Site-to-site VPN Firewall Rule Behavior
Administrators have the ability to add firewall rules to restrict the traffic flow through the VPN tunnel for a Cisco Meraki MX Security Appliance. Similar to other Meraki firewall options, this firewall is stateful and will only block traffic if it does not match an existing flow.
These firewall rules will apply to all MX networks in the organization that participate in site-to-site VPN (both AutoVPN and Non-Meraki).
Creating Firewall Rules
To create a firewall rule, follow the steps below.
Navigate to Security & SD-WAN > Configure > Site-to-site VPN.
Select Add a rule in the Site-to-site outbound firewall under the Organization-wide settings section of the page.
Fill in the desired parameters for the rule
Select Save changes.
Considerations for VPN Firewall Rules
When configuring VPN Firewall rules, it is important to remember that traffic should be stopped as close to the originating client device as possible. This cuts down on traffic over the VPN tunnel and will result in the best network performance. Because of this, site-to-site firewall rules are applied only to outgoing traffic. As such, the MX cannot block VPN traffic initiated by non-Meraki peers.
The image below demonstrates a misconfigured site-to-site firewall rule. Site-to-site firewall rules only apply to outbound traffic. This rule will never be applied as the source subnet is not a LAN subnet on the MX:
The following image demonstrates a site to site firewall rule that will be applied correctly. Traffic from the 10.0.1.0/24 subnet will not be able to reach 10.0.2.0/24 subnet since the 10.0.1.0/24 subnet is a LAN subnet on the MX.
When traffic passing through the MX matches a site-to-site VPN route, VPN firewall rules are applied in descending order. VPN traffic to both AutoVPN and Non-Meraki peers is only subject to the site-to-site firewall rules and is never subject to global Layer 3 firewall rules.
Layer 7 Firewall Rules
Unlike Layer 3 firewall rules, Layer 7 firewall rules configured on the Security & SD-WAN > Configure > Firewall page will still apply locally to client traffic destined across both AutoVPN and Non-Meraki peers.