Skip to main content

 

Cisco Meraki Documentation

Organization-wide Group Policy User Guide

  1. Last updated
  2. Save as PDF

Configuration Overview 

In this guide we will configure and manage Organization-wide Group Policies.

Definitions

  • Enforcement Target: Defines the "who" or "what" the policy applies to (acting as the "source" in a typical firewall rule). This can be a specific VLAN(s) or an SGT from which traffic originates.
  • Rulesets: A collection of firewall rules that can include both Layer 3 (IPv4) and Layer 7 (Application) criteria.
  • Firewall Rule: Specifies the criteria (source, destination, port, protocol) and the action (allow or deny) to be taken on traffic.

Managing Policies

Navigate to Security >  Group Policy. Here, you will find a comprehensive list of all configured policies. This page allows you to review each group policy in detail, including its enforcement targets, rulesets, and the last modified date. owp-gp-overview.png

Creating a New Policy

  1. Navigate to Security > Group Policy.
  2. Click Add group policy in the upper-right corner of the table.
  3. Enter a name for the new policy.
  4. (Optional) Enter a description for the policy.
  5. Click Save.

Once a policy is created, be sure to add an Enforcement Target and attach a Ruleset.

create-policy.png

Editing an existing Policy

  1. Navigate to Security > Group Policy.
  2. Click the name of the policy you want to edit.

Add Enforcement Target

For more information on Enforcement Targets and version support, please see this guide.

  1. Inside the policy, click the Add enforcement button.
  2. A selector will appear showing all configured network VLANs or SGTs.
    • Only MX VLANs meeting the firmware requirements will be selectable.
    • A specific VLAN or SGT can only belong to a single Organization-wide Group Policy.
    • If using SGT as an Enforcement Target, please refer to the troubleshooting guide for more information. 
  3. Select your target and click Save. This action immediately commits the change.

select-enforcement-target.png

Warning: Changes take effect immediately upon saving.

Attaching a Ruleset 
  1. Inside the policy, click Attach rulesets.
  2. Select the desired ruleset(s).

  3. Enter the Ruleset Priority. The default is one which will put the rule at the top of the list 

  4. Repeat steps 2-3 as needed 

  5. The rules are currently staged. Click Save and deploy to immediately commit the policy  

Warning: Changes take effect immediately upon saving.

Managing Rulesets

Creating a Ruleset

  1. Navigate to Security > Group Policy and click the Rulesets tab.
  2. Click Add ruleset in the top right corner.
  3. To edit an existing ruleset, click its name.
  4. To delete a ruleset, click Delete ruleset, then confirm by clicking "I understand" and "Delete ruleset" in the modal.
  5. Click Save. Once the rule profile is created it will appear with an empty rule list.  

ruleset_tab.png

Adding Rules to a Ruleset

  1. Navigate to Security > Group Policy and select Rulesets tab.
  2. Click on the name of a ruleset to edit it.
  3. Click the Add rule button.
  4. Configure the Rule criteria (more information below)
  5. Click Save to return to the ruleset view.

Rules can be configured with the following options:

  • Name: Give the rule a descriptive name without using special characters: #, /, $, @, %, !, etc
  • Add description: (Optional) Add a description of the rule
  • Priority: By default, new rules are added to the top. Enter a specific number to insert the rule at that priority level. 
    • Example: entering 2 in a list of 10 rules will place the new rule in the second position and shift the rest of the rules down
    • Example: entering 99 in a list of 10 rules will place the new rule at the bottom as rule 11.
  • Rule Status: Enable or disable the rule. If the rule is disabled, it will not be enforced. (Default: Enabled). 
  • Logging: Enable syslog logging when the rule is matched 
  • Action: Choose Allow or Deny.
  • Source:
    • Default: "Any" (The dashboard uses the Policy's Enforcement Target as the source).
    • Specify Source: You can manually enter an IP/CIDR, select a Policy Object/Group, select a specific VLAN, or specify source ports.
  • Destination: Choose from the following:
    • Policy Objects / Groups: Reusable objects created under Organization > Policy Objects.
    • Internet and SaaS Resources: Layer 7 application categories (NBAR). *See note below*
    • IP Address/Subnet: Standard L3 IPv4 CIDR input.
    • Ports and Protocols: TCP, UDP (with specific ports), or ICMP.
    • VLANs: Select any VLAN within your organization.
    • Geo IP: Matches traffic based on the geographic location 

    • FQDN: Matches traffic based on a Fully Qualified Domain Name (for example, example.com 

    • Site-specific VLANs: Substitutes the VLAN as an object in place of the IP associated with the VLAN  

    • IPv4 Offset: Specifies an offset (for example, 20) to apply the rule to the nth IP address within the VLAN’s subnet. If the offset exceeds the available IP range, the term will not be enforced. 

    • IPv6 Offset: Specifies an offset (for example, 0:0:0:20) to apply the rule to the nth IP address within the VLAN’s subnet. If the offset exceeds the available IP range, the term will not be enforced.  

    • SGT: Select any Security Group Tag (SGT) within your organization 

Note: When you add Layer 7 rules to the policy, it is expected that a small number of packets may pass through the firewall before being classified. This occurs because NBAR (Network-Based Application Recognition) requires several initial packets to accurately identify the application traffic. For classification purposes, up to 7 packets or a total of 2000 bytes may be allowed before enforcement begins. Subsequent rules may also allow some packets for classification purposes. Please see the troubleshooting section Understanding Layer 7 Rules in your Ruleset

Warning: Changes take effect immediately upon saving.

create_rule.png

Disabling a Rule in a Ruleset

  1. Navigate to Security > Group Policy and select Rulesets tab.
  2. Click on the Ruleset that you want to edit
  3. To disable a specific rule, click the "..." icon in the right-most column of the rule table for that rule.
  4. Click Disable. The icon will change from a green star to a gray minus symbol.

disable-rule.png

Deleting a Rule in a Ruleset

  1. Navigate to Security > Group Policy and select Rulesets tab.
  2. Click on the Ruleset that you want to edit
  3. To delete a specific rule, click the "..." icon in the right-most column of the rule table for that rule.
  4. Click Delete rule
  5. A popup will appear. To confirm, click the checkbox for "I understand that this action cannot be undone".
  6. Click Delete rule. Please note that the rule is immediately deleted.

delete_rule.png

Deleting a Ruleset

  1. Navigate to Security > Group Policy and select Rulesets tab.
  2. To delete a specific Ruleset, click the "..." icon in the right-most column of the table for that ruleset.
  3. Click Delete ruleset
  4. A popup will appear. To confirm, click the checkbox for "I understand that this action cannot be undone".
  5. Click Delete ruleset. Please note that the ruleset is immediately deleted.

delete_ruleset.png

Viewing your Policy Rules

  1. Navigate to Security > Group Policy 
  2. Click on the Policy you would like to view
  3. Scroll to the Rulesets section, then click the Rules tab

Screenshot 2025-12-23 at 18.21.14.png