
Track ATP event through Meraki NAT

I have an XG reporting that there is an ATP event. The address it is giving me for the source is our Meraki AP. I do not think the Meraki is infected but more likely one of the clients connecting to that AP is.

The Meraki is NATing addresses, so I am unable to actually determine which device is the culprit. Is there any way I can track this through the XG? I am pretty new to Meraki; does anyone know of a way to track it through the Meraki if not the XG?



  • Joseph,

     

    For this scenario you will need to remove the Source NAT in place on the Meraki. When rewriting the source addresses of your wireless clients, it removes the flexibility and granularity of our ability to create firewall policies, and we're left with creating global policies centered around the single NAT IP... I would recommend utilizing the Sophos APs, as these devices are completely managed and controlled within the WebAdmin of your Sophos XG Firewall; this will not only simplify management but also help you achieve your goal. In the event that this isn't practical, which is okay, simply remove the NAT and allow the Sophos device to issue DHCP to your wireless network / zone. You may have to configure the Meraki in some form of bridge or IP passthrough mode or utilize VLANs so that the Sophos can provide DHCP and filter all wireless client traffic. Would strongly recommend the consideration of the Sophos APs.

    Regards,

     

    Firewalls.com Inc.

    Get Secure. Stay Secure.

  • Firewalls.com, 

     

    I kinda figured that this is what I would have to do. I am trying to avoid going through the process of reconfiguring the networks, but I may have to.

  • Unknown said:
    I kinda figured that this is what I would have to do. I am trying to avoid going through the process of reconfiguring the networks, but I may have to.

    I support about 2 dozen Meraki access points behind Sophos XG/UTM. All you have to do is configure the Client IP assignment on the SSID to Local LAN. This removes the necessity for the Meraki access point to do its own DHCP, so you're giving more resources up for it to use to do its primary function of serving WiFi. Also, it lets you add additional WiFi access points on the same subnet. That's the only change you should have to do - unless you had some sort of WiFi zone protection in mind you needed to accomplish.