Upstream Firewall Rules for Cloud Connectivity

The Cisco Meraki dashboard provides centralized management, optimization, and monitoring of Cisco Meraki devices. In order to manage a Cisco Meraki device through dashboard, it must be able to communicate with the Cisco Meraki cloud (dashboard) over a secure tunnel. This tunnel is created between Cisco Meraki devices and dashboard to pass management and reporting traffic in both directions. 

Because the dashboard is located on the public internet, the tunnel is always initiated outbound from the managed device. Once a connection is established, the device maintains the connection by occasionally sending packets and receiving a response. When a firewall or gateway exists in the data path between the managed device and the dashboard, certain protocols and port numbers must be permitted outbound through the firewall for the secure tunnel to function. 

Addresses and Ports to Allow

A complete list of destination IP addresses, ports, and their respective purposes can be found in dashboard under Help > Firewall info. This list changes dynamically depending on the devices and services added on the dashboard. 

CSV Version

"Source_IP","Destination_IP","FQDN","Ports","Protocol","Direction","Description","Devices_using_this_rule"
"Your network(s)","108.161.147.0/24, 199.231.78.0/24, 64.62.142.12/32, 209.206.48.0/20","","7351","UDP","outbound","Meraki cloud communication","Access points, Cameras, MX Security Appliance, Switches"
"Your network(s)","199.231.78.148/32, 64.156.192.245/32","","9350-9351","UDP","outbound","VPN registry","Access points, MX Security Appliance"
"Your network(s)","Any","api.meraki.com","443","TCP","outbound","API Requests",""
"Your network(s)","17.0.0.0/8","","443, 2195-2196, 5223","TCP","outbound","iOS Systems Manager communication","Systems Manager"
"Your network(s)","Any","","5228-5230","TCP","outbound","Android Systems Manager communication","Systems Manager"
"Your network(s)","Any","","80, 443","TCP","outbound","MV cloud archive, Advanced Malware Protection (AMP) lookups, Systems Manager agent communication, Splash pages","Access points, Cameras, MX Security Appliance, Systems Manager"
"Your network(s)","3.210.175.34/32, 13.52.29.190/32, 13.54.51.60/32, 35.161.241.24/32, 35.162.58.56/32, 35.162.65.76/32, 50.18.100.0/32, 52.33.92.73/32, 52.57.34.238/32, 52.59.68.120/32, 52.208.175.132/32, 198.27.154.12/32, 198.27.154.14/32, 209.206.48.0/20","","80, 443, 993, 6514, 7734, 7752, 30001, 60000-61000","TCP","outbound","Camera streaming proxy, Mac/Windows remote desktop, Mac/Windows agent communication, Insight data collection, Backup Meraki cloud communication, Backup configuration downloads, Measured throughput to dashboard.meraki.com, Backup firmware downloads","Access points, Cameras, MX Security Appliance, Switches, Systems Manager"
"Your network(s)","192.168.128.1/32","","1812","UDP","inbound","802.1X with customer-hosted RADIUS","Access points"
"Your network(s)","Any","","123","UDP","outbound","NTP time synchronization","Access points, Cameras, MX Security Appliance, Switches"
"Your network(s)","8.8.8.8/32","","53","UDP","outbound","Uplink connection monitor","MX Security Appliance"
"Your network(s)","8.8.8.8/32, 209.206.48.0/20","","","ICMP","outbound","Uplink connection monitor","MX Security Appliance"

It's important to note that different organizations may communicate with different servers, so this list can vary between organizations.

There are some circumstances where the IP address or port used to communicate with the dashboard may change. If this type of change is required, administrators are notified in advance. Secure tunnel connectivity is also redundant and will continue to operate through a secondary connection.

Devices Using the "Backup Cloud Connection"

While devices will primarily connect to the dashboard using UDP port 7351 for their tunnel, they will attempt to use HTTP/HTTPS if unable to connect over port 7351. When devices are operating like this, a message will be displayed on the device's status page indicating that the "Connection to the Cisco Meraki cloud is using the backup cloud connection." If this is observed, please ensure that UDP port 7351 is allowed outbound through every firewall or security appliance that traffic from the Cisco Meraki devices will pass through.

If unable to configure the recommended firewall settings for the backup cloud connection due to security constraints, please note that Cisco Meraki devices will continue to operate normally, but some features of the dashboard may be slower to respond. This includes, but is not limited to:

  • Configuration updates
  • Live tools
  • Firmware upgrades

Unlike other features, Meraki authentication is always sent over UDP 7351 and will not work over a backup connection.

Note: While it is possible for Cisco Meraki devices to operate without the recommended firewall settings in place for the backup cloud connection, the firewall settings for Meraki cloud communication are still required for the devices to function correctly. 
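
As an added example (not Meraki's own tooling), the following Python parses the Help > Firewall info CSV shown above into one rule per destination, renders the outbound IP-based rules as iptables lines, and checks that the UDP 7351 rule is present, since its absence is what puts devices on the backup cloud connection described in this section. The embedded CSV rows are constructed from the list above; the iptables rendering illustrates one firewall format and is not a configuration Meraki publishes.

```python
import csv, io, ipaddress
from collections import namedtuple

# Constructed sample: a subset of the Help > Firewall info CSV quoted on this page.
FIREWALL_INFO_CSV = '''"Source_IP","Destination_IP","FQDN","Ports","Protocol","Direction","Description","Devices_using_this_rule"
"Your network(s)","108.161.147.0/24, 199.231.78.0/24, 64.62.142.12/32, 209.206.48.0/20","","7351","UDP","outbound","Meraki cloud communication","Access points, Cameras, MX Security Appliance, Switches"
"Your network(s)","199.231.78.148/32, 64.156.192.245/32","","9350-9351","UDP","outbound","VPN registry","Access points, MX Security Appliance"
"Your network(s)","Any","api.meraki.com","443","TCP","outbound","API Requests",""
"Your network(s)","Any","","5228-5230","TCP","outbound","Android Systems Manager communication","Systems Manager"
"Your network(s)","8.8.8.8/32, 209.206.48.0/20","","","ICMP","outbound","Uplink connection monitor","MX Security Appliance"
'''

Rule = namedtuple("Rule", "proto dest ports direction description")

def _is_cidr(value):
    try:
        return bool(ipaddress.ip_network(value))
    except ValueError:
        return False

def parse_firewall_info(text, device=None):
    """One Rule per destination; dest is a CIDR, an FQDN or "any", ports is "" for ICMP.
    Rows with no device list (the API row) are kept for every device filter."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        devices = [d.strip() for d in row["Devices_using_this_rule"].split(",") if d.strip()]
        if device and devices and device not in devices:
            continue
        dests = [row["FQDN"]] if row["FQDN"] else [d.strip() for d in row["Destination_IP"].split(",")]
        for dest in dests:
            rules.append(Rule(row["Protocol"].lower(), dest.lower(), row["Ports"],
                              row["Direction"].lower(), row["Description"]))
    return rules

def to_iptables(rules):
    """Render outbound rules as iptables FORWARD lines; FQDN destinations are skipped
    because netfilter matches addresses, not names, so they need a DNS-aware firewall."""
    lines = []
    for r in rules:
        if r.direction != "outbound" or (r.dest != "any" and not _is_cidr(r.dest)):
            continue
        line = f"-A FORWARD -p {r.proto}" + (f" -d {r.dest}" if r.dest != "any" else "")
        if r.ports:  # iptables writes port ranges as low:high
            line += f" --dport {r.ports.replace('-', ':')}"
        lines.append(line + " -j ACCEPT")
    return lines

def has_primary_tunnel_rule(rules):
    # Devices fall back to the HTTP/HTTPS backup cloud connection only when UDP 7351 is blocked.
    return any(r.proto == "udp" and r.ports == "7351" and r.direction == "outbound" for r in rules)
```

Re-export the CSV from Help > Firewall info whenever devices or services are added, since the list changes with the organization.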

Devices Using the "Uplink Connection Monitor"

Cisco Meraki MX security appliances include features to use multiple redundant WAN links for internet connectivity. 

These features rely on connectivity tests using multiple protocols to various public internet addresses. 

We ask that network administrators allow these common protocols (HTTP, HTTPS, DNS and ICMP) to "any" internet address to allow the connectivity tests to function correctly.

Upstream Firewall Rules for MV Sense Settings  

In instances where MV Sense is configured to transmit to outbound IP addresses or upstream local resources, the upstream firewall rules will need to be configured to allow MQTT telemetry and analytics data to be sent outbound. These destination IP addresses (or hostnames) and ports are configurable on a per-camera basis, so ensure they are recorded in a central location for all devices within your network(s). MQTT commonly uses TCP port 1883 for unencrypted connections and TCP port 8883 for TLS.

For Integration with Cisco DNA Spaces, MV cameras need to use port 1883.

Upstream Firewall Rules for MX Content Filtering Categories 

In instances where another firewall is positioned upstream of the MX, the following FQDN destinations need to be allowed in order for categorization information to pass successfully to the MX, so it can apply the proper category classifications. Keep in mind that the IP addresses these domains resolve to differ regionally, so ensure you are allowing the correct, current IPs if using IP-based rules instead of FQDN rules on your upstream firewall.

Domain names to whitelist on upstream firewall

  • meraki.brightcloud.com (resolves via a CNAME to service.brightcloud.com)
  • service2.brightcloud.com
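
To illustrate the regional-IP caveat above, here is an added Python check (not part of this article or of any Meraki tool) that follows the CNAME and compares each FQDN's current A records against an IP-based allow list, reporting resolutions the upstream firewall would drop. The DNS snapshot and CIDRs are constructed placeholders in documentation ranges, not real BrightCloud addresses; in practice the snapshot would come from a resolver query run from the firewall's region.

```python
import ipaddress

# Constructed DNS snapshot (documentation-range addresses, not real BrightCloud IPs).
# The CNAME mirrors the page: meraki.brightcloud.com -> service.brightcloud.com.
DNS_SNAPSHOT = {
    "meraki.brightcloud.com": {"cname": "service.brightcloud.com"},
    "service.brightcloud.com": {"a": ["192.0.2.10", "192.0.2.11"]},
    "service2.brightcloud.com": {"a": ["198.51.100.20"]},
}

# The two domains the page says must be allowed upstream of the MX.
REQUIRED_FQDNS = ["meraki.brightcloud.com", "service2.brightcloud.com"]

def resolve(name, snapshot, depth=0):
    """Follow CNAMEs until A records are found; bounded so a loop cannot recurse forever."""
    if depth > 8:
        raise ValueError(f"CNAME chain too long for {name}")
    rec = snapshot.get(name, {})
    if "cname" in rec:
        return resolve(rec["cname"], snapshot, depth + 1)
    return [ipaddress.ip_address(a) for a in rec.get("a", [])]

def uncovered_addresses(required, snapshot, allowed_cidrs):
    """Return {fqdn: [ip, ...]} for current resolutions that no IP-based allow rule
    covers, i.e. the regional drift that silently breaks categorization lookups."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    gaps = {}
    for fqdn in required:
        missing = [str(ip) for ip in resolve(fqdn, snapshot) if not any(ip in n for n in nets)]
        if missing:
            gaps[fqdn] = missing
    return gaps
```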