All Apps and Add-ons

Group Policy Allow/Deny Question

Engager

Under Flows we see Allow/Deny for Group Policy, but we don't see an indication of which Group Policy this hits against, or better yet which part of which Group Policy it hits for. Any way to see this, or is it a Meraki limitation?

0 Karma

Path Finder

Could you email me directly some log entries?

It could be a meraki limitation, but I've been able to solve issues before by building jobs which post lookup tables automatically in order to fill them out.

I'd like to visualize what it is you are seeing.

Thanks,

-Myron

0 Karma

Engager

Hey Myron,

Thanks for the quick reply. See below

Jun 10 21:45:30 172.16.XXX.XXX 1560203130.462878987 Device flows src=10.0.XXX.XX dst=192.168.XXX.xxx mac=B4:FB:E4:XX:XX:XX protocol=tcp sport=58329 dport=7442 pattern: Group Policy Allow

Jun 10 19:59:58 172.16.XXX.XXX 1560196798.789815839 Device flows src=10.0.XXX.XXX dst=37.18.XXX.XXX mac=B4:FB:E4:XX:XX:XX protocol=tcp sport=36930 dport=80 pattern: Group Policy Deny

0 Karma

Path Finder

I remember running into this as well! A feature request needs to go into Meraki in order to ask them to exposed the actual group policy that was triggered.

Sorry :(. No hope on this one.

Engager

Glad I'm not the only one. Put in a feature request yesterday, along with opening a support case. Guess to fill the gap I can hit the Meraki API, pull the Group Policy details, store that in SQL and have Splunk do lookups against that to help piece things together. Should be a good way to kill a morning, right? 😉

0 Karma