Vulnerability Scanner and Meraki MX

njweber
Just browsing

Hello, for security compliance we need to run vulnerability scans on our remote branch locations. We have MX hubs and about 400 branch locations with smaller MXs. We leverage AutoVPN for connectivity and have ADV Security licenses on everything. We also have vulnerability scanners in our data center behind the MX hubs that reach out over the AutoVPN to branch locations to perform vulnerability scans. Ever since migrating over to Meraki from a DMVPN solution our Tenable vulnerability scans run forever (really, they never end). I worked with support a while ago to get the IP address of the Tenable vulnerability scanner whitelisted so it would not be flagged by the IPS engine on the MXs, but we are still having issues where it never finishes. Anyone else having a similar issue or a solution?


Thanks  

3 Replies
DWATT
Conversationalist

Yes, I have the exact same issue as you have described. Still searching for ways to tune this on both the Meraki and Scanner sides, so I am not babysitting scans that used to kick off according to schedule and complete before running out of the allotted time.


Also running into issues with IDS/IPS at times and false positives.

BazMonkey
Getting noticed

Hello,

A bit off topic, but how did you get the IP of the scanner whitelisted? I was sure that was not an option. Can TAC do it in the 'back end'?


It's just that we are using Rapid7 and need to get through our spoke MXs without installing an agent or switching off IDS/IPS whilst we scan.

Crocker
A model citizen

I have the same question. We're looking at enabling IDS/IPS on our AutoVPN spoke MXs, but that has the adverse effect of bricking the vulnerability scans against clients/devices behind the spokes. The only exceptions I thought I saw were for particular rules, rather than particular IPs.
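Since the thread says the dashboard offers per-rule IPS exceptions rather than per-IP ones, a defender-side first step is to find out which rules actually fire on the scanner's traffic before touching any of them. The script below is an added example, not Meraki's, Tenable's or Rapid7's code; the event field names (srcIp, destIp, blocked, ruleId) are an assumption modelled on the Dashboard API security-events response, and the sample events are constructed.

```python
"""Offline triage of exported Meraki MX IDS/IPS security events for a scanner range.
Added example, not Meraki's, Tenable's or Rapid7's code. Event field names (srcIp,
destIp, blocked, ruleId) are an assumption modelled on the Dashboard API
'appliance/security/events' response; the events below are constructed."""

from collections import defaultdict
import ipaddress

SCANNER_CIDRS = ["10.0.5.0/24"]          # constructed: scanner subnet behind the hub
SAMPLE_EVENTS = [                         # constructed sample export, not real alerts
    {"ts": "2024-01-10T02:00:01Z", "srcIp": "10.0.5.20:51234",
     "destIp": "10.40.1.15:445", "blocked": True, "ruleId": "RULE-A"},
    {"ts": "2024-01-10T02:00:02Z", "srcIp": "10.0.5.20:51235",
     "destIp": "10.40.1.16:22", "blocked": True, "ruleId": "RULE-A"},
    {"ts": "2024-01-10T02:00:03Z", "srcIp": "10.0.5.20:51236",
     "destIp": "10.40.1.15:80", "blocked": False, "ruleId": "RULE-B"},
    {"ts": "2024-01-10T02:00:04Z", "srcIp": "10.40.2.9:40000",   # not the scanner
     "destIp": "10.40.1.15:445", "blocked": True, "ruleId": "RULE-A"},
]

def _host(addr):
    """Strip a trailing :port from an IPv4 'ip:port' string if one is present."""
    host, sep, port = addr.rpartition(":")
    return host if sep and port.isdigit() and host.count(".") == 3 else addr

def scanner_hits(events, scanner_cidrs):
    """Group events whose source lies in the scanner range by ruleId."""
    nets = [ipaddress.ip_network(c) for c in scanner_cidrs]
    hits = defaultdict(lambda: {"count": 0, "blocked": 0, "targets": set()})
    for ev in events:
        src = ipaddress.ip_address(_host(ev["srcIp"]))
        if not any(src in n for n in nets):
            continue                      # alerts from other sources are left alone
        h = hits[ev["ruleId"]]
        h["count"] += 1
        h["blocked"] += int(ev.get("blocked", False))
        h["targets"].add(_host(ev["destIp"]))
    return dict(hits)

def exception_candidates(hits):
    """Rules that blocked scanner traffic. A per-rule exception disables the
    signature for every source, not just the scanner, so weigh that cost
    for each candidate before adding it."""
    return sorted(r for r, h in hits.items() if h["blocked"] > 0)

if __name__ == "__main__":
    hits = scanner_hits(SAMPLE_EVENTS, SCANNER_CIDRS)
    for rule, h in sorted(hits.items()):
        print(rule, h["count"], "events,", h["blocked"], "blocked,", len(h["targets"]), "targets")
    print("exception candidates:", exception_candidates(hits))
```

Events from non-scanner sources that match the same rule are deliberately kept out of the summary, so the candidate list reflects only what the scan itself triggers.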
