Firewall Logs

Solved
Bala1
Here to help

Firewall Logs

I have MX75, wanted to block some IoT devices going out other than the port and IPs that needs to talk to their respective servers. There was limited logging on the MX itself on cloud so configured Syslog locally and collected the files and checked. Allowed the IPs and ports that it is trying to reach out and denied rest but IoT device failed to connect to the servers. Verified the syslog again it shows only hitting the same IP and ports. I'm not sure I can see all the denied traffic here as the logging messages all looks pretty basic even on Syslog.  Syslog is enabled with roles for "Flows" "Security Events" "Appliance Event Log" not sure what else I need to turn on or where I can see more details on firewall deny's. Any one can shed some light what I'm missing would be really helpful.

1 Accepted Solution
RaphaelL
Kind of a big deal
Kind of a big deal

Hi ,

 

Just make sure that your 'Deny any any' rule is syslog enabled :

 

RaphaelL_0-1689103250506.png

 

View solution in original post

6 Replies 6
RaphaelL
Kind of a big deal
Kind of a big deal

Hi ,

 

Just make sure that your 'Deny any any' rule is syslog enabled :

 

RaphaelL_0-1689103250506.png

 

Bala1
Here to help

This really helped with the deny rule I had to see in Syslog and was able to fix it. Thank you for your help.

 

RaphaelL
Kind of a big deal
Kind of a big deal

You are welcome ! Glad you solved your issues

Bala1
Here to help

Thanks for the quick response. Let me check that.

PhilipDAth
Kind of a big deal
Kind of a big deal

This is how I do it - create a packet capture on the MX for "port 53".  This will capture all DNS queries.  Power cycle the IoT device.  99.9% of the time they do a DNS lookup for what they want to connect to.  Create a firewall allowing that DNS entry.

 

I have also written a tool that can ingest a packet capture and automatically create a group policy with the required firewall rules to allow the device to work.

https://www.ifm.net.nz/cookbooks/meraki-sas.html 

Bala1
Here to help

That is a good idea to packet capture on WAN for port 53. I went another route since I have Pi-hole I got the domain names from there. Tool looks promising hope I will get to use it soon in future. Thanks for sharing.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels