We push URLs via syslog into graylog which allows us see what time each request was made. ... View more

We tend to just go into "clients" and look at the "last 2 hours" graph, often the user with the highest bandwidth over the last 2 hours is the user who is hogging the connection at the present time. Although it's quite rare we have to look at it now we have decent bandwidth and QoS rules, there should be more real-time visibility. ... View more

Brilliant news. However i'm not sure why it specifies "Changes to how keys are handled in TLS 1.3 mean that services that only allow TLS 1.3 will not work properly." Given all the links online that suggest TLS1.3 can actually be inspected with a full man-in-the-middle setup, why can't meraki's implementation handle it? There's a link to a Symantec whitepaper on how it works in this thread. "With TLS 1.3 in place, if a device wants to look at the certificate it must intercept the session and decrypt it to see that information. And to do that, the network security device must fully support TLS 1.3." https://www.fortinet.com/blog/business-and-technology/tls-is-here-what-this-means-for-you.html It sounds like if the device implements a full MITM SSL proxy, it is possible to still do SSL-interception after TLS 1.3 comes along, but some devices are still attempting to do selective interception, which isn't compatible. ... View more

Once the second MX is added to the HA pair, the licensed devices count will drop to 1, so your second MX license will double the time of the "one MX" https://www.youtube.com/watch?v=oHmR1DPI4cY ... View more

Windows DHCP client does accept static routes from any DHCP server configured with the right options.   We use it to work around the lack of LAG group support in the MX devices, by pushing inter-vlan traffic through a L3 switch. ... View more

Check the previous techs mailbox for meraki emails, if they made it on their work address then you can send the password reset email to their work email address and get into it that way. (Assuming they didn't use a personal email).   I've never tried going the "evidence of ownership" route with meraki support, your mileage may vary with that. ... View more

Do you have *.apple.com in the walled garden list on your Guest WiFi? If you do, remove it.   If the iPhone can get to apple.com it doesn't show the splashpage until the user opens a browser and tries to go to a non-HTTPS website (which are surprisingly tricky to find these days).   I don't know why meraki added this as a default entry, it makes the experience worse for apple devices. ... View more

Done. This was the message in the ticket after I went back to them:   "Hi Christian, Our documentation was just updated and I'm seeing there is another back-end change I need to add which will disable the inbound firewall for the WAN for a specific MX. Since you've put this device back into production, please let me know if you would still like me to add this and please verify which MX to add it too since this change will be specific to a single device. Thanks! Chris Kordus Cisco Meraki Support" ... View more

It's ridiculous this seems to be the situation that they are only setting up 50% of NO NAT when you ask for it. If they come back to you and are still clueless I can PM you my ticket number.   Kind Regards, Christian ... View more

This is how the firewall page looks after they have made the additional change to allow inbound connections:     As you can see the "inbound rules" default rule is "allow any". It has been changed from a stateful firewall to just a firewall.   It sounds like you have the "incorrect" partial configuration that I had (and managed to get resolved) when I initially asked to be included in the NO-NAT beta. It's a very new feature and it's clear that not all meraki case support are experienced with setting it up yet.   I'd ask the meraki support person you are talking with to check their internal NO-NAT documentation which one of the people I was dealing with confirmed has been updated to include instructions on how to do disable the inbound firewall too.   Apparently, they have to apply this change to the serial number of the device rather than the network at the moment (which is odd, as it appears as a difference in the network firewall user interface). It's very strange that they have separated the two features as the vast majority of people disabling outbound NAT are also going to want to be able to connect to devices behind the LAN interfaces from some place upstream on a WAN link. Strictly speaking, a true L3 router should have no WAN/LAN distinction.   I've not tested out the VLAN based exceptions yet although they are present in the UI so I had assumed they will work. I have been seeing an issue where I can't ping any of the the LAN interfaces of the meraki from any place upstream of it (ICMP is allowed from any remote IP as you can see). However, I can access the client devices in my meraki created vlans from the upstream router (and our other locations) so it's working for us. ... View more

