Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About Quimax
Quimax
Getting noticed
Member since Feb 19, 2018
2 weeks ago
Community Record
25
Posts
5
Kudos
0
Solutions
Badges
3 weeks ago
So... We have multiple networks, all being updated from firmware 15 to 17 or 18 which has a whole new set of firewall categories and applications to pick from and Deny. Right now, I'm focusing on the L7 rules, but I assume this answer will also apply to L3 and content filtering as well. What we're looking to do is allow only 1 of the VoIP & video conferencing applications; which means we need to list out the rest and deny each one. Wash, rinse, and repeat for each category. API is perfect for this, but the "GET" only gets the items are are already set. Is there a master list of these categories & applications somewhere (that I've been unable to find?) that could be referenced?
... View more
05-05-2022
04:33 AM
2 Kudos
@DarrenOC wrote: Depending on how big your network is you can either manually audit the existing Config and document. Or, use API to pull the Config off and spit back into the dashboard when devices are moved over. Yea, this is probably what we're going to have to do.
... View more
05-05-2022
04:31 AM
It works pretty well for anything that isn't a port-specific setting. I'll probably do this with the content filtering and firewall rule things. L3 isn't configurable without a physical device though, which I have, but can't actually put into this new network without breaking the current network.
... View more
05-04-2022
09:50 PM
We're looking to re-do most of our network firewall and network configurations. Combining separate MX, MS and MR networks into one combined network and re-evaluating our content filtering at the same time. To do this, I've made a new combined network. Thought was to put all the routing rules, most of which won't change, into the new network and then add in the desired setup for the L3/L7 firewall and Content filtering. Once that is all setup, during off-hours, we can move the MX and other equipment from the other networks into this one and be up quickly as all the "hard" work has already been done. Details...details...always the details... Is there a way to "fake" a L3 capable switch so we can add the L3 interfaces and such? Apparently, one can't set any of those until an L3 device is added to the network. We're looking at almost the same setup as this: MX and MS Basic Recommended Layer 3 Topology - Cisco Meraki only most of our "downstream" setup isn't Meraki. I suppose I could do most of the L3/L7 firewall rules and such, but then only add the Layer 3 interfaces & routing during the change over, but really didn't want to fight that at the same time we're taking the bulk of our network down. Thoughts?
... View more
Labels:
- Labels:
-
Other
05-04-2022
09:40 PM
My understanding is that the NBAR categories only function in the "Normal" setting. Group Policy objects do not use the NBAR filtering at this point. The Meraki tech I was talking with didn't know if or when that functionality would arrive. It would be nice though. We generally use group policy to open or close services and having more granularity would be nice to have there.
... View more
06-07-2020
09:51 PM
1 Kudo
Disclaimer...this is "to the best of my understanding" If you want the firewall & content filtering features of the MX60W in front of your wifi, then I'd plug the WAN port of the MX60W into the LAN of your network. So long as the MX60W unit can get to the internet, you'll be able to configure the wireless settings of the MX60W unit. A possibly better solution would be to simply use the MR access points which have firewall, traffic shaping, access control and more functions built-in. They also allow multiple SSID's on multiple vlans so you can allow some users onto the "business" and others into a "guest." Unless you really need a specific feature of the MX-line to apply only to your wireless units, then the MR is a better bet. The MR is also a much better wireless AP anyways.
... View more
06-07-2020
09:45 PM
Good to know that is the case, I was unable to find that listed in any documentation. Seems odd to have crippled/sub-par wifi in the routers when the core of the business has always been excellent wifi.
... View more
06-06-2020
04:45 AM
Some further reading and experimenting since posting. My Windows laptop "sticks" with 2.4GHz, unless I manually change the laptop to use 5.2GHz with the Intel tools. My wife's Linux laptop automatically went to 5.2GHz. I have a couple of devices that are 2.4-only, so I actually don't want to turn off or down the 2.4GHz. At least I know I'm not going crazy.
... View more
06-06-2020
03:57 AM
We're adding a couple of Z3 units to our organization. As I'm testing I noticed that my laptop only connects at 2.4GHz and went looking for the Band Steering settings, but they aren't there. Am I missing something? Or do the Z3 units not support band steering?
... View more
11-27-2019
02:51 PM
So this is how it's set now. Everything on the network, regardless of group policy (normal or otherwise), and connect to remote smtp servers on port 25. If I remove rule #5 (.75 allow access) then nothing and get to port 25. Perhaps I will have to live with this and find how to get this single server to send reports via another method.
