UPDATE: this challenge has ended. Huge thanks to everyone who submitted entries — we were delighted to see so many of you participate! Correct answers below:
Of those who submitted the correct answers above, we randomly selected two winners. Congrats to @tkamimura4 and @Raz!
This month’s community challenge is brought to you by Technical Evangelist, @SandroZ! This corporate network was the victim of an April Fool’s prank and needs your help to restore effective security. Submit the correct firewall rules before the deadline Friday and be entered to win Meraki swag!
Firewall Challenge
What a nice April Fool’s prank! Somebody rewrote the firewall rules on the MX at the edge of this corporate network.
Reviewing all security requirements will take some time, and the network engineers don’t want to remove or change any of the rules already in place, but there are some pressing issues that need to be resolved immediately and accurately.
Information is scarce, but you do have a high-level network diagram:
And the firewall rules currently configured on the MX:
NOTE: all MS switches are configured as L2 only. All routing decisions and firewall rules are handled by the same MX at the edge of the corporate network.
Your mission: Fix the 3 issues reported using one Allow firewall rule per issue to be prepended to the list of firewall rules already in place.
You must use the following Network Groups / Network Objects already listed in the customer’s dashboard:
- Meraki cloud communication, containing all the cloud IP addresses required for the management communication between the Meraki devices and the Meraki cloud.
- Camera streaming proxy, containing all the cloud IP addresses required to access the camera streaming outside of the corporate network over the internet.
- Building A Clients and Building B Clients, containing the subnets used for clients in the respective buildings
- Building A Meraki Devices and Building B Meraki Devices, containing the subnets used for Meraki devices (MV, MR, MS) in the respective buildings
You already double checked the configuration of Network Groups / Network Objects and they are correct!
You have everything you need from the network diagram and image of the firewall configuration.
Reported issues
Issue 1:
The IT team is complaining about a warning message appearing on all MS switches, all MV cameras and all MR Access Points:
“Connection to the Cisco Meraki Cloud is using the backup Cloud connection.”
Issue 2:
Network engineers identified a huge spike of data downloaded from the internet, and the destination for that traffic is a wired client inside building A: the workstation of the security guard for the building. In addition, the cameras in building A are generating more upload traffic than usual.
Issue 3:
The remote security guard reports being unable to see footage from cameras located in Building B. Cameras in Building A work perfectly.
How to enter
Fill the table for the 3 firewall rules (1 rule for each issue).
Rules need to be as specific as possible to just solve the reported issues.
# | Policy | Rule description | Protocol | Source | Src port | Destination | Dst port
1 | Allow | Issue 1 | ? | ? | Any | ? | ?
2 | Allow | Issue 2 | ? | ? | Any | ? | ?
3 | Allow | Issue 3 | ? | ? | Any | ? | ?
Check for options inside the squared brackets:
Protocol: [TCP,UDP]
Source: [1 or more Network Group / Network Object provided]
Destination: [1 or more Network Group / Network Object provided]
Dst Port: [1 destination port number]
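As an added illustration (not part of the challenge post, and not the answer key), here is a small first-match evaluator for a top-down rule list like the MX's, showing why a single prepended Allow rule overrides a later Deny and why an over-broad Allow reopens unrelated traffic. The group names, subnets and port 443 are constructed placeholders, not the challenge's values.

```python
import ipaddress

# Constructed placeholder objects; the challenge's real group contents are not on the page.
GROUPS = {
    "Lab Cameras": ["10.20.30.0/24"],
    "Streaming Proxy": ["203.0.113.0/24"],
    "Any": ["0.0.0.0/0"],
}

def in_group(ip, group):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in GROUPS[group])

def rule(policy, protocol, src, dst, dst_port, comment):
    return {"policy": policy, "protocol": protocol, "src": src,
            "dst": dst, "dst_port": dst_port, "comment": comment}

def matches(r, pkt):
    proto_ok = r["protocol"] == "Any" or r["protocol"] == pkt["protocol"]
    port_ok = r["dst_port"] == "Any" or r["dst_port"] == pkt["dst_port"]
    return (proto_ok and port_ok and in_group(pkt["src"], r["src"])
            and in_group(pkt["dst"], r["dst"]))

def evaluate(rules, pkt):
    """Top-down, first match wins; an implicit Allow sits after the last rule."""
    for index, r in enumerate(rules, 1):
        if matches(r, pkt):
            return r["policy"], index
    return "Allow", len(rules) + 1

# The "pranked" rule set: one blanket deny from the camera subnet (constructed).
PRANKED = [rule("Deny", "TCP", "Lab Cameras", "Any", "Any", "prank: block cameras")]

# A specific fix prepended as one Allow rule, versus an over-broad fix.
SPECIFIC_FIX = [rule("Allow", "TCP", "Lab Cameras", "Streaming Proxy", 443,
                     "cameras to streaming proxy")] + PRANKED
TOO_BROAD = [rule("Allow", "TCP", "Lab Cameras", "Any", "Any",
                  "cameras to anywhere")] + PRANKED

# Constructed sample flows: one to the proxy, one to an unrelated internet host.
CAMERA_TO_PROXY = {"protocol": "TCP", "src": "10.20.30.7",
                   "dst": "203.0.113.10", "dst_port": 443}
CAMERA_TO_OTHER = {"protocol": "TCP", "src": "10.20.30.7",
                   "dst": "198.51.100.9", "dst_port": 443}

if __name__ == "__main__":
    for name, rules in [("pranked", PRANKED), ("specific", SPECIFIC_FIX), ("broad", TOO_BROAD)]:
        print(name, evaluate(rules, CAMERA_TO_PROXY), evaluate(rules, CAMERA_TO_OTHER))
```

The specific fix restores only the proxy flow and leaves the unrelated flow denied; the broad fix lets both through, which is why the challenge asks for rules as specific as possible.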
Everyone who submits the correct 3 firewall rules as a comment on this post before April 30th at 11am PDT will be entered to win one of two Meraki thermal bottles:
How to win
There will be two winners for this challenge. In order to win, you must have provided the 3 correct firewall rules. In the likely event that multiple submissions contain all 3 correct answers, we will randomly select 2 winners from that group of respondents. Note that all comments will remain hidden throughout the challenge. Winners will be announced shortly after submissions are closed!
The Fine Print