Jul 23 2024, 12:26 AM (1 Kudo)
My understanding is that the behaviour is correct and it did allow the traffic because it never got a chance to do something with it. Packet comes in, hits the IDS and the cycle begins. During the check, the firewall itself drops the packet and stops processing it. The IDS lists this as Allowed as the traffic is technically allowed to pass through the IDS. If that is correct, it would probably be better for the status to list the packet as "Dropped". What interests me the most about the status is the fact that we have never seen the packet allowed. It's always blocked. I presume that will be because our IDS gets a chance to process it fully before it's passed; I get the impression our MX is likely not overworked, as I have a habit of buying bigger than we need for overheads. Meraki really do need to show the status of the hardware usage in the portal. If your MX is flat out most of the time, you'd never really know unless it's affecting real-time performance.
Jul 10 2024, 2:55 AM
Do we know for sure they are targeting MX devices? Is this not just a case of sending signals out to see who responds in favour of the exploit? My understanding is the packet is exclusively looking at exploiting unpatched Zyxel routers. The packets we intercepted were looking for the /mips folder that mirrored the Zyxel exploit.
Jul 10 2024, 2:48 AM
We are experiencing the same thing but consistently seeing blocked. We have the VPN offline currently until I understand why we are seeing blocked and others are seeing allowed, to quell any doubts. My understanding from your post would indicate that, given I know our VPN is sat on an MX that has plenty of bandwidth day to day, we will always have the overhead to have free cycles to analyse the packets. From a design point of view, having a VPN on an actively and heavily used MX without considering overheads for free cycles seems like you might need to deal with cases like this more often. Would it be better to run a separate MX for a VPN, or at least upgrade to one that will likely have plenty of overhead? I agree, having the MX mem/cpu load visible would be a huge advantage to pave the way for better planning.