Can you log traffic on the deny rule on Meraki?

CarlT
Here to help

Hi Guys

Can you log traffic on the deny rule on Meraki?

I cannot seem to get it working. This should be a basic thing for any firewall, surely it's available?

Many thanks

Carl

7 REPLIES
RaphaelL
Kind of a big deal

Yes you can.

I'm assuming you are trying to achieve this on an MX. Go to Security & SD-WAN -> Firewall, then simply create a deny rule and check "logging enabled":

[screenshot: firewall deny rule with "logging enabled" checked]

So are you saying it will log what traffic is being dropped? If there are allow rules which are also being logged, how do we know in the syslog log that the traffic has been dropped?

Also, what events should you switch on under the syslog, security events or flow events?

RaphaelL
Kind of a big deal

Yes, all traffic that has logging enabled will be sent to the syslog server.

Inside the syslog the rule is identified via the "pattern", e.g.:

pattern: allow tcp && (dst 20.0.0.0/8 || dst 30.0.0.0/8  dst port 1234)

Adding a rule ID or rule name would have been way simpler, but hey 🙄

ww
Kind of a big deal
GIdenJoe
Kind of a big deal

Hmm, I'm not sure you can log deny rules, since it's actual flows that are logged. Flows are created when traffic is allowed. Correct me if I'm wrong with a screenshot please.

Usually, if you want to log traffic, I make an allow rule as specific as possible, like the source address limited to one host, before sending that off to the syslog server.

RaphaelL
Kind of a big deal

Yes, it is possible. Here are the logs:

<134>1 1643828967.485148461 XXXXXXXXXXXX flows src=XXXXXX dst=XXXXXX mac=XXXXX protocol=tcp sport=50568 dport=443 pattern: deny tcp
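Since the only thing that distinguishes a dropped flow from an allowed one in these messages is the verdict word after "pattern:", a collector that wants to alert on denies has to pull that word out. The parser below is an added example written for this thread, not Meraki's code or anything from the posters; the log lines are constructed to follow the format quoted above (device name MX-BRANCH, RFC 5737 addresses and MAC values are made up), and it also skips non-flow message types such as "urls" so that the field splitting is only applied to flow records.

```python
import re
from datetime import datetime, timezone

# Constructed sample syslog lines in the same shape as the message quoted in the
# thread: <PRI>1 <epoch> <device> <type> key=value ... pattern: <verdict> <rule>
SAMPLE_LOGS = [
    "<134>1 1643828967.485148461 MX-BRANCH flows src=192.0.2.10 dst=198.51.100.20 "
    "mac=AA:BB:CC:DD:EE:FF protocol=tcp sport=50568 dport=443 pattern: deny tcp",
    "<134>1 1643828970.102 MX-BRANCH flows src=192.0.2.11 dst=203.0.113.5 "
    "mac=AA:BB:CC:DD:EE:01 protocol=tcp sport=40222 dport=1234 "
    "pattern: allow tcp && (dst 20.0.0.0/8 || dst 30.0.0.0/8 dst port 1234)",
    # A different message type (assumed "urls" record) that must not be parsed as a flow
    "<134>1 1643828975.5 MX-BRANCH urls src=192.0.2.12 dst=203.0.113.9 "
    "mac=AA:BB:CC:DD:EE:02 request: GET https://example.test/",
]

# Header: priority, syslog version 1, epoch timestamp, device name, record type, remainder
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\d+(?:\.\d+)?) (?P<host>\S+) (?P<type>\S+) (?P<rest>.*)$"
)
# key=value pairs that precede the "pattern:" section
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line):
    """Return a dict for a 'flows' record, or None for anything else."""
    m = HEADER_RE.match(line)
    if not m or m.group("type") != "flows":
        return None
    # Split off the pattern first so that "dst 20.0.0.0/8" inside the rule text
    # is never mistaken for a key=value field.
    head, sep, pattern = m.group("rest").partition("pattern: ")
    fields = dict(KV_RE.findall(head))
    # The first word of the pattern is the rule verdict: "allow" or "deny"
    verdict = pattern.split(" ", 1)[0] if sep else None
    return {
        "timestamp": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc),
        "device": m.group("host"),
        "verdict": verdict,
        "pattern": pattern,
        **fields,
    }


def denied_flows(lines):
    """Keep only flow records whose matching rule was a deny rule."""
    parsed = (parse_flow(line) for line in lines)
    return [f for f in parsed if f is not None and f["verdict"] == "deny"]


if __name__ == "__main__":
    for flow in denied_flows(SAMPLE_LOGS):
        print(f"{flow['timestamp'].isoformat()} {flow['device']} DROP "
              f"{flow['src']}:{flow['sport']} -> {flow['dst']}:{flow['dport']} "
              f"({flow['protocol']}) rule='{flow['pattern']}'")
```

Because the verdict is recovered from the rule text rather than from a rule ID, a renamed or reordered rule changes the "pattern" string, so any saved search keyed on the full pattern (rather than on the leading allow/deny word) will silently stop matching after a firewall edit.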

 

GIdenJoe
Kind of a big deal

Ok, thanks for that.
Incorporating into knowledge base 😉
