Could you email me directly some log entries?
It could be a meraki limitation, but I've been able to solve issues before by building jobs which post lookup tables automatically in order to fill them out.
I'd like to visualize what it is you are seeing.
Thanks for the quick reply. See below.
Jun 10 21:45:30 172.16.XXX.XXX 1560203130.462878987 Device flows src=10.0.XXX.XX dst=192.168.XXX.xxx mac=B4:FB:E4:XX:XX:XX protocol=tcp sport=58329 dport=7442 pattern: Group Policy Allow
Jun 10 19:59:58 172.16.XXX.XXX 1560196798.789815839 Device flows src=10.0.XXX.XXX dst=37.18.XXX.XXX mac=B4:FB:E4:XX:XX:XX protocol=tcp sport=36930 dport=80 pattern: Group Policy Deny
I remember running into this as well! A feature request needs to go into Meraki in order to ask them to expose the actual group policy that was triggered.
Sorry :(. No hope on this one.
Glad I'm not the only one. Put in a feature request yesterday, along with opening a support case. Guess to fill the gap I can hit the Meraki API, pull the Group Policy details, store that in SQL and have Splunk do lookups against that to help piece things together. Should be a good way to kill a morning, right? 😉
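As an added example (not code from any poster in this thread), here is a small Python parser for the MX "Device flows" syslog lines quoted above, plus the enrichment step the last reply describes: join the client MAC in each flow line against a MAC-to-group-policy table and surface the denied flows. The two sample lines are the ones quoted in the thread; the `POLICY_BY_MAC` table is a constructed stand-in for whatever gets pulled from the Meraki API and stored, and the policy name in it is made up.

```python
import re
from typing import Dict, List, Optional

# Shape of the MX "Device flows" syslog lines quoted in this thread:
# <Mon> <day> <hh:mm:ss> <reporter ip> <epoch> Device flows k=v ... pattern: <verdict text>
FLOW_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<reporter>\S+)\s+(?P<epoch>\d+(?:\.\d+)?)\s+Device flows\s+"
    r"(?P<fields>(?:[a-z]+=\S+\s+)+)pattern:\s+(?P<pattern>.+?)\s*$"
)

# The two log lines posted in the thread, used here as sample input.
SAMPLE_LINES = [
    "Jun 10 21:45:30 172.16.XXX.XXX 1560203130.462878987 Device flows src=10.0.XXX.XX "
    "dst=192.168.XXX.xxx mac=B4:FB:E4:XX:XX:XX protocol=tcp sport=58329 dport=7442 "
    "pattern: Group Policy Allow",
    "Jun 10 19:59:58 172.16.XXX.XXX 1560196798.789815839 Device flows src=10.0.XXX.XXX "
    "dst=37.18.XXX.XXX mac=B4:FB:E4:XX:XX:XX protocol=tcp sport=36930 dport=80 "
    "pattern: Group Policy Deny",
]

# Constructed lookup table standing in for the client MAC -> group policy mapping
# the poster plans to pull from the Meraki API and store. The policy name is made up.
POLICY_BY_MAC: Dict[str, str] = {
    "B4:FB:E4:XX:XX:XX": "Guest-Restricted",
}


def parse_flow(line: str) -> Optional[dict]:
    """Parse one 'Device flows' line into a dict, or return None if it does not match."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    rec = {
        "reporter": m.group("reporter"),
        "epoch": float(m.group("epoch")),
        "pattern": m.group("pattern"),
    }
    # The key=value run between "Device flows" and "pattern:"
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        rec[key] = value
    for port in ("sport", "dport"):
        if port in rec:
            rec[port] = int(rec[port])
    # Normalise the MAC so it matches the lookup table regardless of case
    rec["mac"] = rec.get("mac", "").upper()
    # "Group Policy Allow" / "Group Policy Deny" -> "allow" / "deny"
    rec["verdict"] = rec["pattern"].rsplit(" ", 1)[-1].lower()
    return rec


def enrich(rec: dict, policy_by_mac: Dict[str, str]) -> dict:
    """Attach the group policy assigned to the client MAC, or None if unknown."""
    out = dict(rec)
    out["group_policy"] = policy_by_mac.get(out.get("mac", ""))
    return out


def deny_report(lines: List[str], policy_by_mac: Dict[str, str]) -> List[dict]:
    """Return enriched records for denied flows only; unparseable lines are skipped."""
    report = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["verdict"] != "deny":
            continue
        report.append(enrich(rec, policy_by_mac))
    return report


if __name__ == "__main__":
    for rec in deny_report(SAMPLE_LINES, POLICY_BY_MAC):
        print(f'{rec["mac"]} -> {rec["dst"]}:{rec["dport"]} denied '
              f'(policy: {rec["group_policy"]})')
```

The lookup only tells you which policy is currently assigned to the client, not which rule fired at the time of the flow, so treat the enrichment as a hint rather than ground truth until Meraki exposes the triggered policy in the log itself. In Splunk the same join is a `lookup` against a CSV or KV-store table keyed on `mac`.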