The Meraki Community
AndreasE

Getting noticed

Member since Jun 8, 2018

Kudos from
User | Count
ospsms | 1
MeredithW (Community Manager) | 1
tdj7397 | 1
jdsilva | 2
theant | 1

Kudos given to
User | Count
Greenberet | 1
Owen | 1
kruso_tech | 1
PhilipDAth (Kind of a big deal) | 4
RohitRaj (Meraki Employee) | 1

Community Record

Posts: 45
Kudos: 11
Solutions: 0

Badges

CMNA
1st Birthday
First 5 Posts
First 10 Kudos
Lift-Off

Latest Contributions by AndreasE

Re: mxfirewallcontrol.py does not like tag filter

by AndreasE in Developers & APIs
03-23-2021 07:42 AM
Hi, to all it may concern:

I think I've found the root cause for my issue: It does not work for python2, it needs python3!

Find attached a tar file which contains a full example.

Kind Regards, Andreas

Re: Configuration Template: Firmware Upgrade Window

by AndreasE in Security / SD-WAN
03-22-2021 04:19 AM
Hi Greenberet,

you've actually made a good catch here -- if all countries in the world are switching forward to DST during this hour.

But think about US (have done it two weeks before) or countries in the southern hemisphere (either switching back or also having different cycles like US). With respect to CET (= Central European Time) you are certainly right, and the service window Sunday 28 March 2am to 3am does not exist at all, i.e. is virtually skipped this very Sunday!

Nevertheless, I think it would be a very good idea if Configuration Templates would display either no timezone at all or at least UTC, if any. The mapping of this window to a real local time shall be driven by the local network and its configured timezone.

For networks that are configured to CET, the question for this Sunday is: Shall the Firmware Upgrade happen at 1:02am CET (= 2:02am CEST virtually) or at 2:02am CET (= 3:02am CEST) or automatically being postponed to the next Sunday when this window of lowest usage does really exist once again?

Kind Regards

Configuration Template: Firmware Upgrade Window

by AndreasE in Security / SD-WAN
03-22-2021 12:48 AM
1 Kudo
One of our Customers has a clear expectation on when any relevant and necessary Firmware Upgrades shall take place.

But I've recently found the following two possible software bugs in the Dashboard concerning this setting for the Configuration Template (CT) under Network-wide > General > Firmware upgrades:

  • Why does a CT have a local timezone at all? Our CT-Z3 is bound to CET, but has got devices in several timezones all over the world. [see text marked in yellow in screenshot down]
  • Our Customer decided that FW Upgrades shall happen during lowest traffic hour, i.e. Sunday 2am-3am. But the FW upgrade is scheduled to 1:02am, why? [see text marked in red in screenshot down]

Kind Regards to all, AndreasE, CMNA, CISSP, CISM

mxfirewallcontrol.py does not like tag filter

by AndreasE in Developers & APIs
02-11-2021 02:01 AM
I've created two shell scripts that call mxfirewallcontrol.py, the first one is working fine, the second one fails (because it shows no hit which it should indeed):

    #!/bin/bash
    python mxfirewallcontrol.py -k 547***45b -o /all -f "type:network"
    #eof

    #!/bin/bash
    python mxfirewallcontrol.py -k 547***45b -o /all -f "type:network,tag:branch"
    #eof

You can see the code in question is almost a 1:1 copy from mxfirewallcontrol_manual.pdf on page 3 right at the bottom. Still it doesn't work.

Why? What did I miss?

PS: This is the result I received from first Shell script:

    @ INFO: Retrieving organization info
    @ INFO: Selecting networks and templates according to filters
    MX Firewall Ruleset for Organization "abc", Network "def"
    LINE:1 protocol:Any, srcPort:Any, srcCidr:Any, destPort:Any, destCidr:Any, policy:allow, syslogEnabled:False, comment:Default rule
    MX Firewall Ruleset for Organization "abc", Network "ghi"
    LINE:1 protocol:icmp, srcPort:Any, srcCidr:Any, destPort:Any, destCidr:Any, policy:allow, syslogEnabled:False, comment:ping
    LINE:2 protocol:Any, srcPort:Any, srcCidr:Any, destPort:Any, destCidr:Any, policy:allow, syslogEnabled:False, comment:Default rule
    @ INFO: End of script.

Labels: Code Sample, Dashboard API

Re: FQDN Support: How does the wildcard "*" (asterisk) match?

by AndreasE in Security / SD-WAN
11-11-2019 12:21 AM
Hi im,

you can use the wildcard "*" (asterisk) in the "Outbound rules", but you cannot use it in the "Cellular Failover rules". That's maybe the reason for confusion.

You should either re-open the case (if it's been closed) or insist on a sufficient answer.

Rgds, AE

Re: FQDN Support: How does the wildcard "*" (asterisk) match?

by AndreasE in Security / SD-WAN
11-07-2019 11:09 PM
Hi Blake,

did you mean "Make a Wish" (on that configuration page) or opening a case (what Customer and what kind of bug/support)?

Regrettably, you cannot "Make a Wish" on the documentation pages -- even if they deserve it many times from my past experience!

