cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to find out what is hitting a deny rule on the MX

SOLVED
Here to help

How to find out what is hitting a deny rule on the MX

Hi,

I've got a deny outbound rule set up on my MX and something is hitting it fairly often. Destination is the IP address and I'd like to know what device is trying to connect to that specific IP. How can I find this information?

Also, how can I view all denied traffic on the MX?

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Kind of a big deal

Re: How to find out what is hitting a deny rulle on the MX

You can see the connections being made through the box via Syslog. There's no way to view this information through the dashboard, only via external logging. 

View solution in original post

6 REPLIES 6
Kind of a big deal

Re: How to find out what is hitting a deny rulle on the MX

You can see the connections being made through the box via Syslog. There's no way to view this information through the dashboard, only via external logging. 

View solution in original post

Highlighted
Kind of a big deal

Re: How to find out what is hitting a deny rulle on the MX

Either syslog like @jdsilva says, or leave a packet capture running for a while and you might get lucky.

Here to help

Re: How to find out what is hitting a deny rulle on the MX

Wow, I can't believe such as a basic firewall feature is missing! How can we troubleshoot firewall rules?
Meraki Employee

Re: How to find out what is hitting a deny rulle on the MX

Hey Kristof,

 

I would say your best bet when investigating this type of things is carrying out a quick packet capture, filtering by the destination IP that you have restricted, on the LAN side of the MX. 

This should allow you to pinpoint the IP addresses attempting to access that destination.

 

Meraki Insight might help a bit more in helping you track down what is happening.

 

I would say, however, if you think you'd like to view this type of information more easily on Dashboard, send a request via the Make a Wish button as it might be a feature that more customers are interested in and our engineering team will definitely put it on the table.

 

Thanks!

 

Giacomo

 

 

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!
Getting noticed

Re: How to find out what is hitting a deny rulle on the MX

I think the point being made here is that Meraki customers are getting tired of discovering very basic functionality that is missing.  Something as basic as displaying the source of denied traffic should absolutely be included in any security appliance.  This isn't something that should need to be "wished".

 

Tracking down denied traffic is necessary for mitigating possible security issues.  a security appliance should include the ability to display this very basic information.

Zane D - IT Manager in Sin City NV
Meraki Employee

Re: How to find out what is hitting a deny rulle on the MX

Hey @ZDonaldson

 

 

Thank you for your valuable feedback and I'm sorry to hear you are not very happy with the lack of some functionality. 

 

Meraki tends to be a very customer-centric company and that's why we normally try and encourage people to make the requests via the Make a Wish button. These get actually read and prioritised based on the amount of people that are requesting them. I know finding a feature you deem basic missing can be very frustrating, but we have various types of different industries using our products and a also a number of people that are not technical but still have to manage a network; some customers are not  really interested at all in going "in depth" on who is doing what in their network and what we see as crucial is different for them. 

 

On a personal level, being a bit of a security control freak,  I tend to agree with you and say that seeing who's being blocked is quite crucial to ensure the appropriate conversations are had with the abusing people. I perceive we have done some progress in this regard with the Security centre, which gives details on what is going when there is security breaches and malware issues. This feature could be expanded to cover firewall rules as well, but the only way to get this on the radar is to flag a need for it. 

 

I think the best way to interact with Meraki is don't get frustrated, but make your voice heard as we definitely listen 🙂

 

Thanks!

 

Giacomo

 

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.