12-01-2019 12:05 PM
I can't seem to get the policy right for my Meraki APs to check in with the Meraki cloud. I have allowed DNS, ping, and meraki-cloud-controller using any port, and allowed *.meraki.com and *.opendns.com. I still see stuff hitting my deny. Anyone know the correct combo for a policy?
12-02-2019 01:42 PM - edited 12-02-2019 01:46 PM
Meraki will need a static NAT statement so that it doesn't hit any sort of DIPP NAT statement; you need that source port to stay the same.
As for the apps that will actually hit the traffic, you'll need to actually monitor that Deny policy and really see what's actually being hit. Generally what I will do is simply not limit the application and allow the destination networks mentioned HERE so that any application updates don't break connectivity to the Meraki cloud.
12-03-2019 02:34 PM - edited 12-03-2019 02:35 PM
@BPry wrote: Meraki will need a static NAT statement so that it doesn't hit any sort of DIPP NAT statement; you need that source port to stay the same.
I can confirm, DIPP will break your MX's connection to the portal. As to security policies, we have one outbound rule for the meraki-cloud-controller app and another outbound rule for "any" app on UDP ports 32768-61000 in order to make our hubs work. (Your particular configuration/needs may vary from ours.)
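As an added illustration (not from either poster), here is what the two replies describe in PAN-OS set-format CLI: a static source NAT rule ordered above the catch-all DIPP rule so the Meraki device's source port is preserved, plus the two security rules from the second reply. The device IP 10.1.1.20, public IP 198.51.100.20, the zones trust/untrust, the interface ethernet1/1 and all rule/object names are placeholders; lines starting with `#` are annotations, not CLI.

```text
# Catch-all outbound PAT (DIPP). It rewrites source ports, which is what
# breaks the Meraki check-in when the Meraki device matches this rule.
set rulebase nat rules Outbound-DIPP from trust to untrust source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Static 1:1 source NAT for the Meraki device: the source port stays the same.
set rulebase nat rules Meraki-Static-NAT from trust to untrust source 10.1.1.20 destination any service any source-translation static-ip translated-address 198.51.100.20 bi-directional no

# NAT rules are evaluated top-down, so the static rule must sit above Outbound-DIPP.
move rulebase nat rules Meraki-Static-NAT top

# Security rule 1: the meraki-cloud-controller App-ID on its default ports.
set rulebase security rules Meraki-Cloud-Controller from trust to untrust source 10.1.1.20 destination any application meraki-cloud-controller service application-default action allow log-end yes

# Security rule 2: "any" application on UDP 32768-61000, as in the second reply.
set service Meraki-UDP-32768-61000 protocol udp port 32768-61000
set rulebase security rules Meraki-UDP-High-Ports from trust to untrust source 10.1.1.20 destination any application any service Meraki-UDP-32768-61000 action allow log-end yes

commit
```

Both security rules log at session end, so anything the Meraki device still sends that falls through to the deny rule shows up in the Traffic log, which is the monitoring step the first reply recommends before widening the policy.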