To be explicit here, yes, ECH will pose a problem for some features on MX. Explicitly, Content Filtering relies on being able to see the domain the client is attempting to communicate with, which is contained in the Server Name Information (SNI) field of a TLS header during the initial handshake.   This works just fine for TLS 1.2, and TLS1.3 when ECH is NOT in use, but any extensions to TLS1.3 that obfuscate this information will prevent it from functioning. ... View more

It sounds like you're thinking of applying static IP's to known devices and dynamic IP's to unknown devices in a completely flat network, and setting firewall rules based on whether it's a 'static range' or 'dynamic range' within the same overall subnet.. If that's the case, it's theoretically possible but pretty poor from a design perspective and I'd probably advise against it.   From a high level, there's probably a few better ways you could do this.   The cleanest way I can think of that would cover both wired and wireless clients is RADIUS 802.1x authentication. Essentially, your devices authenticate to the RADIUS server and are placed into a VLAN (based on a designated filter). You can then apply the rules to the VLAN.   For your scenario, on the RADIUS server you can setup MAC address whitelisting  for your known clients, and then send all other clients to a separate VLAN using CoA. Clients can then be 'transitioned' from unknown to known by adding the MAC address to the whitelist.   References: MS Switch Access Policies (802.1X) - Cisco Meraki Configuring RADIUS Authentication with WPA2-Enterprise - Cisco Meraki     Otherwise, you can simply separate known from unknown by applying separate VLAN's, and separate SSID's (or using Identity PSK with group policies if the same SSID is required). ... View more

Hi Janice,   Was wondering if you had any more information on using both Meraki and Stealthwatch together. ... View more

As @BlakeRichardson - use MFA everywhere.   And don't use TXT based authentication if you can avoid it - especially if you are in the USA where the Telco networks have poor security.   For the Meraki dashboard: https://documentation.meraki.com/General_Administration/Other_Topics/Two-Factor_Authentication#Using_Google_Authenticator_for_Two-factor_Authentication_in_Dashboard    If you use Office 365, I would enable MFA in that, and then get everything using SAML against that to provide wide protection. ... View more

The purpose of port forwarding is different. It's meant to be used for traffic coming in to the MX's WAN interface.   Let's say for example you have a webserver running in your local network on port 80 on a server with the local IP address of 192.168.50.1. You would then setup port forwarding like this:   It doesn't work like that for outgoing traffic.   You could configure the firewall to only allow DNS traffic to your DNS server and block everything else. Then your users would be obliged to use your DNS server (unless they proxy/VPN their way out).   ... View more