1. Home
  2. Blog
  3. Firewall Best Practices
  4. 15 Cisco Meraki Firewall Best Practices

Last updated June 17th, 2024 by Tim Shea

Cisco Meraki firewalls combine straightforward device setup, cloning, and provisioning processes with a cloud-based, centralized dashboard.

By reducing the need for physical hardware and staff members dedicated to managing the firewalls, Cisco Meraki reduces overall IT costs. In a company with remote offices and limited networking staff, Cisco Meraki stateful firewalls provide robust security and SD-WAN (software defined wide area networking) features, including: 

  • Advanced Malware Protection (AMP) 

  • Content filtering 

  • Web-safe search 

  • Intrusion Detection and Prevention (IPS/IDS) 

  • HTTPS inspection 

  • VPN (Virtual Private Networks) tunnels 

  • FIPS Mode

By following implementation best practices for Meraki firewalls, you can rapidly integrate them into your network architecture.

What are Common Cisco Meraki Network Firewall Configuration Challenges?

When deploying Cisco Meraki firewalls, you should be aware of these common configuration issues that undermine security and performance:  

  • WAN misconfigurations prevent correct firewall functioning and reduce performance. 

  • VPN misconfigurations erode VPN traffic for remote access and site-to-site performance. 

  • Failure to manage firmware updates increases security risk. 

  • Misconfigured firewall rules increase security risk with too much traffic while too little traffic impacts end users’ connectivity. 

  • Misconfigured content filters allow access to risky websites and content. 

  • Misconfigured NAT rules can disrupt inbound and outbound traffic.  

  • Failure to enable IDS/IPS may leave attacks undetected.  

  • Failure to configure Simple Network Management Protocol (SNMP) makes monitoring difficult and increases the time spent troubleshooting issues.  

  • Failure to configure link aggregation may create a bottleneck or network outage. 

Key Benefits of Implementing Best Practices for Cisco Meraki Firewalls 

By implementing Cisco Meraki firewalls using best practices, you can: 

  • Improve network speed and performance by separating critical applications from voice VLAN. 

  • Add a layer of security that mitigates data breach risks to sensitive data and critical applications from unauthorized access. 

  • Save IT team’s bandwidth by simplifying the configuration and management processes with a centralized location for controlling and managing firewalls.  

  • Gain visibility into and analytics for Cisco Meraki firewall deployment for proactive monitoring and troubleshooting. 

15 Best Practices for Configuring Cisco Meraki Firewalls 

To ensure optimal security and performance, consider the following best practices: 

  1. Routed NAT mode: Connect the WAN appliance directly to the ISP handoff so it has a public IP address, especially if you require Layer 3 networking capabilities. 

  1. Passthrough or VPN Concentrator Mode: Ensure an existing Layer 3 device is upstream to handle network routing functions so WAN appliance in this mode can act as layer 2 firewall integrated into existing LAN (Local Area Network). 

  1. Redundancy and High Availability: Combine two high availability paired WAN with multiple ISP connections to maintain network functionality and connectivity.  

  1. Addressing and VLANS: Deploy multiple subnets for different traffic use cases, including networks that host employee data, provide guest access, and support critical applications.  

  1. Routing and Layer 3 Connectivity: Configure a single subnet between the Cisco Meraki WAN appliance and other layer 3 devices when multiple devices perform level 3 functions to maintain routing consistency, minimize traffic, and reduce routing.  

  1. Layer 3 Firewall Rules 

  • Configure outbound firewall rules to limit outgoing traffic between subnets that are not closely related since default VLAN configurations enable communications between WAN appliances.  

  • Configure firewall rules for IP addresses or URLs when internal users need internet access but should be blocked from certain sites.  

  1. Layer 7 Firewall Rules:  

  • Configure rules as precisely as possible for granular control without blocking traffic flows for critical applications. 

  • Only block traffic from known malicious countries. 

  1. Port forwarding rules: Configure port forwarding rules narrowly according to the traffic allowed behind the firewall. Do not create port forwarding rules with “Any” for allowed IP ranges.  

  1. 1:1 and 1: Many NAT Rules: Limit the range of ports used and remote IPs allowed to connect. 

  1.  Advanced Malware Protection (AMP): Enable AMP on WAN appliance for scanning and inspecting HTTP downloads. 

  1.  Intrusion Detection and Prevention (IDS/IPS): Enable IDS/IPS on WAN appliances to detect, alert, and act against malicious traffic.  

  1. IP Source Address Spoofing Protection: Set feature to “Block” not ‘Log” to mitigate malicious IP spoofing event on network. 

  1.  Client VPN: Deploy and use client VPN feature with Systems Manager policy to improve end-user network performance while reducing issues managing VPN traffic.  

  1.  SD-WAN 

  • Set throughput bandwidth to the highest amount available. 

  • Configure secure rule list checks to hourly.  

  • Set uplink connections to load balance traffic for policy-based routing on WAN appliance using source traffic to define flow preferences.  

  1. Traffic shaping: Enable default traffic shaping rules to prioritize and shape traffic on local network. 

Using Tufin to Automate and Orchestrate Cisco Meraki Firewall Management 

Many organizations incorporate Cisco Meraki firewalls into a larger, multi-vendor network architecture, often managing multiple dashboards. 

Tufin’s native integration with Cisco Meraki provides automation that enables centralized visibility and control across a diverse collection of firewalls.

With Tufin Orchestration Suite, organizations achieve strategic objectives like: 

  • Faster troubleshooting with an Interactive Topology Map for network visualization and rapid identification of network connectivity and security issues 

  • Reduced audit costs with built-in reporting to ensure compliance, audit readiness, and network connectivity that reduces preparation time from weeks to minutes

Don't miss out on more Tufin blogs

Subscribe to our weekly blog digest

Ready to Learn More

Get a Demo

In this post:

Background Image