FQDN in MX Firewall Rules Fails Resolution with Umbrella Clients

Brash
Kind of a big deal

Since rolling out Umbrella integration with Meraki, we have encountered issues with the MX-Umbrella SIG tunnels, primarily around user performance. This is anything from delayed opening of web pages, web pages suddenly timing out, and Outlook clients intermittently failing to fetch or send mail. This issue is not seen when the endpoints have the Umbrella client installed.

We've finally made the call to scratch the SIG tunnel integration and instead migrate all managed endpoints to use the Umbrella client.

As a side effect, however, all DNS traffic from the endpoints is now encrypted, and therefore FQDNs used in MX firewall rules are not resolving (as the MX is unable to snoop the DNS query/response).

I'm having trouble reconciling this, as Meraki and Umbrella are often sold together as a SASE solution, but the MX's inability to perform its own lookups for FQDNs in firewall rules means the two products don't seem to be fully compatible.

Just wondering if anyone else out there has encountered this and/or found a nice way to work around this issue.

4 Replies
RWelch
Kind of a big deal

I've not had this but am curious what MX firmware you are using, because not all of them are equal when it comes to DNS (IMO). Yes, I get that Umbrella adds another dynamic to the equation.

Hope you can nail down the issue. I'm sure if you are seeing/noticing it, others are as well.

Brash
Kind of a big deal

The MXs are running 18.211.6.

For the Umbrella SIG integration we worked with support but couldn't produce reliable data to prove where the issue was (local MX, Umbrella VMX instance, Umbrella backend, etc.). Hence we gave up on it and put the client everywhere instead. I suspect the Secure Client version of the integration (without the VMXs) works far better, but it was not feasible for us to deploy (and has additional costs).

For the FQDNs, it appears to be expected behaviour according to the docs, but it is a frustrating outcome when Umbrella is involved.

"FQDN-based L3 firewall rules are implemented based on snooping DNS traffic. When a client device attempts to access a web resource, the MX will track the DNS requests and response to learn the IP of the web resource returned to the client device. "

"MX will not be able to snoop TCP-based or encrypted DNS traffic."

MX Firewall Settings - Cisco Meraki Documentation

I'm quietly hoping someone else has found a way around this, or that there's a secret backend feature to enable the MX doing its own lookups of the FQDNs. 😅
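The quoted doc text above describes the snooping mechanism in one sentence; the following is an added example (not code from the thread, Meraki or Umbrella) that models it so the failure mode is concrete. It builds a constructed plaintext DNS response for example.com, shows what a snooping firewall can learn from a UDP/53 flow, and then shows that the same lookup carried inside a TLS record (DoH, as the Umbrella client does) teaches the firewall nothing, so an FQDN rule for that name never matches the client's subsequent connection. The IP address, the "firewall" logic and the flow tuples are all sample data and a simplified model, not the MX's implementation.

```python
import ipaddress
import struct

# Constructed sample: a plaintext DNS response for example.com with one A record.
# The IP is the documentation address for example.com; it is sample data, not a
# claim about what Umbrella or the MX would return.
SNOOPED_FQDN = "example.com"
SNOOPED_IPS = ["93.184.216.34"]


def build_dns_response(name: str, ips: list[str], txid: int = 0x1234) -> bytes:
    """Build a minimal wire-format DNS response (one question, N A records)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)  # QR=1, RD, RA
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def snoop_a_records(msg: bytes) -> dict[str, set[str]]:
    """What a DNS-snooping firewall learns from one plaintext response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:  # a query carries no answers to learn from
        return {}
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(msg, offset)
        offset += 4  # skip QTYPE + QCLASS
    learned: dict[str, set[str]] = {}
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            learned.setdefault(name, set()).add(str(ipaddress.IPv4Address(rdata)))
    return learned


def snoop_flows(flows) -> dict[str, set[str]]:
    """flows: iterable of (proto, dst_port, payload). Only UDP/53 is inspectable;
    DoH (TLS on 443) and DoT (853) are opaque and contribute nothing."""
    learned: dict[str, set[str]] = {}
    for proto, port, payload in flows:
        if proto == "udp" and port == 53:
            for name, ips in snoop_a_records(payload).items():
                learned.setdefault(name, set()).update(ips)
    return learned


def fqdn_rule_matches(rule_fqdn: str, dst_ip: str, learned: dict[str, set[str]]) -> bool:
    """An FQDN rule can only match IPs the firewall has seen resolve for that name."""
    return dst_ip in learned.get(rule_fqdn, set())


def compare_plaintext_vs_doh() -> tuple[bool, bool]:
    """Returns (rule matches with plaintext DNS, rule matches with encrypted DNS)."""
    response = build_dns_response(SNOOPED_FQDN, SNOOPED_IPS)
    plaintext_flows = [("udp", 53, response),
                       ("tcp", 443, b"<client connection to 93.184.216.34>")]
    # With the Umbrella client the same answer travels inside a TLS record to the
    # resolver; all a snooping firewall sees is ciphertext (constructed opaque bytes).
    encrypted_flows = [("tcp", 443, b"\x17\x03\x03\x00\x40" + bytes(64)),
                       ("tcp", 443, b"<client connection to 93.184.216.34>")]
    plaintext = fqdn_rule_matches(SNOOPED_FQDN, SNOOPED_IPS[0], snoop_flows(plaintext_flows))
    encrypted = fqdn_rule_matches(SNOOPED_FQDN, SNOOPED_IPS[0], snoop_flows(encrypted_flows))
    return plaintext, encrypted


if __name__ == "__main__":
    print(compare_plaintext_vs_doh())  # (True, False)
```

The same model explains the doc's note about TCP-based DNS: a snooping firewall that only parses UDP/53 datagrams also learns nothing from a truncated-and-retried lookup over TCP/53, even though that one is plaintext.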

PhilipDAth
Kind of a big deal

If you are using the Secure Client Umbrella module to send all web traffic to Umbrella - you'll need to implement the FQDN rules in Umbrella.

GIdenJoe
Kind of a big deal

Is the MX the only firewall that does not use its own lookup? Most firewalls I've seen work just fine by doing their own lookups. Might be a good idea to implement this on the MX too. Too many rules I have need to be doubled up by adding the IPs from the responses I do myself.
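The "do the lookups yourself and add the IPs" workaround mentioned in the reply above can be scripted rather than done by hand. The following is an added example, not code from the thread or from Meraki: it resolves a list of FQDNs, turns each into an IP-based rule in the field layout of the Meraki Dashboard API's L3 firewall rules (that layout, and the comma-separated destCidr form, are assumptions to check against the current API reference), and reports which rules changed since the last run so it can be scheduled. The answers used here are constructed so the script runs offline; a real run would use system_resolver. The important caveat is in the resolver docstring: the IPs pinned are only as good as the resolver the script uses, so run it from a host that resolves through Umbrella like the clients do, re-run it at least as often as the records' TTLs, and expect CDN-backed names (which answer with a different subset of IPs per query) to remain lossy.

```python
import ipaddress
import json
import socket
from typing import Callable, Iterable

# A resolver maps an FQDN to the set of IP strings it currently resolves to.
Resolver = Callable[[str], set[str]]


def system_resolver(fqdn: str) -> set[str]:
    """Resolve with the host's configured DNS. Assumption: the host running this
    script uses the same resolver (e.g. Umbrella) as the clients; otherwise the
    IPs you pin may differ from the ones the clients actually connect to."""
    return {sockaddr[0] for *_, sockaddr in socket.getaddrinfo(fqdn, None)}


def resolve_all(fqdns: Iterable[str], resolver: Resolver = system_resolver) -> dict[str, set[str]]:
    """Resolve every name; a failed lookup yields an empty set, never a stale guess."""
    resolved: dict[str, set[str]] = {}
    for fqdn in fqdns:
        try:
            resolved[fqdn] = resolver(fqdn)
        except OSError:  # NXDOMAIN, timeout, no route to resolver
            resolved[fqdn] = set()
    return resolved


def to_cidrs(ips: Iterable[str]) -> str:
    """Host CIDRs (/32 or /128), IPv4 first, sorted, comma-joined (assumed destCidr form)."""
    nets = sorted((ipaddress.ip_network(ip) for ip in ips),
                  key=lambda n: (n.version, int(n.network_address)))
    return ",".join(str(n) for n in nets)


def to_l3_rules(resolved: dict[str, set[str]], dest_port: str,
                policy: str = "allow", protocol: str = "tcp") -> list[dict]:
    """One IP-based rule per FQDN, in the assumed l3FirewallRules field layout.
    Names that resolved to nothing produce no rule rather than a broken one."""
    rules = []
    for fqdn in sorted(resolved):
        if not resolved[fqdn]:
            continue
        rules.append({
            "comment": f"{fqdn} (IPs resolved by script; refresh on a schedule)",
            "policy": policy,
            "protocol": protocol,
            "srcCidr": "Any",
            "srcPort": "Any",
            "destCidr": to_cidrs(resolved[fqdn]),
            "destPort": dest_port,
            "syslogEnabled": False,
        })
    return rules


def diff_rules(current: list[dict], desired: list[dict]) -> dict[str, list[str]]:
    """Report drift between the rules pushed last time and the freshly resolved set."""
    cur = {r["comment"]: r["destCidr"] for r in current}
    new = {r["comment"]: r["destCidr"] for r in desired}
    return {
        "added": sorted(c for c in new if c not in cur),
        "changed": sorted(c for c in new if c in cur and cur[c] != new[c]),
        "removed": sorted(c for c in cur if c not in new),
    }


# Constructed answers (documentation address ranges) so the example runs offline.
FAKE_ANSWERS = {
    "mail.example.com": {"203.0.113.11", "203.0.113.10"},
    "portal.example.com": {"2001:db8::1", "198.51.100.5"},
    "gone.example.com": set(),
}


def fake_resolver(fqdn: str) -> set[str]:
    return FAKE_ANSWERS[fqdn]


def build_example_rules() -> list[dict]:
    return to_l3_rules(resolve_all(FAKE_ANSWERS, fake_resolver), dest_port="443")


if __name__ == "__main__":
    print(json.dumps({"rules": build_example_rules()}, indent=2))
```

The output is the body you would hand to the Dashboard API (or paste into the firewall page); the diff is what a scheduled run should log so that an IP change at the far end does not silently turn into blocked mail or a rule that now allows traffic to an address the name no longer owns.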
