Extensible Firewall Templates for Security Appliances
When configuring large distributed networks, small insignificant tasks become time consuming and laborious quite quickly. Meraki cloud managed networking products eliminate a lot of the complexity of this type of deployment with features such as configuration templates and AutoVPN. With configuration templates you are able to rapidly deploy hundreds or thousands of remote sites and connect them together with a VPN in a few clicks.
As we recently announced in our Quarterly update, there have been some enhancements to the features on the MX which allow further automation of multiple site deployments. It is now possible to add firewall rules to your configuration template that are dynamically generated to match the appropriate networks.
A recap on templates
A template is a configuration which can be applied to tens, hundreds, or thousands of MX Security appliances. Networks within a Meraki dashboard Organization can be bound to this template so that they inherit its settings, which only have to be configured once. If this configuration is no longer required, they can be bound to a different template or reverted to the configuration state they had before they were bound. This reduces monotonous administrative tasks and prevents human error.
One of the advantages of templates is that they can dynamically allocate subnets and IP addresses for each site. In some instances it may be desirable to have identical subnet and IP configurations at each site, but when this is not the case, unique configurations are required per site. Using templates, a network administrator can choose to have subnets and MX interface IPs created automatically, so there is no subnet duplication or IP overlap.
Making security easy
With many retailers taking advantage of Meraki’s solutions for their stores, PCI 3.0 security is an important concern. The Meraki MX’s built-in security features, such as anti-malware and Intrusion Detection & Prevention (IDS/IPS), make it simple to deploy a robust security solution. However, there is still a need to configure relevant firewall settings to safeguard payment processing systems in a retail environment, or confidential business data in an enterprise.
The new firewall objects functionality in the Meraki dashboard allows network administrators to summarize detailed firewall configurations and replicate them to many sites with templates. This has a huge impact on the amount of work required: firewall rules are only configured once for the template, no matter how many remote sites you have. In an organization of 500 remote sites, with a simple firewall rule set of only 10 lines, that’s a saving of 490 lines of configuration, or 98% less work!
It’s all in the name
When configuring an MX template, an administrator will create the VLANs and associated subnets that need to be replicated at each site. The key step in this process is assigning a name to each VLAN, because this name is the object identifier that is referenced on the firewall page.
Now, when configuring the firewall rules for the template, the name of the VLAN can be selected. This means that no matter what subnet and network mask are automatically generated for a given site, the firewall rule will reflect that site’s subnet correctly. For example, in the screenshots below, ‘home’ and ‘corp’ are referenced as aliases for the actual subnet at that site.
If the firewall rule needs to be specific to a particular host within the subnet, the ‘Add host bits’ button allows you to define a specific host for the site at which this rule applies. Again, this is exceptionally useful in retail environments, where it is common for devices to have specific host addresses. A good example of this is that every cash register on every site could have addresses .5, .6, & .7.
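To make the alias-and-host-bits behaviour concrete, here is an added Python illustration of how a template rule set that names VLANs (with optional host bits) resolves to per-site prefixes. It is not Meraki code or a Meraki API; the site subnets, the rule dictionary format and the treatment of host bits as an offset from the subnet's network address are all constructed assumptions.

```python
import ipaddress

# Constructed per-site VLAN subnets, standing in for the ones a template
# would auto-generate for each bound site (hypothetical values).
SITE_VLANS = {
    "store-001": {"corp": "10.0.1.0/24", "pos": "10.0.2.0/24"},
    "store-002": {"corp": "10.1.1.0/24", "pos": "10.1.2.0/24"},
}

# Template rules name VLANs instead of literal subnets. An optional
# "*_host" key carries the host bits (the ".5" of the cash-register
# example), modelled here as an offset from the subnet's network address.
TEMPLATE_RULES = [
    {"policy": "allow", "src": "pos", "src_host": 5, "dst": "corp", "port": 443},
    {"policy": "deny", "src": "pos", "dst": "corp", "port": "any"},
]

def resolve(alias, host_bits, vlans):
    """Turn a VLAN name (plus optional host bits) into this site's prefix."""
    net = ipaddress.ip_network(vlans[alias])
    if host_bits is None:
        return str(net)
    host = net.network_address + host_bits
    # Reject host bits that spill past the mask or land on the
    # network or broadcast address, which could never be a real host.
    if host not in net or host in (net.network_address, net.broadcast_address):
        raise ValueError(f"host bits {host_bits} do not fit in {net}")
    return f"{host}/32"

def expand_rules(vlans, rules=TEMPLATE_RULES):
    """Render the template's rule set against one site's VLAN allocation."""
    return [
        {
            "policy": r["policy"],
            "src": resolve(r["src"], r.get("src_host"), vlans),
            "dst": resolve(r["dst"], r.get("dst_host"), vlans),
            "port": r["port"],
        }
        for r in rules
    ]

def expand_all(sites=SITE_VLANS, rules=TEMPLATE_RULES):
    """Every bound site gets the same rule set, resolved to its own subnets."""
    return {site: expand_rules(vlans, rules) for site, vlans in sites.items()}
```

Running `expand_all()` shows the same two template lines yielding a different concrete source and destination at each site, which is the saving the post describes.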
Extensible Firewall Templates are a flexible and easy-to-use feature for configuring your Meraki networks. From corporate branch sites, to retail outlets and large-scale teleworking using the Meraki Z1, templates improve the operational efficiency of the network administrator and allow lean IT teams to respond quickly to business needs on tight deadlines.