I have just recently switched over to MXs for Firewalls. I assume like most firewalls its recommended to have an implicit deny as your last firewall rule? Trying to plan for any unplanned impact would this impact any connectivity with Meraki switches, AP's, camera's etc from their connection to the cloud.  ... View more

So, I had some information not identified to me correctly on the limitations of NAT/Address Translation with the MX Appliances. I had a basic Site to Site connection I had to build with a 3rd party to access their web application with LDAP credentials. Working with Meraki support it took 3 months to resolve because of Address Translation issues. Essentially 3rd party couldn't use the IP Subnet range I was advertising to them. Eventually this was resolved by enabling an experimental feature for IPv4 translation within Security & SD-WAN > Site to Site VPN and setting the subnet that has that specific LDAP server on it to have a different IP Range (example local 10.1.1.0/24 to 192.168.30.0/24).    But here is where things become tricky that was one 3rd party Site to Site connection. I have at least 6 more that don't use Meraki gear. They may have Cisco ASA's, Fortinet, Sonicwall etc and since the only NAT I can do is once per subnet I have to align with all my 3rd parties that may be sharing IP space in the same VLAN to all use the same NAT IP Range. So example would be 3rd party vendor 2 accesses 10.1.1.5 and 3rd party vendor 3 accesses 10.1.1.10 but they both use NAT as they cannot use the standard subnet I am advertising. So instead then building a NAT per Site to Site I have to essentially work with both 3rd parties at the same time and PRAY I find a subnet that they can both use so I can assign that as the translation subnet in VPN settings.  I've checked with other network engineers and solution architects at other IT Firms, and this is for sure a limitation that they all have ran into. I'm just at this point trying to figure out how I move forward, how to work around this and if anyone has done anything different in similar predicament and how to overcome it.  ... View more

So, is there no way to specifically affect at the user level a different Group Policy? Meraki is instructing me that it is only a VLAN/Client situation.    IE.... John logs into Computer A (main pc) has elevated web browsing rights due to being on Administration VLAN. John later logs into Computer B but doesn't have elevated access due to different VLAN/Client. The only way for that user to get those additional website access would be applying the group policy to that different VLAN/client for Computer B? ... View more

What is the best way to identify what policy a client is associated to within Meraki? Especially if that is a policy set at the VLAN level? Is there something in the logs that I am missing that identifies the Group Policy assigned to that client? I haven't found it as well when looking into a Syslogs server. ... View more

I'm hoping to get some assistance on understanding Content Filtering and Group policies better from the community....   Most users will likely hit the standard content filter but in some situations more restrictive access or less restrictive access I need to have custom content filtering groups. So, I am using Group Policy in Meraki which ties back to an Active directory group. The problem is if I place a user in that active directory group they never show as a client being affected. I even have the group policy associated to the VLAN since I moved my interfaces from layer 3 at the switch up to the MX devices. But I know the user is getting associated to the correct group policy because if I move them out of the AD Group then they go back to the default content filter settings and cannot reach the webpage anymore.    So what I am really needing is more of an understanding of utilizing Group Policies with content filtering. How do you tell for sure that user is applied to that Meraki Group Policy? How do you tell from logs that the user is affected by the default content filter or a specific group policy? Do you only apply the group policy at a client from the dashboard instead then a VLAN? Most importantly how with this content filter do you combat users that may roam between different VLANs and especially different PCs? ... View more

Use the standard global configuration locked down on all categories and very few sites with AD Groups providing less restrictive access? Or use the global/default network filtering for all Company/site wide URL access and categories with additional groups via AD for less or stronger restrictive access? My thoughts was to use the initial setup of the global being most restrict to add another level of restrictions on anything that may try to get on the network that are not domain, then if you are domain you would filter into one of the other less restrictive policies. I have inquired with Meraki support on this and informed me that both methods work, but I was still curious to see from other technicians that setup content filtering in their organization with method did they go with.? ... View more