We are deploying Meraki MX and AutoVPN and using Umbrella with AnyConnect to filter clients with SIG.
Our customer wants to lock out the corporate clients in the event that someone plugs in without AnyConnect with Umbrella installed and gets unfiltered internet. I have FQDN rules for all Umbrella exempt domains, but this seems intermittent. Meraki is stating that for FQDN rules to work the MX needs to sniff the DNS requests to resolve the IP destination for the rules. If AnyConnect encrypts this DNS request, this might break the FQDN rules if I am reading this correctly.
In order to ensure successful operation, DNS traffic must be allowed by the MX's layer 3 firewall. Blocking DNS will result in the MX being unable to learn hostname and IP address mappings and, subsequently, from blocking or allowing traffic as expected.
Additionally, hostname visibility should be enabled on the network for the FQDN-based firewall rules to take effect correctly.
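The dependency described in the post, modelled as an added example (this is not Meraki code; the `FqdnFirewall` class, the rule tuples and the 192.0.2.x addresses are constructed for illustration): an FQDN rule can only match a destination IP that the firewall has learned from a DNS answer it observed in cleartext, and the mapping expires with the record's TTL, which is why a client whose DNS is encrypted end-to-end may be allowed or denied depending on what other clients on the LAN have recently resolved.

```python
"""Model of an FQDN-based L3 firewall that learns name->IP from observed DNS.

Added example, not Meraki's implementation. It mimics the documented behaviour:
mappings are learned only from DNS answers the firewall can see, FQDN rules are
evaluated against that learned table, and anything unmatched falls to a deny.
"""
import time


class FqdnFirewall:
    def __init__(self, rules, now=time.time):
        # rules: list of (action, fqdn) checked top-down; implicit deny at the end
        self.rules = rules
        self.now = now
        self.learned = {}  # dst ip -> (fqdn, expiry time)

    def observe_dns_answer(self, fqdn, ip, ttl):
        """Only called for DNS responses that cross the firewall in cleartext."""
        self.learned[ip] = (fqdn.lower().rstrip("."), self.now() + ttl)

    def fqdn_for(self, ip):
        entry = self.learned.get(ip)
        if entry is None:
            return None
        fqdn, expiry = entry
        if expiry < self.now():
            del self.learned[ip]  # mapping forgotten once the record's TTL lapses
            return None
        return fqdn

    def evaluate(self, dst_ip):
        name = self.fqdn_for(dst_ip)
        for action, rule_fqdn in self.rules:
            if name is not None and (name == rule_fqdn or name.endswith("." + rule_fqdn)):
                return action
        return "deny"  # lock-down policy: nothing unmatched is allowed


def demo():
    clock = [1000.0]  # constructed clock so TTL expiry is deterministic
    fw = FqdnFirewall([("allow", "exempt.example")], now=lambda: clock[0])
    # Cleartext DNS on the LAN: the firewall sees the answer and learns 192.0.2.10.
    fw.observe_dns_answer("exempt.example", "192.0.2.10", ttl=60)
    seen = fw.evaluate("192.0.2.10")    # "allow"
    # A client resolving the same name over encrypted DNS got 192.0.2.20 instead;
    # the firewall never saw that answer, so the FQDN rule cannot match it.
    unseen = fw.evaluate("192.0.2.20")  # "deny"
    clock[0] += 61                      # TTL expires; even the learned IP is now denied
    expired = fw.evaluate("192.0.2.10")  # "deny"
    return seen, unseen, expired
```

The "intermittent" symptom follows from the model: an encrypted-DNS client reaching 192.0.2.10 while the mapping is still cached by another client's cleartext lookup is allowed, and the same flow is denied once the TTL lapses.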