- About AndreasE
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
AndreasE
Getting noticed
Member since Jun 8, 2018
Community Record
42
Posts
9
Kudos
0
Solutions
Badges
3 weeks ago
I've created two shell scripts that call mxfirewallcontrol.py, the first one is working fine, the second one fails (because it shows no hit which it should indeed): #!/bin/bash
python mxfirewallcontrol.py -k 547***45b -o /all -f "type:network"
#eof #!/bin/bash
python mxfirewallcontrol.py -k 547***45b -o /all -f "type:network,tag:branch"
#eof You can see the code in question is almost a 1:1 copy from mxfirewallcontrol_manual.pdf on page 3 right at the bottom. Still it doesn't work. Why? What did I miss? PS: This is the result I received from first Shell script: @ INFO: Retrieving organization info
@ INFO: Selecting networks and templates according to filters
MX Firewall Ruleset for Organization "abc", Network "def"
LINE:1 protocol:Any, srcPort:Any, srcCidr:Any, destPort:Any, destCidr:Any, policy:allow, syslogEnabled:False, comment:Default rule
MX Firewall Ruleset for Organization "abc", Network "ghi"
LINE:1 protocol:icmp, srcPort:Any, srcCidr:Any, destPort:Any, destCidr:Any, policy:allow, syslogEnabled:False, comment:ping
LINE:2 protocol:Any, srcPort:Any, srcCidr:Any, destPort:Any, destCidr:Any, policy:allow, syslogEnabled:False, comment:Default rule
@ INFO: End of script.
... View more
Labels:
‎11-11-2019
12:21 AM
Hi im, you can use the wildcard "*" (asterisk) in the "Outbound rules", but you cannot use it in the "Cellular Failover rules". That's maybe the reason for confusion. You should either re-open the case (if it's been closed) or insist on a sufficient answer. Rgds, AE
... View more
‎11-07-2019
11:09 PM
Hi Blake, did you mean "Make a Wish" (on that configuration page) or opening a case (what Customer and what kind of bug/support)? Regrettably, you cannot "Make a Wish" on the documentation pages -- even if they deserve it many times from my past experience! Rgds, Andreas
... View more
‎11-07-2019
08:48 AM
1 Kudo
I still like the "FQDN support" feature https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support -- even if it raises some questions (see https://community.meraki.com/t5/Security-SD-WAN/FQDN-Support-How-does-the-wildcard-quot-quot-asterisk-match/m-p/63896#M16175 and https://community.meraki.com/t5/Security-SD-WAN/Restricting-Cellular-data-during-failover-to-business-critical/m-p/33723#M8260). But the documentation is really marginal on it: It doesn't tell you how long the DNS query results ("IP mapping") are cached -- if there is a time limit at all when or how that cache is been cleared how that cache contents can be displayed in order to debug "strange hits"
... View more
‎11-07-2019
08:41 AM
I hoped that my question would deserve a test and reply from @BrechtSchamp or @Nash or @CameronMoody after 3 weeks...?
... View more
‎11-07-2019
08:38 AM
Let's assume for a moment that "Cellular failover rules" simply substitute the native "Outbound rules" (which would a bad idea since they do not support FQDN, but this is another story). Given that, every admin should at least add the following rule as new rule #1 (i.e. BEFORE the default allow-any-any-rule is matched): Otherwise, your SIM card will get a very high bill!
... View more
‎10-14-2019
08:01 AM
On page https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support we learned how FQDN Support works. This feature allows a wildcard character * (= asterisk) in the Destination column which is quite handy for "big" domains like microsoft or windows. But that page does not explain how the pattern matching works exactly. Given one of the following possible strings in Destination column: *.microsoft.com *microsoft.com .microsoft.com microsoft.com my question would be how the following hostnames (extracted from typical URLs) would match: w3.microsoft.com microsoft.com fakemicrosoft.com .microsoft.com I'd hate to test all of these one by one. My favourite would be someone from Meraki to add it to the documentation page.
