Cisco Meraki

Cisco Meraki has released free software updates that address the vulnerability that is described in this advisory.Customers may only install and expect support for software releases and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco End User License Agreement and applicable Product Specific Terms: customers may only download software for which they have a valid license, procured from Cisco Meraki directly, or through a Cisco Meraki authorized reseller or partner. In most cases, this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.Customers are advised to regularly consult the advisories for Cisco Meraki products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. Cisco Meraki recommends utilizing firmware best practices for firmware updates. If the information is not clear, customers are advised to contact Cisco Meraki Support.Fixed ReleasesCisco Meraki released an update that included the fix for this vulnerability through the Meraki Dashboard on June 12, 2024. Cisco Meraki recommends upgrading to Cisco Meraki SM Agent for Windows Release 4.2.0 or later immediately. Release notes for Cisco Meraki Systems Manager Agent Release 4.2.0 are available at systems where the Agent Version Control in the Meraki Dashboard is set to latest or to Release 4.2.0 or later, the agent deployments will upgrade to a fixed release automatically. Alternatively, see Systems Manager Agent and MDM Profile Enrollment for information

The core block. Figure 16. Secure Campus Proposed Design, part 2 shows how multiple floors can be connected to the distribution layer. Figure 17. Secure Campus Proposed Design, part 3 illustrates multiple buildings connected to the core block. Appendix B - Suggested Components Branch Attack Surface Branch Security Suggested Cisco Components Human Users Identity Identity Services Engine (ISE) Cisco Secure Access by Duo Meraki Management Devices Endpoints Client-based Security Cisco Secure Endpoint Cisco Umbrella Cisco AnyConnect Secure Mobility Client Posture Assessment Cisco AnyConnect Secure Mobility Client Identity Services Engine (ISE) Meraki Mobile Device Management Network Wired Network Firewall Cisco Secure Firewall Integrated Services Router (ISR) Meraki MX Intrusion Prevention Cisco Secure Firewall Cisco Secure Firewall on UCS-E Meraki MX Access Control+ TrustSec Wireless Controller/Catalyst Switch Identity Services Engine (ISE) Meraki MX Analysis Anti-Malware Cisco Secure Endpoint Advanced Malware Protection (AMP) for Networks Advanced Malware Protection (AMP) for Web Security Integrated Services Router (ISR) with SecureX Network Analytics SecureX Malware Analytics Threat Intelligence Talos Security Intelligence SecureX Malware Analytics Cognitive Threat Analytics (CTA) Flow Analytics Cisco Secure Firewall Catalyst Switches ISR with SecureX Network Analytics SecureX Network Analytics (Flow Sensor and Collectors) Wireless LAN Controller Meraki MX WAN Web Security Cisco Secure Firewall Cisco Secure Web Umbrella Secure Internet Gateway (SIG) Meraki MX VPN Cisco Secure Firewall Integrated Services Router (ISR) Aggregation Services Router (ASR) Meraki MX Cloud Cloud Security Umbrella Secure Internet Gateway (SIG) Cloudlock Meraki MX Applications Service Server-based Security Cisco Secure Workload Cisco Umbrella Appendix C - Feedback If you have feedback on this design guide or any of the Cisco Security design guides, please send an email to [email protected]. For more information on SAFE, see www.cisco.com/go/SAFE.

A Warning status to Connected. This is because the Network Tunnel Group is designed to have a Primary and Secondary tunnel connected to each Hub for failover. Traffic will pass to the Primary Hub even if the Network Tunnel Group status is Warning.Run ping tests from the new VLAN to the internet. For more information, see Using the Ping Live Tool.Check the status of the VPN tunnel. For more information, see VPN Status Page.Follow the VPN troubleshooting procedures. For more information, see Troubleshooting Non-Meraki Site-to-site VPN.👍Note: Cisco Meraki does not support policy based routing. It is not possible to do client side routing to determine if specific traffic belongs inside or outside the tunnel. However, it is possible to choose if an entire VLAN is tunneled to Secure Access.Optional ConfigurationsTo create a VLAN for the subnet to redirect to Secure Access, see Configuring VLANs on the MX Security Appliance.To create a new SSID for the VLAN, see Configuring Simple Guest and Internal Wireless Networks.Configure Tunnels with Cisco Secure Firewall < Configure Tunnels with Meraki MX > Manage Resource Connectors and Groups" data-testid="RDMD">Follow these steps to connect a Cisco Meraki MX/Z4 series device to Cisco Secure Access through a Meraki Third Party (non-Meraki) VPN Tunnel (NMVPN) configuration. The two primary uses cases for Secure Access with Meraki Networks are secure internet access and remote access to private applications.To connect to Secure Access, a NMVPN must be established to a Secure Access Network Tunnel Group (NTG). With this configuration in place, internet-bound traffic from Meraki branches will be secured through Secure Access.The same tunnels can be used to securely connect remote users of AnyConnect VPN and Client/Clientless Zero Trust Access modules in the Secure Client to private applications on Meraki networks.PrerequisitesCaveats and Considerations Supported Use Cases and Requirements Step 1: Add a Network Tunnel Group in Secure AccessStep 2: Configure a Tunnel in Meraki MXVerification and TroubleshootingOptional ConfigurationsA Cisco Meraki MX/Z4 device (running MX 18.107+ firmware).A valid Cisco Secure Access account.A network tunnel group configured on Cisco Secure Access; see Add a Network Tunnel Group.This section discusses important caveats and considerations associated with the Meraki Third Party (non-Meraki) VPN tunnel configuration to Secure Access.There is no stateful failover to a Secure Access secondary tunnel.a. The MX only supports active/cold standby to a single headend.b. Traffic from a failed site is required to reestablish the tunnel.Only static routing is supported; BGP is not