Rgds, Andreas

FQDN Support: details about caching?

by AndreasE in Security / SD-WAN
11-07-2019 08:48 AM
1 Kudo
I still like the "FQDN support" feature https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support -- even if it raises some questions (see https://community.meraki.com/t5/Security-SD-WAN/FQDN-Support-How-does-the-wildcard-quot-quot-asterisk-match/m-p/63896#M16175 and https://community.meraki.com/t5/Security-SD-WAN/Restricting-Cellular-data-during-failover-to-business-critical/m-p/33723#M8260).

But the documentation is really marginal on it: It doesn't tell you

  • how long the DNS query results ("IP mapping") are cached -- if there is a time limit at all
  • when or how that cache is being cleared
  • how that cache contents can be displayed in order to debug "strange hits"

Re: FQDN Support: How does the wildcard "*" (asterisk) match?

by AndreasE in Security / SD-WAN
11-07-2019 08:41 AM
I hoped that my question would deserve a test and reply from @BrechtSchamp or @Nash or @CameronMoody after 3 weeks...?

Re: Restricting Cellular data during failover to business critical applicat...

by AndreasE in Security / SD-WAN
11-07-2019 08:38 AM
Let's assume for a moment that "Cellular failover rules" simply substitute the native "Outbound rules" (which would be a bad idea since they do not support FQDN, but this is another story).

Given that, every admin should at least add the following rule as new rule #1 (i.e. BEFORE the default allow-any-any-rule is matched):

Otherwise, your SIM card will get a very high bill!

FQDN Support: How does the wildcard "*" (asterisk) match?

by AndreasE in Security / SD-WAN
10-14-2019 08:01 AM
On page https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support we learned how FQDN Support works. This feature allows a wildcard character * (= asterisk) in the Destination column which is quite handy for "big" domains like microsoft or windows.

But that page does not explain how the pattern matching works exactly.

Given one of the following possible strings in Destination column:

    *.microsoft.com
    *microsoft.com
    .microsoft.com
    microsoft.com

my question would be how the following hostnames (extracted from typical URLs) would match:

    w3.microsoft.com
    microsoft.com
    fakemicrosoft.com
    .microsoft.com

I'd hate to test all of these one by one. My favourite would be someone from Meraki to add it to the documentation page.

Re: Restricting Cellular data during failover to business critical applicat...

by AndreasE in Security / SD-WAN
10-11-2019 05:05 AM
...and by the way: this rule section would not accept a "FQDN support" type of firewall rule -- neither by GUI nor by API!

Therefore, I requested this feature to be added via "Make a Wish" today: When disaster strikes (i.e. primary internet access WAN1 is gone) you need to be able to control which kind of business critical traffic (most of these are cloud based Web services) you still want to Allow or Deny.

Re: Restricting Cellular data during failover to business critical applicat...

by AndreasE in Security / SD-WAN
10-10-2019 12:53 AM
Look here (this screenshot is not taken from the docu, but from the very original page where you configure the rules):

To me, this now very much looks like the "Cellular failover rules" shall simply substitute the native outbound rules! This would make sense in some respect -- and of course render my last Message obsolete...

Re: Restricting Cellular data during failover to business critical applicat...

by AndreasE in Security / SD-WAN
10-10-2019 12:21 AM
Thanks a lot for making this clear to me.

But I would have another very interesting (and at the moment theoretical) question: The documentation says "These firewall rules are appended to the existing outbound rules".

My current ruleset has the following structure:

    {"protocol" udp  "srcPort" Any  "srcCidr" Any  "destPort" 53  "destCidr" Any  "policy" allow  "syslogEnabled" false  "comment" DNS for FQDN support}
    {"protocol" tcp  "srcPort" Any  "srcCidr" Any  "destPort" 80,443  "destCidr" *.microsoft.com  "policy" allow  "syslogEnabled" false  "comment" HTTP[S] to MS}
    {"protocol" any  "srcPort" Any  "srcCidr" Any  "destPort" Any  "destCidr" Any  "policy" deny  "syslogEnabled" false  "comment" Default catch-all other traffic}
    {"protocol" Any  "srcPort" Any  "srcCidr" Any  "destPort" Any  "destCidr" Any  "policy" allow  "syslogEnabled" false  "comment" Default rule}

(rule #2 has been capped for demo purposes)

That said my question would be: Where are the Cellular Failover Rules "appended"?

  • Before or after rule #4 (which is the default rule that cannot be changed)?
  • Before or after rule #3 (which I had to insert in order to block unwanted outgoing traffic: I'm not very happy with the default rule #4 -- this is NOT the best practice for firewalls)?

How can I control this? How can the Cellular Failover Rules do what they're supposed to do (e.g. deny traffic to microsoft.com, because you don't want to update your device using an expensive cellular service billed by volume)?

