Meraki

TEAM-ind · ‎Oct 26 2018

I have nine locations each with a Meraki MX security appliance. All of the locations use content filtering and group policies to restrict access to certain websites.

I am having an issue with internal intranet sites being blocked on a shopfloor policy that blocks all url patterns (*) and only allows patterns on the matching whitelist. I am having to white list are internal URL patterns.

Further, AMP is causing issues with our internal sharepoint site at one of our locations, and in AMPs case, the whitelists are not at all reliable (many issues where whitelisting has no affect, and disabling AMP does).

Is there a way to tell the MX to not apply content filtering and threat protection to Site-to-Site VPN traffic?

MacuserJim · ‎Oct 26 2018

I don't think there is away to disable content filtering for Site-to-site VPN traffic, you would need to make content filtering tweaks for all traffic.

For the shop floor instead of using content filtering to block all URL patterns I would recommend using the Layer 3 firewall settings to deny any traffic, and then have L3 firewall rules to allow traffic to either internal subnets, or specific IPs/FQDNs. I do something similar on a bunch of networks I manage and it works quite well.

As for your AMP issues, Meraki has mad a lot of improvements in the more recent firmware releases. What firmware version are you running on your MX appliances?

TEAM-ind · ‎Oct 26 2018

Thanks for the suggestions, MacuserJim. I am at 13.33 on all of the appliances. Still seeing frequent AMP issues related to whitelisting not having any affect. Both on MX100 and MX84.

MacuserJim · ‎Oct 26 2018

It may be worth trying the MX 14.34 beta firmware on one of your sites and see if that helps with the AMP issues. I know a lot has been done to address AMP in the 14.x firmware revisions, specifically around the whitelisting issues for AMP.

TEAM-ind · ‎Oct 26 2018

Thanks, again MacUserJim for the suggestion. I have stayed away from beta versions as that has always implied "not ready for prime time" to me. But I may have to put that bias away, as it pertains to MX software.

MacuserJim · ‎Oct 26 2018

I feel ya. Past experience with Meraki's beta firmware has been pretty good so hopefully you don't have any issues with testing out this beta.

TEAM-ind · ‎Nov 9 2018

Update on this -- Meraki support says I should "try" 15.10. Anyone tried a version of firmware that requires Meraki Support to push?

MacuserJim · ‎Nov 9 2018

I have previously and have never had major issues with them. I actually can't really think of any specific bugs running a firmware like that either.

TEAM-ind · ‎Dec 11 2018

Upgraded to 15.10, today. After the upgrade, I have no WAN2 connection. Support has verified this happened as a result of the upgrade and is advising to either reset the appliance or roll back the firmware. Just wanted to share are bad experience with beta.

TEAM-ind · ‎Dec 11 2018

Our bad experience. I apologize for the poor grammar.

TEAM-ind · ‎Dec 11 2018

Another update. 15.10 did not fix the AMP issue that I am seeing, and broke port 2 on an MX100 that was configured to use that port as internet 2. Rolled back to firmware 13.33 and port 2 works, again...AMP still has many issues, even with the latest beta, and the latest beta is not a good idea in a production environment. All done now. Thanks.

Meraki

Community

Content Filtering and Threat Protection

Content Filtering and Threat Protection