So I have a policy object group that contains 2 domains (*.vendor.com, *.vendor.net); this group is linked to an allow L3 firewall rule.
I have a server that requires access to prod1.vendor.net attached to the allow rule, but the rule does not seem to be taking effect: in my syslog server I see deny hits, and it is the IP address of prod1.vendor.net. What is the process that Meraki uses to resolve DNS names to the wildcard rules? Other rules that use wildcards work just fine, but this one does not. I have recreated the rule and still have issues.
Note that the FQDN rules work by intercepting DNS queries for the domain.
If you access the domain so it is cached on the machine, and then create a rule, it won't take effect because your machine won't perform another DNS query that the MX can see until your existing cached entry has expired.
You may need to flush your DNS cache when creating new rules to make them take effect immediately.
Some DNS entries have very short TTLs, like 10s. Rules using these often don't work, or work poorly.
Have you tried to allow on Content filtering?
It works if I remove the deny L3 rule for the server, so it's more like the Meraki is having issues with the DNS name.
Probably your rule is configured wrong, or some ports were not allowed.
Does it work if you just put the FQDN in the firewall rules?
Same result. It is live so I had to roll it back, but I am testing now using allow rules and logging to the syslog server:
First rule is the group
2nd is just the FQDN
3rd is the IP
The strange thing is that it logs just 2 times for the allow rule on the first one and then nothing, although I see more traffic when I look at the flow, so the DNS is resolving.
Thanks, this makes sense with my intermittent issues. I did some digging, and the VLAN that the server is on has a static route configured for the DNS server on a different subnet, and that other subnet is using the L3 switch to reply, going around the Meraki. Unfortunately, to fix this there will probably be downtime while I cut over the VLAN from the L3 switch to the firewall. I was hoping I could build the VLAN with a different gateway, trunk the VLAN to the Meraki, cut over the gateway on the DNS servers from the core, and remove the static route, but it won't let me build the new VLAN because it overlaps with the static route (as expected). I will probably just wait until after hours and make the changes.
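To make the mechanism in the accepted answer and the root cause in the last post concrete, here is an added toy model (not Meraki's code, and not anything posted in this thread) of an FQDN-based L3 rule: the firewall only learns which IPs belong to `*.vendor.net` from DNS replies that actually cross it, keeps each learned IP for the answer's TTL, and sends everything else to the default deny. The scenarios reproduce the four failure modes discussed: a reply that bypasses the MX via the L3 switch, a client whose cache was already warm when the rule was created, a 10-second TTL, and a non-matching name. The wildcard semantics (case-insensitive `fnmatch`, so `*.vendor.net` matches `prod1.vendor.net` but not the bare apex), the expiry-on-TTL rule, and all IPs and TTLs are assumptions constructed for the example.

```python
# Added illustration, not Meraki code: a toy model of FQDN-based L3 firewall rules
# that learn destination IPs by watching DNS replies pass through the firewall.
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DnsReply:
    """One A-record answer, as the firewall would (or would not) see it."""
    name: str
    ip: str
    ttl: int          # seconds the client may cache the answer
    via_mx: bool      # True if the reply crossed the MX; False if it went around it


class FqdnRuleSet:
    """Allow traffic to IPs learned from DNS replies matching the rule's wildcards.

    Assumptions (not documented Meraki behaviour): case-insensitive fnmatch, so
    '*.vendor.net' matches 'prod1.vendor.net' and not 'vendor.net'; a learned IP
    lapses when the answer's TTL does; unlearned IPs fall to the default action.
    """

    def __init__(self, patterns: List[str], default: str = "deny") -> None:
        self.patterns = [p.lower() for p in patterns]
        self.default = default
        self.learned: Dict[str, Tuple[str, int]] = {}  # ip -> (fqdn, expiry time)

    def matches(self, fqdn: str) -> Optional[str]:
        """Return the first wildcard pattern the name matches, else None."""
        fqdn = fqdn.lower().rstrip(".")
        for pat in self.patterns:
            if fnmatch(fqdn, pat):
                return pat
        return None

    def observe(self, reply: DnsReply, now: int) -> bool:
        """Learn from a DNS reply; True if the IP was (re)learned."""
        if not reply.via_mx:          # reply bypassed the MX: nothing to intercept
            return False
        if self.matches(reply.name) is None:
            return False
        self.learned[reply.ip] = (reply.name, now + reply.ttl)
        return True

    def decide(self, dst_ip: str, now: int) -> str:
        """Verdict for a flow to dst_ip at time now."""
        entry = self.learned.get(dst_ip)
        if entry is not None and now < entry[1]:
            return "allow"
        return self.default


def run_scenarios() -> Dict[str, str]:
    """Constructed scenarios mirroring the thread; IPs and TTLs are made up."""
    group = ["*.vendor.com", "*.vendor.net"]
    results: Dict[str, str] = {}

    # 1. Normal path: the reply crosses the MX and traffic follows within the TTL.
    fw = FqdnRuleSet(group)
    fw.observe(DnsReply("prod1.vendor.net", "203.0.113.10", ttl=300, via_mx=True), now=0)
    results["reply_seen_by_mx"] = fw.decide("203.0.113.10", now=60)

    # 2. The thread's root cause: the DNS server is reached via a static route on
    #    the L3 switch, so its reply never crosses the MX and the IP is never learned.
    fw2 = FqdnRuleSet(group)
    fw2.observe(DnsReply("prod1.vendor.net", "203.0.113.10", ttl=300, via_mx=False), now=0)
    results["reply_bypasses_mx"] = fw2.decide("203.0.113.10", now=60)

    # 3. Client cache already warm when the rule was created: no new query is
    #    visible until the cache is flushed, then the rule starts working.
    fw3 = FqdnRuleSet(group)
    results["client_cache_warm"] = fw3.decide("203.0.113.10", now=60)
    fw3.observe(DnsReply("prod1.vendor.net", "203.0.113.10", ttl=300, via_mx=True), now=61)
    results["after_flush"] = fw3.decide("203.0.113.10", now=62)

    # 4. Short TTL (10 s): the learned entry lapses before the connection is made.
    fw4 = FqdnRuleSet(["*.vendor.net"])
    fw4.observe(DnsReply("prod1.vendor.net", "203.0.113.10", ttl=10, via_mx=True), now=0)
    results["short_ttl_within"] = fw4.decide("203.0.113.10", now=5)
    results["short_ttl_expired"] = fw4.decide("203.0.113.10", now=15)

    # 5. A name outside the group is never learned even when its reply is seen.
    fw4.observe(DnsReply("cdn.example.org", "198.51.100.7", ttl=300, via_mx=True), now=0)
    results["non_matching_name"] = fw4.decide("198.51.100.7", now=1)
    return results


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:20s} -> {verdict}")
```

Scenario 2 is why moving the DNS server's VLAN behind the MX (or otherwise making client DNS traffic traverse it) is the fix rather than rewriting the rule; scenario 4 is why an IP-based allow is the safer choice for names with very short TTLs.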