Cisco Meraki

Review configuration options for Cisco Meraki firewalls in RocketCyber


Reputation lookup on connecting IPs

Meraki firewalls report events of several different types. For HTTP GET requests, RocketCyber monitors the traffic and informs you only of unexpected requests or of traffic to or from unusual locations (e.g. countries flagged on the Enabled Countries list)

Rogue SSID, SSID spoofing

Monitors for attempts to hijack network traffic by convincing clients that a malicious access point is part of the legitimate network

IDS signature match

Finds a variety of dangerous traffic, such as known malware, by matching intrusion detection signatures

Packet flood

Warns of Denial of Service attacks against your network, as well as certain types of network reconnaissance

VPN change, IP session initiated

Changes in VPN connectivity and IP session initiations can provide useful information, but on most systems they generate far too much noise to be worth alerting on by default

Log Format

The expected format for Meraki logs is space-separated syslog: a <PRI>VERSION header, then (where present) an epoch timestamp, the appliance name and the event type, followed by key=value fields and any free-text remainder. For example:

<134>1 1571411707.115137436 Meraki_HQ_appliance urls src=192.168.17.127:58837 dst=173.193.237.179:443 mac=70:E2:84:AA:AA:AA request: UNKNOWN https://r1cm.r1soft.com/...

<134>1 url=http://www.eicar.org/download/eicar.com.txt src=192.168.128.2:53150 dst=181.10.231.251:80 mac=98:5A:EB:AA:AA:AA name=EICAR sha256=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f disposition=malicious action=block
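The following parser is an added example, not RocketCyber or Cisco code, showing how the space-separated lines above break down into the syslog priority, the optional timestamp/appliance/event-type header, the key=value fields and the free-text remainder (the "request: ..." part of the first sample), and how the event-type descriptions earlier on this page translate into a first triage pass. The two sample lines are copied from this page; the second one lacks the timestamp, appliance name and event type exactly as shown there, so the parser has to tolerate that. The triage labels and the function names are this example's own assumptions.

```python
"""Parse and triage Meraki syslog lines in the format shown on this page.

Added example, not RocketCyber or Cisco code.  The triage labels below are
this example's own; RocketCyber's internal classification is not documented
on the page.
"""
import re
from typing import Dict, Optional, Tuple

# Sample lines copied from the page.  The second one carries no timestamp,
# appliance name or event type, exactly as it appears on the page.
SAMPLE_URLS = (
    "<134>1 1571411707.115137436 Meraki_HQ_appliance urls "
    "src=192.168.17.127:58837 dst=173.193.237.179:443 mac=70:E2:84:AA:AA:AA "
    "request: UNKNOWN https://r1cm.r1soft.com/..."
)
SAMPLE_AMP = (
    "<134>1 url=http://www.eicar.org/download/eicar.com.txt "
    "src=192.168.128.2:53150 dst=181.10.231.251:80 mac=98:5A:EB:AA:AA:AA "
    "name=EICAR sha256=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f "
    "disposition=malicious action=block"
)

HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ver>\d+)\s+(?P<rest>.*)$")
TS_RE = re.compile(r"^\d+(\.\d+)?$")           # epoch seconds, optional fraction
KV_RE = re.compile(r"^([A-Za-z0-9_]+)=(.*)$")  # key=value; value may itself contain '='


def parse_meraki(line: str) -> Optional[Dict]:
    """Split one line into header, optional timestamp/host/event type,
    key=value fields and any trailing free text.  Returns None when the line
    does not start with a <PRI>VERSION syslog header."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    rec = {
        "facility": pri >> 3,   # <134> = facility 16 (local0), severity 6 (info)
        "severity": pri & 7,
        "version": int(m.group("ver")),
        "timestamp": None, "host": None, "event_type": None,
        "fields": {}, "trailer": "",
    }
    tokens = m.group("rest").split()
    i = 0
    # Positional header (timestamp, appliance name, event type) is only
    # present when the first token is an epoch timestamp.
    if i < len(tokens) and TS_RE.match(tokens[i]):
        rec["timestamp"] = tokens[i]
        i += 1
        if i < len(tokens) and not KV_RE.match(tokens[i]):
            rec["host"] = tokens[i]
            i += 1
        if i < len(tokens) and not KV_RE.match(tokens[i]):
            rec["event_type"] = tokens[i]
            i += 1
    # key=value fields, stopping at the first token that is not one.
    while i < len(tokens):
        kv = KV_RE.match(tokens[i])
        if not kv:
            break
        rec["fields"][kv.group(1)] = kv.group(2)
        i += 1
    # Whatever is left (e.g. "request: UNKNOWN https://...") is free text.
    rec["trailer"] = " ".join(tokens[i:])
    return rec


def split_endpoint(value: str) -> Tuple[str, Optional[int]]:
    """'192.168.17.127:58837' -> ('192.168.17.127', 58837)."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, None


def triage(rec: Dict) -> str:
    """First-pass label (this example's own scheme): a malicious file verdict
    from the scanning fields is actionable; everything else is informational,
    matching the page's advice that most event types are too noisy to alert on."""
    f = rec["fields"]
    if f.get("disposition") == "malicious":
        return "malicious-file-" + f.get("action", "unknown")
    return "informational"


if __name__ == "__main__":
    for line in (SAMPLE_URLS, SAMPLE_AMP):
        rec = parse_meraki(line)
        src_ip, src_port = split_endpoint(rec["fields"].get("src", ""))
        print(triage(rec), rec["event_type"], src_ip, src_port, rec["fields"].get("sha256", ""))
```

The key=value loop stops at the first token without an equals sign, which is what keeps the "request: UNKNOWN ..." tail of the first sample out of the field map; values that themselves contain "=" (a URL query string, for instance) stay intact because the regex splits only on the first "=".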