
MR Firewall Rules

Custom firewall rules provide an administrator with more granular access control beyond LAN isolation. An administrator can define a set of firewall rules that is evaluated for every request sent by a wireless user associated with that SSID. Firewall rules are evaluated from top to bottom. The first rule that matches is applied, and subsequent rules are not evaluated. If no rules match, the default rule (allow all traffic) is applied.

Layer 3 Firewall Rules


Layer 3 firewall rules on the MR are stateless and can be based on destination address and port. As an example, the figure below depicts a sample set of custom firewall rules that will be enforced at layer 3. 

Different kinds of requests will match different rules, as the table below shows. For a web request to CNN, rules 1-4 do not match, so rule #5 (the default rule) applies, and the request is allowed. In contrast, for a BitTorrent request over TCP port 6881, rule #1 does not match, but rule #2 matches. The request is denied, and no subsequent rules are evaluated. 
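The first-match evaluation described above can be modelled in a few lines. This is an added example, not Meraki code; the rule set and addresses are constructed sample values chosen so that a BitTorrent request hits rule #2 and a public web request falls through to the default rule #5. It also shows how moving an allow rule below a broader deny changes the outcome.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    policy: str    # "allow" or "deny"
    protocol: str  # "tcp", "udp" or "any"
    dest: str      # destination CIDR, or "any"
    port: str      # "6881", a range such as "6881-6889", or "any"

    def matches(self, protocol, dst_ip, dst_port):
        if self.protocol not in ("any", protocol):
            return False
        if self.dest != "any" and (
            ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dest)
        ):
            return False
        if self.port != "any":
            lo, _, hi = self.port.partition("-")
            if not int(lo) <= dst_port <= int(hi or lo):
                return False
        return True


def evaluate(rules, protocol, dst_ip, dst_port):
    """Return (rule_number, policy) for the first matching rule, top to bottom."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(protocol, dst_ip, dst_port):
            return number, rule.policy
    # No custom rule matched: the default rule (allow all traffic) applies.
    return len(rules) + 1, "allow"


# Constructed rule set; addresses are hypothetical sample values.
RULES = [
    Rule("allow", "tcp", "192.168.1.10/32", "80"),  # 1: one internal web server
    Rule("deny", "tcp", "any", "6881"),             # 2: BitTorrent port
    Rule("deny", "any", "10.0.0.0/8", "any"),       # 3: private range
    Rule("deny", "any", "192.168.0.0/16", "any"),   # 4: private range
]
# Same rules with the allow moved below the broad deny that covers it.
REORDERED = [RULES[1], RULES[2], RULES[3], RULES[0]]

if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "203.0.113.10", 80))      # public web server
    print(evaluate(RULES, "tcp", "203.0.113.10", 6881))    # BitTorrent
    print(evaluate(RULES, "tcp", "192.168.1.10", 80))      # allowed exception
    print(evaluate(REORDERED, "tcp", "192.168.1.10", 80))  # exception now shadowed
```

When reviewing a rule set, check that every narrow allow sits above any broader deny that covers the same destination, since a rule placed below a matching rule is never evaluated.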


Create a "Deny Local LAN" firewall rule to easily create a secure guest SSID.


Layer 7 Firewall Rules


Meraki's layer 7 traffic analysis technology makes it possible to create layer 7 firewall rules that completely block certain applications. These rules rely on Meraki's heuristic application fingerprints, so there is no need to specify IP addresses or port ranges. This can be useful when applications use multiple or changing IP addresses or port ranges.

It is possible to block applications by category (e.g. 'All video & music sites') or for a specific type of application within a category (e.g. only iTunes within the 'Video & music' category). The figure below illustrates a set of layer 7 firewall rules including applications blocked by entire categories and specific applications blocked within a category:





Firewall rules can be applied for a given SSID or as part of a group policy. The SSID-level firewall is configured on the Wireless > Firewall and Traffic Shaping page for each SSID. Group policy configuration is covered in a separate detailed article.


Article ID

ID: 3980
