Security center always showing no events

SOLVED
Dylan_YYC
Getting noticed

Good morning, 

 

I've been having issues where I'll get an email from the dashboard saying that something has been blocked by our MX. When I click the link and it brings me to the security center, it always says no events, regardless of the filter timeline.

 

I currently have an open case but it's been open for months now with no change. Anybody else seeing this or heard of what is being done to fix it?

 

Regards,

Dylan.

1 ACCEPTED SOLUTION
RyanB
Meraki Employee

Hey Dylan,

 

This is a known issue and currently under investigation.

In the meantime you could try cloning the network, and moving the MX into the cloned network. (Just to see if moving into a new network kickstarts it.)

 

Feel free to go to Eicar and download the test file to make sure you're triggering the AMP engine. 

 

Thanks!


11 REPLIES
PhilipDAth
Kind of a big deal

If you just look at the security centre normally, and go to events, do you see anything?

 

What version software are you running on your MX?

 

Have you tried turning the threat protection settings off and back on?

@PhilipDAth yeah, even if I go via the normal route everything is still blank. I'm currently running the stable 13.28, and I do get the emails so I believe it to be working, just not showing in the dashboard for some reason. I haven't tried turning the threat protection off and on, maybe?

davidvan
Meraki Alumni (Retired)

@Dylan_YYC have you tried selecting Unknown and Clean dispositions using the Filter at the top of the Security Center?

@davidvan I have, it will show things then but not the event that triggered me to get the alert email. I still have no idea what event caused me to get that.

Adam
Kind of a big deal

Silly question, but you verified that Security Appliance>Threat Protections are enabled, right? If both are disabled it'll show up blank.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
Dylan_YYC
Getting noticed

@Adam at this point there are no silly questions! Yes, it is enabled and has been since deployment.

Adam
Kind of a big deal

I'm good at silly questions @Dylan_YYC

 

Have you checked your MX routing?  At one of our sites we were routing all of our traffic via 0.0.0.0 to a private MPLS connection on one of the LAN ports instead of going out the WAN port and this caused there to be nothing in security center since it wasn't traversing the WAN interface.  Other than that, it should be working.  

Dylan_YYC
Getting noticed

That's a good idea @Adam, however we don't have that and if our routing were to change to something on the LAN we would be in major trouble. I did double-check and it's still using the default route to the WAN interface. At this point I'm at a bit of a loss!

Adam
Kind of a big deal

Well strange, at this point I'd try an after hours reboot of the MX if you haven't done that.  Then I'd try to simulate some security traffic that should show up to diagnose further.  

Hey @RyanB

Thanks for the follow up. As far as I can tell AMP is working well, as I have used that test file recently and was unable to download it. What troubles me is this has been an ongoing issue for our site for months now. Is there any indication on a resolution time?

 

Regards,

Dylan.
