About Ole_Soerensen

Ole_Soerensen · ‎11-23-2020

@Bsalami If your request is still valid, I am more than willing to participate, if it can get us any closer to a solution.

Ole_Soerensen · ‎08-28-2018

Seeing the same issue here... Version 13.33 - It´s almost like a "hickup" everytime it needs to start... Aug 19 17:50:59 Intrusion detection started snort_rules_version: 2.9.8.3, source: ids-vrt-balanced, rules: 828397756caef914fe42dc8bbb53da58b6815a2e Aug 19 17:50:59 Intrusion detection error what: unable to start sniffer, snort_rules_version: 2.9.8.3, source: ids-vrt-balanced more » Aug 19 17:50:59 Intrusion detection rules update snort_rules_version: 2.9.8.3, source: ids-vrt-balanced, rules: 828397756caef914fe42dc8bbb53da58b6815a2e

Ole_Soerensen · ‎08-16-2018

Its kept @ 250Mb/sec by a built in policer (interface is normal 1 Gig offcource). According to Meraki SE, this is implemented because they want to make sure, that the device in question will always perform the guaranteed 250Mb throughput, no matter what type of inspection etc. you throw at it... also they have to keep cpu "overhead" for some of the upcoming features.. So yeah... if you try to do a test with iperf etc... you will se, that it is more than capable of doing +300Mbs, but then the policer kicks in. I would have liked the opportunity to use it at its full capability, but i respect the choice Meraki made instead, guaranteeing performance up to a certain speed... you know what you get.. no tuning or shortcuts needed 🙂 Best Regards Ole

Ole_Soerensen · ‎08-16-2018

Well, I think everybody would agree, that changing the legacy protocol in use, would be "the best thing to do", but it´s not up to me to decide the protocols used and serviced offered by other companys (im a Senior Consultant at a large cisco partner company)... I can advise them, but when the push come to show, its up to the specific customer to choose.. This specific customer is migrating from older, over the counter CPE hardware, that handled the passive ftp inspection... so I was just curious, as to why this protocol inspection was dropped on a next-gen firewall... to my knowledge passive ftp is still used on a very large scale... legacy protocol or not! Regards Ole

Ole_Soerensen · ‎08-15-2018

I had issues with passive FTP from clients outside to a server on the inside... I assumed a NG Firewall like the MX64/65 would do inspection on the Passive FTP to detect and allow the data ports supported (and announced) from the FTP server dynamically. But to my surprise i found info in the online documentation (https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Active_and_Passive_FTP_Overview_and_Configuration), stating that I needed to open TCP port 1024-65535 towards the server, for passive FTP to work!! Is this really "as is", or are there any fixes that can be applied or in development / pipeline? I did check the server manually, and found out it only needed around 32 specific high ports, so that was what i ended up configuring, and of course it works... but i was surprised to see Meraki stating, that "you should just open all high ports from outside to the specific server"... that is not a really clever thing to advise... especially if you don´t know what other services is running on a server! Best regards Ole

Ole_Soerensen · ‎05-15-2018

We administer many networks for the SMB segment. Small customers are granted "Monitor-only", and if they need Client-VPN access, we also grant them "Guest-Ambassador" priviledge... But why is it not possible for a "guest-ambassador" to do monitoring of the network... is it not possible to "merge" the two profiles in any way? An Administrator with both "Monitoring" and "guest-ambassador" privilege would make sense, as it is a bit hard to explain to customers, that they need two profiles (with different mail addresses).. one for monitoring and one for administering their VPN users. Hope somebody can point me to a "work-around". br/ Ole

Ole_Soerensen · ‎04-19-2018

@PhilipDAth Ok, I haven´t tried it on the new 5506-x, but was kinda expecting the command to work as it did on the 5505.. have you verified the absence of the command on the 5506-x? - Otherwise I will check myself whenI get around to it. br /Ole

Ole_Soerensen · ‎04-18-2018

I might be relativly new to Meraki, but im far from new to the Classic and Security portfolio, and I assure you, That the command “ show switch mac-address-table” is very much an ASA “thing”! On the smaller platforms (Those With a build in switch module) the 5505 as an exampel.. This command is very usefull in remote troubleshooting... to check if Things are attached as expected.. and I miss it on the Meraki MX... especialy since the MS Switches has this kind of info on parade (incl vendor lookup etc 😊

Ole_Soerensen · ‎04-18-2018

The ASA command equivalent to see this sort of info would be " show switch mac-address-table". I can run an arp request on the MX, but that is close to useless since it only list.. well ARP .. ip to mac... no interface info is given. Anyone found a way to display this info, that I am not aware of ? BR /Ole

Ole_Soerensen

Community Record

Badges

Re: MX64 - how to identify which mac addresses is attached to which interfa...

Re: Intrusion Detection Error - Log

Re: MX 64/65 throughput???

Re: Passive FTP inspection

Passive FTP inspection

Network Administrator - Guest-ambassador with monitoring privilege?

Re: MX64 - how to identify which mac addresses is attached to which interfa...

Re: MX64 - how to identify which mac addresses is attached to which interfa...

MX64 - how to identify which mac addresses is attached to which interface

MX64 - how to identify which mac addresses is attached to which interface

Re: Passive FTP inspection

Re: MX 64/65 throughput???

Passive FTP inspection