The Meraki Community
KarstenI

Kind of a big deal

Member since Mar 22, 2019

Online

Karsten Iwen

Germany

https://cyber-fi.net

Freelance Consultant and instructor. Need help with your Meraki project? Now you know who to contact. ;-)

Groups
  • CLUS 2022 Meraki Lounge
    28
  • Meraki Network Lounge
    49
Kudos from
User Count
PhilipDAth 359
MajorTom 1
Boyan1 1
Jeizzen 1
CptnCrnch 245

Kudos given to
User Count
AmyReyes 20
cmr 72
ww 31
CptnCrnch 49
BlakeRichardson 27

Community Record

1341 Posts
1803 Kudos
122 Solutions

Badges

CMSS
ECMS1
ECMS2
Meraki FIT Level One
Meraki FIT Level Two
Meraki360
Latest Contributions by KarstenI

Re: Meraki MX84 - NAT Internal IP to another Internal IP

by KarstenI in Security / SD-WAN
09-22-2020 05:34 AM
NAT is only done when the communication is done through the WAN-port. The MX does not have this flexibility as it is available for example on the Cisco ASA/FTD.

Re: wireless client DNS issue with AP through site-to-site vpn tunnel.

by KarstenI in Wireless LAN
09-22-2020 05:27 AM
Did you change your Umbrella-Setup recently? And who sends the DNS-requests to Umbrella? The client, the MX, a VA? I would first look at the Umbrella dashboard and/or the MX-Umbrella-config if your domain names (the domains that should be processed by your DNS) are configured correctly.

Re: wireless client DNS issue with AP through site-to-site vpn tunnel.

by KarstenI in Wireless LAN
09-21-2020 02:11 PM
  • Do the WLAN clients receive the right DNS-server?
  • Is it only DNS and the rest is working as expected?
If nothing works, did you perhaps forget to allow the WLAN clients access to local LAN under Wireless -> Firewall?

Re: Forwarding web traffic to proxy

by KarstenI in Security / SD-WAN
09-21-2020 02:05 PM
Yes, sadly there is no WCCP. Is your L3-switch also Meraki? If it's a "traditional" Catalyst, that one could support WCCP. Although not optimal, you could use WPAD-files and provide the location of the files through DNS.

Re: Default route on mx

by KarstenI in Security / SD-WAN
09-21-2020 05:17 AM
2 Kudos
A default route is always 0.0.0.0/0 and not /24. What is your topology? The other gateway is connected to a LAN-Port and not the WAN port? In general, the Internet should be connected to WAN.

Re: Cisco Umbrella 🆚 OpenDNS

by KarstenI in Security / SD-WAN
09-21-2020 03:19 AM
1 Kudo
If you are not aware of your license, then it is very likely that you run the stable version. v15 is Beta and typically only used when a specific function is needed. You see the versions on Security-Appliance -> Appliance status.

For the license, there are Enterprise, Advanced Security and SD-WAN. You need at least Advanced Security to integrate Umbrella into MX. You see your license under Organisation -> License Info.

I would go a phased approach:
1) Buy the Umbrella DNS Essentials license for the amount of users in your organisation.
2) Enroll two Umbrella VMs in your main office and configure them in regards to the Umbrella Documentation. When finished, all users in the Headquarter are protected.
3) Do you have Meraki APs? Then the next step is to integrate Umbrella into your SSID.
4) Now some more months are gone and you can decide how to go on for your branches. Either with dedicated Umbrella VMs or you decide that it is safe enough to go to MX15 and activate the native integration.

Re: Cisco Umbrella 🆚 OpenDNS

by KarstenI in Security / SD-WAN
09-21-2020 02:08 AM
1 Kudo
OpenDNS does not have any solution for enterprise customers. That is what Umbrella offers and what matches your use case. You can integrate it with the MX when you run MX version 15 and have the security-license (SD-WAN is not needed). Or for all sites with VM-hosts, there are lightweight VMs that control the DNS-handling.

Re: Cisco Umbrella 🆚 OpenDNS

by KarstenI in Security / SD-WAN
09-21-2020 01:25 AM
1 Kudo
First: OpenDNS are the free and publicly usable DNS servers operated by Cisco. Umbrella is a product that you can subscribe to from Cisco, same as subscriptions like "OpenDNS Prosumer". You are probably asking for the difference of buying Umbrella separately or combined with the Meraki License. It's really easy to operate Umbrella with the Meraki license that includes Umbrella. You only have one Dashboard and the configuration is super easy. The downside is, up to now you only have the possibility to protect wireless users connected to your MRs. With the "regular" Umbrella license you can protect also your wired- or VPN-Users. And you have much more flexibility in your Umbrella configurations. Another drawback with the MR Advanced license (that is the one including Umbrella): you have to use single device licensing which again can be a little more complex for your organisation.