... View more
‎10-11-2019
05:05 AM
...and by the way: this rule section would not accept a "FQDN support" type of firewall rule -- neither by GUI nor by API! Therefore, I requested this feature to be added via "Make a Wish" today: When disaster strikes (i.e. primary internet access WAN1 is gone) you need to be able to control which kind of business critical traffic (most of these are cloud based Web services) you still want to Allow or Deny.
... View more
‎10-10-2019
12:53 AM
Look here (this screenshot is not taken from the docu, but from the very original page where you configure the rules): To me, this now very much looks like the "Cellular failover rules" shall simply substitute the native outbound rules! This would make sense in some respect -- and of course render my last Message obsolete...
... View more
‎10-10-2019
12:21 AM
Thanks a lot for making this clear to me. But I would have another very interesting (and at the moment theoretical) question: The documentation says " These firewall rules are appended to the existing outbound rules". My current ruleset has the following structure: {"protocol" udp "srcPort" Any "srcCidr" Any "destPort" 53 "destCidr" Any "policy" allow "syslogEnabled" false "comment" DNS for FQDN support} {"protocol" tcp "srcPort" Any "srcCidr" Any "destPort" 80,443 "destCidr" *.microsoft.com "policy" allow "syslogEnabled" false "comment" HTTP[S] to MS} {"protocol" any "srcPort" Any "srcCidr" Any "destPort" Any "destCidr" Any "policy" deny "syslogEnabled" false "comment" Default catch-all other traffic} {"protocol" Any "srcPort" Any "srcCidr" Any "destPort" Any "destCidr" Any "policy" allow "syslogEnabled" false "comment" Default rule} (rule #2 has been capped for demo purposes) That said my question would be: Where are the Cellular Failover Rules "appended"? Before or after rule #4 (which is the default rule that cannot be changed)? Before or after rule #3 (which I had to insert in order to block unwanted outgoing traffic: I'm not very happy with the default rule #4 -- this is NOT the best practice for firewalls)? How can I control this? How can the Cellular Failover Rules do what they're supposed to do (e.g. deny traffic to microsoft.com, because you don't want to update your device using an expensive cellular service billed by volume)? Rgds, Andreas
... View more
‎07-29-2019
02:35 AM
Hi Philip, hi all, I think you can change the admin's name using the Dashboard API. At least, I've successfully done this on one of my Customers this morning using this Windows batch command: .\curl --max-time 3 --proxy proxy.intra.company.com:8090 -L -H "X-Cisco-Meraki-API-Key:***mykey***" -H "Content-Type:application/json" -X PUT --data-binary "{\"name\":\"Michael Fox (newco)\"}" "https://n213.meraki.com/api/v0/organizations/<orgID>/admins/<adminID>" Of course, you need to install curl and all required certs first and insert some details (name of proxy server, your API key, orgID, adminID), but it worked for me! Regards, AE
... View more
‎06-11-2019
02:10 AM
Hiya, is there a complete list of all MQTT "topics" that any MV sense can/will publish to its broker? I found all other interesting articles in "documentation", "create.io", and this community referring to that space, but no topics description. Who can help? Rgds, AndreasE
... View more
‎05-09-2019
04:44 AM
so it's worth opening a case?
... View more
‎05-09-2019
02:45 AM
Yes, I'm pretty sure, checked twice. (I just removed the hyperlinks from the post)
... View more
‎05-09-2019
02:40 AM
Hi all, a few mins ago I've received the following mail from Meraki: ----- The security appliance in the <xyz> network has detected an IP conflict with two or more devices. The IP 10.23.180.69 is claimed by clients with the following MAC addresses: 00:0D:AC:10:F6:7D ----- Any idea how that may happen? Regards, AE
... View more
‎05-07-2019
11:33 PM
Hi Brecht, tx for your list, this is very helpful. Although I need to admit that the only model I'm missing in this list is just the one I was asking for... Z3C! Regards, Andreas.
