Meraki

Community

Question about MX and Sonic WAll from POS company

Solved
EliseNemeth
Getting noticed
‎Jul 7 2023 9:04 AM
‎Jul 7 2023 9:04 AM

Question about MX and Sonic WAll from POS company

 

 

Question team,

A customer is using a Sonic Wall that is provided by their payment vendor, and the POS machine can be the ONLY device behind it.  If the customer was to use an MX for SDWAN /FW/threat protection features for all their other devices could it be turned off for a specific port for the Sonic Wall? 

 

 

0 Kudos
1 Accepted Solution
DHAnderson
Head in the Cloud
‎Jul 7 2023 10:41 AM
‎Jul 7 2023 10:41 AM

@EliseNemeth 

 

Are you talking about putting the MX in front of the Sonicwall?  If so, you can specify a unique VLAN for the port the Sonicwall is connected to.  You cannot disable the MX threat protection features by port though.  There should be no drawbacks to having the Meraki Threat protection ahead of the Sonicwall.  You can also do port forwarding to the Sonicwall port, if the payment vendor is remotely managing it.

 

PCI compliance has a concept called Scope.  Basically anything on the same network as a PCI device (typically a card reader or POS) should be PCI certified.  That would not be possible if the PCI devices were on the same VLAN as computers, printers and other devices.  So typically I set up a PCI specific VLAN that all PCI devices are on. 

 

The other thing I do to secure the PCI VLAN, is that I tighten outgoing rules so the only destination is the IP address or URL of the processing company.  Doing this has two benefits:

  • This means any non-PCI device that gets on that VLAN will not work. 
  • Any malware or skimming device in or on a PCI device will not be able to talk home.

If you do all this, you may not need the Sonicwall.

 

-Dave

Dave Anderson

View solution in original post

2 Replies 2
DHAnderson
Head in the Cloud
‎Jul 7 2023 10:41 AM
‎Jul 7 2023 10:41 AM

@EliseNemeth 

 

Are you talking about putting the MX in front of the Sonicwall?  If so, you can specify a unique VLAN for the port the Sonicwall is connected to.  You cannot disable the MX threat protection features by port though.  There should be no drawbacks to having the Meraki Threat protection ahead of the Sonicwall.  You can also do port forwarding to the Sonicwall port, if the payment vendor is remotely managing it.

 

PCI compliance has a concept called Scope.  Basically anything on the same network as a PCI device (typically a card reader or POS) should be PCI certified.  That would not be possible if the PCI devices were on the same VLAN as computers, printers and other devices.  So typically I set up a PCI specific VLAN that all PCI devices are on. 

 

The other thing I do to secure the PCI VLAN, is that I tighten outgoing rules so the only destination is the IP address or URL of the processing company.  Doing this has two benefits:

  • This means any non-PCI device that gets on that VLAN will not work. 
  • Any malware or skimming device in or on a PCI device will not be able to talk home.

If you do all this, you may not need the Sonicwall.

 

-Dave

Dave Anderson
EliseNemeth
Getting noticed
‎Jul 10 2023 10:22 AM
‎Jul 10 2023 10:22 AM

thank you for that information

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.