Meraki

JimBetts · ‎Nov 21 2023

A customer of mine needs to see hit counts on MX rules so that he can eliminate his any-any permit rule after verifying that all legit traffic is covered. We can get a snapshot by looking at the L3 rules with the GUI but we'd like to have several days of data to ensure that we're going to break as few things as possible. getNetworkApplianceFirewallL3FirewallRules tells us what the rules are, but no hit counts. Any suggestions?

ww · ‎Nov 21 2023

I would suggest a Syslog server . And analyse that data

PhilipDAth · ‎Nov 21 2023

Hmmm, when using the dashboard, I believe hits are only recorded while you have the page open. I have no idea what the returned value would mean from the API in this context.

+1 to @ww . You will need to use syslog for this.

GIdenJoe · ‎Nov 21 2023

You'll need to indeed use a syslog server and parse the firewall events in it.
Don't forget to discard the flow_start and flow_end events.
At the end of the firewall events you have a matching statement that should make it obvious which actual rule it is matching. The rule number or name is NOT in the log.

Once you have filtered out the events you want you only need a linecount to get your counters.

DarrenOC · ‎Nov 22 2023

As previously stated set up a syslog server to view live traffic - kiwi syslog do a free trial license for 30 days.

or, just flick the allow all any any to deny and see what breaks

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

JimBetts · ‎Nov 22 2023

or, just flick the allow all any any to deny and see what breaks

The story of my life. 🙂 I actually did look up this subject before I asked again hoping that they had added it to the API and I just couldn't find it. I'd bet you it is there but is expensive to execute so they just don't document it.

Meraki

Community

MX L3 rule hit counts

MX L3 rule hit counts