Im hoping someone can clarify something.
We have a pair of MX250s in an active passive build. These have the Advanced Security Licence.
I recently noticed that in Security Centre a number of "Threats" had been allowed. This was the case even though the Threat wasn't whitelisted, and therefore in my mind the traffic should be blocked. I raised a case with Meraki support who advised " I was analysing these logs and saw that the same signature was showing as blocked previously, so I understand that the dashboard might be misleading in this case. Basically, the MX will look up the flow based on the source and destination information associated with the event along with the flow direction. If the flow that created the event is not found, then the MX would log the flow as "Allowed". This means that it is possible that the flow was dropped before the MX looked for it."
Essentially (if my understanding is correct) the Dashboard and Security Centre is misreporting and these Threats were actually dropped. Essentially false flag alerts. I questioned with Meraki support who advised this is design intent and suggested I raise the good old "make a wish" if a change is needed.
Can anyone explain this in greater detail, does this make sense to you as it doesn't to me....am I missing something or is this a design flaw?
Thanks in advance.