Meraki

Community

How to turn Whitelist ON IDS Alert?

Dipen
Getting noticed
‎Oct 24 2022 3:58 AM
‎Oct 24 2022 3:58 AM

How to turn Whitelist ON IDS Alert?

We just found out that we might have been compromised, we have MX 75(3.x network) and MX 105(2.X network) on our network. So on OCT 15th MX 75 Security center reported IDS Alert and blocked the attempt however on OCT 16 MX allowed that attempt and said allowed nothing was changed so at this point not sure why MX would allow because same thing occurred on MX 105 same day and it blocked all the attempts. 

I have two question how to turn on that protection and does MX have anything that could help us find culprit?

 

Labels:
0 Kudos
7 Replies 7
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 24 2022 4:11 AM
‎Oct 24 2022 4:11 AM

Hi,

 

Have you checked your Threst protection configuration?

 

alemabrahao_0-1666609822784.png

What version are you running?

 

Check this:

 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-vnE...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 24 2022 4:42 AM
‎Oct 24 2022 4:42 AM

And on the Security Center page, you can check more details like source, destination, etc.

 

 
alemabrahao_0-1666611726580.png

 

alemabrahao_0-1666612387268.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Dipen
Getting noticed
‎Oct 24 2022 6:05 AM
‎Oct 24 2022 6:05 AM

Thanks for sharing information and revert me back....We are using 17.10 version which makes us not vulnerable to Anyconnect and we don't use AnyConnect we just use ClientVPN services. Also just to add we just turned ON threat protection AMP however when we search for more details seems like it came from valid source to destination. I'm attaching screenshot for reference.

Dipen_0-1666616525177.png

As you can see in the first SS it blocked everything and the next day it allowed that same request.

Dipen_1-1666616699246.png

And NO we didn't change anything as it was weekend.

0 Kudos
In response to Dipen
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 24 2022 6:10 AM
‎Oct 24 2022 6:10 AM

I suggest you open a case with Meraki support.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Dipen
Getting noticed
‎Oct 24 2022 6:25 AM
‎Oct 24 2022 6:25 AM

Thanks

0 Kudos
JF1
Getting noticed
‎Oct 26 2022 4:20 AM
‎Oct 26 2022 4:20 AM

We have seen similar previously. We raised a case with Meraki who advised if the first packet is allowed, the dashboard will report the threat as "allowed", even though all other packets are blocked and therefore the threat is actually blocked. Here are the case notes "After discussing this with the specialist and to add a bit more detail to the explanation I provided. Snort will analyse a copy of the original traffic, once it made a decision about whether the traffic is malicious or not it will look for the "original" traffic in the flow table, but if it's not there is nothing else that can happen. The 'original' traffic will be processed normally, and is subject to all the other elements. it's likely that the packet was discarded before getting to the flow table"

 

Did you receive a response from Meraki? This issue is a real concern for us, we see this scenario regular as ultimately, if Meraki are correct in what they are saying the Dashboard is misrepresenting the truth - surely thats not correct and a design flaw?

In response to JF1
Dipen
Getting noticed
‎Dec 6 2022 7:36 AM
‎Dec 6 2022 7:36 AM

We have reached out to them numerous time and they didn't had any answer except they wanted us to repeat entire scenario to examine which we are not sure how to replicate as wasn't something we triggered. To add salt over the injury they took 2 weeks to respond and now after 2 weeks all the IDS Alert and information is gone because that's what default policy is.. They just left us hanging in middle LOL

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.