Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About PaulHenry
PaulHenry
Here to help
Member since Jan 16, 2019
May 11 2020
Community Record
15
Posts
4
Kudos
1
Solution
Badges
May 7 2020
5:29 AM
Our MX-250 shows % utilized rarely over 50%. However, MX-250 keeps failing over to our warm spare. Meraki support says that the CPU is pegged at 100% and that this is causing our problems. Does this make sense? How can we view and monitor CPU? Why is this not shown in the Summary Report?
... View more
Apr 9 2020
8:43 AM
Yes, it runs on a specific server and I can see that as the source of the IDS events. The problem is that it is intermittent. I have never seen portscan events before in the IDS and I do not see these consistently. They appear in massive numbers occasionally, but not always. We run port scans all the time, but they only appear in the IDS sometimes.
... View more
Apr 9 2020
5:38 AM
Environment: We are running MX-250 with firmware MX 15.25. IDS is on with mode "Prevention" and ruleset "Security" We are using Lansweeper across our network to manage our PCs. Problem: Sometimes the IDS reports on "Filtered Portscan", "Filtered Distributed Protocol Scan", "Filtered Portsweep" and others. All are listed as "Allowed", even though our mode is "Prevention". I am happy to see these in the reports, so that I can verify that these portscans are appropriate, but why did it just start recently and why does it seem to be intermittent? Any ideas? Thanks, and stay healthy everyone.
... View more
Apr 30 2019
4:53 AM
Wow! That looks great. I enjoy using my 30-year-old awk, grep and regex skills, but I want to put something more robust in place. I will look at LogRhythm. One last question: Where do you store your logs? Thanks,
... View more
Apr 29 2019
7:18 AM
@NolanHerring This is a line of output from the MX250 log: 2019-04-29T10:13:45.512222-04:00 alb-mx250 1556547225.512287760 MENANDS_MX1 flows src=10.2.100.24 dst=10.1.100.144 mac=A0:3D:6F:C7: 70:11 protocol=tcp sport=60935 dport=80 pattern: allow (dst 10.1.3.0/24 || dst 10.1.5.0/24 || dst 10.1.10.0/24 || dst 10.1.100.0/24 || dst 10.1.250.0/24 || dst 10.2.100.0/24 || dst 10.3.100.0/24) && (src 10.1.3.0/24 || src 10.1.5.0/24 || src 10.1.10.0/24 || src 10 .1.100.0/24 || src 10.1.250.0/24 || src 10.2.100.0/24 || src 10.3.100.0/24) I parse, chop and summarize this into a report.
... View more
Apr 29 2019
6:51 AM
1 Kudo
Haydn, Thanks for the quick reply. This a sample of the output that I get from my scripts. Can you get something similar from LogRhythm? It took me some time to figure out how to cut the correct columns from the syslog output. count protocol Source IP Dest IP Dest Port allow/deny Rule 69 protocol=tcp src=10.1.100.134 dst=10.1.201.101 dport=8443 allow tcp&&(dst10.1.201.0/24)&&(dstport8080||dstport8443)&&(src10.1.100.0/24) 13811 protocol=tcp src=10.1.200.10 dst=10.1.201.100 dport=8080 allow tcp&&(dst10.1.201.0/24)&&(dstport8080||dstport8443)&&(src10.1.200.0/24) 5315 protocol=tcp src=10.1.200.10 dst=10.1.201.101 dport=8443 allow tcp&&(dst10.1.201.0/24)&&(dstport8080||dstport8443)&&(src10.1.200.0/24)
... View more
Apr 29 2019
6:40 AM
3 Kudos
I am pulling firewall hits out of of the syslog output and then loading to Excel for analysis. The MX logs go to a Linux syslog server and then I use awk to process and format the hits on the rules. I plan to summarize the results and send it out via email to our security team. This is really helpful when we get a call asking if the firewall is blocking traffic. I can quickly tell whether they are hitting a rule, and which rule they are hitting. Is anyone doing anything like this?
... View more
Feb 5 2019
1:57 PM
The blocks are from our outbound firewall rules on our primary MX-250. Thanks,
... View more
Feb 5 2019
5:49 AM
Our network consultant analyzed the issue and made changes to the configuration of our VPN concentrator. It is now working as expected. Sorry that I do not have any more detailed information on why we were getting the weird traffic from the VPN concentrator. Maybe he had it installed upside down. ha ha.
... View more
Feb 4 2019
1:30 PM
We are configuring an MX-250 as a VPN Concentrator. It will handle client VPN connections and authenticate against a RADIUS server. It is set up with port forwarding from our primary MX-250. However, we are seeing blocks from our internal firewall rules. For example, I get a tcp block on the source IP of 204.79.197.200 and source port of 443, with a target IP of 10.1.250.192 and target port of 61702. It looks like the blocks are somehow reversed. The VPN client is at 10.1.250.192 and is trying to create a 443 connection to 204.79.197.200, but I get a block in the opposite direction. Another example: According to our firewall, Google at 8.8.8.8 is trying to hit our VPN client for a DNS lookup on udp port 53. It is backwards! Any ideas would be welcome. When we finally find the problem, I will post the answer. Thank you.
... View more
Jan 25 2019
1:40 PM
That is exactly what is happening! It is the syslog server that is setting the hostname, not the MX-250 All I had to do was put an entry in /etc/hosts and restart rsyslog Thank you. -Paul
... View more
Jan 25 2019
12:44 PM
We have multiple MX-250 devices on the network and I am using rsyslog to collect my logs. As of now, the hostname in the logs shows as "_gateway". If I send logs from an Ubuntu host, I get the correct hostname in the log file,but not when the logs come from the MX-250. Our MX-65 shows in the the syslogs with its IP address, as do all the access points. Where is the "_gateway" name coming from for the MX-250? Is there a place to set this in the configuration screens? This is what the log entry looks like: 2019-01-25T15:38.16986678-5:00 _gateway 1548448.1704225745 ip_flow_end src=... Thanks in advance for any ideas.
... View more
Jan 16 2019
1:57 PM
My original assumption was faulty. I assumed that I would be able to block everything except for Zscaler traffic. This did not work. Even though the traffic is bound for Zscaler, it still gets blocked by the MX. The Meraki firewall must still see the url and blocks it. I think that BrechtSchamp is right. I would have to block traffic at the L3 firewall for this to work. Thanks for the help.
... View more
Jan 16 2019
12:57 PM
Thanks for the suggestion. I will add zscaler.net to the whitelist and see if that works.
... View more
Jan 16 2019
11:15 AM
We use the Zscaler app on our desktops and we want to fall back to "block all" if Zscaler fails or is disabled. We tried to set up a group policy that limits outbound access to the Zscaler IP addresses. We want to block all URL patterns and allow a list of IP addresses in the Whitelist. Is there a way to use CIDR IP addresses instead of URL patterns in the Whitelist.
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 4280 | Jan 25 2019 1:40 PM |
My Top Kudoed Posts
© 2024 Cisco Systems, Inc.
