To be fair, if one of the resources is at 100%, that graph should be showing that imo. I know that having more insight into resource percentages has been requested by others before. I'd definitely make a wish and leverage my local Meraki SE & AM. ... View more

The reason why they're still getting through is likely because of the configuration details of sfportscan in the MX. The problem with IDS in Meraki is that it isn't very finetunable and details like this are also not documented.   Why they're intermittent, I'm not sure. Maybe the scans Lansweeper does have an element of randomness, and maybe sfportscan behaves differently when the first IP/service/whatever scanned results in a positive result rather than negative.   More info about sfportscan here: https://www.snort.org/faq/readme-sfportscan   I wouldn't worry too much about it as you know the result is legitimate and the threat isn't. ... View more

Our LogRhythm appliance is physical so all logs get sent to that 🙂  ... View more

The blocks are from our outbound firewall rules on our primary MX-250.   Thanks, ... View more

My original assumption was faulty.  I assumed that I would be able to block everything except for Zscaler traffic.  This did not work.  Even though the traffic is bound for Zscaler, it still gets blocked by the MX. The Meraki firewall must still see the url and blocks it.   I think that BrechtSchamp is right.  I would have to block traffic at the L3 firewall for this to work.   Thanks for the help. ... View more