All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Group Policy Allow/Deny Question

rwhiteman
Engager
‎06-10-2019 02:33 PM

Under Flows we see Allow/Deny for Group Policy, but we don't see an indication of which Group Policy this hits against, or better yet which part of which Group Policy it hits for. Any way to see this, or is it a Meraki limitation?

0 Karma
Reply

myron_davis
Path Finder
‎06-10-2019 02:45 PM

Could you email me directly some log entries?

It could be a meraki limitation, but I've been able to solve issues before by building jobs which post lookup tables automatically in order to fill them out.

I'd like to visualize what it is you are seeing.

Thanks,

-Myron

0 Karma
Reply

rwhiteman
Engager
‎06-10-2019 02:50 PM

Hey Myron,

Thanks for the quick reply. See below

Jun 10 21:45:30 172.16.XXX.XXX 1560203130.462878987 Device flows src=10.0.XXX.XX dst=192.168.XXX.xxx mac=B4:FB:E4:XX:XX:XX protocol=tcp sport=58329 dport=7442 pattern: Group Policy Allow

Jun 10 19:59:58 172.16.XXX.XXX 1560196798.789815839 Device flows src=10.0.XXX.XXX dst=37.18.XXX.XXX mac=B4:FB:E4:XX:XX:XX protocol=tcp sport=36930 dport=80 pattern: Group Policy Deny

0 Karma
Reply

myron_davis
Path Finder
‎06-11-2019 10:03 AM

I remember running into this as well! A feature request needs to go into Meraki in order to ask them to exposed the actual group policy that was triggered.

Sorry :(. No hope on this one.

Reply

rwhiteman
Engager
‎06-11-2019 10:18 AM

Glad I'm not the only one. Put in a feature request yesterday, along with opening a support case. Guess to fill the gap I can hit the Meraki API, pull the Group Policy details, store that in SQL and have Splunk do lookups against that to help piece things together. Should be a good way to kill a morning, right? 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...