@BrandonS wrote: This is working as designed and as it should as far as I can tell.  If the firewall rules are for all outbound traffic, your VPN clients are part of that outbound traffic when they route to the internet just like any other client.   Yes, true, but the outbound internet traffic is no longer encrypted as part of a tunnel on its way out, which is when it should hit the firewall rules.  at that point, the ports that are being blocked should not be involved in the outbound traffic.     ... View more

I think the point being made here is that Meraki customers are getting tired of discovering very basic functionality that is missing.  Something as basic as displaying the source of denied traffic should absolutely be included in any security appliance.  This isn't something that should need to be "wished".   Tracking down denied traffic is necessary for mitigating possible security issues.  a security appliance should include the ability to display this very basic information. ... View more

here is the answer supplied by Meraki Support:   In order to advertise the addresses from a Meraki client VPN to the non-Meraki devices, go to Security Appliance > Configure > Site to Site VPN, and then under VPN Settings and then Local Networks, you'll see the IP range there(Currently the range is set to 192.168.55.0/24) and then set Use VPN to "Yes".   my issue with the whole thing is how disjointed things are to simply create a vpn tunnel.  I have general complaints about the process with Meraki.  sometimes it is an improvement to do things differently than others, but in the case of VPN, which is built on a standard, its weird and frustrating that the various pieces necessary for building a tunnel are in different places.  Its not built using a straight-foward workflow for the various steps required.   Also a complaint, since I'm already ranting:  when I created the non-meraki tunnel I added two Meraki sites.  this visually appears to be one tunnel with two network ranges.  but that's not what's happening under the hood.  Its actually building two separate tunnels from each device.  That took a lot of time to figure out...and its silly.   thus endeth the rant. ... View more

it was a known client that we work with often, otherwise I would have been all over the person who did that (my boss). ... View more

I just finished the CMNO as well.   it was fine, I suppose.  It wasn't much in the way of actual training.   Also, the lab portion did not at all actually train for the issues that were introduced in the troubleshooting section.   I found that it was artificially hard because they created Meraki-specific problems that were never discussed in the "training" portion of the class.  It seemed like everyone in the class struggled with the same exercise, because it was related to a problem that only happens with Meraki, not a general network/security problem. ... View more

@MerakiDaveThanks for the info.  I reached out to my Meraki sales contact, but his response was to use the wish button, so it seems like we aren't all on the same page with this.   Also, Since rolling out my MX I have contacted support regarding 5 different functions. they are such obvious and common things that I assumed I was just not finding them in the dashboard.  Support responded to all 5 saying that those features/functions didn't exist.   So, I'll continue to use the wish button, my sales contact, and these forums just to be thorough. ... View more

@Twiles- on another thread I recently learned that a more urgent way to request features is via the sales team.  I've sent this idea to him and included a link to this forum thread.   I've also recently installed Meraki, coming from both Sophos XG and SonicWALL.  I've found Meraki to be very limiting in its feature set thus far compared to those products.   on the upside, when I turn things on with Meraki, they just work.  Sophos XG had tons of features, but was buggy and caused tons of outages.  no more of that with the MX device.     I am just frequently left desiring more functionality. ... View more

@MerakiDaveThanks for the explanation.  I've been using the Wish button when I find features that are missing when I compare the Meraki MX to other next-gen security products, including "features" that I would consider to be must-haves for any full-featured security product.    Are you saying these should be going through the sales team to add more urgency than the wish button might provide?   My thinking behind using the community for it was to give some sort of public view as to how many folks are requesting the same things that I am.  Or maybe someone suggests something that I wouldn't even think on my own of but sounds great and I could add my own vote for that feature after seeing it posted.   Maybe this community isn't the best place for technical reasons, but some sort of public view would be awesome in my opinion. ... View more

I would much prefer to see feature requests made here in the forums where we can see how many people are requesting them, rather than through the "make a wish" button   I would think it would be easy to change the button on the dashboard to link to the community ... View more

Adding to this request, and I've already used the silly "wish" button for this as well.    logging in general is terrible on this thing.  "use a syslog server" should never be an appropriate response. ... View more

I understand, they are internal PCs and MS Surface devices for the most part...we don't use an MDM solution.   I'm very disappointed to learn that I can't track sources of traffic based on either the firewall rule that is denying the traffic or the content filter.     How is thing considered a next-gen security device when it doesn't include features that were included in the last 2 generations of other vendors' products?    It's not very secure when there isn't enough logging to track down the source of unwanted traffic on the network.   Thus endeth the rant. ... View more

I don't know what SM is, so probably not ... View more

awesome, I have had that turned on for several weeks.   Also, when I created the outbound rule to block tcp 1723, I saw lots of hits on that rule at first, so I don't think the content filter was blocking all of it.   The hits on that rule have stopped which makes me think the clients for some of these products are smart enough to recognize the port being blocked and are changing ports.     At this point, I'm not super confident we have stopped it, but I'm going to try some packet captures to verify that.   On a side note, a newbie question: how do I see which traffic is hitting/being blocked by a specific rule? ... View more

I appreciate the advice on that...I can certainly do it, but I would consider that a workaround and a missing feature. ... View more

thanks, that gets me close to what I need...can't export it though to provide to non-IT staff.   and I've used some, specifically Fortigate, that do a great job of analyzing the web conversation and grouping all of the requests together...Meraki's is not a very complete solution compared to other products. ... View more

I had several users who couldn't browse the internet.  I wasn't sure where to see if they had violated a web filter policy or if it was a traffic routing issue, firewall rule, etc...   again, i'm brand-new to Meraki and more familiar with full-featured security appliances with more traditional logging abilities. These products feel very limiting right now, but I'm still in the break-in period. ... View more