All Apps and Add-ons

Group Policy Allow/Deny Question

rwhiteman
Engager

Under Flows we see Allow/Deny for Group Policy, but we don't see an indication of which Group Policy this hits against, or better yet which part of which Group Policy it hits for. Any way to see this, or is it a Meraki limitation?

0 Karma

myron_davis
Path Finder

Could you email me directly some log entries?

It could be a meraki limitation, but I've been able to solve issues before by building jobs which post lookup tables automatically in order to fill them out.

I'd like to visualize what it is you are seeing.

Thanks,

-Myron

0 Karma

rwhiteman
Engager

Hey Myron,

Thanks for the quick reply. See below

Jun 10 21:45:30 172.16.XXX.XXX 1560203130.462878987 Device flows src=10.0.XXX.XX dst=192.168.XXX.xxx mac=B4:FB:E4:XX:XX:XX protocol=tcp sport=58329 dport=7442 pattern: Group Policy Allow

Jun 10 19:59:58 172.16.XXX.XXX 1560196798.789815839 Device flows src=10.0.XXX.XXX dst=37.18.XXX.XXX mac=B4:FB:E4:XX:XX:XX protocol=tcp sport=36930 dport=80 pattern: Group Policy Deny

0 Karma

myron_davis
Path Finder

I remember running into this as well! A feature request needs to go into Meraki in order to ask them to exposed the actual group policy that was triggered.

Sorry :(. No hope on this one.

rwhiteman
Engager

Glad I'm not the only one. Put in a feature request yesterday, along with opening a support case. Guess to fill the gap I can hit the Meraki API, pull the Group Policy details, store that in SQL and have Splunk do lookups against that to help piece things together. Should be a good way to kill a morning, right? 😉

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!