I have MX75, wanted to block some IoT devices going out other than the port and IPs that needs to talk to their respective servers. There was limited logging on the MX itself on cloud so configured Syslog locally and collected the files and checked. Allowed the IPs and ports that it is trying to reach out and denied rest but IoT device failed to connect to the servers. Verified the syslog again it shows only hitting the same IP and ports. I'm not sure I can see all the denied traffic here as the logging messages all looks pretty basic even on Syslog. Syslog is enabled with roles for "Flows" "Security Events" "Appliance Event Log" not sure what else I need to turn on or where I can see more details on firewall deny's. Any one can shed some light what I'm missing would be really helpful.
This is how I do it - create a packet capture on the MX for "port 53". This will capture all DNS queries. Power cycle the IoT device. 99.9% of the time they do a DNS lookup for what they want to connect to. Create a firewall allowing that DNS entry.
I have also written a tool that can ingest a packet capture and automatically create a group policy with the required firewall rules to allow the device to work.
That is a good idea to packet capture on WAN for port 53. I went another route since I have Pi-hole I got the domain names from there. Tool looks promising hope I will get to use it soon in future. Thanks for sharing.
Get notified when there are additional replies to this discussion.