... View more
‎05-07-2019
05:26 AM
Hi all, I know that all serial numbers of Z3 model devices start with "Q2TN". But what prefix is used for Z3C model devices? Is there a "tool" or other thing that maps such prefixes with models? Rgds, AndreasE
... View more
‎04-04-2019
04:35 AM
Ha, I would be so glad if I could configure it manually at all -- not to dream of a template...
... View more
‎04-03-2019
12:26 AM
Hi, I'm working for a big MSP and we're delivering services based on Meraki to several Customers. After I logged in into Dashboard, I'm presented with a list of Organisations (= Customer names) where my mail address is linked to (as an admin). But that means if I'm presenting the 2FA login procedure to one specific Customer, he could see the names of the other Customers as well -- which is privacy-sensitive information. Is there a specific type of URL (augmented with Organisation name etc.) which would directly select this Organisation and don't present the list of all Organisations I'm bound to? Kind Regards, Andreas
... View more
‎03-22-2019
05:48 AM
Hi, can I create a certain "Port tag" and then customize the "Summary Report" in such a way that it will report any traffic on ports tagged like these (e.g. as Anomalies)? Rgds, Andreas.
... View more
‎03-15-2019
03:52 AM
Hi all, if an MX device needs to be replaced (RMA case), would the replacement device get the same MTU size setting that the broken one had configured (by Meraki Support)? Or do we have to open a new case right after the device has actually been replaced? Rgds, Andreas
... View more
‎03-14-2019
03:40 AM
1 Kudo
Hi Ajit, I think you can only make "LAN4" to be "WAN2". Your screenshot suggested that "LAN1" could be "WAN2" which IMHO can not be configured on the local status page. Btw: Would be great if Dashboard would reflect that configuration change in the "Status" picture, like 1 2 3 WAN2 WAN1 Rgds, Andreas. PS: The page "Security & SD-WAN"->"Monitor"->"Appliance status" shows "WAN2" IP address as "Not connected" even in the case you have NOT done the local status page config change -- as soon as the Configuration Template's Traffic Shaping setting implies this!
... View more
‎03-14-2019
03:31 AM
how? example?
... View more
‎03-14-2019
12:47 AM
Hi BrechtSchamp, tx for your quick reply. And yes, you seem to be absolutely right. Meanwhile I'm receiving such mails (it didn't happen yesterday when I switched it on, but by magic it works now), but detected some software bugs in this feature quickly: I'm receiving a mail that tells me "The following 1 Bluetooth client on the xyz- wireless <https://n146.meraki.com/xyz-wireless/n/qw0j9abc/manage/bluetooth_clients/> network has gone out of range. <https://n146.meraki.com/xyz-wireless/n/qw0j9abc/manage/bluetooth_clients/1234> - Cisco Meraki" -- none of the clients seen in the list is called "Cisco Meraki", and it wouldn't make sense to use that very name for a client (!), wouldn't it? When I open any "Bluetooth client" details page ("Bluetooth Device" window title) and tried to hop to the original configuration template the wireless network is bound to (e.g. in order to change the Alert settings), I always receive a "Server Error" message. My company phone is a "Microsoft Lumia 640 LTE" with Windows 10 Mobile Enterprise. I'm generally able to use Bluetooth, but the Meraki Wireless Bluetooth Scanning seems to not recognize it. Seems the functionality is not very mature? Rgds, Andreas
... View more
‎03-14-2019
12:01 AM
Hi all, I have found this feature yesterday and tried it. But regrettably, I'm not seeing any mail alert coming through. The mask doesn't allow me to configure a recipient, you can just switch on or off 2 types of alerts, that's all. What mail address is it using? Rgds, Andreas
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 3 | 1077 | |
| 1 | 473 | |
| 1 | 22144 | |
| 1 | 1529 | |
| 1 | 1548 |
