Solved: HTTPS Inspection on MX

Brash · ‎12-02-2021

I've been looking into HTTPS inspection on Meraki MX's recently.

I found a thread from 2019 indicating that the feature came into Beta firmware and the following document released
https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/HTTPS_Inspection

However the doc now seems to be behind a Meraki login (separate from dashboard/community login).

Has the doc been removed from public access or am I just doing something silly?

And is the feature available in current stable or beta firmware or has it since been removed?

MilesMeraki · ‎12-02-2021

I'm under the assumption that this might be removed/no longer available. The HTTPS feature on the MX's caused severely degraded throughput once enabled plus an array of other issues.

I think the direction now going forward will be to perform the HTTPS/TLS decryption by a SASE security service like Umbrella in-line between the MX and the Internet/SaaS traffic. If you have a look at the updated Sizing guides this also seems to be the "recommended" approach. (https://meraki.cisco.com/product-collateral/mx-sizing-guide/?file).

This isn't necessarily a bad thing. SASE security architectures allow for the same security posture and enforcement to be maintained no matter the user's location. This would effectively mean that their HTTPS/TLS traffic would be still decrypted when either on a trusted network or on an un-trusted/un-managed network. Most vendors are now taking this approach to security.

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)

View solution in original post

inderdeepsingh1 · ‎12-02-2021

@Brash : I think we still dont have any announcement on this feature yet. Yes i am getting the same login as well.

Cisco Awarded Blogs 2020/2021 https://www.thenetworkdna.com/

MilesMeraki · ‎12-02-2021

I'm under the assumption that this might be removed/no longer available. The HTTPS feature on the MX's caused severely degraded throughput once enabled plus an array of other issues.

I think the direction now going forward will be to perform the HTTPS/TLS decryption by a SASE security service like Umbrella in-line between the MX and the Internet/SaaS traffic. If you have a look at the updated Sizing guides this also seems to be the "recommended" approach. (https://meraki.cisco.com/product-collateral/mx-sizing-guide/?file).

This isn't necessarily a bad thing. SASE security architectures allow for the same security posture and enforcement to be maintained no matter the user's location. This would effectively mean that their HTTPS/TLS traffic would be still decrypted when either on a trusted network or on an un-trusted/un-managed network. Most vendors are now taking this approach to security.

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)

Brash · ‎12-02-2021

I thought that might be the case given MiM for HTTPS inspection is beginning to get steered away from.
That said another service means another additional cost 😞

MilesMeraki · ‎12-03-2021

Unfortunately, this is the same for all other vendors as everything moves to SASE or "Cloud delivered". There are some fantastic BUNDLE offers on Meraki + Umbrella at the moment and I'd assume these will only get better over time.

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)