For our company, we believe Meraki MX will replace our traditional VPN concentrators running Advanced License. We are now testing this across 10 sites across the globe and recommend that everyone make this into a template:

1. Segregate the corporate LAN and guest network into different VLANs, and do not publish the latter in VPN.
2. For network ports, please do consider setting up an Access Policy (with an on-prem RADIUS server, or try JumpCloud). You can use a combination of 802.1x and MAB to identify untrusted connected clients and then associate them with the guest VLAN.
   ** We did not enable Splash Page for the Guest VLAN, but it may be worth considering **
3. Content Filtering with Full List (better coverage), and apply whitelisted URL patterns for any needed.
4. Enable both AMP and IDP/IPS under threat protection.

When you have a new site, you may create a network and clone it from the above template. This way you save a lot of time, especially on Content Filtering, which took us about 30 minutes the first time.

After deployment you may also want to perform the following for daily operations:

a. Set up an upgrade window, like Sunday 3am local time, so that you automatically get the latest firmware before the start of the business week.
b. Set up Alerts and send them to the 24/7 ServiceDesk via Service-Now to assign tickets:
   - Rogue DHCP Server is detected
   - Warm Spare failover occurs
   - Malware is blocked
   - Malware is downloaded
c. Schedule Email Report

We receive a weekly summary report, and from there we also know the top blocked sites by URL & Categories plus the top security threats by signature. On demand you will also receive the MX Security Report, which informs about security events, affected clients, threats, affected operating systems, and source of threats. With the MX Security Report received, Security Administrators should immediately review Security Centre in Meraki Dashboard to perform a number of mitigation tasks. (My personal favorite: Block IP in Security Centre automatically creates firewall rules with comments so that rollback is easy.)

Apart from the above, we also know there is a team of friendly Meraki Support folks whom we can email / ring up from the Advance Security hotline found in Get Help of Meraki Dashboard.
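An added example, not part of the original post: a small offline check that a cloned network still matches items 1, 3 and 4 of the template above. The settings dict is constructed sample data, and its field names are an assumption modelled on Meraki Dashboard API v1 response shapes; `audit_baseline` and the guest VLAN naming convention are hypothetical.

```python
import ipaddress

# Constructed sample settings for one MX network. The dict shapes are an
# assumption modelled on Meraki Dashboard API v1 responses (appliance VLANs,
# site-to-site VPN, content filtering, malware and intrusion settings).
SAMPLE_NETWORK = {
    "vlans": [
        {"id": 10, "name": "Corporate", "subnet": "10.10.10.0/24"},
        {"id": 99, "name": "Guest", "subnet": "192.168.99.0/24"},
    ],
    "vpn": {"mode": "spoke", "subnets": [
        {"localSubnet": "10.10.10.0/24", "useVpn": True},
        {"localSubnet": "192.168.99.0/24", "useVpn": True},  # guest leaked into VPN
    ]},
    "content_filtering": {"urlCategoryListSize": "topSites", "allowedUrlPatterns": []},
    "malware": {"mode": "enabled"},
    "intrusion": {"mode": "disabled"},
}

def audit_baseline(net, guest_vlan_names=("guest",)):
    """Return a list of deviations from the template described in the post."""
    findings = []
    # Guest VLANs are identified by name here (hypothetical convention).
    guest_nets = [ipaddress.ip_network(v["subnet"]) for v in net.get("vlans", [])
                  if v["name"].strip().lower() in guest_vlan_names]
    if not guest_nets:
        findings.append("no guest VLAN found")
    # Item 1: a guest subnet must not be published into the site-to-site VPN.
    for entry in net.get("vpn", {}).get("subnets", []):
        local = ipaddress.ip_network(entry["localSubnet"])
        if entry.get("useVpn") and any(local.overlaps(g) for g in guest_nets):
            findings.append(f"guest subnet {local} is published in VPN")
    # Item 3: content filtering should use the full category list.
    if net.get("content_filtering", {}).get("urlCategoryListSize") != "fullList":
        findings.append("content filtering is not using the full list")
    # Item 4: both AMP and intrusion detection/prevention must be switched on.
    if net.get("malware", {}).get("mode", "disabled") != "enabled":
        findings.append("AMP (malware protection) is disabled")
    if net.get("intrusion", {}).get("mode", "disabled") == "disabled":
        findings.append("intrusion detection/prevention is disabled")
    return findings

if __name__ == "__main__":
    for finding in audit_baseline(SAMPLE_NETWORK):
        print("DEVIATION:", finding)
```

Running the same check against every network cloned from the template shows where a site has drifted from the baseline after local changes.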