Hi All,

Two weeks ago we noticed a lot of (blocked) events under Network Wide / Event log / Security appliance related to one client accessing spyware URLs etc. The events were of the "Content filtering blocked URL" type. Mostly outbound traffic!!

Trying to get to that client has seemed impossible so far: no matter which event I select out of hundreds of those, if I click the client name the Dashboard cannot get info about it: "Sorry, we couldn't find that client. Please go back and try again."

Second approach: that client was also under Security center / MX summary / Most affected clients, and clicking on that client name there we get the IP and MAC address from our L3 switch. Under Security center / MX events, when clicking on the client we again receive the L3 switch MAC and an IP:port pair that seems to be changing every 2 or 3 days. Getting to that client once we got the IP was easy, but we never found any virus, malware etc., at least nothing relevant.

One given log entry at Nov 21 13:41 will show client XC09b557 ... and after a few days, that same entry (same day and time) shows a different client name.

AMP is doing a great job blocking that, but these events represent LAN traffic that we want to eliminate, and it must be based on some client equipment. So any ideas on how to locate the root of that traffic??

Thanks in advance

The reason I can think of why you are not getting the client details is if your client tracking option is set to use MAC address instead of IP address since the client is behind a layer 3 switch. Please find the link below for the doc regarding the Meraki Client Tracking Options.
If you are using a combined network then the IP address tracking is not available. You can uncombine the network to get that option.
It is recommended to use IP address tracking if your clients are behind a layer 3 device. If you can see details from other clients on the Network maybe its gateway IP is the MX.
The cloud track is recommended if your downstream layer 3 switch is also a Meraki. However, any change in the tracking option will reset your historical client usage statistics and there is no way to get around it for now.
Please hit kudos if you found this post helpful and/or click "accept as solution" if this solved your problem.