
Cisco Meraki Documentation

Organization-wide Group Policy Troubleshooting

This article discusses the Organization-wide Group Policy feature, defines some of its components, and sets expectations for what happens when conflicting configuration is present.

Enforcement Targets

How do they work?

An Enforcement Target defines the "who" or "what" the policy applies to. Please note that rules are enforced by the MX, meaning the MX must be routing the traffic for the policy to take effect. Two common questions that come up are: 

  • What happens when VLAN(s) are selected?
  • What happens when an SGT is selected?

Example: I configure a policy with Enforcement Target VLAN 10 for two of my networks. VLAN 10 is configured as follows in each network:

  • Location 1: 10.10.1.0/24
  • Location 2: 10.10.2.0/24

When I attach a ruleset, the Dashboard automatically fills in the target subnets as the source of every rule whose source is "Any". So if I have a rule like this:

  • Action: Allow
  • Source: Any
  • Destination: 208.67.222.222 

For Location 1, the MX will enforce the following: 

  • Action: Allow
  • Source: 10.10.1.0/24
  • Destination: 208.67.222.222 

For Location 2, the MX will enforce the following: 

  • Action: Allow
  • Source: 10.10.2.0/24
  • Destination: 208.67.222.222 

If we added the Enforcement Target VLAN 11 of Location 1 (10.11.1.0/24), the MX at Location 1 would enforce the following:

  • Action: Allow
  • Source: 10.10.1.0/24 OR 10.11.1.0/24
  • Destination: 208.67.222.222

Note: An Enforcement Target can belong to only one policy at a time.

If you attempt to select an Enforcement Target that is already attached to a different policy, a warning will appear.

Example: In the image below, we are adding an Enforcement Target to a policy named Workstation. When attempting to select Retail Store 3 - VLAN 2, an alert appears because this VLAN is already associated with the Guest Internet Access policy. Proceeding by clicking Save will remove the VLAN from the previous policy ("Guest Internet Access") and reassign it to the new Workstation policy.

one-policy-enforcement-target.png
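The two behaviours described above, the "Any" source being filled in with the target subnets of each network and an Enforcement Target belonging to only one policy at a time, can be modelled in a few lines. The following Python is an added example written for this article; it is not Meraki's code and does not use the Dashboard API. The inventory dictionary, the `Rule`/`Policy` classes and the `OrgPolicyStore` name are this example's own assumptions, and the "Empty ruleset" handling assumes the emitted allow-any rule gets its source filled in like any other rule.

```python
from dataclasses import dataclass, field

# Constructed inventory: network name -> {VLAN ID: subnet}. Mirrors the two
# locations in the text plus VLAN 11 at Location 1.
VLAN_SUBNETS = {
    "Location 1": {10: "10.10.1.0/24", 11: "10.11.1.0/24"},
    "Location 2": {10: "10.10.2.0/24"},
}


@dataclass(frozen=True)
class Rule:
    action: str
    source: str        # "Any", a CIDR, or "a OR b" after expansion
    destination: str


@dataclass
class Policy:
    name: str
    targets: set = field(default_factory=set)   # {(network, vlan_id)}
    rules: list = field(default_factory=list)   # attached ruleset (may be empty)


class OrgPolicyStore:
    """Tracks which Org-wide policy owns each Enforcement Target and expands
    a policy's ruleset into what the MX at a given network would enforce."""

    def __init__(self):
        self.policies = {}
        self.owner = {}   # (network, vlan_id) -> policy name

    def add_policy(self, policy):
        """Register a policy; returns warnings for any target taken from another policy."""
        wanted = sorted(policy.targets)
        policy.targets = set()
        self.policies[policy.name] = policy
        warnings = []
        for target in wanted:
            warning = self.attach_target(policy.name, target)
            if warning:
                warnings.append(warning)
        return warnings

    def attach_target(self, policy_name, target):
        """Attach a target. A target belongs to one policy at a time: if another
        policy already owns it, it is removed there (the dashboard warns before
        Save) and the warning text is returned; otherwise None."""
        warning = None
        previous = self.owner.get(target)
        if previous is not None and previous != policy_name:
            self.policies[previous].targets.discard(target)
            warning = (f"{target} is already associated with policy "
                       f"'{previous}'; saving reassigns it to '{policy_name}'")
        self.policies[policy_name].targets.add(target)
        self.owner[target] = policy_name
        return warning

    def effective_rules(self, policy_name, network):
        """Rules the MX at `network` enforces for this policy. Rules whose source
        is "Any" get the policy's target subnets in that network filled in."""
        policy = self.policies[policy_name]
        subnets = [VLAN_SUBNETS[net][vlan]
                   for net, vlan in sorted(policy.targets) if net == network]
        if not subnets:
            return []          # policy has no target in this network
        # An empty ruleset emits allow any -> any (per the article); that its
        # source is then filled in like any other "Any" rule is an assumption.
        rules = policy.rules or [Rule("Allow", "Any", "Any")]
        filled = " OR ".join(subnets)
        return [Rule(r.action, filled if r.source == "Any" else r.source, r.destination)
                for r in rules]


if __name__ == "__main__":
    store = OrgPolicyStore()
    store.add_policy(Policy("Guest Internet Access", {("Location 1", 11)},
                            [Rule("Deny", "Any", "10.0.0.0/8")]))
    store.add_policy(Policy("Workstation", {("Location 1", 10), ("Location 2", 10)},
                            [Rule("Allow", "Any", "208.67.222.222")]))
    for net in VLAN_SUBNETS:
        print(net, store.effective_rules("Workstation", net))
    # Taking VLAN 11 from Guest Internet Access produces the warning and the OR'd source.
    print(store.attach_target("Workstation", ("Location 1", 11)))
    print("Location 1", store.effective_rules("Workstation", "Location 1"))
```

Running the block prints the per-location rules from the article, then the reassignment warning and the combined `10.10.1.0/24 OR 10.11.1.0/24` source. Checking `effective_rules` for a network in which the policy has no target returns an empty list, which is the quick way to confirm a policy simply does not apply there.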

Rules & Rulesets

Empty Rulesets

If a ruleset is empty when it is attached to a policy, the ruleset emits an "allow any source to any destination" rule. Please visit the User Guide for more information on configuring rulesets.

Understanding Layer 7 Rules in your Ruleset

When creating firewall rules with Organization-wide Group Policy, you can create rules that match both IP addresses and Layer 7 applications. When you add Layer 7 rules, it is expected that a small number of packets may pass through the firewall before being classified. This occurs because NBAR (Network-Based Application Recognition) requires several initial packets to accurately identify the application traffic. For classification purposes, up to 7 packets or a total of 2000 bytes may be allowed through before enforcement begins. Please see the example below for details.

  • Rule 1
    • Action: Deny
    • Source: Any
    • Destination: 1.1.1.1/32
  • Rule 2
    • Action: Deny
    • Source: Any
    • Destination: 2.2.2.2/32
  • Rule 3
    • Action: Deny
    • Source: Any
    • Destination: Application X 
  • Rule 4
    • Action: Deny
    • Source: Any
    • Destination: 4.4.4.4/32

What to expect: 

  • Rule 1: All packets to this destination are dropped immediately when the MX first sees the packet (application classification is not required).
  • Rule 2: All packets to this destination are dropped immediately when the MX first sees the packet (application classification is not required).
  • Rule 3: The MX may allow up to 7 packets or a total of 2000 bytes for classification before the rule is enforced. This is necessary for proper application identification.
  • Rule 4: The MX may allow up to 7 packets or a total of 2000 bytes for classification before the rule is enforced.
  • Rule X: Any additional rules will behave similarly, allowing a small number of packets or bytes for initial classification.

The temporary allowance of a small number of packets for application classification is expected behavior and is required for accurate traffic identification. Once the application is recognized, the configured Layer 7 rule is fully enforced, and no additional packets will be allowed. 
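The expectations listed above follow from first-match evaluation meeting a classifier that needs a few packets: an IP rule placed before the Layer 7 rule matches on the first packet, whereas the Layer 7 rule and every rule after it cannot be decided until the application is known. The Python below is an added example written for this article to make that concrete; it is not Meraki's or NBAR's code. The first-match order, the constructed `ToyClassifier` (which names the application after a fixed number of packets), the default verdict, and the handling of a flow that is still unclassified once the 7-packet / 2000-byte budget is spent (it falls through to the later rules) are all this example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Classification budget from the article: what may pass before enforcement begins.
MAX_UNCLASSIFIED_PACKETS = 7
MAX_UNCLASSIFIED_BYTES = 2000


@dataclass(frozen=True)
class Rule:
    action: str
    dst_ip: Optional[str] = None    # Layer 3 destination (host address here)
    dst_app: Optional[str] = None   # Layer 7 destination (application name)


# The four-rule ruleset from the text.
RULESET = [
    Rule("deny", dst_ip="1.1.1.1"),
    Rule("deny", dst_ip="2.2.2.2"),
    Rule("deny", dst_app="Application X"),
    Rule("deny", dst_ip="4.4.4.4"),
]


@dataclass
class Flow:
    dst_ip: str
    packets: int = 0
    bytes: int = 0
    app: Optional[str] = None       # set once classification completes


class ToyClassifier:
    """Stand-in for NBAR (constructed): names the application for a destination
    only after `packets_needed` packets of the flow have been seen. Destinations
    missing from `answers` are never classified."""

    def __init__(self, answers, packets_needed=3):
        self.answers = answers
        self.packets_needed = packets_needed

    def classify(self, flow):
        if flow.packets < self.packets_needed:
            return None
        return self.answers.get(flow.dst_ip)


def evaluate_packet(flow, length, ruleset, classifier, default="allow"):
    """First-match evaluation of one packet of `flow`; returns the verdict and
    updates the flow's counters (assumption: first-match order, default verdict,
    and fall-through to later rules once the budget is spent unclassified)."""
    flow.packets += 1
    flow.bytes += length
    for rule in ruleset:
        if rule.dst_ip is not None:
            if rule.dst_ip == flow.dst_ip:
                return rule.action            # L3 match: no classification needed
            continue
        # Layer 7 rule: the MX must know the application before it can decide.
        if flow.app is None:
            flow.app = classifier.classify(flow)
        if flow.app is None:
            within_budget = (flow.packets <= MAX_UNCLASSIFIED_PACKETS
                             and flow.bytes <= MAX_UNCLASSIFIED_BYTES)
            if within_budget:
                return "allow"                # passes pending classification
            continue                          # budget spent: enforce with what is known
        if flow.app == rule.dst_app:
            return rule.action
    return default


def run_flow(dst_ip, packet_lengths, classifier, ruleset=RULESET):
    """Verdict per packet for a flow to dst_ip with the given packet sizes."""
    flow = Flow(dst_ip)
    return [evaluate_packet(flow, n, ruleset, classifier) for n in packet_lengths]


def leaked_packets(verdicts):
    """How many packets passed before the first deny (all of them if none was denied)."""
    return verdicts.index("deny") if "deny" in verdicts else len(verdicts)


if __name__ == "__main__":
    nbar = ToyClassifier({"3.3.3.3": "Application X", "4.4.4.4": "Other App"})
    for dst, sizes in [("1.1.1.1", [100] * 3), ("3.3.3.3", [100] * 5),
                       ("4.4.4.4", [100] * 5)]:
        verdicts = run_flow(dst, sizes, nbar)
        print(dst, verdicts, "leaked:", leaked_packets(verdicts))
    # A destination the classifier never names: only the budget caps what passes.
    print(run_flow("4.4.4.4", [500] * 6, ToyClassifier({})))
```

The run shows Rule 1 dropping from the first packet, while flows that reach Rule 3 or Rule 4 let the first two packets through until the toy classifier names the application. The last call shows the byte cap: four 500-byte packets fit in the 2000-byte budget and the fifth is denied by Rule 4 once the budget is spent. When estimating exposure for a deny rule that sits after a Layer 7 rule, the 7-packet / 2000-byte figures are the upper bound to plan around.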

Firewall Logging Live Tool

To access the Firewall Logging live tool, navigate to Security & SD-WAN > Appliance Status, click the Tools tab, and look for Firewall Logging. In the example below, my rules are blocking traffic going to a Google DNS server. My Organization-wide Group Policy is applied to VLAN 2 of my network, and the Rule # column shows the VLAN ID. Note that this may change in the future, in which case this article will be updated.

fwl-live-tool.png

Organization-wide Group Policy vs Network-wide Group Policy

What is Organization-wide Group Policy?
Organization-wide Group Policy is a new feature introduced with MX firmware version 26.1.2. It allows you to manage Layer 3 and Layer 7 firewall rules at the organization level, which makes it easy to build a consistent firewall policy at scale.
What is Network-wide Group Policy?
Network-wide Group Policy is an existing feature. It allows you to make custom configurations for all Meraki products to varying degrees: each product supports specific settings, and some products overlap in the feature set they support. This configuration exists only at the network level. There are various ways to apply a group policy; for more information, please visit this article.
Can you use both types of Group Policy?
You cannot use both an Organization-wide Group Policy (Security > Group Policy) and a Network-wide Group Policy (Network-wide > Group Policy) on the same VLAN, or use both to assign an SGT.
  • When a VLAN is configured with an Organization-wide Group Policy, the option to change the group policy is locked until the VLAN is removed from the Organization-wide Group Policy.
  • Additionally, when an Org-wide Group Policy is applied to a VLAN, you are not able to manually assign an Adaptive Policy group (SGT).

The image below shows an example of what you will see when an Org-wide Group Policy is applied to a VLAN. This is the VLAN configuration view:

vlan-warning-gp.png

Adaptive Policy

Network-wide Group Policy

Within a Network-wide Group Policy (Network-wide > Group Policy) it is possible to assign an SGT. With the introduction of 26.1, the MX can map an SGT to the Group Policy and enforce the configured rules. For Org-wide Group Policy, this means we can enforce Layer 3 or Layer 7 destinations based on the packet's SGT.

Warning:
Before using Organization-wide Group Policy with an SGT as an Enforcement Target, ensure that your Network-wide Group Policies do not overlap with SGT assignments. Overlapping policies may result in indeterminate or unpredictable behavior.

Below is an example of Adaptive Policy settings that will conflict. On the left is a Network-wide group policy mapped to SGT 10 with firewall rules that allow any source to any destination. On the right is an Org-wide policy with a very specific set of rules. If the network's MX has both configured, either the Network-wide Group Policy OR the Org-wide Group Policy may end up being the one enforced. Given the nature of firewall rules, it is recommended to remove the overlapping configuration.

Screenshot 2025-12-23 at 17.34.06.png

VLAN

If a VLAN is using an Organization-wide Group Policy, you will be unable to save the configuration if an Adaptive Policy Group is also applied to that VLAN. 

sgt-warning.png
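The three overlap conditions this article warns about (an SGT used both as an Org-wide Enforcement Target and in a Network-wide Group Policy, a VLAN under an Org-wide policy that also carries an Adaptive Policy group, and such a VLAN also carrying a Network-wide Group Policy) are easy to check for before saving a change, which is where the indeterminate-enforcement problem is cheapest to catch. The Python below is an added example written for this article, not Meraki tooling or the Dashboard API; the `OrgWidePolicy`, `NetworkWidePolicy` and `Vlan` record shapes and the inventory in `main` are constructed for illustration, and in practice you would populate them from your own configuration export.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OrgWidePolicy:
    name: str
    vlan_targets: frozenset    # {(network, vlan_id)} Enforcement Targets
    sgt_targets: frozenset     # {sgt} Enforcement Targets


@dataclass(frozen=True)
class NetworkWidePolicy:
    network: str
    name: str
    sgt: Optional[int]         # Adaptive Policy group mapped to the policy, if any


@dataclass(frozen=True)
class Vlan:
    network: str
    vlan_id: int
    adaptive_policy_group: Optional[int] = None   # SGT manually assigned to the VLAN
    network_wide_policy: Optional[str] = None     # Network-wide GP applied to the VLAN


def audit_overlaps(org_policies, nw_policies, vlans):
    """Return (kind, detail) findings for the conflict conditions in the article.
    Record shapes are this example's own, not the dashboard's."""
    findings = []

    # An SGT that is both an Org-wide Enforcement Target and mapped by a
    # Network-wide Group Policy: either policy may end up enforced.
    sgt_owner = {s: p.name for p in org_policies for s in p.sgt_targets}
    for gp in nw_policies:
        if gp.sgt is not None and gp.sgt in sgt_owner:
            findings.append(("sgt-overlap",
                             f"SGT {gp.sgt}: Network-wide GP '{gp.name}' in {gp.network} "
                             f"overlaps Org-wide policy '{sgt_owner[gp.sgt]}'"))

    # A VLAN under an Org-wide policy cannot also carry an Adaptive Policy
    # group or a Network-wide Group Policy.
    vlan_owner = {t: p.name for p in org_policies for t in p.vlan_targets}
    for v in vlans:
        owner = vlan_owner.get((v.network, v.vlan_id))
        if owner is None:
            continue
        where = f"{v.network} VLAN {v.vlan_id} (Org-wide policy '{owner}')"
        if v.adaptive_policy_group is not None:
            findings.append(("vlan-sgt-conflict",
                             f"{where} also has Adaptive Policy group {v.adaptive_policy_group}"))
        if v.network_wide_policy is not None:
            findings.append(("vlan-nwgp-conflict",
                             f"{where} also has Network-wide GP '{v.network_wide_policy}'"))
    return findings


if __name__ == "__main__":
    # Constructed inventory: one Org-wide policy targeting SGT 10 and one VLAN,
    # a Network-wide GP in the same network mapped to SGT 10, and a VLAN that
    # both sits under the Org-wide policy and has an Adaptive Policy group.
    org = [OrgWidePolicy("Workstation", frozenset({("Retail Store 3", 2)}), frozenset({10}))]
    nw = [NetworkWidePolicy("Retail Store 3", "Guest", 10),
          NetworkWidePolicy("Retail Store 3", "Staff", None)]
    vlans = [Vlan("Retail Store 3", 2, adaptive_policy_group=20),
             Vlan("Retail Store 3", 3, adaptive_policy_group=20, network_wide_policy="Guest")]
    for kind, detail in audit_overlaps(org, nw, vlans):
        print(f"[{kind}] {detail}")
```

The sample inventory yields two findings: the SGT 10 overlap between the "Guest" Network-wide policy and the "Workstation" Org-wide policy, and VLAN 2 carrying Adaptive Policy group 20 while under the Org-wide policy. VLAN 3 is not reported because no Org-wide policy targets it, which matches the article: the restrictions only apply once a VLAN or SGT is an Org-wide Enforcement Target.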