Nash,   What preemptive measures are you taking to secure your network? Maybe I am thinking this through the wrong way.One of my core reasons for utilizing Geo Filtering is because the amount of 1:1 and many:1 we are doing from our firewall. Unfortunately having these devices open has left them exposed to the world and leaves them open to a constant hammering. My security center reports show hits on a continuous basis and because of this it has brought me to Geo-filtering specific regions of the world which are utilizing systems to consistently hammer our environment.    I haven't found the U.S. to be a problem yet but when we do we will be sure to handle that as it comes.   Turning on Geo Filtering to protect our NAT statements is a way to increase their security from being hit from regions or countries where they are being hammered but that doesn't mean the firewall shouldn't be flexible to allow a few remote IP ranges from that country as long as you know and trust the IPs from that provider/vendor.  ... View more

if this is the answer should it be acceptable? Theoretically we should be able to put remote IP range rules above the hierarchy of geo filtering Layer 7 rules  and the would take precedence over remainder of policies because it would see an allow and then let the traffic pass-through without it ever reaching the geo filter rule.    There are other firewalls with this capability today. I began to dig through the forums here as well and it appears this has been a requested feature for at least 2 years now.  ... View more

I second this motion is Meraki doing any dev work on getting a permit setup for Layer 7 rules?  ... View more

Do you utilize Meraki to Meraki VPNs as well? Just curious. It does appear to be what @PhilipDAth stated. But another issue ive had is you must limit the non meraki VPN to the specific network you want and you also cannot have subnets set to yes on your VPN settings to share if the non meraki end is not setup with them on their phase 2 selectors as well. If you do have this the meraki will constantly have issues with Phase 2 due to the Meraki trying to share subnets with the non meraki peer that it doesn't know about.  ... View more

Older firmware i have had buggy AMP. I actually spoke with a representative at one time who told me they were making big changes to AMP because at one point in time the Whitelisted URLs did not actually work when and if in their and listed. One of the newer updates was supposed to help resolve those issues.  ... View more

@jdsilva I do want to redact my previous statement. I had forgotten that i built a group policy specifically for this clien(Spam Filter) I created the rule in the group policy it stopped sending or receiving from the blacklisted public IP.... and began sending through as another public IP. So now im working through stopping the malicious attacks in general.    Its hard to lock down SMTP when you are an MSP and your clients are utilizing it as a relay.   ... View more

@jdsilva earlier after setting the rule on L7 and outbound i believe that it was blocking the traffic after i built the rule.  Im watching it again now though and i see no packets hitting that rule now.... Luckily i have IP reputation turned on for my Spam Filter so it knows the IP is malicious and blacklisted. But the logs are piling up because i cant get my meraki firewall to block this on the front end.  ... View more

exactly my concern!  ... View more

already had this as well. Sorry forgot to mention it.  and i actually believe the layer 7 is still for outbound only as i can see the rogue device still hitting my spam filter. But i can see responses from my spam filter being blocked.  ... View more

The MX/s do not participate in spanning tree so it may be possible it was the cause of your issue. Just an idea as ive had issues with multiple uplinks going from MX to LAN if spanning tree isnt working properly.  ... View more

Can you explain a bit further?    If I am understanding your right you have 2 remote sites and 2 Main sites.   You want to have it setup so that if Site 1 goes down the remote sites will all begin pointing to site 2 for all adfs? and what part of site 1 goes down all of it or just internet?      ... View more

Have you talked to Meraki support? This may be a known bug. I've run into this issue a few times where bright cloud and meraki are not syncing properly causing web filter issues. There fix was usualy a firmware update or to whitelist with a wildcard.  ... View more

It appears with Passthrough mode the same manner of what i mentioned before applies.    You will build a route on the edge router to point back to the IP address of the Z and it will send the traffic over the remote site afterwards. Difference is that you will not be doing any NAT from the Z.    Meraki documentation link for passthrough: https://documentation.meraki.com/MX/Networks_and_Routing/Passthrough_Mode_on_the_MX_Security_Appliance_and_Z1_Teleworker_Gateway  ... View more

Does their current firewall have the ability to do routing? If so why not set the device behind the network. LAN and WAN (do not prefer to double NAT but it works.)   After that give the Z3 a LAN IP address and setup a static route in current firewall for any traffic destined to the local LAN on remote office to the Z3 LAN IP address.    Make sure site to site VPN is on for the Z3 and the other site as well.    Voila you still are using your Verizon internet connection with the current firewall that is able to utilize the throughput verizon gives and if the client needs to reach their office they are able to as well as all traffic to the clients other office will be destined to the Z3.          ... View more

It sounds like your best option if your MX is also acting as your switch is to do the following.   Enable VLANs under routing of the addressing and vlans tab. (Make sure the current vlan is still setup properly afterwards, Check DHCP and make sure it is proper as it was before also.)   Create a new VLAN/Subnet for this specific device. Change the interface that the device is connected to and give it the native VLAN of the new VLAN you have just setup.    Setup DHCP also so the device grabs proper IP and DNS.    After this and the device is up and working properly...   You can then go into firewall rules and create rules to block the device/subnet from communicating to the other devices/subnet that you are trying to achieve.  ... View more

Any update on Visio stencils. I dont see MX250 as a device in the stencils today.  ... View more

Awesome! Thank you! ... View more

If we want to talk about storage space for Meraki swag I have some at my office in Arizona haha 😀 ... View more

Is there a way to had unanswered topics shown on the main page of the community when logged in?  ... View more

@Zach   Can you clarify what you mean by they are the same subnet on each side?   What are the subnets and networks for each side today?  ... View more

@Griz Yea sorry I cant think of a good way to do it with a Meraki product. Im hoping they allow for a bit more customization of routing in the future on the Meraki firewalls and switches. I think the only reason they don't is it could cause major issues communicating to Meraki Cloud if not programmed properly.  ... View more

Hi, @Griz What interface does the point to point connect to on the firewalls is it only a layer 2 point to point? In order to route (internet) traffic out the MX firewalls it must be connected to a WAN interface or so ive been told.  ... View more

@smccloud. Have you already tried to reboot it by disconnecting and reconnecting to see if it can initiate connection to Meraki Cloud again? If so and that did not work try factory default.   Factory Reset Button If the button is pressed and held for at least five seconds and then released, the MR33 will reboot and be restored to its original factory settings by deleting all configuration information stored on the unit. https://documentation.meraki.com/MR/Installation_Guides/MR33_Installation_Guide    If all else fails call Meraki support (415)-937-6671 as you may have a faulty device.   Please let me know the results im interested to see if the default works. Ive had APs do this a few times but factory default always seemed to fix the problem.  ... View more