Layer 7 rules are Deny only because....   I have no reason why except to say lunacy.  They apply top down so i expect something like... 1 Accept P2P Skype 2 Deny P2P All This would allow Layer 7 rules to allow Skype and block all other P2P traffic like file sharing networks but for as much money as Meraki costs they apparently just like to have the benefit of touting that they HAVE Layer 7 features but not actually making them useful whatsoever.  Layer 7 isn't really available in this product as far as I can tell because all you can do is block individually so it's pretty much useless... unless you just want to block one thing then, whatever floats your boat.  For all the press Meraki gets about having amazing security I don't see one iota of security in this thing.  I feel like my network is wide open to attacks.  I mean, yeah! There's a SPI firewall.  Whoop-dee-doo. ... View more

Breaking SSL security to scan for malware about to enter at the edge of the network is a VERY GOOD thing.  A real SSL inspection service will allow trusted connections to bypass SSL encryption like data traversing to and from banks, or to trusted cloud services like Google Search, but can be selectively implemented on new or unknown services to help protect the user from downloading backdoors and trojans.  It doesn't have to be an on/off service, but how can you call ANY network secure without having some semblance of SSL inspection or deep packet inspection?  You can't.  Don't believe me?  Go to Eicar.org and test the efficacy of your edge security.  Without packet inspection you're not going to be able to stop viruses from entering your network.  If your local AV software is alerting about the download then that's your last line of defense and your security posture is crap. ... View more

Which means that in an attempt not to break things we can't decrypt traffic to scan for viruses, backdoors etc... So in the name of functionality let's disable a feature that keeps the network safe.  See, all an attacker needs to do now is use a cheap GoDaddy SSL cert or upload their payload to a product or service that's already credible and secured and voila! they've just bypassed all our enhanced security and the entire network is now targeted for bad actors.  I hear what you're saying about usability, yet somehow Fortinet has solved this challenge and we've successfully deployed working networks without SSL inspection on trusted services while keeping SSL inspection on for less than trusted services.  It can be done on target IP, or up to Layer 7 application aware.  Right now I can't even seem to get Meraki to disallow P2P but allow Skype which uses P2P.  I'm pretty disappointed with Meraki.  Massive cost and a great WiFi platform, but the licensing costs are astronomical for missing on so many security points.  How does a real network even get secured using this platform?  Must be lots and lots of third party products running to give any kind of semblance of network security because Cisco just doesn't cut it at all these days.  Can't believe this company is as big and complex as they are considering they can't handle basic security needs of customers. ... View more