Intrusion detection and prevention

ITDUDE
New here

Does VPN-to-VPN traffic pass through the Intrusion detection and prevention threat protection, or does it bypass this?

6 Replies
KarstenI
Kind of a big deal

IPS is done on the MX where the traffic enters the AutoVPN system; not on the Hub if you have Spoke -> Hub -> Spoke traffic.

But if I remember right, IDS would still be done on the Hub.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Jinbe
Meraki Employee

That is correct, security inspection such as Content Filtering and Threat Protection is done locally on the MX. The hub/concentrator MX will not inspect traffic from the remote VPN subnets.

You can find this information referenced here: https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Content_Filtering_and_Th...

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
pdeleuw
Getting noticed

Sorry for the late reply ... But there is a discrepancy between your answer and Karsten's answer. My understanding is that Threat Protection includes IPS/IDS and AMP. Karsten mentions IDS is done on the hub/concentrator. Your answer says there is no inspection with Content Filtering and Threat Protection on the hub/concentrator. Please clarify: Is IDS/IDS done on the concentrator for the remote subnets?

KarstenI
Kind of a big deal

There doesn't have to be a discrepancy. IPS is always done on the ingress MX. The second sentence was about pure IDS. I remember seeing alerts from the hub device when there was no IPS on the Spoke, but I could have remembered this wrong. Most importantly, for real protection, the Hub is not used and the function has to be implemented on the spoke.

KarstenI
Kind of a big deal

Just found it, it's even documented:

[Image: KarstenI_0-1733337292702.jpeg]

 

pdeleuw
Getting noticed

Thank you, Karsten. IDS and IPS have different behaviors. Very new finding for me ...
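
Added example, not part of the thread and not Meraki's own code: a Python audit that takes the replies above at their word (inspection is done on the local MX, not the hub) and lists AutoVPN members whose own MX is not in prevention mode. Field names follow the Dashboard API's site-to-site VPN and intrusion settings responses; every network ID, name and setting is constructed sample data.

```python
# Added example. Field names follow the Meraki Dashboard API responses for
#   GET /networks/{networkId}/appliance/vpn/siteToSiteVpn   (mode, hubs[].hubId)
#   GET /networks/{networkId}/appliance/security/intrusion  (mode)
# Every network ID, name and setting in SAMPLE is constructed for illustration.
SAMPLE = {
    "N_hub": {"name": "HQ-Hub", "vpn": {"mode": "hub", "hubs": []},
              "intrusion": {"mode": "prevention"}},
    "N_s1": {"name": "Branch-1", "intrusion": {"mode": "prevention"},
             "vpn": {"mode": "spoke", "hubs": [{"hubId": "N_hub"}]}},
    "N_s2": {"name": "Branch-2", "intrusion": {"mode": "detection"},
             "vpn": {"mode": "spoke", "hubs": [{"hubId": "N_hub"}]}},
    "N_s3": {"name": "Branch-3", "intrusion": {"mode": "disabled"},
             "vpn": {"mode": "spoke", "hubs": [{"hubId": "N_hub"}]}},
    "N_lab": {"name": "Lab", "vpn": {"mode": "none", "hubs": []},
              "intrusion": {"mode": "disabled"}},
}


def audit_vpn_inspection(networks):
    """List AutoVPN members whose own MX is not in IPS prevention mode.

    Per the thread, blocking happens on the MX where traffic enters AutoVPN,
    so a hub in prevention mode does not cover these sites; such hubs are
    reported only to flag that false sense of coverage.
    """
    findings = []
    for net_id in sorted(networks):
        net = networks[net_id]
        vpn = net.get("vpn", {})
        if vpn.get("mode", "none") == "none":
            continue  # not an AutoVPN member, outside the thread's question
        ips_mode = net.get("intrusion", {}).get("mode", "disabled")
        if ips_mode == "prevention":
            continue  # traffic is inspected and blocked locally at ingress
        hub_ids = [h["hubId"] for h in vpn.get("hubs", [])]
        findings.append({
            "network": net_id,
            "name": net.get("name", ""),
            "local_mode": ips_mode,
            "hubs_in_prevention_not_covering": [
                h for h in hub_ids
                if networks.get(h, {}).get("intrusion", {}).get("mode") == "prevention"
            ],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_inspection(SAMPLE):
        print(finding)
```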
