Site-to-site VPN MX400 and Z1 - no security events generated

GR99W
Here to help

Site-to-site VPN MX400 and Z1 - no security events generated

Site-to-site hub and spoke configuration betw MX400 and several Z1 (default route set to the hub). I noticed no security events have been generated (the Z1 sites are configured similarly as our MX65 sites, Z1s have only about 3-4 users). They're browsing and accessing the Internet (as recorded by our syslogs), but can't imagine there are no security events at all logged in the MX400 (expecting to see similar events like those in MX65 sites). AMP and other security features enabled on the MX400 hub. Anything else I need to check or configure?  Thanks.

6 REPLIES 6
PhilipDAth
Kind of a big deal
Kind of a big deal

It is not clear to me that VPN traffic from another site heading out to the Internet goes through the AMP engine.  I have something in the back of my mind saying it does not (that it does WAn to LAN traffic), but I can't back that up with anything.  I could be wrong.

 

What makes you think that VPN traffic does go through AMP?

 

The easiest option would be to get a test, like EICAR, and try and download it at the main site, and if it triggers then test an a Z1 site.  You might need to use content filtering to block the EICAR.  Not sure.

 

Let us know the answers.

Thanks for the reply.

 

I must have misinterpreted the "however, IDS scanning ... " in this Meraki site documentation that says:

Security features over full-tunnel VPN

In a full tunnel topology, all security and content filtering must be performed on the full tunnel client. The Exit hub will not apply Content Filtering, IPS blocking, or Malware Scanning to traffic coming in over the VPN. However, IDS scanning will be performed for this traffic

 

If this is the case, Z1 teleworker does not really offer any security to my Z1 users, not much use of pointing them to my MX400 .

 

Will try to the EICAR test as suggested and will let you know.

 

Thanks again. 

The EICAR test file download was NOT detected or even triggered an event at all in our the MX400 hub. The file was caught/blocked only by the endpoint protection software on the desktop. My conclusion here is the site-to-site hub-spoke setup between MX400 and Z1 is good only for VPN but does NOT provide any added protection at all to my Z1 users! Will have to re-consider now any further deployment of these devices in our remote users/smaller sites. 

ITzhak
Getting noticed

Hi,

 

In your sites with the Z1, does all traffic go through the MX400 or is it split so that VPN traffic goes to the MX400 and breakout is local?

All traffic from the remote Z1 (corporate email and file share access including Internet) passes to the MX400 hub in our Data Center.

We thought that making the MX400 as its default gateway, there will be some level of protection for our users in those remote sites. We were obviously mistaken. I'm surprised Meraki considered or categorized the Z1 (or the new Z3) as a 'security' device alongside the MX models when it only provides site-to-site VPN ...  

ITzhak
Getting noticed

Well, I'd assume they call it a security device because although it doesn't have what they call "advanced" security (AMP etc), it still does have a firewall(layer-3 and layer-7). Maybe Site-to-Site VPN is also a type of security.

 

I know, not what you were hoping for, but perhaps still some value.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels