Meraki

Community

MX84 - Isolate Client Device

Solved
PeterG
Here to help
‎Mar 19 2018 5:20 PM
‎Mar 19 2018 5:20 PM

MX84 - Isolate Client Device

Interested in how the MX84 (or similar) device actually isolates a device it recognizes as having malware.  Does it turn off the switch port (if so how does it do this) or is there some other mechanism it uses to isolate the device and protect other connect devices on the LAN.

0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 19 2018 6:51 PM
‎Mar 19 2018 6:51 PM

It does not do anything to protect other devices on the LAN.

 

If you use Systems Manager, you can have it check the antivirus/antivirus on the machine and if that reports the machine is infected you can have a group policy applied.

 

If it is plugged into a Meraki switch or connected via Meraki WiFi it could be isolated at that point in time.

View solution in original post

6 Replies 6
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 19 2018 6:51 PM
‎Mar 19 2018 6:51 PM

It does not do anything to protect other devices on the LAN.

 

If you use Systems Manager, you can have it check the antivirus/antivirus on the machine and if that reports the machine is infected you can have a group policy applied.

 

If it is plugged into a Meraki switch or connected via Meraki WiFi it could be isolated at that point in time.

In response to PhilipDAth
PeterG
Here to help
‎Mar 19 2018 7:43 PM
‎Mar 19 2018 7:43 PM

So coupled with a Meraki Switch it can instruct the Switch to turn off the port?

0 Kudos
In response to PeterG
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 19 2018 7:47 PM
‎Mar 19 2018 7:47 PM

No.  You you can have it apply a firewall rule blocking all the traffic.

0 Kudos
In response to PhilipDAth
PeterG
Here to help
‎Mar 19 2018 7:56 PM
‎Mar 19 2018 7:56 PM

I guess my point is the blocking of the device is only out through the firewall so whether the switches are Meraki switches or other Cisco switches (or other Managed switches) the blocking function is still the same and the LAN is still exposed other than manual intervention?

0 Kudos
In response to PeterG
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 19 2018 8:02 PM
‎Mar 19 2018 8:02 PM

I have looked into this further.  L3 and L7 firewall rules for group policy can only be applied to MX and MR, and not MS.  So it can not be done at the switch port level.

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...

 

You should be able to do this using 802.1x and Cisco ISE, but that is a very complex setup.

You should be able to do this using 802.1x and Microsoft NPS using a health policy, but that is a fairly complex setup.

In response to PhilipDAth
Adam
Kind of a big deal
‎Mar 20 2018 7:36 AM
‎Mar 20 2018 7:36 AM

I assume you are referring to the Advanced Malware Protection (AMP)?  If so, "When enabled, all HTTP traffic will be analyzed for malware. Files determined to be malicious will automatically be blocked before they reach the client. For a description of file types that will be evaluated, visit our  Security Filtering Documentation Page"  

 

So basically it just protects/stops the malware.  It doesn't isolate or, in any way, contain the entire clients traffic.  Only the malware identified traffic that the client is trying to participate in. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.