Brilliant news. However i'm not sure why it specifies "Changes to how keys are handled in TLS 1.3 mean that services that only allow TLS 1.3 will not work properly." Given all the links online that suggest TLS1.3 can actually be inspected with a full man-in-the-middle setup, why can't meraki's implementation handle it? There's a link to a Symantec whitepaper on how it works in this thread. "With TLS 1.3 in place, if a device wants to look at the certificate it must intercept the session and decrypt it to see that information. And to do that, the network security device must fully support TLS 1.3." https://www.fortinet.com/blog/business-and-technology/tls-is-here-what-this-means-for-you.html It sounds like if the device implements a full MITM SSL proxy, it is possible to still do SSL-interception after TLS 1.3 comes along, but some devices are still attempting to do selective interception, which isn't compatible. ... View more

Once the second MX is added to the HA pair, the licensed devices count will drop to 1, so your second MX license will double the time of the "one MX" https://www.youtube.com/watch?v=oHmR1DPI4cY ... View more

Do you have *.apple.com in the walled garden list on your Guest WiFi? If you do, remove it.   If the iPhone can get to apple.com it doesn't show the splashpage until the user opens a browser and tries to go to a non-HTTPS website (which are surprisingly tricky to find these days).   I don't know why meraki added this as a default entry, it makes the experience worse for apple devices. ... View more

Done. This was the message in the ticket after I went back to them:   "Hi Christian, Our documentation was just updated and I'm seeing there is another back-end change I need to add which will disable the inbound firewall for the WAN for a specific MX. Since you've put this device back into production, please let me know if you would still like me to add this and please verify which MX to add it too since this change will be specific to a single device. Thanks! Chris Kordus Cisco Meraki Support" ... View more

It's ridiculous this seems to be the situation that they are only setting up 50% of NO NAT when you ask for it. If they come back to you and are still clueless I can PM you my ticket number.   Kind Regards, Christian ... View more

This is how the firewall page looks after they have made the additional change to allow inbound connections:     As you can see the "inbound rules" default rule is "allow any". It has been changed from a stateful firewall to just a firewall.   It sounds like you have the "incorrect" partial configuration that I had (and managed to get resolved) when I initially asked to be included in the NO-NAT beta. It's a very new feature and it's clear that not all meraki case support are experienced with setting it up yet.   I'd ask the meraki support person you are talking with to check their internal NO-NAT documentation which one of the people I was dealing with confirmed has been updated to include instructions on how to do disable the inbound firewall too.   Apparently, they have to apply this change to the serial number of the device rather than the network at the moment (which is odd, as it appears as a difference in the network firewall user interface). It's very strange that they have separated the two features as the vast majority of people disabling outbound NAT are also going to want to be able to connect to devices behind the LAN interfaces from some place upstream on a WAN link. Strictly speaking, a true L3 router should have no WAN/LAN distinction.   I've not tested out the VLAN based exceptions yet although they are present in the UI so I had assumed they will work. I have been seeing an issue where I can't ping any of the the LAN interfaces of the meraki from any place upstream of it (ICMP is allowed from any remote IP as you can see). However, I can access the client devices in my meraki created vlans from the upstream router (and our other locations) so it's working for us. ... View more

Meraki have to do a separate device-specific change on the backend to the add the "allow any" incoming connection rule.   I had exactly the same situation where I had the no-NAT options enabled but the device was still preventing inbound connections. Once you have the additional change done the firewall tab of the web UI then changes to be similar to the "passthrough mode" UI where it defaults to allow any and you create your restrictions, rather than locking you out of the inbound rules settings.   This was a separate feature and you have to go back to meraki support to get the inbound firewall disabled after the v15 firmware and no-NAT enablement. We have been using this as our main office router since February with no issues and recently had the v15.7 upgrade which hasn't caused any problems either. It's going to be deployed to another remote site of ours soon because it has worked so well for us.   Now lets hope they can get LAN side link aggregation/LACP support added too and the MX will start to be a useful router! ... View more

Cisco have announced some interesting products that can detect malware in encrypted traffic without decrypting it: https://blogs.cisco.com/security/detecting-encrypted-malware-traffic-without-decryption   The whitepaper says it's going to be in Cisco IOS XE 16.6 & it provides a list of models gaining the functionality: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-wp-cte-en.pdf   Are any of these features moving over to the Meraki MX series? ... View more

@GreenMan - It is making some pretty specific claims on this link: https://www.symantec.com/products/ssl-visibility-appliance "Enable the secure inspection of TLS 1.3 encrypted traffic" "Enables the inspection of all ports and protocols of traffic including TLS 1.3 draft versions 18 - 21" @BlakeRichardson - The Fortigate routers I linked to were $900 and $1800, so it is possible to get SSL inspection on products that are comparable in cost to the Meraki MX Security Appliances. ... View more

@BlakeRichardson By 'cost' do you mean price or performance?   Fortigate's entry-level NGFW 115 firewall range achieve throughput of 100 Mbps with SSL Inspection on low end Intel Atom CPUs: https://www.forcepoint.com/sites/default/files/resources/files/datasheet_forcepoint_ngfw_appliances_specs_en.pdf Their NGFW 321 doesn't specify the CPU used but it has a lower power draw than a Meraki MX84 and it achieves 150 Mbps throughput with SSL Inspection enabled. https://www.forcepoint.com/sites/default/files/resources/files/datasheet_forcepoint_ngfw_300_series_en.pdf ... View more

Interesting link. I found that Symantec is selling a security appliance that can decrypt the draft standard of TLS 1.3, so the measures must still allow some implementations of MITM: https://www.symantec.com/theme/secure-decryption I disagree with the assumption that because TLS 1.3 exists that this isn't worth looking into. Many big websites, e.g. PayPal have only just moved over to TLS 1.2 this year, which can be proxied. TLS 1.2 is not due to be depreciated at any point in the immediate future. Plus an SSL Proxy could be implemented with the existing transparent proxy software that the MX already runs on (squid), with some configuration changes. I feel there is a huge missed opportunity here. The Meraki Systems Manager agent could massively simplify the deployment of a trusted SSL certificate to the client PCs and devices. It could be a complete security solution, at the moment it has a giant hole of 50% of the web through the middle of it (and growing). ... View more

Completely agree. This is really essential and it makes a mockery of many of the features that the MX line claims it can do.  - The advertised "Intrusion Prevention/IDS" feature (powered by SNORT) can't prevent any exploits from SSL enabled servers. - Neither can the anti-malware feature (the MX will happily let you download a virus executable from an SSL enabled website - The google search filtering doesn't work as they have moved to SSL. - The "URL logging" feature (in beta) is completely unable to show the URLs for SSL websites. So we can't even view a history of a users google searches. The majority of the web uses SSL now, and the MX appliance is therefore not fit for the purposes it advertises. I've not heard anything about SSL Intercepting Proxy servers stopping working with a new version of TLS, do you have a link or some more information on that? ... View more

Yeah you can pass alerts to SolarWinds using meraki dashboard SNMP: https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/SNMP_Overview_and_Configuration You can also enable SNMP on individual devices to monitor uptime. ... View more