Cisco AI answered me:

Need to route only HTTP/HTTPS over Non-Meraki VPN Tunnel

AI Assistant 08:45 AM

To route only HTTP/HTTPS traffic (TCP ports 80 and 443) over a Non-Meraki VPN tunnel on a Meraki MX, use the VPN Full-Tunnel Exclusion feature. This allows you to define application, IP, or URL-based rules for local internet breakout or VPN routing.

Here’s how you can achieve this:

- Go to Security & SD-WAN > Configure > Site-to-site VPN in the Meraki Dashboard.
- Under Non-Meraki VPN peers, add your VPN peer and set the "Private subnets" to 0.0.0.0/0 if you want to send all internet-bound traffic through the tunnel.
- To route only HTTP/HTTPS, use the VPN Full-Tunnel Exclusion feature:
  - Navigate to Security & SD-WAN > Configure > SD-WAN & traffic shaping.
  - Create a VPN exclusion rule for all traffic except HTTP/HTTPS, so only HTTP/HTTPS is routed over the VPN tunnel, and other traffic uses the local internet breakout.

This approach allows you to selectively route only HTTP/HTTPS traffic over your Non-Meraki VPN tunnel while keeping other traffic on the local WAN.

For detailed steps and best practices, refer to the following documentation:

- VPN Full-Tunnel Exclusion (Application and IP/URL Based Local Internet Breakout)
- Site-to-Site VPN Settings

If you need step-by-step configuration guidance or have a specific scenario, let me know.

You

yes pls

AI Assistant 08:51 AM

Here is a step-by-step guide to route only HTTP/HTTPS traffic over a Non-Meraki VPN tunnel using VPN Full-Tunnel Exclusion on Meraki MX:

Step 1: Configure the Non-Meraki VPN Peer

- Go to Security & SD-WAN > Configure > Site-to-site VPN in the Meraki Dashboard.
- Under Non-Meraki VPN peers, click Add a peer.
- Enter the peer details (Name, Public IP, etc.).
- For Private subnets, enter 0.0.0.0/0 to allow all internet-bound traffic to be routed through the tunnel.

Step 2: Enable VPN Participation for Relevant Subnets

- In the same Site-to-site VPN page, select the subnets that should participate in the VPN.

Step 3: Configure VPN Full-Tunnel Exclusion

- Go to Security & SD-WAN > Configure > SD-WAN & traffic shaping.
- Scroll to the VPN traffic section.
- Add a VPN exclusion rule: Set the rule to match all traffic except HTTP/HTTPS (TCP ports 80 and 443).
- This ensures only HTTP/HTTPS traffic is routed over the Non-Meraki VPN tunnel, while other traffic uses the local internet breakout.

Step 4: Save and Apply Changes

- Review your configuration and click Save.

Step 5: Verify Tunnel Status

- Go to Security & SD-WAN > Monitor > VPN Status to confirm the tunnel is active.

Reference Documentation:

- VPN Full-Tunnel Exclusion (Application and IP/URL Based Local Internet Breakout)
- Site-to-Site VPN Settings

If you need help with the exact rule syntax or screenshots, let me know.