Today another Whitelisted event got blocked - Disable and re-enable it made the traffic work again. Event was "1-15511 Oracle WebLogic Apache Connector buffer overflow attempt". Legal traffic from clients to a license server for a CAD application which was whitelisted over a year ago. That's really annoying. Can't check hundreds of firewalls if something is not working as configured ...   ... View more

Hi, we saw the same events on some appliances - not all we manage. Also created a layer 7 rule to block the ip. We also have the same thoughts about this topic - why was the traffic allowed? Is there any kind of compromise?  And so on ... Kind regards   ... View more

Sorry for late reply. Got a reply on my ticket yesterday evening. "I checked that for you and it looks like this is a known issue on our side where some of the whitelisted IDs are still getting blocked. Our engineering team is working on a solution for it and I will update you as soon as I hear from them." No solution until now and printers still not working 😞 ... View more

Hi, we got the equal issue and already raised a ticket. But at our systems this event was whitelisted round about a year ago and nothing changed. Seems to be something very wrong with IDS as there are more threads about IDS - https://community.meraki.com/t5/Security-SD-WAN/Security-Center/td-p/224281     I'm a bit worried seeing IDS events allowed out of nowhere and whitelisted events getting blocked.   Kind regards ... View more

Reply of Meraki support: IPS/SNORT blocking Microsoft traffic   Dear Giacomo, i can't accept this explanation of Meraki. There are even problems with big services like Microsoft Exchange Online and so on. So nobody is able to fix this beside Microsoft themselves.  I understand there is some kind of security issue but it was released hours ago and now breaking traffic for a lot of customers is not the right way to handle it. Does the whitlisting work or is it dropped as there answers already said after 5-10 minutes? Turning off the IDS is NO solution ... View more

I think there is some correlation to latest Exchange-server updates, where Microsoft recommended to activate Extended Protection. This changes a lot in the SSL configuation of the IIS. And maybe someone on snort tried to create a IDS rule to block this kind of attack and finally configured some bad preferences to identify a real attack instead of normal traffic to an IIS with SSL ... View more