Showing results for 
Search instead for 
Did you mean: 

Umbrella SIG and Meraki MX FQDN rules

Brian McPhillips



We are deploying Meraki MX and Autovpn and using Umbrella with Anyconnect to filter clients with SIG.


Our customer wants to lockout the Corporate Clients in the event that someone plugs in without Anyconnect with Umbrella installed and getting unfiltered internet. I have FQDN rules for all Umbrella exempt domains but this seems intermittent. Meraki is stating that for FQDN rules to work the MX needs to sniff the DNS requests to resolve the IP destination for the rules. If Anyconnect encrypts this DNS request, this might break the FQDN rules if I am reading this correctly. 


Anyone came across this?


Status, States, and Functionality (

MX Firewall Settings - Cisco Meraki


In order to ensure successful operation, DNS traffic must be allowed by the MXs layer 3 firewalls. Blocking DNS will result in the MX being unable to learn hostname and IP address mappings and, subsequently, from blocking or allowing traffic as expected. 

Additionally, hostname visibility should be enabled on the network for the FQDN-based firewall rules to take effect correctly.

0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers