Ghost Client? Malware?

MAG
Here to help


Hi All,

Two weeks ago we noticed a lot of (blocked) events under Network-wide / Event log / Security appliance related to one client accessing spyware URLs etc. The events were of the "Content filtering blocked URL" type, mostly outbound traffic!

Trying to get to that client has seemed impossible so far: no matter which event I select out of hundreds of those, if I click the client name the Dashboard cannot get info about it: "Sorry, we couldn't find that client. Please go back and try again."

Second approach: that client was also listed under Security center / MX summary / Most affected clients, and clicking on the client name there we get the IP and MAC address of our L3 switch. Under Security center / MX events, when clicking on the client we again receive the L3 switch MAC and an IP:port pair that seems to change every 2 or 3 days. Getting to that client once we had the IP was easy, but we never found any virus, malware, etc., at least nothing relevant. One given log entry at Nov 21 13:41 will show client XC09b557 ... and after a few days that same entry (same day and time) shows a different client name.

AMP is doing a great job blocking that, but these events represent LAN traffic that we want to eliminate, and it must be coming from some client equipment. So, any ideas on how to locate the root of that traffic?

Thanks in advance
3 Replies
DensyoV
Meraki Employee

Hi,
The reason I can think of for why you are not getting the client details is that your client tracking option is set to use MAC address instead of IP address, since the client is behind a layer 3 switch. Please find the link below for the doc regarding the Meraki Client Tracking Options.

https://documentation.meraki.com/MX/Monitoring_and_Reporting/Client_Tracking_Options

Hope this helps.

Please hit kudos if you found this post helpful and/or click "accept as solution" if this solved your problem.
MAG
Here to help

Hi,

Client tracking is set to MAC indeed, but honestly I do not think that would be the reason, since I can see details from any other client on the network.
IP tracking is not available on that precise network.
I considered setting that to Cloud tracking, but since that change resets all the network statistics it is not the way to go for now.

Any other ideas?
Thanks

DensyoV
Meraki Employee

Hi,
If you are using a combined network, then IP address tracking is not available. You can uncombine the network to get that option.

It is recommended to use IP address tracking if your clients are behind a layer 3 device. If you can see details from other clients on the network, maybe their gateway IP is the MX.

Cloud tracking is recommended if your downstream layer 3 switch is also a Meraki. However, any change in the tracking option will reset your historical client usage statistics, and there is no way to get around that for now.

Thanks,
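As an added illustration (not code from this thread or from Meraki), the Python script below models the attribution problem described in the replies: with MAC-based tracking the MX reports the L3 switch's MAC for every routed host, so the source IP in each security event has to be matched against ARP snapshots taken on the switch around the same time to recover the real endpoint, even when that endpoint's DHCP address changes every few days. The switch MAC, event records and ARP tables are constructed placeholders.

```python
from collections import Counter

# Constructed sample data (not a real dashboard export). With MAC-based
# client tracking, every host routed through the L3 switch is reported
# under the switch's MAC, so only the source IP identifies the real host.
L3_SWITCH_MAC = "00:11:22:33:44:55"  # placeholder switch MAC

# (timestamp, client MAC as reported by the MX, src IP:port); all are
# "Content filtering blocked URL" events. Constructed, not real.
EVENTS = [
    ("2023-11-19 08:02", L3_SWITCH_MAC, "10.20.5.17:50110"),
    ("2023-11-21 13:41", L3_SWITCH_MAC, "10.20.5.17:51234"),
    ("2023-11-22 09:05", L3_SWITCH_MAC, "10.20.5.17:51990"),
    ("2023-11-24 16:12", L3_SWITCH_MAC, "10.20.5.42:40211"),
    ("2023-11-24 16:30", "aa:bb:cc:dd:ee:99", "10.20.1.8:44000"),
]

# Constructed ARP snapshots from the L3 switch, keyed by capture date in
# ISO format (so plain string comparison orders them). The host with MAC
# ...ee:01 keeps its MAC while its DHCP address changes between captures.
ARP_SNAPSHOTS = {
    "2023-11-21": {"10.20.5.17": "aa:bb:cc:dd:ee:01", "10.20.5.30": "aa:bb:cc:dd:ee:02"},
    "2023-11-24": {"10.20.5.42": "aa:bb:cc:dd:ee:01", "10.20.5.17": "aa:bb:cc:dd:ee:02"},
}


def snapshot_for(day):
    """Return the most recent ARP snapshot captured on or before `day`."""
    usable = [d for d in ARP_SNAPSHOTS if d <= day]
    return ARP_SNAPSHOTS[max(usable)] if usable else {}


def resolve_endpoint(event):
    """Map one MX event to the MAC of the host that really sent it.
    Returns None when no ARP snapshot covers the event's date."""
    timestamp, reported_mac, src = event
    if reported_mac != L3_SWITCH_MAC:
        return reported_mac  # MX saw this host directly, MAC is trustworthy
    ip = src.rsplit(":", 1)[0]  # drop the ephemeral source port
    return snapshot_for(timestamp[:10]).get(ip)


def attribute_events(events):
    """Count blocked events per real endpoint MAC ('unresolved' if unknown)."""
    counts = Counter()
    for event in events:
        counts[resolve_endpoint(event) or "unresolved"] += 1
    return counts
```

Feeding the sample data through `attribute_events` shows all three IP-changing events collapsing onto one endpoint MAC, which is the host worth investigating; events with no matching ARP capture stay unresolved rather than being guessed.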