Firewall Logs

Solved
Bala1
Here to help

Firewall Logs

I have an MX75 and wanted to block some IoT devices from going out other than on the ports and IPs that need to talk to their respective servers. There was limited logging on the MX itself in the cloud, so I configured Syslog locally, collected the files and checked. I allowed the IPs and ports it is trying to reach and denied the rest, but the IoT device failed to connect to the servers. I verified the syslog again and it shows only hits on the same IPs and ports. I'm not sure I can see all the denied traffic here, as the logging messages all look pretty basic even in Syslog. Syslog is enabled with the roles "Flows", "Security Events" and "Appliance Event Log"; I'm not sure what else I need to turn on or where I can see more details on firewall denies. Anyone who can shed some light on what I'm missing would be really helpful.

1 Accepted Solution
RaphaelL
Kind of a big deal

Hi,

Just make sure that your 'Deny any any' rule is syslog enabled:

[Screenshot: RaphaelL_0-1689103250506.png]

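The accepted answer's point is that an MX only writes a "flows" syslog record for a denied connection when the deny rule itself has syslog logging turned on; once it does, the denied destinations the IoT device is actually hitting show up beside the allowed ones. The script below is an added example (not code from the thread or from Meraki) that filters such records for one source host and counts the denied destination/protocol/port tuples, which is exactly the list the original poster needed to complete the allow rules. The sample lines are constructed to follow the documented shape of MX flow records (`flows src=... dst=... protocol=... sport=... dport=... pattern: allow|deny ...`); the device name, addresses and MACs are made up.

```python
"""Extract denied flows for one source host from Meraki MX 'flows' syslog records.

Added example: the sample records below are constructed in the documented MX
flow-log shape; they are not captured from a real appliance.
"""
import re
from collections import Counter

# Constructed sample syslog (one IoT device at 192.168.10.42, one other host).
SAMPLE_SYSLOG = """\
1689103250.100000 MX75 flows src=192.168.10.42 dst=52.10.20.30 mac=AA:BB:CC:DD:EE:01 protocol=tcp sport=51234 dport=443 pattern: allow all
1689103250.200000 MX75 flows src=192.168.10.42 dst=34.200.1.2 mac=AA:BB:CC:DD:EE:01 protocol=tcp sport=51235 dport=8883 pattern: deny all
1689103250.300000 MX75 flows src=192.168.10.42 dst=192.168.10.1 mac=AA:BB:CC:DD:EE:01 protocol=udp sport=5353 dport=53 pattern: allow all
1689103251.400000 MX75 flows src=192.168.10.42 dst=34.200.1.2 mac=AA:BB:CC:DD:EE:01 protocol=tcp sport=51236 dport=8883 pattern: deny all
1689103251.500000 MX75 flows src=192.168.10.42 dst=23.45.67.89 mac=AA:BB:CC:DD:EE:01 protocol=udp sport=40001 dport=123 pattern: deny all
1689103251.600000 MX75 flows src=192.168.10.77 dst=34.200.1.2 mac=AA:BB:CC:DD:EE:02 protocol=tcp sport=44444 dport=8883 pattern: deny all
1689103251.700000 MX75 urls src=192.168.10.42:51240 dst=93.184.216.34:80 mac=AA:BB:CC:DD:EE:01 request: GET http://example.com/
"""

# One regex for the 'flows' role; records from other roles (urls, events) will not match.
FLOW_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<dev>\S+) flows "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) mac=(?P<mac>\S+) "
    r"protocol=(?P<proto>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+) "
    r"pattern: (?P<verdict>allow|deny) (?P<rule>.*)$"
)


def parse_flows(text):
    """Yield one dict per 'flows' record; lines from other syslog roles are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def denied_destinations(text, src_ip):
    """Count (dst, proto, dport) tuples the MX denied for one source host.

    Deny records only exist if the matching deny rule has syslog enabled;
    an empty result for a device that is failing to connect usually means
    the rule is not logging, not that nothing was blocked.
    """
    counts = Counter()
    for rec in parse_flows(text):
        if rec["src"] == src_ip and rec["verdict"] == "deny":
            counts[(rec["dst"], rec["proto"], rec["dport"])] += 1
    return counts


if __name__ == "__main__":
    denied = denied_destinations(SAMPLE_SYSLOG, "192.168.10.42")
    for (dst, proto, dport), n in denied.most_common():
        print(f"{n:3d}x  {proto}/{dport:<5} -> {dst}")
```

Run it against the real syslog file (`denied_destinations(open(path).read(), device_ip)`) after enabling logging on the deny rule; each tuple it reports is a candidate for an explicit allow rule, and anything unexpected is worth investigating before it is allowed.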
6 Replies
This really helped with the deny rule I had to see in Syslog and was able to fix it. Thank you for your help.

 

RaphaelL
Kind of a big deal

You are welcome! Glad you solved your issues.

Bala1
Here to help

Thanks for the quick response. Let me check that.

PhilipDAth
Kind of a big deal

This is how I do it - create a packet capture on the MX for "port 53".  This will capture all DNS queries.  Power cycle the IoT device.  99.9% of the time they do a DNS lookup for what they want to connect to.  Create a firewall rule allowing that DNS entry.

 

I have also written a tool that can ingest a packet capture and automatically create a group policy with the required firewall rules to allow the device to work.

https://www.ifm.net.nz/cookbooks/meraki-sas.html 
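The procedure above (capture port 53, power cycle the device, read off the names it resolves, allow those) is a least-privilege egress workflow: the DNS questions are the device's own declaration of what it needs to reach. The code below is an added example, not the tool linked above and not Meraki code, that does the middle step offline: it decodes the question section of raw DNS query payloads (as you would pull them from the UDP payloads of a port-53 capture), ignores responses, dedupes the names and emits illustrative allow-rule entries. The `build_query` helper exists only to construct sample payloads; the hostnames and the rule dictionary shape are made up for the example and are not a Meraki API schema.

```python
"""Recover the hostnames an IoT device resolves from captured DNS query payloads
and turn them into an allowlist.  Added example; sample data is constructed.
"""
import struct


def encode_name(name):
    """Encode 'a.b.c' as DNS wire labels: <len><label>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Build a plain DNS query (header + one question). Used only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QR clear
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Decode a (possibly compressed) name at offset; return (name, offset after it)."""
    labels, jumped, end, seen = [], False, None, set()
    while True:
        if offset in seen:  # guard against pointer loops in malformed packets
            raise ValueError("compression loop")
        seen.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, ptr
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


QTYPES = {1: "A", 28: "AAAA"}


def queried_names(payload):
    """Return (name, qtype) pairs from a query's question section; responses yield []."""
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:  # QR bit set: a response, not something the device asked for
        return []
    names, off = [], 12
    for _ in range(qdcount):
        name, off = decode_name(payload, off)
        qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        names.append((name, QTYPES.get(qtype, str(qtype))))
    return names


def allowlist(payloads):
    """Sorted unique FQDNs across all captured query payloads."""
    return sorted({name for p in payloads for name, _ in queried_names(p)})


def rules_for(fqdns, ports=("443",)):
    """One allow entry per FQDN/port. Shape is illustrative, not a Meraki API schema."""
    return [{"policy": "allow", "protocol": "tcp", "dest": f, "destPort": p}
            for f in fqdns for p in ports]


# Constructed capture: UDP payloads a device might send right after a power cycle.
SAMPLE_QUERIES = [
    build_query("mqtt.example-iot.com"),
    build_query("time.example-iot.com", qtype=28),
    build_query("mqtt.example-iot.com"),          # repeat lookups collapse to one name
    build_query("fw-update.example-iot.com"),
]

if __name__ == "__main__":
    for rule in rules_for(allowlist(SAMPLE_QUERIES), ports=("443", "8883")):
        print(rule)
```

The response check matters in practice: a capture filter of "port 53" returns answers as well as questions, and an answer's question section merely echoes the query, so skipping QR=1 avoids double counting without losing any name. Review the resulting list before creating rules; a name the device resolves is evidence it wants to talk there, not yet a decision that it should.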

That is a good idea to packet capture on WAN for port 53. I went another route: since I have Pi-hole, I got the domain names from there. The tool looks promising; I hope I will get to use it soon in the future. Thanks for sharing.
