- When a failover occurs a GARP is not sent for the 1:1 NATs therefore in the case of a failover anything that uses our 1:1's stop working - The hit counters on the firewall rules don't work.  I have verified this and also have confirmation from tech support.     Client VPN.  There isn't a way to apply different rules to users since you can't assign a static IP to a VPN client and the MAC address is not registered on the firewall so you can't apply a group policy to it.  I tried but soon found out that these policies were being randomly assigned to different systems.   No way to positively verify that firewalls rules are working as intended.  We have a large number of rules since we deal with not only our own network but with two clients that connect directly to use and they each have over 10 subnets.  I have spent countless hours trying to make sure that these rules work.  The answer is to send them to syslog but try and work with thousands of syslog messages to determine you haven't missed something.   Cosmetically they are horrible as well.  Firewall rules are hard to read since you can't see everything in the little boxes they have.  I am constantly coping and pasting to and from notepad just to view a firewall rule.   Failover order doesn't make sense.  At least not to me.   Primary WAN1 Primary WAN2 Secondary WAN1 Secondary WAN2 This means that if something happens to the connection on the Primary WAN1 port the system fails over to the WAN2.  Our WAN2 port is our cellular backup, not our first choice.  I don't think many users will have a high-end secondary ISP connection.     It just seems every time I try do something with these firewalls it is either very difficult to implement, it isn't supported or doesn't work.   I have a Meraki firewall in a clients office and it is great there.   It is a small office with very few firewall rules or anything.  It is good if you just want a simple setup.  As soon as you try anything complicated you start running in to problem.s ... View more

Well I have been posting a lot to the forums about trying to get these firewalls to work for me.  I have yet to actually get an answer to any of them that works. ... View more

So I ran a test on the weekend using the following   Primary WAN1 - ISP1 Primary WAN2 - ISP2 Secondary WAN1 - ISP1 Secondary WAN2 - not used.   This did work.  There is an issue though.  When I tried to force a failover from the Secondary to the Primary using the dashboard I got a message stating that I needed to configure the WAN2 port and it would not let me switch.  I had to go in and unplug the cell device, force the failover and plug it back in.   Next I have to try Primary WAN1 - ISP1 Primary WAN2 - ISP1 Secondary WAN1 - ISP1 Secondary WAN2 - ISP2 - we want this as a last resort ... View more

That does not work properly.  I tried that.  What ends up happening since the group policy can not attach to a MAC address the group policy over time gets randomly assigned to different systems.  I have a policy for IT staff.  There are only three of us.  When I go in and look at the client list that policy is currently assigned to 10 different systems. ... View more

So I now know what the issue is.   When a failover occurs Meraki does not do a GARP for the 1:1 NAT addresses.  Therefore the upstream device does not get updated.  This is from the Meraki documents.  Their solution is tell you to reboot the upstream device.   So as far as I am concerned this is a major major flaw in the Meraki failover routine.   It can take hours for the upstream device to refresh its ARP table meaning any services you are offering through those NATs will be down for hours.  Defeats the whole purpose of having a failover. ... View more

I should have mentioned that this was working and then we swapped out the firewall via RMA.   We have been using a virtual IP from the start.   Thanks ... View more

Yes.  And it works on one firewall but not the other. ... View more

That is what I thought at first but then I looked at it again.  The default for layer 3 rules for a group policy is allow any any and you can not remove or disable it.  So that means any processing will stop at that rule.  So in our case we have a number of rules that we want to apply to everyone.  Since there is a default allow any any at the bottom of the group policy rules then all those rules need to be added to each group policy or they never get processed.  To me it would make much more sense to be able to disable the rule and let the processing continue through the normal firewall rules. ... View more

I have been putting some thought in to this and was wondering if either of these would work.  I only want to use ISP 2 as a last resort since it is a cellular device connected to the WAN port. I don't have test environment to try this.   Primary WAN 1 - ISP 1 Primary WAN 2 - ISP 1 Secondary WAN 1 - ISP 1 Secondary WAN 2 - ISP 2 or  Primary WAN 1 - ISP 1 Primary WAN 2 - no used Secondary WAN 1 - ISP 1 Secondary WAN 2 - ISP 2 ... View more

It wasn't the Cisco partner it was Meraki.  The documentation they supplied was wrong and it took two months to convince them of that.  They changed the documentation. ... View more

Well I finally found out how to verify the firewall rules.  It is possible.   The syslog entry contains a keyword called pattern.  After pattern it details the firewall rule that applied to the log entry so you can match it against the actual rule.  It would have been nicer to have something like rule ## but I can work with this.    ... View more

We have 8 internal subnets.  Plus we have 30 routed subnets from our clients.   These are controlled by approximately 60 firewall rules.   It is very easy to make a mistake and end up with traffic going unintended places.  Add to that our syslog server is handling over 300,000 message an hour.   It is very easy to miss something.  I have worked with a number of different firewalls and this is the first time I have had a firewall that I could not through a report, the dashboard find see what traffic was being handled by which firewall rule. ... View more

Yeah.  This just doesn't work for me.   I have about 60 rules on my firewalls.   So when things are not working right I need to know why.   We have a number of subnets on our network plus a number of clients that connect directly to us with a large number of subnets.  So it is essential that I can verify that my firewall rules are working as they are.  This means I need to be able to look at a rule and see what traffic it is allowing or blocking.   Seeing it on my syslog server without any way to determine which rule it came from is not acceptable to us or our clients.   To me this is a huge security issue.  I need to positively verify a rule is working as intended. ... View more

I understand that.  But what if there is a bug in their firewall.  We have no way of knowing.  I already know there is one bug because the rule I have specifically for syslog does not generate any hits and there are literally thousands of packets that should be hitting that rule.  So if there is one bug there is a good chance there is another.   I also realize that with any device or software there can be bugs but without a way to verify it is not good. ... View more

The issue is that it doesn't verify that the rule was the one that generated the log entry.  It just says "a" rule in the list generated the log entry.  So if you have a mistake in your rules you have no way of checking it to make sure it is the correct rule.   ... View more

I don't want to block by country.     The rule states "Deny - countries - Traffic not to/from - list of countries   So that to me means that traffic to a country not on the list is denied and traffic from a country not on the list is denied.   This is much easier than having about 180 countries on a deny list, much easier to manage. ... View more

I see it in the security centre and I have blocked different threats.      It is just if a rule states that traffic not from/to a country is to be denied then, to me that means traffic originating from a country not on the list should be blocked.  And when I check the event logs in the security center it does show that traffic being allowed. ... View more