Hi Guys
Can you log traffic on the deny rule on Meraki?
I cannot seem to get it working; this should be a basic thing for any firewall, surely it's available?
Many thanks
Carl
Yes you can.
I'm assuming you are trying to achieve this on an MX. Go to Security & SD-WAN -> Firewall, then simply create a deny rule and check "logging enabled":
So are you saying it will log what traffic is being dropped? If there are allow rules which are also being logged, how do we know in the syslog log that the traffic has been dropped?
Also, what events should you switch on under the syslog, security events or flow events?
Yes all traffic that has the logging enabled will be sent to the syslog server.
Inside the syslog the rule is identified via the "pattern", e.g.:
pattern: allow tcp && (dst 20.0.0.0/8 || dst 30.0.0.0/8 dst port 1234)
Adding a rule ID or rule name would have been way simpler, but hey 🙄
Make sure to add the syslog first.
Hmm I'm not sure you can log deny rules since it's actual flows that are logged. Flows are created when traffic is allowed. Correct me if I'm wrong with a screenshot please.
Usually if you want to log traffic I make an allow rule as specific as possible like the source address limited to one host before sending that off to the syslog server.
Yes, it is possible. Here are the logs:
<134>1 1643828967.485148461 XXXXXXXXXXXX flows src=XXXXXX dst=XXXXXX mac=XXXXX protocol=tcp sport=50568 dport=443 pattern: deny tcp
Ok, thanks for that.
Incorporating into knowledge base 😉
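Since the only thing that separates a dropped flow from an allowed one in these syslog lines is the "pattern:" field, here is a small parser for that flow-log layout, added as an example (not from the thread or from Meraki). The sample lines are constructed: their layout follows the log shown above, but the host, addresses and MACs are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the MX "flows" syslog message shown in
# the thread (hostname, addresses and MACs are made up; the layout is the real one).
SAMPLE_LOGS = [
    "<134>1 1643828967.485148461 MX_SAMPLE flows src=10.0.1.25 dst=203.0.113.10 mac=00:11:22:33:44:55 protocol=tcp sport=50568 dport=443 pattern: deny tcp",
    "<134>1 1643828968.100000000 MX_SAMPLE flows src=10.0.1.25 dst=198.51.100.7 mac=00:11:22:33:44:55 protocol=tcp sport=50569 dport=1234 pattern: allow tcp && (dst 20.0.0.0/8 || dst 30.0.0.0/8 dst port 1234)",
    "<134>1 1643828969.200000000 MX_SAMPLE flows src=10.0.1.30 dst=203.0.113.10 mac=00:11:22:33:44:66 protocol=udp sport=5353 dport=53 pattern: deny udp",
    "<134>1 1643828970.300000000 MX_SAMPLE events type=vpn_connectivity_change vpn_type=site-to-site",
]

# <PRI>1 <epoch timestamp> <hostname> flows <key=value ...> pattern: <action> <rule text>
FLOW_RE = re.compile(r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) flows (?P<body>.*)$")


def parse_flow(line):
    """Return a dict for a 'flows' line, or None for any other message type."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    # The rule text after "pattern:" may contain spaces and parentheses, so split
    # on the first "pattern:" marker rather than tokenising the whole body.
    fields_part, sep, pattern = m.group("body").partition("pattern:")
    if not sep:
        return None
    rec = {"ts": float(m.group("ts")), "host": m.group("host")}
    for tok in fields_part.split():
        key, eq, val = tok.partition("=")
        if eq:
            rec[key] = val
    # First word of the pattern is the action (allow/deny); the rest is the matched rule.
    action, _, rule = pattern.strip().partition(" ")
    rec["action"] = action
    rec["rule"] = rule
    return rec


def denied_flows(lines):
    """Only the flows that hit a deny rule (the question the thread asks)."""
    parsed = (parse_flow(l) for l in lines)
    return [r for r in parsed if r is not None and r["action"] == "deny"]


def deny_summary(lines):
    """Count dropped flows per (protocol, destination port) for a quick triage view."""
    return Counter((r.get("protocol"), r.get("dport")) for r in denied_flows(lines))


if __name__ == "__main__":
    for r in denied_flows(SAMPLE_LOGS):
        print(f"{r['host']} DENY {r['src']} -> {r['dst']}:{r['dport']}/{r['protocol']}")
    print(deny_summary(SAMPLE_LOGS))
```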