We have an MX 100 on the front, tagged a WAN IP with 1:1 NAT to a MX64 (for a second business in same network) and the second business has some remote desktop servers.
On January 30th 2019 in the morning, SNORT released the following rule:
- OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt
- Rule ID 1-49040
What I just learned from Meraki support, even though the client was white-listed, they are telling me white listing only affects outbound traffic initiated from that device. White listing has nothing to do with external traffic hitting an internal device. I guess not many people are doing what we are doing, and we will be using a layer 3 switch in front moving forward to prevent the 1:1NAT rule.
It did peak my curiosity, can anyone confirm this. It seems that white listing doesn't disable AMP or IDS. Secondly, if you create a custom group policy, it is possible to disable AMP, but you can't disable IDS for a specific device.
In any event, the fix was to white-list the new rule the SNORT released, and everything is working again.
I'm all for options and this sound like a valid feature request! Thanks for posting the workaround.
Edit: Would it be related to the problem @jdsilva experienced. Basically for him the rule is triggered if you use a non-standard port for the RDP session. So another solution would be to keep the port internally and externally the same: