How to find out what is hitting a deny rule on the MX

SOLVED
Kristof
Here to help


Hi,

I've got a deny outbound rule set up on my MX and something is hitting it fairly often. Destination is the IP address and I'd like to know what device is trying to connect to that specific IP. How can I find this information?

Also, how can I view all denied traffic on the MX?

Thanks

1 ACCEPTED SOLUTION
jdsilva
Kind of a big deal

You can see the connections being made through the box via Syslog. There's no way to view this information through the dashboard, only via external logging. 


PhilipDAth
Kind of a big deal

Either syslog like @jdsilva says, or leave a packet capture running for a while and you might get lucky.
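The syslog approach suggested in this thread, as an added example that is not part of any reply here and is not Meraki code: a small Python parser that answers both of the original questions from flow log lines collected on the syslog server. The line layout (`flows`, `src=`, `dst=`, `mac=`, trailing `pattern:` whose first word is the action) is an assumption, and the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample input; the line layout is an assumption. Compare it with
# what your MX actually sends to the syslog server before relying on it.
SAMPLE = """\
1546300800.1 MX_lab flows src=192.168.10.21 dst=203.0.113.50 mac=00:11:22:33:44:21 protocol=tcp sport=50122 dport=443 pattern: deny all
1546300801.2 MX_lab flows src=192.168.10.34 dst=198.51.100.7 mac=00:11:22:33:44:34 protocol=udp sport=51000 dport=53 pattern: allow all
1546300802.3 MX_lab flows src=192.168.10.21 dst=203.0.113.50 mac=00:11:22:33:44:21 protocol=tcp sport=50123 dport=443 pattern: deny all
1546300803.4 MX_lab flows src=192.168.10.77 dst=203.0.113.50 mac=00:11:22:33:44:77 protocol=tcp sport=49800 dport=443 pattern: deny all
1546300804.5 MX_lab flows src=192.168.10.34 dst=198.51.100.9 mac=00:11:22:33:44:34 protocol=tcp sport=51001 dport=25 pattern: deny all
1546300805.6 MX_lab urls src=192.168.10.21:50200 dst=198.51.100.7:80 mac=00:11:22:33:44:21 request: GET http://example.com/
1546300806.7 MX_lab flows src=192.168.10.99 dst=203.0.113.50 mac=00:11:22
"""

KV = re.compile(r"(\w+)=(\S+)")
ACTION = re.compile(r"\bpattern:\s*(\w+)")

def parse_flow(line):
    """Return the fields of one flow line as a dict, or None if unusable."""
    if " flows " not in line:
        return None                      # other event types (urls, events, ...)
    action = ACTION.search(line)
    if not action:
        return None                      # truncated line: rule outcome unknown
    rec = dict(KV.findall(line[:action.start()]))
    if "src" not in rec or "dst" not in rec:
        return None
    rec["action"] = action.group(1).lower()
    return rec

def denied_flows(lines):
    """Yield parsed records for flows whose pattern field starts with deny."""
    for line in lines:
        rec = parse_flow(line)
        if rec and rec["action"] == "deny":
            yield rec

def denied_sources(lines, dst):
    """Count denied flows to one destination, keyed by (source IP, MAC)."""
    return Counter((r["src"], r.get("mac", "?")) for r in denied_flows(lines)
                   if r["dst"] == dst)

def denied_by_destination(lines):
    """Count every denied flow by destination IP, for an overall view."""
    return Counter(r["dst"] for r in denied_flows(lines))

if __name__ == "__main__":
    for (src, mac), n in denied_sources(SAMPLE.splitlines(), "203.0.113.50").most_common():
        print(f"{src} ({mac}) denied {n}x")
```

In practice, replace `SAMPLE.splitlines()` with the open log file the syslog server writes for the MX.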

Wow, I can't believe such a basic firewall feature is missing! How can we troubleshoot firewall rules?

Hey Kristof,

I would say your best bet when investigating this type of thing is carrying out a quick packet capture, filtering by the destination IP that you have restricted, on the LAN side of the MX.

This should allow you to pinpoint the IP addresses attempting to access that destination.

Meraki Insight might help a bit more in helping you track down what is happening.

I would say, however, if you think you'd like to view this type of information more easily on Dashboard, send a request via the Make a Wish button as it might be a feature that more customers are interested in and our engineering team will definitely put it on the table.

Thanks!

Giacomo

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!

I think the point being made here is that Meraki customers are getting tired of discovering very basic functionality that is missing. Something as basic as displaying the source of denied traffic should absolutely be included in any security appliance. This isn't something that should need to be "wished".

Tracking down denied traffic is necessary for mitigating possible security issues. A security appliance should include the ability to display this very basic information.

Zane D - IT Manager in Sin City NV

Hey @ZDonaldson

Thank you for your valuable feedback and I'm sorry to hear you are not very happy with the lack of some functionality.

Meraki tends to be a very customer-centric company and that's why we normally try and encourage people to make the requests via the Make a Wish button. These actually get read and prioritised based on the amount of people that are requesting them. I know finding a feature you deem basic missing can be very frustrating, but we have various types of different industries using our products and also a number of people that are not technical but still have to manage a network; some customers are not really interested at all in going "in depth" on who is doing what in their network and what we see as crucial is different for them.

On a personal level, being a bit of a security control freak, I tend to agree with you and say that seeing who's being blocked is quite crucial to ensure the appropriate conversations are had with the abusing people. I perceive we have made some progress in this regard with the Security centre, which gives details on what is going on when there are security breaches and malware issues. This feature could be expanded to cover firewall rules as well, but the only way to get this on the radar is to flag a need for it.

I think the best way to interact with Meraki is don't get frustrated, but make your voice heard as we definitely listen 🙂

Thanks!

Giacomo

 
