Firewall log for MX84 Filtering ghost

SCTDD
Conversationalist

Firewall log for MX84 Filtering ghost

The event log for my MX84 shows a laptop blocked from URL Content filter at 2:30 am. Cameras confirm no one was here. I checked the laptop first thing in the morning and there was no internet history.

 

Any ideas?

4 Replies 4
Mloraditch
Kind of a big deal
Kind of a big deal

Is your network set to your correct time zone? If so, what type of client tracking are you using? If you use MAC tracking and have a layer 3 switch, your client data may be incorrect. You need to use IP tracking or if your layer 3 is Meraki Unique Client Identifier.

https://documentation.meraki.com/MX/Monitoring_and_Reporting/Client-Tracking_Options

If everything is set correctly for your environment, compare the mac of the client in the dashboard to the client you are checking. Client naming is not an exact science and you may not be looking at the right end device.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
SCTDD
Conversationalist

Thank you for the great suggestions. Time zone is correct. Using Unique Client Identifier. IP address option  is grayed out. The mac is the same. 

 

More info: This is my new Director. This is his old work laptop. He still has a few days and needs to use his vpn to connect to his old workplace. They are a sister organization to us, but we do not share networks in anyway.

PhilipDAth
Kind of a big deal
Kind of a big deal

Lots of things access the Internet on a machine besides users.

Brash
Kind of a big deal
Kind of a big deal

Unless the laptop was completely shut down, it's likely this is just background network connectivity on the laptop. At a worst case it could be malware connecting to a C2 server.

If you're particularly concerned, take a look at what it was trying to access at the time.

Get notified when there are additional replies to this discussion.