osecomputers.blogg.se

Meraki firewall

I’m a long-time user of the Meraki MX security appliance product line. Going way back to the MX-70, I have found tremendous value in what the MX products can do for my far-off sites. (Here’s an old - and I mean old - case study that gets into the early appreciation of the MX line.) I’ve probably set up maybe 65ish total MX devices through the years in multiple states and countries, doing site-to-site VPN, stand-alone, and also some pretty creative configurations. Despite my experience, I was recently reminded that I don’t know it all about a product that I feel extremely comfortable calling myself an expert on.

In one remote site that connects to the main network with site-to-site VPN, an NTP vulnerability was flagged on a couple of audio visual devices. The device vendor was of absolutely no help (go figure), and our security team asked if we could help from the Meraki side. We needed to kibosh NTP between the remote site and the main network. I pulled up the Firewall page on the MX and set to work. This is an area in the MX I’ve probably manipulated maybe a couple of dozen times, for everything from stopping phantom ringing on 3rd-party hosted IP phones to simple outbound protocol blocks. That image represents like three stages of desperation in getting rules right - as nothing I did worked. I simply could not tame the NTP beast to/from the two hosts, and it was making me feel silly. My first inclination was to blame Meraki - surely this stupid box must have issues! Except it didn’t… about the only thing Meraki could have done is perhaps mention on the Firewall page that there is a separate firewall rule set on the VPN configuration page for site-to-site rules. I had just never done firewall rules for the site-to-site tunnel.











