The firewall settings page in the Meraki Dashboard is accessible via Security Appliance/Teleworker Gateway > Configure > Firewall. On this page you can configure Layer 3 and Layer 7 outbound firewall rules, publicly available appliance services, port forwarding, 1:1 NAT mappings, and 1:Many NAT mappings.
In NAT mode, all inbound connections are denied except for ICMP traffic to the appliance, by default. If you want to allow additional inbound traffic, you will need to create a new port forwarding rule or NAT policy and explicitly allow connections based on protocols, ports, or remote IP addresses (see below).
Outbound connections are allowed by default. Customers may need to add a default deny rule for compliance and increased security.
Here you can configure permit or deny Access Control List (ACL) statements to determine what traffic is allowed between VLANs or out from the LAN to the Internet. These ACL statements can be based on protocol, source IP address and port, and destination IP address and port. These rules do not apply to VPN traffic. To configure firewall rules that affect traffic between VPN peers, please refer to Site-to-site VPN Settings.
Click Add a rule to add a new outbound firewall rule.
Under Actions you can move your configured rules up or down in the list. You can also click the X next to a rule to remove it from the list.
Template Firewall Rules
Additional options are available when configuring firewall rules on a configuration template. For details, see the Firewall rules for templates section of the Configuration Templates page.
These firewall rules are appended to the existing outbound rules when the appliance has failed over to using a cellular modem as its uplink. This can be useful for limiting cellular traffic to only business-critical uses in order to prevent unnecessary cellular overages.
Using Meraki's unique layer 7 traffic analysis technology, it is possible to create firewall rules to block specific web-based services, websites, or types of websites without having to specify IP addresses or port ranges. This can be particularly useful when applications or websites use more than one IP address, or when their IP addresses or port ranges are subject to change.
It is possible to block applications by category (e.g. 'All video & music sites') or for a specific type of application within a category (e.g. only iTunes within the 'Video & music' category). The figure below illustrates a set of layer 7 firewall rules that includes both blocking entire categories and blocking specific applications within a category:
It is also possible to block traffic based on HTTP hostname, destination port, remote IP range, and destination IP/port combinations.
The Layer 7 Firewall can also be used to block traffic based on the source country of inbound traffic or the destination country of outbound traffic. To do so, create a new Layer 7 Firewall rule and select Countries... from the Application drop-down. You have the option of blocking all traffic to or from a specified set of countries or blocking any traffic that is not to or from a specified set of countries.
Geo-IP firewall rules are available only in the Advanced Security Edition.
Use this area to configure port forwarding rules and 1:1 NAT mappings as desired.
Use this option to forward traffic destined for the WAN IP of the MX on a specific port to any IP address within a local subnet or VLAN. Click Add a port forwarding rule to create a new port forward. You need to provide the following:
Description: A description of the rule.
You can also create a port forwarding rule to forward a range of ports. However, the range configured in the Public port field must be the same length as the range configured in the Local port field. The public ports will be forwarded to their corresponding local ports within the range. For instance, if you forward TCP 223-225 to TCP 628-630, port 223 would be translated to 628, port 224 would be translated to 629, and port 224 would be translated to 630.
Use this option to map an IP address on the WAN side of the MX (other than the WAN IP of the MX itself) to a local IP address on your network. Click Add a 1:1 NAT mapping to create a new mapping. You need to provide the following:
Under Actions you can move a configured rule up or down in the list. Click the X to remove it entirely.
Creating a 1:1 NAT rule does not automatically allow inbound traffic to the public IP listed in the NAT mapping. By default all inbound connections are denied. You will have to configure Allowed inbound connections as described above in order to allow the inbound traffic.
1:Many NAT, also known as Port Address Translation (PAT), is more flexible that 1:1 NAT. It allows you to specify one public IP that has multiple forwarding rules for different ports and LAN IPs. To add a 1:Many NAT listener IP, click Add 1:Many IP.
A 1:Many NAT entry will be created with one associated forwarding rule. To add additional rules, click Add a port forwarding rule under the existing rule or rules for a particular 1:Many entry.
Description: A description of the rule.
Use this feature to allow Bonjour to work between VLANs. Click Add a Bonjour forwarding rule to create a new forwarding rule.