mode, a message is displayed on the device's status page indicating that the "Connection to the Cisco Meraki cloud is using the backup cloud connection." If this is observed, ensure that UDP port 7351 is allowed outbound through every firewall or security appliance that traffic from the Cisco Meraki devices passes through.

If the recommended firewall settings for the backup cloud connection cannot be configured due to security constraints, Cisco Meraki devices will continue to operate normally, but some dashboard features may be slower to respond. This includes, but is not limited to:

  • Configuration updates
  • Live tools
  • Firmware upgrades

Unlike other features, Meraki authentication is always sent over UDP port 7351 and will not work over the backup connection.

Note: While it is possible for Cisco Meraki devices to operate without the recommended firewall settings in place for the backup cloud connection, the firewall settings for Meraki cloud communication are still required for the devices to function correctly. 
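
The status-page message is the device-side symptom; on the firewall side the same condition shows up as denied UDP/7351 traffic to the Meraki cloud ranges from a device that is nonetheless reaching those ranges over TCP 80/443. The following is an added example (not Meraki code) of that check run over firewall logs. The log lines and their key=value format are constructed for the example (adapt LINE_RE to your firewall's export); the Meraki destination ranges are the "Meraki cloud communication" entries from the list above.

```python
"""Spot devices that have fallen back to the "backup cloud connection".

Added example, not Meraki code. It reads firewall log lines in a constructed
key=value format (adapt LINE_RE to your firewall's export) and reports internal
sources whose UDP/7351 traffic to the Meraki cloud ranges is being denied,
noting whether the same source is reaching those ranges over TCP 80/443 instead.
"""
import ipaddress
import re
from collections import defaultdict

# "Meraki cloud communication" destinations from the dashboard Firewall info list.
MERAKI_CLOUD_NETS = [ipaddress.ip_network(n) for n in (
    "64.62.142.12/32", "209.206.48.0/20", "216.157.128.0/20", "158.115.128.0/19")]
TUNNEL_PORT = 7351          # primary management tunnel, UDP
BACKUP_PORTS = {80, 443}    # HTTP/HTTPS fallback

# Constructed sample log: 10.0.1.20 is blocked on UDP/7351 and is reaching the cloud over 443;
# 10.0.1.21 is healthy; 10.0.1.22's denied packet is to a non-Meraki address and is ignored.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fw1 DENY proto=udp src=10.0.1.20 dst=209.206.50.1 sport=55012 dport=7351
2024-05-01T10:00:03Z fw1 ALLOW proto=tcp src=10.0.1.20 dst=209.206.50.1 sport=55013 dport=443
2024-05-01T10:00:05Z fw1 ALLOW proto=udp src=10.0.1.21 dst=216.157.130.9 sport=40001 dport=7351
2024-05-01T10:00:07Z fw1 DENY proto=udp src=10.0.1.22 dst=203.0.113.9 sport=40002 dport=7351
2024-05-01T10:00:09Z fw1 DENY proto=udp src=10.0.1.20 dst=158.115.140.2 sport=55014 dport=7351
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)$")


def is_meraki_cloud(ip):
    """True if ip falls inside one of the Meraki cloud communication ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MERAKI_CLOUD_NETS)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_backup_connection_devices(log_text):
    """Return {src: {...}} for sources whose UDP/7351 to the Meraki cloud is denied."""
    findings = defaultdict(lambda: {"tunnel_denied": 0, "backup_seen": False, "last_denied": None})
    backup_sources = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_meraki_cloud(rec["dst"]):
            continue   # unparsable line, or a destination outside the Meraki ranges
        if rec["proto"] == "udp" and rec["dport"] == TUNNEL_PORT and rec["action"] == "DENY":
            f = findings[rec["src"]]
            f["tunnel_denied"] += 1
            f["last_denied"] = rec["ts"]
        elif rec["proto"] == "tcp" and rec["dport"] in BACKUP_PORTS and rec["action"] == "ALLOW":
            backup_sources.add(rec["src"])
    for src in findings:
        findings[src]["backup_seen"] = src in backup_sources
    return dict(findings)


def report(findings):
    """One human-readable line per affected source."""
    lines = []
    for src, f in sorted(findings.items()):
        if f["backup_seen"]:
            mode = "reaching the cloud over HTTP/HTTPS (backup cloud connection; Meraki authentication will not work)"
        else:
            mode = "no fallback traffic observed yet"
        lines.append(f"{src}: UDP/7351 to Meraki cloud denied {f['tunnel_denied']}x "
                     f"(last {f['last_denied']}); {mode}")
    return lines


if __name__ == "__main__":
    for line in report(find_backup_connection_devices(SAMPLE_LOG)):
        print(line)
```

Any source this reports is a device whose fix is the firewall rule, not the device: the UDP/7351 allow rule for the Meraki cloud ranges is missing or mis-scoped somewhere on the path.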

Devices Using the "Uplink Connection Monitor"

Cisco Meraki MX security appliances include features that use multiple redundant WAN links for internet connectivity.

These features rely on connectivity tests using multiple protocols to various public internet addresses.

We ask that network administrators allow these common protocols (HTTP, HTTPS, DNS and ICMP) to "any" internet address so that the connectivity tests function correctly.

Upstream Firewall Rules for Cisco Threat Grid

For the most up-to-date list of destination addresses and TCP/UDP ports for Cisco Threat Grid, please refer to this document.

  • panacea.threatgrid.com → TCP 443 (North America)
  • panacea.threatgrid.eu → TCP 443 (Europe) 

Upstream Firewall Rules for Cisco AMP

For the most up-to-date list of destination addresses and TCP/UDP ports for Cisco AMP, please refer to this document.

  • cloud-meraki-est.amp.cisco.com → TCP 443
  • cloud-meraki-asn.amp.cisco.com → TCP 443

Upstream Firewall Rules for Cisco Meraki AutoVPN registries

A device sitting upstream of a Cisco Meraki security appliance (MX) will need the following destination subnet(s)/port(s) whitelisted so that the MX can communicate with the AutoVPN registries:

  • 209.206.48.0/20 → UDP 9350 and 9351

Upstream Firewall Rules for MV Sense Settings  

In instances where MV Sense is configured to transmit to outbound IP addresses or upstream local resources, the upstream firewall rules will need to be configured to allow MQTT telemetry and analytics data to be sent outbound. These destination IP addresses (or hostnames) and ports are configurable on a per-camera basis, so ensure they are recorded in a central location for all devices within your network(s). MQTT commonly uses TCP port 1883 for plaintext connections and TCP port 8883 for MQTT over TLS.

For integration with Cisco DNA Spaces, MV cameras need to use port 1883.

MX Connection Tests

Upstream Firewall Rules for MX Content Filtering Categories 

In instances where another firewall is positioned upstream from the MX, the following FQDN destinations need to be allowed in order for categorization traffic to pass successfully to the MX, so that it can use the proper category classifications. Keep in mind that the IP addresses these domains resolve to differ by region, so ensure you are allowing the correct, current IPs if you are using IP-based rules instead of FQDN rules on your upstream firewall.

Domain names to whitelist on upstream firewall

  • meraki.brightcloud.com (resolves a CNAME to service.brightcloud.com)
  • service2.brightcloud.com
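
The regional-resolution caveat above is where IP-based rules silently rot: the FQDN starts resolving to an address the rule never covered, and category lookups fail. The following is an added example (not Meraki code) of a drift check that resolves each FQDN and reports any answer no allowlist entry covers. The resolver is injectable so the check can run offline; FAKE_ANSWERS and CURRENT_ALLOWLIST are constructed placeholders using documentation address space, not real records for these domains.

```python
"""Check whether an IP-based upstream allowlist still covers what the FQDNs resolve to.

Added example, not Meraki code. resolve_system uses the host resolver (the live path);
FAKE_ANSWERS and CURRENT_ALLOWLIST are constructed placeholders (documentation
addresses, not real records) so the check runs offline.
"""
import ipaddress
import socket


def resolve_system(fqdn):
    """All A/AAAA answers for fqdn from the system resolver (live path, not used offline)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None)})


def uncovered_addresses(fqdns, allowed_cidrs, resolve=resolve_system):
    """Map each FQDN to the resolved addresses no allowlist entry covers; an empty dict means no drift."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    report = {}
    for fqdn in fqdns:
        missing = [ip for ip in resolve(fqdn)
                   if not any(ipaddress.ip_address(ip) in net for net in nets)]
        if missing:
            report[fqdn] = missing
    return report


# Constructed stand-in for a live resolver; documentation addresses, not real records.
FAKE_ANSWERS = {
    "meraki.brightcloud.com": ["192.0.2.10", "192.0.2.11"],
    "service2.brightcloud.com": ["198.51.100.7"],
}


def fake_resolve(fqdn):
    return FAKE_ANSWERS[fqdn]


# Constructed: an IP rule written when every answer still fell inside 192.0.2.0/28.
CURRENT_ALLOWLIST = ["192.0.2.0/28"]


if __name__ == "__main__":
    drift = uncovered_addresses(FAKE_ANSWERS, CURRENT_ALLOWLIST, fake_resolve)
    for fqdn, ips in drift.items():
        print(f"{fqdn}: not covered by allowlist -> {', '.join(ips)}")
```

Run with resolve_system on the firewall's own DNS path (resolution differs by region, so resolving from the site that hosts the MX is what matters), and schedule it so a changed answer is caught before users notice broken categorization.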

Upstream Firewall Rules for MX Cisco Talos Content Filtering (MX 17+)

MX Security Appliances must be running MX 17 or later firmware.

MX Security Appliances query the Cisco Talos domain and IP addresses below for content filtering categorization. Please ensure these are allowed on firewalls upstream of the MX.

Domain:

  • *.talos.cisco.com

IPv4 Addresses:

  • 146.112.62.0/24
  • 146.112.63.0/24
  • 146.112.255.0/24
  • 146.112.59.0/24

IPv6 Addresses:

  • 2a04:e4c7:ffff::/48
  • 2a04:e4c7:fffe::/48