Cisco Meraki firewall with implicit deny? Yes, its possible.

How we setup firewalls for small business and what you will learn in this article

This article applies to all Cisco Meraki firewall models and will teach you how to setup an implicit deny rule (and explain why all small business IT setups should be configured this way).

What is implicit deny and why should you care?

Implicit deny means all network traffic is denied unless allowed by your firewall rules. By starting with implicit deny, IT admins can protect against improper firewall configurations that will lead to unauthorized traffic traversing through your network. The challenge is Cisco Meraki firewall rules use the “ANY” object for both internal and WAN, so without ANY, that VLAN is unable to route to the internet.


What traffic would an implicit deny firewall rule block?

The answer is everything is blocked unless explicitly allowed. But when doing your firewall setup Cisco Meraki does not support default denied, so your IT admin probably creates the rules with something like this:

This creates two main issues:

  1. New VLANs automatically inherit the “ANY to ANY” rule, giving it unrestricted access to your network.
  2. You always have more deny rules than allow, sometimes many more making it difficult to audit.

Now when a customer asks for a new guest WIFI network to be created, that network has access to everything unless the IT team remembers to create a deny firewall rule. This is considered a very weak security posture and will lead to a human error which could cause a data breach.



How to setup Implicit Deny in Cisco Meraki MX firewall rules (step by step guide)

  1. Login to Meraki dashboard and head to “Security & SD-WAN” and “Addressing & VLANs“.
  2. Under “Routing” enable “VLANs” and create 3 VLANs that cover the RFC1918 private address subnets.
    1. Note: You can have as many VLANs as you want, just as long as 3 VLAN’s cover class A, B, and C subnets.
  3. Go to “Organization” and “Policy Objects” and under “All Objects” create the following:
    1. Class A:
    2. Class B:
    3. Class C:
  4. Now select “Groups” and click “Add New” and create the following:
    1. Give it a name (Implicit Deny) or (RFC-1918)
    2. Add the Class A, B, and C objects into this group.
  5. Go to “Security & SD-WAN” and “Firewall” and set the following rules:
    1. Top rule is Meraki to ALL (this enables dashboard tools to work as expected).
      1. Note: Make sure you set Meraki switches and wireless to use your Meraki infrastructure VLAN.
    2. Configure the VLANs you want to communicate with each other.
      1. Examples: Private to Private, Private to Printers, Private to Servers
    3. Then set your implicit deny above the default rule “Allow ANY to ANY”.

These basic firewall rules empower your security posture in a few ways:

  1. You now have less rules for your firewall to process, increasing throughput performance.
  2. When a new VLAN is created it will have internet access but cannot reach any other VLAN.
  3. You have a stronger security posture against human error.
  4. It is easier to audit/test firewall rules.

Things to consider when doing implicit deny

  1. Meraki support operates with the assumption you have implicit allow (default rule).
  2. When setting up the client VPN for Cisco Meraki remember to add an allow rule on your firewall or it will not work.
  3. Make sure you configure your switches and WAPs to use the VLAN which has access to the entire network so the dashboard tools work.

If you are interested in us configuring firewalls or handling your Cisco Meraki configuration please contact us on our website. We are experts in IT setup for small business with offices throughout the United States and are Meraki masters. And to be clear, there are many Cisco Meraki benefits, but depending on your needs it might not be the best option. But overall, Cisco Meraki is a fantastic product, very easy to use, and has the ability to deliver your business a high-uptime IT experience so you can grow without IT issues.