That's not quite true. Traffic between VLANs on the MX does go through the IPS engine. https://documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/Threat_Protection#Intrusion_Detection_and_Prevention
1. Place an MX device with an Advanced license in every office.
2. Set up site-to-site VPN; block subnets from accessing subnets they don't need to (i.e. branch office to branch office, when they just need branch office to HQ).
3. Utilize VPN for office to HQ (datacenter) communications rather than the open internet.
4. Set up client VPN to HQ for users who need to remotely access servers.
5. Find out that Meraki's Windows split tunnel implementation is not reliable and prone to failures on a regular basis.
6. Deploy Z1/Z3 to home users or find another VPN client solution, as the one built in leaves much to be desired.
7. Turn on advanced features like AMP, IDS, etc.
8. Turn off AMP for all those users who run into false positives and find that AMP blocks the download of routine PDF files and similar.
9. Put in support tickets, await resolution in a future version of firmware, try out new firmware, go back to not using AMP as it's still broken.
10. Set the firewall to block traffic to countries/domains/categories that you don't need users to access.
11. Whitelist those sites that have been misclassified by BrightCloud (Webroot), which Meraki uses for their categorization.
12. Submit mis-categorized URLs to BrightCloud so that they aren't a problem going forward.
13. Unblock countries/categories that you routinely have problems with because of the way that Webroot classifies them and doesn't allow for the whitelisting of certain URLs/IPs.
14. Debate with yourself and support whether or not "full list" or "default" is the correct setting. Contacting support about a problem with this usually results in them suggesting you pick the opposite setting of whatever you have selected. Expect to be told that you are overloading the device by running it in full list mode.
15. Have the Meraki classify sites not only based on domain, but also based on underlying IP address, creating lots of false positives for things like Content Delivery Networks and others that often use the same IP to deliver different sites.
16. Copy those rules to other offices. Curse the fact that there is no way to reliably have a global whitelist or blacklist.
17. Create groups of users that need exceptions to the default categories blocked, i.e. HR people who need access to job search sites.
18. Hope that a firmware update doesn't break something else that used to work without a problem.
19. Hope that when an office internet connection drops out for a bit, the site-to-site VPN sets itself back up automatically. If not, watch out for the email alerts that it failed and reboot the MX device.
20. Monitor Meraki logs using another program. Learn that Meraki doesn't log things like a power cycle as such, and learn the terminology used to indicate a reboot.
21. Contact support with the bugs you find.
22. Deploy endpoint protection to pick up on what the Meraki didn't catch.
23. Use OpenDNS family safe and friendly filtered servers 18.104.22.168, 22.214.171.124 (vs. their open ones). Wish that they had an easy one-click integration with a company that Cisco owns. FamilyShield will always block domains that are categorized in our system as: Tasteless, Proxy/Anonymizer, Sexuality and Pornography. Ponder why it doesn't block malware and a few other categories.
24. Deploy Systems Manager on a few endpoints for testing. Find out it is lacking in most areas of what you need a systems management solution for. Trial out other RMM solutions. Pick another, all the while wondering why it can't integrate with your firewall.
25. If you are looking into MXNNw lines, i.e. the ones with wireless built in, stop: buy an MX device and a separate access point. The built-in wifi on the MX64W is terrible. Replace those wifi networks you rolled out with an MX64W with another brand of access point.

All in all, while Meraki does a lot, it's by no means a one-stop solution for what you need. It is a great way to have a site-to-site VPN set up super easily. You can also block a lot of stuff really quickly, but plan on having the support phone number stored in your speed dial and memorizing your support PIN code.
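One way to get the "global whitelist" the post above wishes for is to push a shared allow/block list into every network's content-filtering config through the Meraki Dashboard API. This is an added example, not the poster's code or Meraki's own tooling; the endpoint path and field names (`allowedUrlPatterns`, `blockedUrlPatterns`, `blockedUrlCategories`, `urlCategoryListSize`) are assumptions taken from the v1 API and should be checked against the current documentation, and the sample domains and category id are constructed.

```python
"""Propagate a shared allow/block list to every MX network's content filtering.

Assumed Meraki Dashboard API v1 shape (verify before use):
  GET /networks/{id}/appliance/contentFiltering  -> dict with allowedUrlPatterns,
      blockedUrlPatterns, blockedUrlCategories (list of {id, name}), urlCategoryListSize
  PUT /networks/{id}/appliance/contentFiltering  <- same fields, categories as id strings
HTTP calls are injected (fetch/put) so the planning logic runs offline.
"""
from typing import Callable, Dict, List

# Constructed sample values: entries every office should carry.
GLOBAL_ALLOW = ["example-cdn.com", "misclassified-vendor.example"]
GLOBAL_BLOCK = ["known-bad.example"]


def merge_lists(current: List[str], required: List[str]) -> List[str]:
    """Union that keeps each office's own local entries, de-duplicated and sorted."""
    return sorted(set(current) | set(required))


def plan_update(current: Dict, allow: List[str], block: List[str]) -> Dict:
    """Return the PUT body that brings one network in line, or {} if already compliant."""
    new_allow = merge_lists(current.get("allowedUrlPatterns", []), allow)
    new_block = merge_lists(current.get("blockedUrlPatterns", []), block)
    # Never list a pattern as both allowed and blocked: the allow list wins so a
    # CDN domain whitelisted for a mis-categorisation is not re-blocked by the global list.
    new_block = [p for p in new_block if p not in set(new_allow)]
    # GET returns category objects; PUT expects the bare id strings (assumption).
    cats = [c["id"] if isinstance(c, dict) else c for c in current.get("blockedUrlCategories", [])]
    unchanged = (set(current.get("allowedUrlPatterns", [])) == set(new_allow)
                 and set(current.get("blockedUrlPatterns", [])) == set(new_block))
    if unchanged:
        return {}
    return {
        "allowedUrlPatterns": new_allow,
        "blockedUrlPatterns": new_block,
        "blockedUrlCategories": cats,
        # Preserve the office's existing "full list"/"default" choice rather than flipping it.
        "urlCategoryListSize": current.get("urlCategoryListSize", "topSites"),
    }


def sync_networks(network_ids: List[str], fetch: Callable[[str], Dict],
                  put: Callable[[str, Dict], None],
                  allow: List[str] = GLOBAL_ALLOW, block: List[str] = GLOBAL_BLOCK) -> List[str]:
    """Apply the shared lists to each network; returns the ids that actually changed."""
    changed = []
    for nid in network_ids:
        body = plan_update(fetch(nid), allow, block)
        if body:
            put(nid, body)
            changed.append(nid)
    return changed
```

Wire `fetch`/`put` to your HTTP client with the `X-Cisco-Meraki-API-Key` header and run it from a scheduled job; networks already carrying the shared entries are skipped, so it is safe to re-run.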