Security Center incorrect hostnames

KenLux
Here to help


Because it is full of incorrect information, I rarely use the Security Center.

One of the big issues I've noticed is that it reports the wrong hostname for clients, and I wanted to see if anyone knew how to remedy this.

For example, I saw a bunch of malicious traffic that supposedly came from a workstation (call it WORKSTATION) on VLAN 1 to multiple IP addresses on our VOIP VLAN 2. This made no sense since all traffic is blocked between these two VLANs except for DHCP and DNS relays (via the MX) and a single host on VLAN 1 that is a vulnerability scanner (call it SCANNER).

When I clicked on "WORKSTATION" in the MX events, it gave the following host info:

WORKSTATION
IP: <IP address of SCANNER>:<port number>
MAC: <MAC of WORKSTATION>

If I click on "View client details", it takes me to the client page for WORKSTATION. This shows information about WORKSTATION, and the IP address and MAC are that of WORKSTATION.

So, instead of reporting that SCANNER was generating this traffic, it reported that WORKSTATION was generating it. This made me think that WORKSTATION might be compromised, and the MX as well, since it was saying that WORKSTATION was able to bypass the MX firewall rules for the VLANs!

It also appears to randomly pick a hostname to report each time a scan occurs. A previous scan reported that its hostname was that of our AD Domain Controller! It almost sounds like a reverse ARP lookup for the IP address fails and it reports the MAC hostname of whatever happened to be in some buffer at the time.

I would note that in the client list, for SCANNER it reported the "Description" as its MAC rather than the hostname. I've since changed the description of the client, so I will see if that fixes things.

I'll also note that we are not using the MX for DHCP or DNS, and SCANNER has both forward and reverse DNS records.

 

Thanks

7 Replies
alemabrahao
Kind of a big deal

Meraki devices identify hostnames using NetBIOS, Bonjour, and DHCP. The hostname can be manually overridden in the Meraki dashboard if needed. 

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Rename_a_Client%27s_H...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
KenLux
Here to help

I saw that, but it doesn't explain why Security Center randomly reports that an IP is associated with a random existing MAC and hostname.

Changing the hostname on the clients page of the dashboard fails to change the hostname reported in Security Center for past detections (before the hostname was overridden).

It appears that Security Center inspects the packets for the IP address, tries to get the MAC associated with that IP address, and then looks up the MAC in the list of clients to get the hostname. I don't know why it returns a random existing MAC instead of the actual MAC.
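The lookup chain described in the post above (packet IP, then IP to MAC, then MAC to client hostname) is exactly where an attribution can go wrong, so before treating an event as a compromised host it is worth checking each hop against an independent source. The script below is an added example, not Meraki's code or anything from this thread: it takes an event in the shape Security Center prints (IP, MAC, hostname), compares the IP against an ARP table, the MAC against the client list, and the IP against reverse DNS, and reports every disagreement. The ARP table, client list, PTR records, addresses and the sample event are all constructed to reproduce the SCANNER/WORKSTATION case from the original post.

```python
"""Cross-check a Security Center style event against independent sources
before acting on its hostname. Added illustration, not Meraki's code; the
addresses, ARP table, client list and PTR records are constructed sample data
modelled on the thread (SCANNER, WORKSTATION, a domain controller).
"""
import ipaddress

# Constructed: IP -> MAC as the default gateway / L3 switch learned it via ARP.
ARP_TABLE = {
    "10.1.0.25": "00:11:22:33:44:55",   # SCANNER
    "10.1.0.40": "aa:bb:cc:dd:ee:01",   # WORKSTATION
    "10.1.0.10": "aa:bb:cc:dd:ee:02",   # domain controller
}
# Constructed: MAC -> description as the dashboard client list shows it.
# SCANNER's description is just its MAC, as the original post describes.
CLIENT_LIST = {
    "00:11:22:33:44:55": "00:11:22:33:44:55",
    "aa:bb:cc:dd:ee:01": "WORKSTATION",
    "aa:bb:cc:dd:ee:02": "DC01",
}
# Constructed: IP -> reverse DNS name from the AD DNS server.
PTR_RECORDS = {
    "10.1.0.25": "scanner.corp.example",
    "10.1.0.40": "workstation.corp.example",
    "10.1.0.10": "dc01.corp.example",
}


def check_event(event, arp=ARP_TABLE, clients=CLIENT_LIST, ptr=PTR_RECORDS):
    """Return a list of findings; an empty list means every source agrees.

    event: dict with 'src_ip' and optional 'mac' and 'hostname', i.e. the
    three things Security Center prints for a host.
    """
    findings = []
    ip = event["src_ip"]
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return [f"invalid source IP {ip!r}"]

    # 1. IP -> MAC from the ARP table is the only binding the packet itself supports.
    arp_mac = arp.get(ip)
    reported_mac = (event.get("mac") or "").lower()
    if arp_mac is None:
        findings.append(f"no ARP entry for {ip}; the IP cannot be bound to a MAC")
    elif reported_mac and reported_mac != arp_mac:
        findings.append(f"MAC mismatch for {ip}: event says {reported_mac}, ARP says {arp_mac}")

    # 2. MAC -> hostname from the client list only helps if the entry has a real name.
    if arp_mac is not None and clients.get(arp_mac, arp_mac) == arp_mac:
        findings.append(f"client entry for {arp_mac} has no hostname, only its MAC")

    # 3. IP -> hostname from reverse DNS is independent of the MAC path entirely.
    ptr_name = ptr.get(ip)
    reported_host = event.get("hostname")
    if ptr_name is None:
        findings.append(f"no PTR record for {ip}")
    elif reported_host and reported_host.lower() != ptr_name.split(".")[0].lower():
        findings.append(f"hostname mismatch for {ip}: event says {reported_host}, PTR says {ptr_name}")

    return findings


def resolve_host(ip, arp=ARP_TABLE, clients=CLIENT_LIST, ptr=PTR_RECORDS):
    """Best-evidence hostname for an IP: PTR first, then client description, else None."""
    if ip in ptr:
        return ptr[ip].split(".")[0]
    mac = arp.get(ip)
    desc = clients.get(mac) if mac else None
    return desc if desc and desc != mac else None


# Constructed event reproducing the misattribution described in the thread:
# SCANNER's IP carrying WORKSTATION's MAC and hostname.
SAMPLE_EVENT = {"src_ip": "10.1.0.25", "src_port": 41234,
                "mac": "aa:bb:cc:dd:ee:01", "hostname": "WORKSTATION"}

if __name__ == "__main__":
    for line in check_event(SAMPLE_EVENT):
        print("finding:", line)
    print("best evidence:", resolve_host(SAMPLE_EVENT["src_ip"]))
```

On the sample event the three checks all fire (MAC disagrees with ARP, the client entry for that MAC carries no hostname, and the reported hostname disagrees with the PTR record), which is the signal to attribute the traffic to the scanner rather than to the workstation. An event that arrives with only an IP, as happens later in this thread, still gets the PTR and client-list checks, so the ARP table and reverse DNS remain usable even when the dashboard shows no hostname at all.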

cmr
Kind of a big deal

I do have the MX as the DNS server and in my case all hosts indicated in security centre do match up properly.  Interestingly the only alert I have of note is from an MV, talking to the Meraki cloud... 🤔

If my answer solves your problem please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal

Is your MX the default gateway for the network, or do you have a layer 3 switch?

KenLux
Here to help

The MX is the default gateway, but it is not running a DHCP or DNS server; our domain controller is running those.

FYI, I started another scan after specifying the client name and after what looks like a reboot. Now the Security Center just lists the IP address, no hostname or MAC.

If I could whitelist by IP that would be good, but it appears that I can only whitelist by rule, and it sounds like a rule applies to all IP addresses.

PhilipDAth
Kind of a big deal

Can you use the MX to relay DHCP traffic, or is everything in a single VLAN?

If the MX gets in the path of the DHCP traffic, it can grab the hostname specified in the DHCP request.

Another option is to move DHCP to the MX.
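The suggestion above rests on what a relay can read out of a client's DHCP request: the hardware address in the BOOTP header, the requested address (option 50), the host name the client volunteers (option 12) and its client identifier (option 61). The script below is an added example, not Meraki's code and not anything posted in this thread: it constructs a minimal DHCPREQUEST in the RFC 2131 layout and parses those fields the way a relay or gateway would, including the case of a client that sends no option 12, which leaves nothing but the MAC to describe it. The MAC, host name and IP addresses are constructed sample values.

```python
"""Parse the fields a DHCP relay sees in a client's DHCPREQUEST: the chaddr MAC,
the requested IP (option 50), the host name (option 12) and the client
identifier (option 61). Added illustration, not Meraki's code; the MAC, host
name and addresses are constructed sample values.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def build_dhcp_request(mac, requested_ip, hostname=None, giaddr="0.0.0.0"):
    """Construct a minimal DHCPREQUEST (RFC 2131 layout) for the demonstration.
    hostname=None models a client that sends no option 12 at all."""
    mac_bytes = bytes.fromhex(mac.replace(":", ""))
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0,             # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
                         0x3903F326, 0, 0x8000,  # xid, secs, flags (broadcast bit set)
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, ip4(giaddr),  # ciaddr, yiaddr, siaddr, giaddr
                         mac_bytes.ljust(16, b"\0"),                    # chaddr
                         b"\0" * 64, b"\0" * 128)                       # sname, file
    opts = MAGIC_COOKIE
    opts += b"\x35\x01\x03"                          # 53: DHCP message type = REQUEST
    opts += b"\x32\x04" + ip4(requested_ip)          # 50: requested IP address
    if hostname:
        name = hostname.encode()
        opts += b"\x0c" + bytes([len(name)]) + name  # 12: host name
    opts += b"\x3d\x07\x01" + mac_bytes              # 61: client identifier (htype + MAC)
    opts += b"\xff"                                  # 255: end
    return header + opts


def parse_dhcp(packet):
    """Return the relay-visible binding from a DHCP packet, or raise ValueError."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    if hlen > 16:
        raise ValueError("bad hlen")
    chaddr = packet[28:28 + hlen]
    giaddr = ".".join(str(b) for b in packet[24:28])   # relay agent address, if relayed

    options = {}
    i = 240
    while i < len(packet):
        tag = packet[i]
        if tag == 0:            # pad
            i += 1
            continue
        if tag == 255:          # end
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {tag}")
        options[tag] = value
        i += 2 + length

    mt = options.get(53)
    msg_type = mt[0] if mt else 0
    requested = options.get(50)
    return {
        "message_type": MESSAGE_TYPES.get(msg_type, str(msg_type)),
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        "relay_agent": giaddr,
        "requested_ip": ".".join(str(b) for b in requested) if requested and len(requested) == 4 else None,
        "hostname": options[12].decode("utf-8", "replace") if 12 in options else None,
        "client_id": options[61].hex() if 61 in options else None,
    }


if __name__ == "__main__":
    pkt = build_dhcp_request("00:11:22:33:44:55", "10.1.0.25", hostname="SCANNER")
    print(parse_dhcp(pkt))
    # A client that omits option 12 leaves nothing but the MAC to describe it.
    print(parse_dhcp(build_dhcp_request("00:11:22:33:44:55", "10.1.0.25", giaddr="10.1.0.1")))
```

The second call shows the limit of this approach: when a client does not send option 12, the only thing the relay learns is the MAC, which matches the "Description is just the MAC" symptom reported earlier in the thread, and the hostname then has to come from somewhere else (NetBIOS, Bonjour, a manual override, or reverse DNS).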

KenLux
Here to help

We have 3 VLANs (default, VOIP, and DMZ). The default VLAN uses the DHCP on our Domain Controller. On the MX, we have this VLAN's DHCP set to "Do not respond". I suppose that we could try changing it to "Relay" (we do this for the VOIP VLAN, and the MX is able to pull the correct hostnames).

In the meantime, I've added the vulnerability scanner to the list of trusted IP addresses under Security & SD-WAN --> Threat Protection to see if that also applies to the Security Center.
