This is the scenario that you are most likely experiencing.

The Meraki MX appliance received packets from the source IP address 95.214.52.173. The packets were copied to the IDS process for further analysis. The IDS flagged the flow as potentially harmful, as it matches the pattern of a known attack vector. Before the IDS could take preemptive action to drop the flow, the Meraki MX's inbound firewall rules had already dropped it. In your case, if it was enabled, Client VPN could've been the process that dropped the flow, as the destination port is port 500.

As a result of the firewall's prompt action, the IDS process could not apply its own measures, which is why the Meraki Dashboard indicated the action as "Allowed." It is important to note that despite this indication, the flow was effectively blocked by the MX.

Key Takeaways:

The swift response by the firewall prevented any action from being required on the part of the IDS.

An "Allowed" status on the Meraki Dashboard could sometimes mean that the threat was blocked by other security layers, not that the traffic was permitted through the network.