Meraki have to do a separate device-specific change on the backend to the add the "allow any" incoming connection rule.   I had exactly the same situation where I had the no-NAT options enabled but the device was still preventing inbound connections. Once you have the additional change done the firewall tab of the web UI then changes to be similar to the "passthrough mode" UI where it defaults to allow any and you create your restrictions, rather than locking you out of the inbound rules settings.   This was a separate feature and you have to go back to meraki support to get the inbound firewall disabled after the v15 firmware and no-NAT enablement. We have been using this as our main office router since February with no issues and recently had the v15.7 upgrade which hasn't caused any problems either. It's going to be deployed to another remote site of ours soon because it has worked so well for us.   Now lets hope they can get LAN side link aggregation/LACP support added too and the MX will start to be a useful router! ... View more

Cisco have announced some interesting products that can detect malware in encrypted traffic without decrypting it: https://blogs.cisco.com/security/detecting-encrypted-malware-traffic-without-decryption   The whitepaper says it's going to be in Cisco IOS XE 16.6 & it provides a list of models gaining the functionality: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-wp-cte-en.pdf   Are any of these features moving over to the Meraki MX series? ... View more

It is reinventing the wheel for Meraki to produce their own Meraki OS's while the Cisco mothership already have their own mature IOS platform.   I'd also love to see Meraki build a portal that lets you configure and manage a Cisco ASA for example. All it would have to do is generate a config file for the device. Unfortunately, it seems the direction the meraki ship is heading in is slow incremental improvement. ... View more

@GreenMan - It is making some pretty specific claims on this link: https://www.symantec.com/products/ssl-visibility-appliance "Enable the secure inspection of TLS 1.3 encrypted traffic" "Enables the inspection of all ports and protocols of traffic including TLS 1.3 draft versions 18 - 21" @BlakeRichardson - The Fortigate routers I linked to were $900 and $1800, so it is possible to get SSL inspection on products that are comparable in cost to the Meraki MX Security Appliances. ... View more

Well, SSM is just a term for IGMPv3 over IPv4, or MLDv2 over IPv6. With IGMPv3 the router and end OS all have to take part in the multicast group, so it's router and OS dependent. ASM (the older, more usual form of multicast) uses IGMPv2 or MLDv1. It sounds like the problem is that IGMPv3 isn't implemented on some of the non-ISP provided routers you have tried. I can't find any info claiming that the MX range does implement this, so it's likely this is the case. https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Multicast_support#IGMP_Support_on_the_Cisco_Meraki_Security_Appliance "MX Security Appliances will forward IGMP traffic for a single broadcast domain. It does not forward multicast traffic upstream, between VLANs, or over a VPN." This sounds to me to be talking about the older ASM IGMP versions, not IGMPv3 / SSM. I'd still suggest trying the ISP-provided router (which will implement IGMPv3 for your network) for the NAT, and use the MX in bridge-mode (which as long as it doesn't have a firewall rule in place shouldn't block the traffic). You don't lose any MX advanced security features in passthrough-mode, it will still provide client tracking, AMP, IDS, AV, and firewall capability to your devices. ... View more

The problem is not that there are a number of beta releases, (they would need to make those builds even to just perform traditional in-house testing on them, i'm glad they let us have them), it's the overly cautious approach to the stable releases that is frustrating, and it's quite shocking that it's held up critical security vulnerabilities being patched on an appliance sold as a security appliance! ... View more

Have you tried the MX in passthrough mode rather than NAT mode? (I.e BT Router > Meraki MX > Switch) The meraki support page for IPv6 States: https://documentation.meraki.com/zGeneral_Administration/Other_Topics/IPv6_Device_Compatibility "Cisco Meraki security appliances can pass IPv6 traffic in pass-through mode" ... View more

