Hi, there are a few caveats for using FQDN in L3 firewall rules:   The MX must see the client's DNS request and the server's response in order to learn the proper IP mapping. The communication between the client and DNS server cannot be intra-VLAN . Additionally, in some cases the client device may already have IP information about the web resource it is attempting to access. This could be due to the client having cached a previous DNS response, or a local DNS entry in a host file. The MX will not be able to block communications to the web resource in these cases. You should configure a L3 allow rule for DNS traffic, eg:                       this rule should be placed above the rule containing the FQDN. hope this helps!   ... View more

The packet counter on the interface aren't incrementing so there's nothing happening on the port. A packet capture is empty.  It's behaving in the same way a port would if connected to a media converter with link fault pass through set to off. That is, active connection to the media converter, but no connection beyond . ... View more

Hi @AnotherRon, The main difference is the Netflow data is only the traffic that hits the MX's CPU. If the traffic is hardware switched only, you will not see that in the Netflow collector graphs. As an example if some traffic is send within the same VLAN there is no need to route or NAT it thus is not hitting the MX's CPU and will not show in your Netflow collector. Here is a link to the document describing  how it works. https://documentation.meraki.com/MX/Monitoring_and_Reporting/NetFlow_Overview#NetFlow_Export_Scope   I hope that make sense. ... View more

I think you're right. I just confirmed with the the remote hands support, he had the appliance connected to his home router for the initial firmware upgrade, so the 5G SIM has probably never worked. I never knew that. ... View more