Re: VPN Subnet Translation-Problem between MX100/ASA5515 and MX64 - AuttVPN

by KarstenI in Security / SD-WAN
09-21-2020 12:32 AM
"VPN Subnet Translation" is only needed if you have sites with identical IP networks and you can't renumber any of them. Based on your addressing, I assume that the MX is configured as one-armed concentrator in an ASA-DMZ? You say that data from remote-to-main flows. Does this mean you have bidirectional communication? Then there is obviously no routing-problem. It still could be an access-control-problem on the ASA and/or MX. Capture the traffic along the way from source to destination. I would start with:
1) ASA outgoing interface
2) main MX VPN Tunnel
3) Branch MX

Re: Mass enrollment into MDM

by KarstenI in Mobile Device Management
09-18-2020 10:26 AM
est way for that is using the Apple Device Enrollment Program (DEP) in case you are talking about iOS devices: https://documentation.meraki.com/SM/Device_Enrollment/Enrolling_and_Supervising_iOS_Devices_using_Apple_Configurator_2.0

For Android, there is a specific setup routine that the user can use.

Re: Content Filtering on Z3 with full tunnel

by KarstenI in Security / SD-WAN
09-18-2020 10:22 AM
Yes, that was a faulty assumption. Content-filtering is not done when the traffic reaches the MX over the VPN-Tunnel. Best solution (IMO): Deploy Cisco Umbrella to the branches and configure Content-filtering there.

Re: Threat Protection Whitelisted Rules

by KarstenI in Security / SD-WAN
09-18-2020 06:40 AM
3 Kudos
Whitelisting of rules is a part of a process named "IPS tuning". Typically it is done (not a complete list) when a rule causes a false positive and/or processing the rule is a waste of resources because they are not relevant in the environment. All whitelisted rules, the same as with firewall rules, should be evaluated from time to time to see if they are still implemented correctly. At least I have seen lots of whitelisting that was added when troubleshooting problems. Based on "oh, there is an event in the IPS dashboard, let's disable this rule" the rule was disabled, but regardless if this was the problem or not, the whitelisting stayed in the config.

Given that the MX-IPS is meant to be more or less a "black box" without extensive tuning possibilities, I would look up the rules in the Snort documentation and enable them if it is likely that they will not harm you.

Another approach (but with more risk), switch from Prevention to Detection, and delete the whitelist. If no events will show up, you can go back to Prevention. If Events still show up, it will get harder if it is traffic that is needed for operation. But then, there are no easy rules on how to proceed.

Re: Meraki devices backup eviences

by KarstenI in Full-Stack & Network-Wide
09-18-2020 05:44 AM
1 Kudo
I don't think that you can get a good answer here as there is nothing like a backup in the Dashboard. If you want to achieve something a backup is for, like you mentioned, getting back to operation after a disaster, there is only one way: Generate a script that builds all your networks via API and document exactly where manual adjustment is needed if the API can't do it.

Re: DHCP/VLAN issue

by KarstenI in Security / SD-WAN
09-18-2020 05:34 AM
Can you explain what you mean with "and I need to be on this VLAN also"? If your DHCP-server is in VLAN 1 and the client is in VLAN X, then DHCP-relay is the feature to use. If your client is in the same VLAN as the DHCP-server, no DHCP-functionality is needed on the L3 device (the MX) between them as the DHCP-server can directly give the client its config.

Re: Assign layer 7 rules to WAN2

by KarstenI in Security / SD-WAN
09-18-2020 02:48 AM
@Cain wrote: Indeed this is my current work around. I have a webhook that fires off a Python script that modifies the layer 7 rules when the WAN link changes.

Do you have a blog? Would be worth publishing your solution.

Re: Assign layer 7 rules to WAN2

by KarstenI in Security / SD-WAN
09-18-2020 02:24 AM
I also have no easy solution and having separate rules per WAN-interface would be really great for this use-case. But how are your Python skills? Based on the availability of the primary link, you could change the L7 firewall rules with the Dashboard-API.

