NBAR block most event MX84 MX 16.15

sebvasseur
Conversationalist


A lot of events are blocked. How can I allow them, and what is ID 2836 (blocking access to internal GitLab!!!)?

18 Replies
sebvasseur
Conversationalist

I have to suppress all L7 rules for things to work again!!!

CptnCrnch
Kind of a big deal

Strangely enough, I'm unable to find NBAR ID 2836 within the Protocol Pack docs. Not sure if this one is Meraki customized.

sebvasseur
Conversationalist

Yes, I didn't find it either. It blocks some internal sites like GitLab and Jenkins, not for everybody, but always on high ports > 50000!!

CptnCrnch
Kind of a big deal

Guess your best option here is to give Meraki support a call.

sebvasseur
Conversationalist

Thanks, I will do this.
All my internal sites are seen as "Miscellaneous video". Perhaps the problem is here (and I block video sites).

AlexP
Meraki Employee

If you have a case number to provide, I would like to do some internal follow-up on this if possible.

sebvasseur
Conversationalist

Case 07511428

AlexP
Meraki Employee

Thank you - I will be doing some internal follow-up to see if we need to file a bug report about this, because I'm not sure where that errant NBAR classifier is coming from if it's not defined under the previously referenced protocol pack documentation.

AlexP
Meraki Employee

For context, we use Cisco protocol packs, so no customized IDs.

rhbirkelund
Kind of a big deal

Exactly, but Meraki uses a bit more than what is shown in the Protocol packs. 😉

sebvasseur
Conversationalist

Meraki support provided me the link to the official NBAR documentation!! 👍

But I just need an explanation of why my internal sites are classified as "Miscellaneous video" (NBAR 2836), or a way to change this classification.

sebvasseur
Conversationalist

Today all requests to HTTPS sites are classified as "Encrypted TCP (SSL)"!!! (L7 rules: I will be back)

BHC_RESORTS
Head in the Cloud

We have this issue as well; it was blocking RDP traffic and DNS traffic. It flagged it as random things, like P2P. We had to disable most L7 rules for it to go away. Support recommended we upgrade to the latest firmware, but it had no notes about NBAR so we declined.

BHC Resorts IT Department

sebvasseur
Conversationalist

I have false P2P too (so I disable L7 P2P), but a lot of NBAR ID 121 "Binary over HTTP" blocks and no way to disable this one.

HScar
Here to help

I would also like to recommend that Meraki add more ways to Whitelist NBAR. It's a real pain to have to create group policies for devices and lose our 2 way MX firewall rules. As a school, we can't realistically turn off Peer to Peer and NBAR blocks too many false positives.

sebvasseur
Conversationalist

You are lucky to have a whitelist. I have no access to "content filtering"!!! It's not in the Enterprise license.

mwiater
Getting noticed

I just went to 16.16 on several networks in an organization and am seeing it misclassify internal and external DNS traffic, and internal Avaya IP Office to IP Office traffic as well. And for good measure, some internet-based line-of-business applications for a health care facility.

Would be great to have more knobs related to NBAR. My choices today seem to be to remove L7 rules for all social media to make DNS work. I must be missing some docs.

My ticket is 07775843

dade80vr
Getting noticed

Same thing here.

Blocked DNS requests as "XBOX Live" 😞

Disabled NBAR in Traffic analysis, but I would like to maintain it at "detailed" and keep the "all gaming" L7 rules!

Please fix!

 

 
