We just found out that we might have been compromised. We have an MX 75 (3.x network) and an MX 105 (2.x network) on our network. On Oct 15th the MX 75 Security Center reported an IDS alert and blocked the attempt; however, on Oct 16 the MX allowed that attempt and reported it as allowed. Nothing was changed, so at this point we are not sure why the MX would allow it, because the same thing occurred on the MX 105 the same day and it blocked all the attempts.
I have two questions: how do we turn on that protection, and does the MX have anything that could help us find the culprit?
Thanks for sharing the information; please revert back to me. We are using version 17.10, which makes us not vulnerable to the AnyConnect issue, and we don't use AnyConnect; we just use Client VPN services. Also, just to add, we just turned on threat protection (AMP); however, when we search for more details it seems like it came from a valid source to destination. I'm attaching a screenshot for reference.
As you can see in the first screenshot, it blocked everything, and the next day it allowed that same request.
And no, we didn't change anything, as it was the weekend.
We have seen something similar previously. We raised a case with Meraki, who advised that if the first packet is allowed, the dashboard will report the threat as "allowed", even though all other packets are blocked and therefore the threat is actually blocked. Here are the case notes: "After discussing this with the specialist, and to add a bit more detail to the explanation I provided: Snort will analyse a copy of the original traffic. Once it has made a decision about whether the traffic is malicious or not, it will look for the 'original' traffic in the flow table, but if it's not there, nothing else can happen. The 'original' traffic will be processed normally and is subject to all the other elements. It's likely that the packet was discarded before getting to the flow table."
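Given the explanation above, a "blocked" verdict followed by an "allowed" entry for the same signature and flow is worth surfacing for review rather than trusting the dashboard label at face value. The script below is an added example (not from this thread or from Meraki) that correlates exported security-center events and flags such block-to-allow flips; the record layout and the sample events are constructed assumptions, not real data.

```python
"""Flag MX security-center threats reported 'blocked' and later 'allowed'
for the same device, signature and src/dst pair. Added example; the record
fields below are an assumption, not a documented Meraki export format."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data): the MX 75 blocks a signature
# on Oct 15, then reports the same flow as allowed on Oct 16, while the
# MX 105 keeps blocking it. Year and signature id are placeholders.
SAMPLE_EVENTS = [
    {"ts": "2023-10-15T09:12:00Z", "device": "MX75", "signature": "1:12345:6",
     "srcIp": "203.0.113.10", "destIp": "192.0.2.5", "blocked": True},
    {"ts": "2023-10-15T09:12:04Z", "device": "MX75", "signature": "1:12345:6",
     "srcIp": "203.0.113.10", "destIp": "192.0.2.5", "blocked": True},
    {"ts": "2023-10-16T03:41:10Z", "device": "MX75", "signature": "1:12345:6",
     "srcIp": "203.0.113.10", "destIp": "192.0.2.5", "blocked": False},
    {"ts": "2023-10-16T03:44:00Z", "device": "MX105", "signature": "1:12345:6",
     "srcIp": "203.0.113.10", "destIp": "198.51.100.7", "blocked": True},
]


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_block_to_allow_flips(events):
    """Return one entry per flow that was blocked at least once and later
    reported as allowed. Per the vendor explanation, 'allowed' may only mean
    the first packet cleared before Snort's verdict, so each hit is a lead
    to verify against flow logs, not proof that the threat got through."""
    by_flow = defaultdict(list)
    for e in events:
        key = (e["device"], e["signature"], e["srcIp"], e["destIp"])
        by_flow[key].append((parse_ts(e["ts"]), e["blocked"]))
    flips = []
    for key, hits in by_flow.items():
        hits.sort()
        last_block = None
        for when, blocked in hits:
            if blocked:
                last_block = when
            elif last_block is not None:
                flips.append({"flow": key, "blocked_at": last_block,
                              "allowed_at": when})
                break
    return flips


if __name__ == "__main__":
    for f in find_block_to_allow_flips(SAMPLE_EVENTS):
        print(f)
```

Because the dashboard only retains these events for a limited period, run this over a copy of the events you export on a schedule rather than against the live dashboard.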
Did you receive a response from Meraki? This issue is a real concern for us; we see this scenario regularly. Ultimately, if Meraki are correct in what they are saying, the Dashboard is misrepresenting the truth. Surely that's not correct, and a design flaw?
We have reached out to them numerous times and they didn't have any answer, except that they wanted us to repeat the entire scenario so they could examine it, which we are not sure how to replicate, as it wasn't something we triggered. To add salt to the injury, they took 2 weeks to respond, and now after 2 weeks all the IDS alerts and information are gone, because that's what the default policy is. They just left us hanging in the middle, LOL.