Rgds, Andreas

Re: Rename an administrator?

by AndreasE in Dashboard & Administration
07-29-2019 02:35 AM
Hi Philip, hi all,

I think you can change the admin's name using the Dashboard API. At least, I've successfully done this on one of my Customers this morning using this Windows batch command:

    .\curl --max-time 3 --proxy proxy.intra.company.com:8090 -L -H "X-Cisco-Meraki-API-Key:***mykey***" -H "Content-Type:application/json" -X PUT --data-binary "{\"name\":\"Michael Fox (newco)\"}" "https://n213.meraki.com/api/v0/organizations/<orgID>/admins/<adminID>"

Of course, you need to install curl and all required certs first and insert some details (name of proxy server, your API key, orgID, adminID), but it worked for me!

Regards, AE

List of MQTT topics

by AndreasE in Smart Cameras
06-11-2019 02:10 AM
Hiya,

is there a complete list of all MQTT "topics" that any MV sense can/will publish to its broker?

I found all other interesting articles in "documentation", "create.io", and this community referring to that space, but no topics description.

Who can help?

Rgds, AndreasE

Re: IP conflict with two or more devices, but single MAC address

by AndreasE in Security / SD-WAN
05-09-2019 04:44 AM
so it's worth opening a case?

Re: IP conflict with two or more devices, but single MAC address

by AndreasE in Security / SD-WAN
05-09-2019 02:45 AM
Yes, I'm pretty sure, checked twice.

(I just removed the hyperlinks from the post)

IP conflict with two or more devices, but single MAC address

by AndreasE in Security / SD-WAN
05-09-2019 02:40 AM
Hi all,

a few mins ago I've received the following mail from Meraki:

-----
The security appliance in the <xyz> network has detected an IP conflict with two or more devices.

The IP 10.23.180.69 is claimed by clients with the following MAC addresses:
00:0D:AC:10:F6:7D
-----

Any idea how that may happen?

Regards, AE

Re: Serial Number Lookup

by AndreasE in Security / SD-WAN
05-07-2019 11:33 PM
Hi Brecht,

tx for your list, this is very helpful.

Although I need to admit that the only model I'm missing in this list is just the one I was asking for... Z3C!

Regards, Andreas.

Serial Number Lookup

by AndreasE in Security / SD-WAN
05-07-2019 05:26 AM
Hi all,

I know that all serial numbers of Z3 model devices start with "Q2TN".

But what prefix is used for Z3C model devices?

Is there a "tool" or other thing that maps such prefixes with models?

Rgds, AndreasE

Re: change mtu on wan interface

by AndreasE in Security / SD-WAN
04-04-2019 04:35 AM
Ha, I would be so glad if I could configure it manually at all -- not to dream of a template...

MSP: Dashboard Login directly into specific Organisation (= Customer)

by AndreasE in Dashboard & Administration
04-03-2019 12:26 AM
Hi,

I'm working for a big MSP and we're delivering services based on Meraki to several Customers.

After I logged in to Dashboard, I'm presented with a list of Organisations (= Customer names) where my mail address is linked to (as an admin).

But that means if I'm presenting the 2FA login procedure to one specific Customer, he could see the names of the other Customers as well -- which is privacy-sensitive information.

Is there a specific type of URL (augmented with Organisation name etc.) which would directly select this Organisation and not present the list of all Organisations I'm bound to?

Kind Regards, Andreas

Re: Traffic Analytics by VLAN or L2/L3 topology?

by AndreasE in Full-Stack & Network-Wide
03-22-2019 05:48 AM
Hi,

can I create a certain "Port tag" and then customize the "Summary Report" in such a way that it will report any traffic on ports tagged like these (e.g. as Anomalies)?

Rgds, Andreas.

Re: change mtu on wan interface

by AndreasE in Security / SD-WAN
03-15-2019 03:52 AM
Hi all,

if an MX device needs to be replaced (RMA case), would the replacement device get the same MTU size setting that the broken one had configured (by Meraki Support)?

Or do we have to open a new case right after the device has actually been replaced?

Rgds, Andreas

Re: Meraki mx64 with two Internet connections

by AndreasE in Security / SD-WAN
03-14-2019 03:40 AM
1 Kudo
Hi Ajit,

I think you can only make "LAN4" to be "WAN2". Your screenshot suggested that "LAN1" could be "WAN2" which IMHO can not be configured on the local status page.

Btw: Would be great if Dashboard would reflect that configuration change in the "Status" picture, like

    1 2 3 WAN2 WAN1

Rgds, Andreas.

PS: The page "Security & SD-WAN"->"Monitor"->"Appliance status" shows "WAN2" IP address as "Not connected" even in the case you have NOT done the local status page config change -- as soon as the Configuration Template's Traffic Shaping setting implies this!

My Top Kudoed Posts
Subject | Board | Kudos | Views
lowercase vs UPPERCASE in "Search Dashboard" | Dashboard & Administration | 3 | 1893
Re: Dashboard SW bug: Cloning a Config Template "looses" Site-to-Site VPN s... | Security / SD-WAN | 2 | 3299
Configuration Template: Firmware Upgrade Window | Security / SD-WAN | 1 | 992
FQDN Support: details about caching? | Security / SD-WAN | 1 | 1133
Re: Meraki mx64 with two Internet connections | Security / SD-WAN | 1 | 36875
© 2023 Meraki