Home > Security and SD-WAN > Site-to-site VPN > Site-to-site VPN Firewall Rule Behavior

Site-to-site VPN Firewall Rule Behavior


Administrators have the ability to add firewall rules to restrict the traffic flow through the VPN tunnel for a Cisco Meraki MX Security Appliance. Similar to other Meraki firewall options, this firewall is stateful and will only block traffic if it does not match an existing flow.

These firewall rules will apply to all MX networks in the organization that participate in site-to-site VPN (both AutoVPN and Non-Meraki).

Creating Firewall Rules

To create a firewall rule, follow the steps below.

  1. Navigate to Security & SD-WAN > Configure > Site-to-site VPN.

  2. Select Add a rule in the Site-to-site outbound firewall under the Organization-wide settings section of the page.
    org-wide settings outbound rules.PNG

  3. Fill in the desired parameters for the rule

  4. Select Save changes.

Considerations for VPN Firewall Rules

When configuring VPN Firewall rules, it is important to remember that traffic should be stopped as close to the originating client device as possible. This cuts down on traffic over the VPN tunnel and will result in the best network performance. Because of this, site-to-site firewall rules are applied only to outgoing traffic. As such, the MX cannot block VPN traffic initiated by non-Meraki peers. 


The image below demonstrates a misconfigured site-to-site firewall rule. Site-to-site firewall rules only apply to outbound traffic. This rule will never be applied as the source subnet is not a LAN subnet on the MX:



The following image demonstrates a site to site firewall rule that will be applied correctly. Traffic from the subnet will not be able to reach subnet since the subnet is a LAN subnet on the MX.15abbaa0-386a-4f07-9421-b38b2f8ba60b


When traffic passing through the MX matches a site-to-site VPN route, VPN firewall rules are applied in descending order. VPN traffic to both AutoVPN and Non-Meraki peers is only subject to the site-to-site firewall rules and is never subject to global Layer 3 firewall rules.


Last modified



This page has no classifications.

Explore the Product

Click to Learn More

Article ID

ID: 1399

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community