Umbrella SIG and Meraki MX FQDN rules

Hi,

We are deploying Meraki MX and AutoVPN and using Umbrella with AnyConnect to filter clients with SIG.

Our customer wants to lock out the corporate clients in the event that someone plugs in without AnyConnect with Umbrella installed and gets unfiltered internet. I have FQDN rules for all Umbrella exempt domains, but this seems intermittent. Meraki is stating that for FQDN rules to work, the MX needs to sniff the DNS requests to resolve the IP destination for the rules. If AnyConnect encrypts this DNS request, this might break the FQDN rules, if I am reading this correctly.

Has anyone come across this?

Status, States, and Functionality (umbrella.com)

MX Firewall Settings - Cisco Meraki

In order to ensure successful operation, DNS traffic must be allowed by the MX's layer 3 firewalls. Blocking DNS will result in the MX being unable to learn hostname and IP address mappings and, subsequently, unable to block or allow traffic as expected.

Additionally, hostname visibility should be enabled on the network for the FQDN-based firewall rules to take effect correctly.


I have this problem too. Found any permanent solution so far?

A temporary solution can be to add those excluded domains to "internal domains" in the Umbrella dashboard, so that DNS queries for these domains are sent to the DNS server configured on the user machines over UDP 53.
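The point both posts turn on is that an MX FQDN rule can only match a destination whose name it has seen resolved in plaintext DNS on its LAN side; a name the roaming client resolves over an encrypted channel never produces a mapping, so the rule silently does nothing for that host. The script below is an added example, not code from this thread or from Cisco: it parses DNS wire-format messages (queries and A-record responses, including the usual compression pointer back to the question) and reports, for each exempt FQDN, whether a plaintext UDP/53 query was observed and which IPs the MX could have learned from the answers. It assumes you have already extracted the UDP/53 payloads from a packet capture on the client VLAN (not shown); the domains, transaction IDs and 203.0.113.x addresses are constructed sample data.

```python
"""
Added example: which Umbrella-exempt FQDNs are visible to the MX as plaintext
DNS on UDP/53, the input the Meraki FQDN firewall rules depend on.
All sample traffic below is constructed; this is not Meraki or Umbrella code.
"""
import struct


def encode_qname(name: str) -> bytes:
    """Encode a hostname in DNS label format (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A/IN query, as a client sends it over UDP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


def build_response(query: bytes, ips, ttl: int = 300) -> bytes:
    """Answer a query with A records; each RR name is a compression pointer
    (0xC00C) back to the question name, as real resolvers emit it."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(ips), 0, 0)
    rrs = b""
    for ip in ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + query[12:] + rrs           # question section echoed back


def decode_qname(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset past the name)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                # compression pointer
            hops += 1
            if hops > 8:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), end


def parse_dns(msg: bytes) -> dict:
    """Return transaction id, response flag, question name and A answers."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, qname = 12, None
    for _ in range(qd):
        qname, offset = decode_qname(msg, offset)
        offset += 4                               # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        _, offset = decode_qname(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:             # A record
            answers.append(".".join(str(b) for b in rdata))
    return {"id": txid, "response": bool(flags & 0x8000),
            "qname": qname, "a": answers}


def plaintext_dns_coverage(exempt_fqdns, udp53_payloads) -> dict:
    """Per exempt FQDN: was a plaintext query seen, and which IPs could the MX
    learn from the answers. queried=False means the client resolved the name
    some other way (e.g. encrypted DNS), so the FQDN rule has no mapping."""
    seen = {n.lower().rstrip("."): {"queried": False, "ips": set()} for n in exempt_fqdns}
    for payload in udp53_payloads:
        rec = parse_dns(payload)
        entry = seen.get(rec["qname"])
        if entry is not None:
            entry["queried"] = True
            entry["ips"].update(rec["a"])
    return seen


# Constructed sample: hypothetical exempt list and UDP/53 payloads as a capture on
# the client VLAN might show them (TEST-NET-3 addresses, made-up domains).
EXEMPT = ["api.example-exempt.com", "update.example-exempt.com", "sso.example-exempt.com"]
_q = build_query("api.example-exempt.com", 0x1001)
SAMPLE_UDP53 = [
    _q,
    build_response(_q, ["203.0.113.10", "203.0.113.11"]),
    build_query("update.example-exempt.com", 0x1002),  # query seen, reply not captured
]

if __name__ == "__main__":
    for name, info in plaintext_dns_coverage(EXEMPT, SAMPLE_UDP53).items():
        state = "OK" if info["ips"] else ("no answer seen" if info["queried"] else "NOT SEEN on UDP/53")
        print(f"{name:28} {state:20} {sorted(info['ips'])}")
```

Run it after adding a domain to the Umbrella internal domains list and again before: a name that flips from "NOT SEEN on UDP/53" to "OK" is one the MX can now learn a mapping for, which is the condition the FQDN rule needs; a name that stays unseen is still being resolved outside the MX's view and will not be enforced by that rule.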