Meraki Firewall rules for communicating with Meraki Cloud

dganta — Mon, 05 Jul 2021 12:22:45 GMT

HI Team,

Do not know whether this is the right gforum for Meraki. Customer has bought the meraki wireless access points and for implementing the firewall rules he has a problem with allowing too many destination ips outbound. The customer is located in Manchester united kingdom. Can you please clarify whether the customer can use any specific outbound Ip addresses instead of using the following firewall rules as per Meraki Firewall info. Also the customer does not want to allow any for NTP and wants to know which Specific IP he can configure to allow for NTP.

As of now Meraki firewall info shows the following rules:

Access Points VLAN IP addresses	185.92.120.0/25, 185.17.255.128/25, 50.115.86.96/27, 217.89.128.0/24, 199.231.78.0/24, 108.161.147.0/24, 64.62.142.12/32, 54.193.207.248/32	7351	UDP	outbound	Meraki cloud communication	Access points, MX Security Appliance, Phones, Switches
Access Points VLAN IP addresses	199.231.78.0/24, 64.156.192.245/32, 217.89.128.0/24, 185.17.255.128/25, 50.115.86.96/27, 185.92.120.0/25	9350	UDP	outbound	VPN registry	Access points, MX Security Appliance
Access Points VLAN IP addresses	54.193.207.248/32	80	TCP	outbound	Backup Meraki cloud communication	Access points, MX Security Appliance, Phones, Switches
Access Points VLAN IP addresses	50.115.86.96/27, 64.62.142.2/32, 108.161.147.0/24, 185.17.255.128/25, 185.92.120.0/25, 199.231.78.0/24, 217.89.128.0/24	80, 443, 7734, 7752	TCP	outbound	Backup configuration downloads, Backup firmware downloads, Splash pages, Throughput tests live tool	Access points, MX Security Appliance, Phones, Switches
Access Points VLAN IP addresses	Any	123	UDP	outbound	NTP time synchronization	Access points, MX Security Appliance, Switches

"Please can you clarify why you have specified such a wide range of subnets for the outboumd.

We are expecting to limit these to individual IP addresses’s for your management stations.

We will also not allow ANY rule to NTP time servers you will need to be more specific and specify time sources used.”

If the customer wants a Cisco

Philip D'Ath — Mon, 11 Jul 2016 09:22:37 GMT

If the customer wants a Cisco Meraki supported platform then the customer has to deploy stated rules. Period.

If they don't mind that it doesn't work properly then they can do whatever they like.

Re: If the customer wants a Cisco

jggentry — Tue, 15 Oct 2019 16:37:22 GMT

That was a jerk answer

Re: Meraki Firewall rules for communicating with Meraki Cloud

omz — Wed, 16 Oct 2019 15:05:38 GMT

Meraki and most people say you need to allow all the rules. But .. you dont need to allow all the IP ranges.

As you can see .. some are backup connection, snmp traps, ntp, and for MX devices. If the customer is only using APs... you can just allow 7351 UDP to the given ranges and it should be fine. UDP 9350 is for VPN registry. If the APs are connecting back to a MX wireless concentrator then you need to allow a range for MX and 9350.

Hope this helps.

topic Re: Meraki Firewall rules for communicating with Meraki Cloud in Wireless

Meraki Firewall rules for communicating with Meraki Cloud

If the customer wants a Cisco

Re: If the customer wants a Cisco

Re: Meraki Firewall rules for communicating with Meraki Cloud