... View more
11-22-2019
08:56 PM
So, I've been trying to block port 25 on our network. If I don't have rules 5 & 6 then everything is indeed blocked on port 25. With rule 5 or rule 6 or both, then port 25 works for any system on the network. I'm confused, but also assuming that the issue is with me, not the MX. Help?
... View more
10-21-2019
02:51 PM
@Aaron_Wilson - I'm so glad I'm not the only one thinking it's strange that you can't set an "Allow" in the layer 3.
... View more
10-21-2019
02:49 PM
The caching server is on a whitelist already. The challenge is every client also has to get to iTunes to authenticate with Apple servers before pulling down payload. Since these systems constitute a dynamic list, assigning a special policy just to them isn't really feasible. So it's an all or nothing thing.
... View more
10-20-2019
04:02 PM
Due to severe bandwidth limitations we use a lot of blocking and content filtering. As such, we block video & music as a Layer 7 firewall rule. However...we're configuring an Apple Caching server. Idea is that the caching server has more bandwidth allocated to it, the clients sign-in with Apple on a throttled connection then are redirected to the caching server for the payload. However, we have to unblock iTunes everywhere for it to work. (Ug) I'd like to block this category, but allow only iTunes. The only way I've seen so far is to add the individual items in the group separately. However, this also defeats the purpose of the Meraki magic of dynamically updated lists. I don't suppose anyone has other ideas.
... View more
04-24-2019
06:51 AM
In the global section, I can't set the limit higher than the per-client limit that's set. So, I set it in the Group Policy and we'll see what happens.
... View more
04-24-2019
06:28 AM
I can't test this from where I am, so I have to wait until tomorrow. Does this work best in the "global" traffic shaping rules or in the Group policy?
... View more
04-24-2019
05:45 AM
We have a global bandwidth set to 7Mbps. I want to set a 2nd VLAN, on the same WAN1 connection, to use no more than 3Mbps; it's not per client. Whether there is 1 client or 30, no more than 3Mbps on that vlan. Is this doable in any way, shape or form? Group policy when applied to a VLAN seems to be a per-client limit for each device in that VLAN. I'm not sure what else to try.
... View more
04-18-2019
12:39 AM
We have a rather extensive list of content filtering, both allowed and blocked. Is there a way to add a comment into these boxes without breaking things? I'm thinking something like: #Block Google - Not needed in our company google.com #Block Microsoft - leadership's decision microsoft.com #Block this cause the manager said to lego.com
... View more
04-18-2019
12:36 AM
Curiosity...when should we expect a reply after filling in the form?
... View more
08-21-2018
03:36 PM
1 Kudo
I've looked into this myself and found this page for reference: http://technet.microsoft.com/library/hh373144.aspx That said, I'm not sure the best way to get all of that into Meraki's firewall.
... View more
08-15-2018
02:16 AM
That would be great...except I don't have licensing for 3 MX84 units and no budget to purchase the hardware.
... View more
08-14-2018
08:57 PM
We have a scenario where we are that there is no single reliable internet provider in our area. Currently, we have a main provider and 3 backup providers. The 3 backups could be used for other purposes as well, but I'm only able to put 2 WAN connections on the MX84. Technically, I know it should be possible to reassign the LAN ports as WAN, but nothing like that is exposed into the main interface. It would be very helpful if we could reassign some of the ports as WAN ports. We are only using 1 of the 10 LAN ports anyways...
... View more
07-19-2018
10:28 PM
I've been wishing to do this same thing for an eternity now. We even bought a Meraki switch for our core thinking we could then have the L3 routing on that switch and the Meraki mojo would allow us to do filtering by MAC on the MX. It doesn't. I want to do the same thing that you're doing and filter the internet by VLAN, each VLAN gets different levels of access by default. I have yet to find a way without having every vlan terminate on the MX, which doesn't work so well...
... View more
02-19-2018
05:18 PM
1 Kudo
Our organization is on a very (like, think slower than you probably already are thinking) slow internet connection. For the most part our organization only uses the MX units in 3 locations. 1 Wireless AP. We don't need the google maps in the dashboard and they seem to greatly lengthen the time it takes for any given page to load. Is there a way to turn the maps off? Wether it's per-user or organization wide?
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 2 | 448 | |
| 1 | 982 | |
| 1 | 7275 | |
| 1 | 1849 |
