Been working with support on this one for a little while now, and I was curious if anyone else out there has the same thing I have.
MX250 at data center acting as HUB (Passthrough or VPN Concentrator mode), IP of 10.10.10.10 in this example. Remote site (MX67C) as SPOKE.
From the remote site, I noticed that I was able to access the local status page of the MX250 HUB. Figured I don't really want anyone to be able to do that, granted they would need to know the IP, but still.
So I disabled the local status page option under General settings on the MX250 HUB.
Then tested again, however, it still loads, and it shouldn't. Different browsers, incognito mode etc.
So I figured I might be hitting a bug?
So I came up with this option instead, to be applied under the Site-to-Site VPN Firewall rules page (org-wide setting change).
Is anyone else able to test and see if they have the same issue?
The same happens to me.
For local status page: Enable or disable access to the local device status pages at my.meraki.com, switch.meraki.com, wired.meraki.com. For MX's, this disables access from the LAN. Configure MX remote access here.
Since site-to-site VPN has a different virtual interface, it make a lot of sense that the page is still accessible from VPN.
However, for a VPN concentrator which only acts as Wireless concentrator, disabling local status page works as expected.
I can't test it for you but it seems like the good way to solve the challenge. Basically the local IP is just part of the range that is accessible through the site-to-site VPN so I see it as expected behavior.
Double check here Security & SD-WAN > Firewall
Adding IP addresses here allow your to remotely land on an MX's "local" status page.
In addition, the local status page for a Meraki device uses a range of ports beyond 80/443, 8080 is one and there are a few others. You may need to block a wider range of ports to prevent access to the device's page.
Because the MX is in 'Passthrough or VPN Concentrator', under Firewall settings there are no options for 'Security Appliance Services', like you would normally see when its in 'Routed' mode.
See this image of my settings:
@BrechtSchamp - I must be missing something lol. I don't see why it would be expected behavior though. I agree I should be able to reach the IP, my point however is that I'm still able to access the local status page even though I have it disabled. If I do this on a SPOKE site, with direct access to the MX, disabling the local status page works fine. HTTP/HTTPS won't load.
My understanding is that if this setting is set to disabled, as mine is, then my source IP is irrelevant, nobody should be able to access it.
Oh I missed the part where you said you had disabled the local status page. My bad. In that case indeed it shouldn't be loading 😮.
Oh forgive me on that, moving the box into concentrator mode turns it stateless and services disappear in favour of inbound FW rules configuration.
I've tried testing with a Meraki MX as an edge. Even if I disable local status page, if the services had my IP address or ANY in it, and I dropped the edge IP or hostname into a browser, I can gain access to the local status page of the Meraki. So the local status page function just doesn't seem to work at all and seemingly the only way of blocking remote access are FW rules.
Even tried with Local status page enabled but the subsequent control "Remote Status page access" disabled and still was able to resolve access to the Meraki local GUI.
Is this a fault or feature of that network-wide control then? 🙂
Update I got from my support ticket, which confirms it isn't a 'me' issue thankfully.
Firewall rules I mentioned above on the original post worked for the support tech, I will be testing them myself tonight.
I was able to take ownership of an MX250 from the lab, and indeed the issue was reproducible. Despite the local status page being disabled from dashboard, the page was still accessible from remote VPN clients when using the uplink IP of the concentrator.
I'll be in contact with the support product specialist team who will help facilitate a report to the development team.
Just tested and blocking port 80 and 443 to the IP of the MX HUB has indeed worked, under the site-to-site VPN firewall rules. I can ping it, everything still works from the spoke, I just can't access the MX local status page anymore. Hurray !
Just wish the setting under General would have worked like it was supposed to, so I didn't have to figure this out lol.