Re: Can the MG21 behave like the Router?

by KarstenI in Wireless WAN
09-18-2020 02:13 AM
1 Kudo
From all possible solutions, that would probably be the most expensive one with the least features. As mentioned, a small MX or even a Z3 with an attached LTE-dongle would be probably much better.

Re: how to blocked porn video sites Meraki

by KarstenI in Dashboard & Administration
09-17-2020 07:34 AM
2 Kudos
If you have some dollars of the budget left, look at Cisco Umbrella. In my experience, the blocking of inappropriate content is more powerful than the MX-built-in content filter.

Re: Deploying Meraki Wi-Fi in a Warehouse for scanning guns

by KarstenI in Wireless LAN
09-16-2020 10:09 AM
"Expensive and extreme" is relative if there is a business need for wireless on this one gun ... And probably more will be added later, right? I would look for a company specialised in Warehouse Wifi. There is too much that can go wrong there. And don't focus on specific APs to use. With RF-Guns, you will never need one of the High-End APs with many spatial streams, but you will likely need one with external antennas.

Re: telnet tool needed in MS switches

by KarstenI in Switching
09-16-2020 10:02 AM
2 Kudos
Yes, a "ping tcp" or similar would be great. Did you add a wish for that? I just did. 😉

Re: ASA to MX migration, sanity check

by KarstenI in Security / SD-WAN
09-16-2020 09:59 AM
2 Kudos
All in all, that should work. If you have a spare public IP, I would put the MX in parallel to the ASA and migrate the branches. This way you don't have to change the MX when done and you can also directly use the security-features of the MX for your outgoing traffic.

Re: Does adding devices to the MDM require a licence?

by KarstenI in Mobile Device Management
09-16-2020 04:53 AM
2 Kudos
It's under Organization -> License Info. Could look similar to this:

Re: Does adding devices to the MDM require a licence?

by KarstenI in Mobile Device Management
09-16-2020 04:46 AM
1 Kudo
Each device will consume one license: https://documentation.meraki.com/zGeneral_Administration/Licensing/Systems_Manager_Licensing

Re: Meraki Templates

by KarstenI in Security / SD-WAN
09-16-2020 02:39 AM
1 Kudo
Before planning for templates, make sure that you understand what they are and how they work. Especially, look at the way IP addressing is done. If you come from a traditional setup with summarized networks for your branches, you will be a little bit "shocked" how addressing is done here. And you should be aware that every change of the addressing in the template will renumber the addressing in the networks. At least for me, these are too many drawbacks and I only use individual networks. For automation, the Meraki API will help you to keep your networks consistent.

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practice_Design_-_MX_Security_and_SD-WAN/MX_Templates_Best_Practices

Re: Aesthetically pleasing access points

by KarstenI in Wireless LAN
09-15-2020 01:06 PM
1 Kudo
Never used them myself, but have heard good things about http://www.acceltex.com/skins/
My Accepted Solutions
Subject Views Posted

Re: Meraki VMX Firewall

Security / SD-WAN
114 Thursday

Re: set specific static public IP to specified PC

Wireless LAN
80 a week ago

Re: MX64--- Unable to login using Serial Number for initial configuration

Security / SD-WAN
159 3 weeks ago

Re: Meraki MX multiple /29 Public Blocks

Security / SD-WAN
170 a month ago

Re: iPSK without Radius not compatible with 6ghz?

Wireless LAN
253 ‎01-05-2023 02:40 PM

Re: Meraki MX support CoA with Cisco ISE?

Security / SD-WAN
651 ‎01-02-2023 03:23 AM

Re: vAnalytics?

Meraki Insight
354 ‎12-09-2022 06:29 AM

Re: MX Firmware 16.x and 17.x compatibility between different MX devices

Security / SD-WAN
386 ‎12-02-2022 04:14 AM

Re: What is this "Enforce" in v17 L3 inbound rules

Security / SD-WAN
263 ‎11-30-2022 07:47 AM

Re: Limiting Internal traffic between two subnets

New to Meraki
217 ‎11-17-2022 07:19 AM
My Top Kudoed Posts
Subject Kudos Views

Re: The Annual Community Points Contest is HERE!

Community Announcements
18 8556

Merakifying the Meraki Cloud Lamp

Meraki Projects Gallery
18 1809

Re: 🎁 🍰 🎈 Happy 5th Birthday, Meraki Community! 🎈 🍰 🎁

Community Announcements
11 2076

Re: The Annual Community Points Contest is HERE!

Community Announcements
11 8239

Re: Sign the Community’s birthday card!

Community Announcements
10 2034
© 2023 Meraki