The Meraki MX64 provides unlimited VPN users. We love the Cisco Meraki VPN at Telnexus. The MX security appliance is a powerful guardian and gateway between the wild Internet and your private Local Area Network (LAN). Meraki Client VPN uses the Password Authentication Protocol (PAP) to transmit and authenticate credentials. PAP authentication is always transmitted inside an IPsec tunnel between the client device and the MX security appliance using strong encryption. The MX appliances elegantly create a framework for Cisco SD-WAN powered by Meraki by securely auto-provisioning IPsec VPN tunnels between sites. The Meraki dashboard automatically negotiates VPN routes, authentication and encryption protocols, and key exchange for all Meraki MX appliances in an organization to create hub-and-spoke or mesh VPN.
About the connector
Cisco Meraki MX VPN Firewall gives administrators the ability to add firewall rules to restrict the traffic flow through the VPN tunnel for a Cisco Meraki MX Security Appliance.
This document provides information about the Cisco Meraki MX VPN Firewall connector, which facilitates automated interactions, with a service-based URI of Cisco Meraki MX VPN Firewall using FortiSOAR™ playbooks. Add the Cisco Meraki MX VPN Firewall connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of firewall rules for an organization's site-to-site VPN and updating the firewall rules of an organization's site-to-site VPN.
Version information
Connector Version: 1.0.0
Authored By: Fortinet
Certified: No
Installing the connector
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as the root user to install connectors:
yum install cyops-connector-cisco-meraki-mx-vpn-firewall
Prerequisites to configuring the connector
- You must have the Service-based URI of Cisco Meraki MX VPN Firewall to which you will connect and perform automated operations and the API key configured for your account for using the Cisco Meraki API.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here
Configuration parameters
In FortiSOAR™, on the Connectors page, click the Cisco Meraki MX VPN Firewall connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Service-based URI to which you will connect and perform the automated operations. |
API Key | API key configured for your account for using the Cisco Meraki API. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Organization VPN Firewall Rules | Retrieve a list of firewall rules for an organization's site-to-site VPN based on the Organization ID you have specified. | get_vpn_firewall_rules Investigation |
Update Organization VPN Firewall Rules | Updates the firewall rules of an organization's site-to-site VPN based on the Organization ID and rules you have specified. | update_firewall_rules Investigation |
operation: Get Organization VPN Firewall Rules
Input parameters
Parameter | Description |
---|---|
Organization ID | ID of the organization for which you want to retrieve the list of MX VPN firewall rules. |
Output
The output contains the following populated JSON schema:
{
  'policy': '',
  'srcCidr': '',
  'comment': '',
  'srcPort': '',
  'destCidr': '',
  'destPort': '',
  'protocol': '',
  'syslogEnabled': ''
}
operation: Update Organization VPN Firewall Rules
Input parameters
Parameter | Description |
---|---|
Organization ID | ID of the organization whose VPN firewall rules you want to update. |
Rules | An ordered array of the MX VPN firewall rules that you want to update on the specified organization. You must specify the following parameters for each rule. An example of a defined rule: |
Output
The output contains the following populated JSON schema:
{
  'policy': '',
  'srcCidr': '',
  'comment': '',
  'srcPort': '',
  'destCidr': '',
  'destPort': '',
  'protocol': '',
  'syslogEnabled': ''
}
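The two operations above take and return the same rule fields (policy, srcCidr, comment, srcPort, destCidr, destPort, protocol, syslogEnabled), and a playbook that pushes an ordered rule array to an organization-wide VPN firewall should sanity-check that array before it is sent. The following is an added example, not part of the connector or of Cisco Meraki's code: it validates each rule's fields, flags hygiene problems an analyst would want to review (an allow any/any/any rule, a deny rule that will not be logged to syslog), and assembles the update request. The API path `/api/v1/organizations/{org_id}/appliance/vpn/vpnFirewallRules` and the header name `X-Cisco-Meraki-API-Key` are assumptions taken from my memory of the Meraki Dashboard API and are not stated on this page; the sample rules are constructed.

```python
import ipaddress
import json

# Rule fields as listed in the connector's output schema on this page.
RULE_FIELDS = ("policy", "srcCidr", "comment", "srcPort", "destCidr",
               "destPort", "protocol", "syslogEnabled")
PROTOCOLS = {"tcp", "udp", "icmp", "any"}

# ASSUMPTION (not on this page): Meraki Dashboard API v1 path and API-key header.
VPN_RULES_PATH = "/api/v1/organizations/{org_id}/appliance/vpn/vpnFirewallRules"
API_KEY_HEADER = "X-Cisco-Meraki-API-Key"


def _cidr_ok(value):
    """True for 'any' or a valid IPv4/IPv6 network such as 10.0.0.0/8."""
    if str(value).lower() == "any":
        return True
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def _ports_ok(value):
    """True for 'any', a single port, a range 'lo-hi', or a comma list of those."""
    text = str(value).lower()
    if text == "any":
        return True
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        ends = [lo, hi] if hi else [lo]
        if not all(p.isdigit() and 1 <= int(p) <= 65535 for p in ends):
            return False
        if hi and int(lo) > int(hi):
            return False
    return True


def check_rule(rule):
    """Return (errors, warnings) for one rule dict; errors block the update."""
    errors, warnings = [], []
    missing = [f for f in RULE_FIELDS if f not in rule]
    if missing:
        errors.append("missing fields: " + ", ".join(missing))
        return errors, warnings
    if rule["policy"] not in ("allow", "deny"):
        errors.append("policy must be 'allow' or 'deny'")
    if rule["protocol"] not in PROTOCOLS:
        errors.append("unknown protocol %r" % rule["protocol"])
    for f in ("srcCidr", "destCidr"):
        if not _cidr_ok(rule[f]):
            errors.append("%s is not 'any' or a valid CIDR: %r" % (f, rule[f]))
    for f in ("srcPort", "destPort"):
        if not _ports_ok(rule[f]):
            errors.append("%s is not a valid port spec: %r" % (f, rule[f]))
    if not isinstance(rule["syslogEnabled"], bool):
        errors.append("syslogEnabled must be a boolean")
    if errors:
        return errors, warnings
    # Hygiene checks: legal rules that an analyst should still confirm.
    wide_open = (rule["policy"] == "allow" and rule["protocol"] == "any"
                 and str(rule["srcCidr"]).lower() == "any"
                 and str(rule["destCidr"]).lower() == "any")
    if wide_open:
        warnings.append("allow any/any/any rule: confirm this is intentional")
    if rule["policy"] == "deny" and not rule["syslogEnabled"]:
        warnings.append("deny rule without syslog: dropped VPN traffic will not be logged")
    if not str(rule["comment"]).strip():
        warnings.append("rule has no comment")
    return errors, warnings


def review_rules(rules):
    """Check an ordered rule list; returns {'errors': [...], 'warnings': [...]}."""
    report = {"errors": [], "warnings": []}
    for i, rule in enumerate(rules):
        errs, warns = check_rule(rule)
        report["errors"].extend("rule %d: %s" % (i, e) for e in errs)
        report["warnings"].extend("rule %d: %s" % (i, w) for w in warns)
    return report


def build_update_request(server_url, api_key, org_id, rules):
    """Assemble the PUT the connector would send; refuses malformed rule arrays."""
    report = review_rules(rules)
    if report["errors"]:
        raise ValueError("; ".join(report["errors"]))
    return {
        "method": "PUT",
        "url": server_url.rstrip("/") + VPN_RULES_PATH.format(org_id=org_id),
        "headers": {API_KEY_HEADER: api_key, "Content-Type": "application/json"},
        "body": json.dumps({"rules": rules}),
    }


# Constructed sample rules (not taken from the page).
SAMPLE_RULES = [
    {"policy": "allow", "srcCidr": "10.10.0.0/16", "comment": "Branch to syslog",
     "srcPort": "any", "destCidr": "10.0.0.50/32", "destPort": "514",
     "protocol": "udp", "syslogEnabled": False},
    {"policy": "allow", "srcCidr": "any", "comment": "temp",
     "srcPort": "any", "destCidr": "any", "destPort": "any",
     "protocol": "any", "syslogEnabled": True},
    {"policy": "deny", "srcCidr": "10.20.0.0/16", "comment": "Block guest",
     "srcPort": "any", "destCidr": "10.0.0.0/8", "destPort": "any",
     "protocol": "any", "syslogEnabled": False},
    {"policy": "deny", "srcCidr": "10.30.0.0/33", "comment": "bad cidr",
     "srcPort": "any", "destCidr": "any", "destPort": "any",
     "protocol": "tcp", "syslogEnabled": True},
]

if __name__ == "__main__":
    print(json.dumps(review_rules(SAMPLE_RULES), indent=2))
```

Run against the constructed rules, the review reports one error (rule 3's invalid prefix length) and two warnings (the wide-open allow in rule 1 and the unlogged deny in rule 2); `build_update_request` raises on the full list and only builds the request once the error is fixed. Warnings are deliberately non-blocking so a playbook can route them to an analyst rather than fail the run.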
Included playbooks
The Sample - Cisco Meraki MX VPN Firewall - 1.0.0 playbook collection comes bundled with the Cisco Meraki MX VPN Firewall connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in CyOPs™ after importing the Cisco Meraki MX VPN Firewall connector.
- Get Organization VPN Firewall Rules
- Update Organization VPN Firewall Rules
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
Syslog Configuration
A syslog server can be configured to store messages for reporting purposes from MX security appliances, MR access points, and MS switches. The MX Security Appliance supports sending four categories of messages/roles: Event Log, IDS Alerts, URLs, and Flows. MR access points can send the same roles with the exception of IDS alerts. MS switches currently only support Event Log messages.
To begin setting up a Syslog server on the Meraki dashboard, first, navigate to Network-Wide > Configure > General. Here you will see a section for Reporting, with the option for Syslog server configurations. Click on the Add a syslog server link to define a new server. Configure an IP address of your syslog server, the UDP port the server is listening on, and the roles you wish to be reported to the server.
If the Flows role is enabled for Meraki MX reporting, logging for individual firewall rules can be enabled/disabled on the Security appliance > Configure > Firewall page, under the Logging column as shown below:
Additional Considerations for Syslog
Storage Allocation
Syslog messages can take up a large amount of disk space, especially when collecting flows. When deciding on a host to run the syslog server, make sure to have enough storage space on the host to hold the logs. Consult the syslog-ng man page for further information on only keeping logs for a certain amount of time.
Expected Traffic Flow
Syslog traffic may flow to the syslog server in one of three scenarios, depending on the route type that is used to reach the server. Below are example scenarios and a description of the expected traffic behavior.
Scenario 1 - Reachable via LAN
The MX will source traffic from the VLAN interface that the server resides in if the syslog server is located on the LAN of the MX. The transit VLAN interface would be used if the device is only accessible via static route.
Scenario 2 - Reachable via Public Interface
The MX will source traffic from the public interface (WAN) if the syslog server is accessible via the WAN link.
Scenario 3 - Reachable via AutoVPN
The MX will source traffic from the interface of the highest VLAN that is participating in AutoVPN if the syslog server is accessible via AutoVPN.
If the traffic passes through the site-to-site AutoVPN connection, it is subject to the 'Site-to-site outbound firewall' rules, so an allow rule for the syslog traffic may be required. This can be configured in Security appliance > Configure > Site-to-site VPN > Organization-wide settings > Add a rule as shown below.