Threat Protection with site-to-site VPN

lordjeffers
Just browsing

Having set up a site-to-site VPN to an external organisation, I'm wondering if traffic entering our network will be protected by Meraki Threat Protection.


Does Threat Protection scan traffic entering the network via site-to-site VPN (non-meraki peer)?

Adam
Kind of a big deal

I'm pretty sure that threat protection, content filtering, AMP and all those items only apply to WAN ports.  I believe Site to Site VPN is considered a LAN link and then only those firewall rules that you setup on the Security Appliance>Site to Site VPN apply. Only thing I could find in the documentation is this "In a full tunnel topology, all security and content filtering must be performed on the full tunnel client. The Exit hub will not apply Content Filtering, IPS blocking, or Malware Scanning to traffic coming in over the VPN. However, IDS scanning will be performed for this traffic."

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.

Thanks, I found the same documentation but it doesn't really clear things up.  I'll see if I can get a definitive answer out of Meraki Support...

I received the following from Support:

This traffic should still be inspected by the threat protection features on the MX as the MX is required to unencrypt the VPN traffic, so will apply the threat protection features during this.

Adam
Kind of a big deal

I'd be interested in others feedback on this also.  I know for sure the MX unencrypts.  But I was definitely unaware that it still applied the threat protections to the VPN tunnel traffic.   I'd be glad if it does but surprised. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
PhilipDAth
Kind of a big deal

I'm with @Adam - I don't believe VPN traffic will be AMP inspected.

Perhaps do some tests with the EICAR test virus.  Note you might have to have your settings set to prefer "Security" for the test case virus to be blocked.

http://www.eicar.org/85-0-Download.html

Meraki_Rocks
Here to help

This would be something I hope is clarified soon! -great question

As far as I know, threat protection absolutely scans all site-to-site VPN traffic. We had an issue where threat protection was blocking QNAP replication between two sites. After weeks of working with support, they confirmed there is no way to stop that from happening at this time. The only fix was to whitelist all the signatures so it ignored them. That was our fix, which worked.
