About the Meraki Access Control Policy
Meraki MX devices may have been managed by the Meraki dashboard before you onboard to CDO, and the device may already have some outbound rules. These rules will appear as access control rules in CDO. You can modify these rules and create additional rules within the access control policy.
Note that you cannot change the default action of the access control policy in CDO.
Manage the Meraki Access Control Policy
Use this procedure to edit a Meraki access control policy using CDO:
- Open the Devices & Services page.
- Select the Meraki MX device template whose access control policy you want to edit.
- In the Management pane at the right, select Policy.
- Do any of the following:
- To create a new rule, click the blue plus button.
- To edit an existing rule, select the rule and click the edit button in the Actions pane. (Simple edits may also be performed inline without entering edit mode.)
- To delete a rule you no longer need, select the rule and click the remove button in the Actions pane.
- To move a rule within the policy, select the rule in the access control table and click the up or down arrow at the end of the rule row to move the rule.
When editing or adding a rule, continue with the remaining steps in this procedure.
- In the Order field, select the position for the rule within the policy. Network traffic is evaluated against the list of rules in numerical order, 1 to "last."
Rules are applied on a first-match basis, so you must ensure that rules with highly specific traffic matching criteria appear above rules that have more general criteria that would otherwise apply to the matching traffic.
The default is to add the rule to the end of the list. If you want to change a rule's location later, edit this option.
- Enter the rule name. You can use alphanumeric characters, spaces, and these special characters: + . _ -
Note: The Name of the access control rule is used as the name of the rule in CDO while the Remark field is treated as the name of the rule in the Meraki dashboard. The two fields are not dependent on each other.
- Select the action to apply if the network traffic is matched by the rule:
- Block—Drop the traffic unconditionally. The traffic is not inspected.
- Allow—Allow the traffic subject to the intrusion and other inspection settings in the policy.
Note: You can only set or modify the rule action. You cannot change the default policy action from CDO.
- Define the traffic matching criteria by using any combination of attributes in the following tabs:
- Source—Click the Source tab and add or remove networks (which includes networks and continents) or ports from which the network traffic originated. The default value is "Any."
- Destination—Click the Destination tab and add or remove networks (which includes networks and continents), or ports on which the traffic arrives. The default value is "Any."
Note: The source and destination networks must be within one of the configured VLAN subnets or, if a VLAN subnet is not manually configured, the default VPN subnet. Deploying a rule that includes an invalid source or destination network will fail.
- Click Save.
- Return to the Devices & Services page and you should see that the configuration status of the device you made changes to is now "Not synced."
- Select the device and in the Not Synced pane at the right, click Preview and Deploy...
- On the Pending Changes screen, review the changes:
- Red rows indicate that something was deleted, green rows indicate something was added, and blue rows indicate that something was modified in the FTD configuration. The Pending Changes screen also shows when the last deployment was made to the FTD device and who made it.
- Changes are grouped by type. In this example there would be three changes, two of which were to create objects and one was to create an access rule. Clicking the change type jumps you to that section of the pending changes record.
- The Deployed Version column shows the FTD's configuration prior to the change. The Pending Version column shows the change you are about to deploy to the FTD. In this example, because we created everything, the Deployed Version field would be empty and the Pending Version column would have the description of the change you are about to make.
- If you are satisfied with the pending version, click Deploy Now. After the changes are deployed successfully, you can view the change log to confirm what just happened.
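To make the first-match ordering rule and the VLAN-subnet constraint on source and destination networks concrete, here is an added Python example; it is not CDO or Meraki code, and the rule names, subnets and the assumed default action are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    order: int        # position in the policy; evaluated 1 to "last"
    name: str
    action: str       # "Block" or "Allow"
    source: str       # CIDR network or "Any"
    destination: str  # CIDR network or "Any"

def _matches(net, addr):
    return net == "Any" or ip_address(addr) in ip_network(net, strict=False)

def evaluate(rules, src, dst, default_action="Allow"):
    """First-match: the first rule whose source and destination both match wins.
    default_action is an assumed placeholder for the policy default, which
    cannot be changed from CDO."""
    for rule in sorted(rules, key=lambda r: r.order):
        if _matches(rule.source, src) and _matches(rule.destination, dst):
            return rule.action, rule.name
    return default_action, "default"

def validate_networks(rules, vlan_subnets):
    """Pre-deploy check: every non-Any source/destination must sit inside a
    configured VLAN subnet; a rule that does not would fail to deploy."""
    subnets = [ip_network(s) for s in vlan_subnets]
    problems = []
    for rule in rules:
        for field in ("source", "destination"):
            value = getattr(rule, field)
            if value != "Any":
                net = ip_network(value, strict=False)
                if not any(net.subnet_of(s) for s in subnets):
                    problems.append((rule.name, field, value))
    return problems

# Constructed sample data: two VLAN subnets and a policy where a specific
# Block sits above a more general Allow for the same source network.
VLAN_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]

def ordered_rules():
    return [Rule(1, "block-printer", "Block", "10.0.1.0/24", "10.0.2.50/32"),
            Rule(2, "allow-users", "Allow", "10.0.1.0/24", "Any")]

def shadowed_rules():
    # Same two rules with the general Allow first: the Block is never reached.
    return [Rule(1, "allow-users", "Allow", "10.0.1.0/24", "Any"),
            Rule(2, "block-printer", "Block", "10.0.1.0/24", "10.0.2.50/32")]
```

Running `evaluate` on both orderings with the same traffic shows why the specific rule must come first, and `validate_networks` flags any rule whose network lies outside the configured VLAN subnets before you click Deploy Now.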