I've got a deny outbound rule set up on my MX and something is hitting it fairly often. Destination is the IP address and I'd like to know what device is trying to connect to that specific IP. How can I find this information?
Also, how can I view all denied traffic on the MX?
Either syslog like @jdsilva says, or leave a packet capture running for a while and you might get lucky.
I would say your best bet when investigating this type of thing is carrying out a quick packet capture, filtering by the destination IP that you have restricted, on the LAN side of the MX.
This should allow you to pinpoint the IP addresses attempting to access that destination.
Meraki Insight might help a bit more in helping you track down what is happening.
I would say, however, if you think you'd like to view this type of information more easily on Dashboard, send a request via the Make a Wish button as it might be a feature that more customers are interested in and our engineering team will definitely put it on the table.
I think the point being made here is that Meraki customers are getting tired of discovering very basic functionality that is missing. Something as basic as displaying the source of denied traffic should absolutely be included in any security appliance. This isn't something that should need to be "wished".
Tracking down denied traffic is necessary for mitigating possible security issues. A security appliance should include the ability to display this very basic information.
Thank you for your valuable feedback and I'm sorry to hear you are not very happy with the lack of some functionality.
Meraki tends to be a very customer-centric company and that's why we normally try and encourage people to make the requests via the Make a Wish button. These actually get read and prioritised based on the number of people that are requesting them. I know finding a feature you deem basic missing can be very frustrating, but we have various types of different industries using our products and also a number of people that are not technical but still have to manage a network; some customers are not really interested at all in going "in depth" on who is doing what in their network and what we see as crucial is different for them.
On a personal level, being a bit of a security control freak, I tend to agree with you and say that seeing who's being blocked is quite crucial to ensure the appropriate conversations are had with the abusing people. I perceive we have made some progress in this regard with the Security centre, which gives details on what is going on when there are security breaches and malware issues. This feature could be expanded to cover firewall rules as well, but the only way to get this on the radar is to flag a need for it.
I think the best way to interact with Meraki is: don't get frustrated, but make your voice heard, as we definitely listen.
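The syslog approach suggested in the thread, as an added example that is not part of any post: a Python script that reads flow lines collected on a syslog server, lists which internal sources hit a given denied destination, and summarises all denied traffic. It assumes each line carries key=value fields (src, dst, mac, protocol, dport) plus the word allow or deny; the sample lines, addresses and function names are constructed, so adjust the parsing to what your server actually receives.

```python
import re
from collections import Counter

# Constructed sample lines (documentation addresses); the layout is an assumption.
SAMPLE_LOG = """\
1700000001.1 MX flows src=192.168.10.23 dst=203.0.113.50 mac=00:11:22:33:44:55 protocol=tcp sport=51514 dport=443 pattern: deny dst 203.0.113.50
1700000002.2 MX flows src=192.168.10.40 dst=198.51.100.7 mac=00:11:22:33:44:66 protocol=udp sport=40000 dport=53 pattern: allow all
1700000003.3 MX flows src=192.168.10.31 dst=203.0.113.50 mac=00:11:22:33:44:77 protocol=tcp sport=51999 dport=443 pattern: deny dst 203.0.113.50
1700000004.4 MX flows src=192.168.10.23 dst=203.0.113.50 mac=00:11:22:33:44:55 protocol=tcp sport=51520 dport=443 pattern: deny dst 203.0.113.50
1700000005.5 MX flows src=192.168.10.23 dst=198.51.100.9 mac=00:11:22:33:44:55 protocol=udp sport=123 dport=123 pattern: deny udp
"""

KV = re.compile(r"(\w+)=(\S+)")          # key=value fields
ACTION = re.compile(r"\b(allow|deny)\b")  # rule action recorded on the line


def parse_flow(line):
    """Return the line's fields plus 'action', or None if it is not a flow line."""
    fields = dict(KV.findall(line))
    action = ACTION.search(line)
    if "src" not in fields or "dst" not in fields or action is None:
        return None
    fields["action"] = action.group(1)
    return fields


def denied_flows(log_text):
    """Yield every parsed flow whose action is deny."""
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow and flow["action"] == "deny":
            yield flow


def sources_for(log_text, dst_ip):
    """Count denied attempts to dst_ip per (source IP, MAC), busiest first."""
    hits = Counter((f["src"], f.get("mac", "unknown"))
                   for f in denied_flows(log_text) if f["dst"] == dst_ip)
    return hits.most_common()


def denied_summary(log_text):
    """Count all denied flows per (src, dst, protocol, dport), busiest first."""
    return Counter((f["src"], f["dst"], f.get("protocol"), f.get("dport"))
                   for f in denied_flows(log_text)).most_common()


if __name__ == "__main__":
    for (src, mac), n in sources_for(SAMPLE_LOG, "203.0.113.50"):
        print(f"{src} ({mac}) denied {n} time(s)")
    for key, n in denied_summary(SAMPLE_LOG):
        print(n, *key)
```

The MAC address in each record is what lets you match a source to a client entry when DHCP has since reassigned the IP.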