The current v13 build is stable enough and has been out for ages, it fixes a number of critical bugs, people should be encouraged to install it, not put off by calling it a beta.   Given that the a v12 release has gone out with all the security patches from v13/v14; why not make the latest v13 the "stable release candidate", and release the v14 builds to the beta channel? Anyone currently on a v13 "beta" could then be moved to the "stable release candidate" channel. If Meraki support is comfortable enough calling the v13 build stable, then the product managers should be acting in a consistent way with that view. ... View more

@BlakeRichardson By 'cost' do you mean price or performance?   Fortigate's entry-level NGFW 115 firewall range achieve throughput of 100 Mbps with SSL Inspection on low end Intel Atom CPUs: https://www.forcepoint.com/sites/default/files/resources/files/datasheet_forcepoint_ngfw_appliances_specs_en.pdf Their NGFW 321 doesn't specify the CPU used but it has a lower power draw than a Meraki MX84 and it achieves 150 Mbps throughput with SSL Inspection enabled. https://www.forcepoint.com/sites/default/files/resources/files/datasheet_forcepoint_ngfw_300_series_en.pdf ... View more

Interesting link. I found that Symantec is selling a security appliance that can decrypt the draft standard of TLS 1.3, so the measures must still allow some implementations of MITM: https://www.symantec.com/theme/secure-decryption I disagree with the assumption that because TLS 1.3 exists that this isn't worth looking into. Many big websites, e.g. PayPal have only just moved over to TLS 1.2 this year, which can be proxied. TLS 1.2 is not due to be depreciated at any point in the immediate future. Plus an SSL Proxy could be implemented with the existing transparent proxy software that the MX already runs on (squid), with some configuration changes. I feel there is a huge missed opportunity here. The Meraki Systems Manager agent could massively simplify the deployment of a trusted SSL certificate to the client PCs and devices. It could be a complete security solution, at the moment it has a giant hole of 50% of the web through the middle of it (and growing). ... View more

Completely agree. This is really essential and it makes a mockery of many of the features that the MX line claims it can do.  - The advertised "Intrusion Prevention/IDS" feature (powered by SNORT) can't prevent any exploits from SSL enabled servers. - Neither can the anti-malware feature (the MX will happily let you download a virus executable from an SSL enabled website - The google search filtering doesn't work as they have moved to SSL. - The "URL logging" feature (in beta) is completely unable to show the URLs for SSL websites. So we can't even view a history of a users google searches. The majority of the web uses SSL now, and the MX appliance is therefore not fit for the purposes it advertises. I've not heard anything about SSL Intercepting Proxy servers stopping working with a new version of TLS, do you have a link or some more information on that? ... View more

I think you're confusing Received Signal Power (which is a negative value measured between -99dBm and 0dBm) and RSSI (which is a positive value between 0 & 255 and has massive variances in implementation between manufacturers). Maybe you've used some products that report RSSI in dBm but they are incorrect in their use of this term for that measurement. Due to the massive variances in implementation between manufacturers, a true RSSI value is not at all suitable for AP placement. There's probably a case for implementing received signal power, measured in dBm, but that might lead to poor AP placement as people don't realise that a device with a low signal strength may be perfectly usable in an area of low background noise. Similarly, a client with a high receive power might not be at all usable in a noisy environment. SNR is the correct metric to display in a signal quality bar graph. It's true most devices show both signal strength and signal quality bars, but signal quality is the one that actually matters so overall it probably leads to better AP placement if used exclusively. ... View more

Why not just put in place traffic shaping rules rather than blocking things? If the rules are set well enough they will prevent any noticeable impact on your network or your users. If you try and make a rule specific enough that it only catches the apple Apple App Store, it will probably stop working at some point when Apple make changes to their servers, or it may unintentionally break something your users require. We have this rule set up in one of our offices which only has a 20 Mbps connection and 30 users:   gvt1.com is the Google Play Store update server so everything is covered. Then just make sure you tell the appliance the WAN connection speed in Security Appliance > Traffic Shaping  ... View more

Where is the meraki reply to this? The current products are vulnerable. An explanation is required. ... View more