Does Meraki MX64 Advanced Security block outgoing files?

Twikki
Here to help

Good day everyone.

I have installed my first Meraki MX64 with advanced Security license, enabled all the security features I could find, including IPS, AMP etc. and put the highest security on it.

I was wondering, Meraki blocks all the files downloaded to the network, but what about outgoing files? Does the Meraki block files going out too? Let's say I have some files I want to upload to an FTP server. Could the Meraki think they are malicious and block them?

I tried to call the Meraki support, but he didn't know, and sent me the documentation on AMP, but couldn't find anything.

best regards

Daniel

PhilipDAth
Kind of a big deal

I could be wrong, but I believe AMP only works from WAN to LAN interfaces.

I could be wrong, but I believe IPS works between all layer 3 interfaces (including between internal VLAN interfaces).

PhilipDAth
Kind of a big deal

With regard to IPS:

https://documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/Threat_Protection

"Intrusion detection feeds all packets flowing between the LAN and Internet interfaces and in-between VLANs through the SNORT® intrusion detection engine and logs the generated alerts to the Security Report."

With regard to AMP:

https://documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/Advanced_Malware_Prote...

"The MX Security Appliance will block HTTP-based file downloads based on the disposition received from the AMP cloud."

Because it only mentions "downloads" I would presume this to mean WAN to LAN only.

Hi Philip,

Thanks a lot below. I would presume it means WAN to LAN only too by what you linked below.

Regarding the IPS. That would mean if the files have been blocked, I would be able to see it in the logs.

I could also try and disable it just for a test and see if the files get through.

Personally I don't believe it's the Meraki blocking the files, but I will never say never, so I wanted to investigate it before I told them it's not the firewall.

I'm probably asking stupid. But the Security Report, is that the one I find under "Security appliance" -> Security center?

PhilipDAth
Kind of a big deal

That is one of them.  The other is under Organisation.

Hi Philip,

I have gone under both Security appliance and organization, filtered everything to only blocked.

But I get nothing in the list. I would presume this means nothing has been blocked. If I filter "allowed" I get a lot of information 🙂

Ryan_C
Getting noticed

If you are working on an active issue and want to rule out the FW why not just disable AMP/IDS for the 3 min they are testing? See if the file goes through.

Not sure if you have done anything with bandwidth limits but I have seen that cause issues with uploads before.

PhilipDAth
Kind of a big deal

Just reading this again - your real issue is with FTP.

Meraki does not support active mode FTP. If you are trying to connect to the FTP server using active mode it will fail. You need to use passive mode, or a modern version of ftp - such as sftp or ftps (these need to be supported by the FTP server to work).

Hello Philip,

It was meant as an example. Sorry for the confusion.

I have got updated information regarding the issue.

Basically what happens is that our customer has an older version of Navision 2009, which generates a file ( EDN file ) which is then sent through Office 365 by Navision to an email address outside the organization.

So basically we use Office 365 from the inside, sending an email with a file attached to an email address.

I have tried to disable IPS & AMP as well.

I read somewhere I might need to allow Office 365? Is that true? Everything with Office 365 seems to work just fine.

best regards

Daniel

Ryan_C
Getting noticed

If you whitelist the client that is trying to send the file does it send? 

Ryan_C
Getting noticed

If you have disabled AMP and IDS and have whitelisted the client, the only other way this is a Meraki issue is a bandwidth issue. Here is what a whitelisted client will bypass: https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Blocking_and_Whitelisting_Client...

Whitelist

Applies the following settings to a client:

Hello Ryan_C

Thanks for the input.

I have now whitelisted the client. Just to make sure that is not an issue. Thanks a lot! Will keep you guys updated on what I find out regarding this.

I really appreciate you guys' input 🙂

best regards

Daniel

Hi Guys,

I have tried something else, maybe that could replicate my issue.

I logged on to their system and created a new file, filled it up with some data, and renamed it to test.EDN ( the file type Navision sends with )

Then I sent an email to another domain from their system, and I receive the email.

Wouldn't that conclude that the file type is NOT blocked by Meraki?

best regards

Daniel

Ryan_C
Getting noticed

Seems like you have ruled out the Meraki. This sounds more like an email issue. Not related to a Meraki forum but check if they are running advanced threat on 365 and/or other av/spam filtering.

Hi Ryan, will try and check that.

Do you guys know if I need to allow anything specific in the firewall regards to Office 365? I do not have any outgoing firewall rules or anything like that. I can also send emails and receive emails fine.

I only have defined port forwarding rules, but not for Office 365.

Best regards

Daniel

PhilipDAth
Kind of a big deal

There is nothing that you need to configure to allow any of the Office 365 suite of applications to work.

Hi Philips.

Thanks a lot for confirming.

My boss is very sceptical, and thinks it might still be the Meraki, but I really think I have ruled out everything related to the Meraki in this case.

I really appreciate all of your guys help 🙂

best regards

Daniel

PhilipDAth
Kind of a big deal

Try running whatever it is over a 4G circuit (perhaps hotspot it to a phone) and see if the same issue happens. I bet it will. Then it is 100% isolated.

Hi Philip,

How do you mean? If I test it on a 4g circuit, and it works, wouldn't that mean it's isolated to that it's the Meraki that's the problem? 🙂

best regards

Daniel

Hi guys,

Just wanted to give you an update on my issue.

I might have gotten very close to the issue.

I have figured out that it is an old script running on an old server 2003.

The script connects to an FTP ( Active ) Unsecured and uploads the files.

However, it does not work. Anyway, if I change it to passive mode, it works!

Going through the logs of the FTP transfer I find that it connects fine, and then times out. Searching for this issue, it seems there is a bug in the specific software version of WinSCP they are running that might cause this.

I will upgrade the software and try it out again.

best regards

Daniel
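
Added example, not part of the thread or of any Meraki or WinSCP code: the active versus passive distinction discussed above, read straight from an FTP control channel. The transcripts, addresses and the function names `data_channel` and `diagnose` are constructed for illustration; only the `PORT` command and `227` reply syntax come from the FTP standard (RFC 959).

```python
import ipaddress
import re

# Constructed FTP control-channel transcripts (RFC 959 syntax), not logs from the thread.
# ">" marks client commands, "<" marks server replies.
ACTIVE = """> USER upload
< 230 Logged in
> PORT 192,168,10,25,195,80
< 200 PORT command successful
> STOR test.EDN
< 425 Can't open data connection"""
PASSIVE = """> USER upload
< 230 Logged in
> PASV
< 227 Entering Passive Mode (203,0,113,10,234,96)
> STOR test.EDN
< 226 Transfer complete"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def data_channel(transcript):
    """Return (mode, ip, port) for the first data-channel negotiation found."""
    for line in transcript.splitlines():
        m = HOSTPORT.search(line)
        if not m:
            continue
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        endpoint = (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)  # port = p1*256 + p2
        if line.startswith("> PORT"):
            return ("active",) + endpoint    # server dials in to the client
        if line.startswith("< 227"):
            return ("passive",) + endpoint   # client dials out to the server
    return ("unknown", None, None)

def diagnose(transcript):
    """Say which side opens the data connection and whether NAT is in the way."""
    mode, ip, port = data_channel(transcript)
    if mode == "active":
        behind_nat = any(ipaddress.ip_address(ip) in net for net in RFC1918)
        note = "private address, not routable from the server" if behind_nat else "public address"
        return f"active: server connects in to {ip}:{port} ({note})"
    if mode == "passive":
        return f"passive: client connects out to {ip}:{port}"
    return "no PORT or PASV exchange found"

if __name__ == "__main__":
    print(diagnose(ACTIVE))
    print(diagnose(PASSIVE))
```

A control connection that logs in fine and then stalls at the first transfer, with a `PORT` line carrying an RFC 1918 address, points at the data channel rather than at file inspection.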