Follow these steps to connect a Cisco Meraki MX/Z4 series device to Cisco Secure Access through a Meraki Third Party (non-Meraki) VPN Tunnel (NMVPN) configuration. The two primary uses cases for Secure Access with Meraki Networks are secure internet access and remote access to private applications.To connect to Secure Access, a NMVPN must be established to a Secure Access Network Tunnel Group (NTG). With this configuration in place, internet-bound traffic from Meraki branches will be secured through Secure Access.The same tunnels can be used to securely connect remote users of AnyConnect VPN and Client/Clientless Zero Trust Access modules in the Secure Client to private applications on Meraki networks.Table of ContentsPrerequisitesCaveats and Considerations Supported Use Cases and Requirements Step 1: Add a Network Tunnel Group in Secure AccessStep 2: Configure a Tunnel in Meraki MXVerification and TroubleshootingOptional ConfigurationsPrerequisitesA Cisco Meraki MX/Z4 device (running MX 18.107+ firmware).A valid Cisco Secure Access account.A network tunnel group configured on Cisco Secure Access; see Add a Network Tunnel Group.Caveats and ConsiderationsThis section discusses important caveats and considerations associated with the Meraki Third Party (non-Meraki) VPN tunnel configuration to Secure Access.There is no stateful failover to a Secure Access secondary tunnel.a. The MX only supports active/cold standby to a single headend.b. Traffic from a failed site is required to reestablish the tunnel.Only static routing is supported; BGP is not supported.Requires traffic to be generated from the LAN side of an MX through the non-Meraki VPN to establish connection.a. Remote application access on Meraki networks through an MX is not possible until traffic is initiated from the application side of the MX through the non-Meraki VPN.b. Traffic will also need to be consistently generated from the LAN side of the MX over each non-Meraki VPN to keep the tunnel from timing out.ECMP/Load balancing is not supported. Only a single IPSec tunnel is supported between a single Meraki network and a Secure Access network tunnel group.A unique public uplink IP is required for each network.a. The public uplink IP is used as the MX peer device IP, and this cannot be changed.In the Secure Access dashboard, the network tunnel group will display the status as Warning. This is because the Meraki network cannot build a standby tunnel to the Secondary Hub in the network tunnel group that is provided for intra-region redundancy.Supported Use Cases and RequirementsThe following sections describe supported use cases for Meraki Third Party (non-Meraki) VPN

‎Jan 28 2021 7:18 AM MX Events download Hello,I would like to know if there is the possibility to increase the maximum number of events downloadable from the security center.Currently the maximum limit is 1000.Thanks. 1 Accepted Solution ‎Jan 28 2021 7:54 AM Would a syslog server not suffice to capture all events Darren OConnor | [email protected] not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field. All forum topics Previous Topic Next Topic 6 Replies 6 ‎Jan 28 2021 7:45 AM Hi @FrancescoTCS90 ,not something I’ve ever needed to do but is it worth a call into support to see if they can amend the value for the network/Org in question? Darren OConnor | [email protected] not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field. ‎Jan 28 2021 7:50 AM Hi @DarrenOC it is a request made by a (very large) client that I follow.Let's say that in my opinion it is not necessary but, since they have asked me, I would like to hear assistance and understand if there is the possibility of intervening.Thx. ‎Jan 28 2021 7:54 AM Would a syslog server not suffice to capture all events Darren OConnor | [email protected] not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field. ‎Jan 28 2021 8:12 AM The API is your best bet here. ‎Jan 29 2021 4:20 AM Thanks to all,I will propose to the client the configuration of a syslog server.Greetings Get notified when there are additional replies to this discussion.