10-13-2017 11:40 AM
We bought 2X MX100 Security Appliance (retail price at $4999 each + License). Currently running the latest Stable firmware 12.24, and it blocks all devices from downloading Windows updates and Adobe updates even though I whitelist all known Microsoft update sites. Meraki's solution:
1) Disable AMP ( Risk of getting Malware )
2) Upgrade firmware to V14 BETA. ( Running critical production network on BETA Firmware? )
If anyone has a better workaround, please help!
10-13-2017 01:41 PM
I am not sure why it was removed, there was nothing in there that was a privacy concern. Anyway, earlier I was testing with a Win 7 box; when I tested with a Win 10 box, bam, right away Windows Update broke. I am running MX 12.24 on this MX 100. I moved the client over to my MX 250 running MX 14.XX and right away the updates started working. I can confirm there is an issue here and I was able to replicate it exactly as you described.
Ryan
10-13-2017 11:45 AM
I've deployed a lot of MX's - and they have never blocked Windows Updates without being configured to do so.
Have you configured any layer 7 firewall rules? Have you configured any content filtering rules?
10-13-2017 11:54 AM
Hi PhilipDath,
L7 only blocks All P2P, Video and Music, and Gaming.
Content Filtering only blocks some categories that have nothing to do with Microsoft update and Adobe update. ( Unless Microsoft uses P2P Protocol to push updates? )
This only happens on my MX100. I have many MX65W with the same config without any issue.
I called Meraki support twice regarding this issue for a month now and they gave me the same answer.
Hope to hear back from some other MX100 users.
10-13-2017 12:05 PM
Try removing the L7 rules and see if that fixes it. If not, put them back. Repeat with the content filtering rules.
One of those items should get it working again. Tell us which one it was.
10-13-2017 12:06 PM
Hello @enchesiah
I have an MX100 sitting as a cold spare to our MX250. I will fire this up and create a test network and try to duplicate the issue. When we had the MX100 in operation, AMP was grabbing Console8 updates as malicious. I am assuming AMP is enabled, and what are your IDS settings? Prevention and Balanced? Just want to duplicate your settings here.
10-13-2017 12:09 PM
Thanks for your help. IDS set to Prevention - balance.
10-13-2017 12:56 PM
Hello Again @enchesiah
I have a spare MX100 running 12.24 that I reset back to factory and I enabled AMP and IDS like you have, see screenshots. I also added the L7 rules you mentioned above. I happen to have an extra connection to the outside world with a public IP, so there is not a double NAT taking place here. I had no problem fetching updates from Windows Update servers or Adobe updates. If this traffic was getting grabbed by IDS or by AMP, there would be a log of that event that is easy to find in the security center.
This very much sounds like an issue with Content Filtering, more specifically IP/URL reputation as @Philip D'Ath mentioned.
"In firmware version 13.3, URL reputation was prioritized over IP reputation, as opposed to IP reputation being the deciding factor on previous firmware versions. If, for some reason, the IP has a different categorization than the URL, the client could be allowed through."
I can tell you that I am running MX 14.15 on an MX250 and I have not been adversely affected by this beta firmware in a production environment with 1000+ daily clients.
"If a client is being blocked from accessing a page, the easiest way to tell whether content filtering is blocking the traffic is to check your Event Log. When looking at the Security Appliance's network in the dashboard, navigate to Network-wide > Monitor > Event log. To help narrow down the scope, the event type 'Content filtering blocked URL' can be included in the 'Event type include' field."
I hope this helps.
Ryan
10-13-2017 12:08 PM
If you look in the event log for the network - what is the exact reason it gives for blocking the traffic?
10-13-2017 12:14 PM
I don't think the Event log shows what's being blocked on AMP. Any idea what event to sort?
10-13-2017 12:17 PM
If you go:
Security Appliance/Security Centre/Events
Does anything come up?
10-13-2017 12:25 PM
10-13-2017 12:31 PM
And you are saying that if you disable AMP it starts working? If there is nothing in that log then it should mean that AMP is not blocking your traffic.
The beta firmware is pretty good. You are unlikely to find any issues if you upgrade to it.
10-13-2017 12:52 PM
10-13-2017 02:07 PM
We can probably solve this now we know the IDS is triggering.
Go:
Security Appliance/Threat Protection/Intrusion detection and prevention
Under "Whitelisted Rules" click "Whitelist an IDS rule". Select the rule that is firing above in the log.
10-13-2017 12:31 PM
@enchesiah May I get a screen capture of your content filtering and layer 3 / 7 rules?
You are running MX 12.24, correct?
Ryan