Meraki Community

hello,
we have mostly MX250's on 18.211.2    and MR46's

basically, I want to be able to whatever traffic is being blocked. Id like to know, what did the blocking (was it the content filter or firewall? if its a firewall rule, which rule), also exactly what url / ip /whatever was blocked.


Right now I have lots of logs that say "flows deny" with a src/dst ip, a mac and a protocol. - What is that? Is that a firewall rule? which firewall? which rule?

In my MX firewall rules I have selected certain ones to log to syslog  how do i find those in the logs?

how do i see what the content filter is blocking?


thanks!

Adrian,

For the "Flows Deny" that sounds like the ACLs in effect. This includes the switching ACLs and MR ACLs.  Meraki will not block any LAN/Outbound connections unless you specifically state to do so. By default, it's in an allow state. However, for the MRs, it will automatically block LAN connections. You'd have to go into Wireless -> Firewall & Traffic Shaping, then check those rules.

For all inbound traffic being blocked, you can view the Security Center in Security & SD-Wan -> Security Center. You can see what is being blocked through the content filter, and what is being blocked in general based on pre-defined rules via Snort. You can also see these logs in Network-Wide -> Event Log.

Hopefully this information helps.

Hi, thanks for the reply - but this is about syslog messages.

If the meraki logs didnt truncate the messages, then there would be no need for the syslog server but since they do, I need to understand what is generating the messages (which firewall, which rule, whats the content filter doing?).

My apologies, I need to read better. For "Flows Deny", I am 99% certain that it's going to be an inbound connection from an external IP. We get tons of them every day. I can't give you any other information on Syslog. We let our SIEM translate it. I'm sorry.