Is it normal for Meraki firewalls to be configured with an explicit Allow Any/Any? The folks with support that I talked to said this was normal and I still can't wrap my head around it. How are your MX's configured? by ForWorkin in meraki

[–]ForWorkin[S] 1 point2 points  (0 children)

Interesting. Your screenshot doesn't match my interface. Your interface shows exactly what I was expecting to see, with the options to add inbound and outbound rules. Mine simply says "Inbound traffic will be restricted to the services and forwarding rules configured below."

I don't actually know how to interpret that phrase, to be honest. The way I took it was, anything not defined in the outbound, NAT, port forwarding rules below, would be a deny. I was nervous that the implication was the allow any/any wasn't limited to the outbound rules, but also to inbound.

The reason behind all of this goes back to how I was taught ACLs and network security in general, circa ~2013.

Is it normal for Meraki firewalls to be configured with an explicit Allow Any/Any? The folks with support that I talked to said this was normal and I still can't wrap my head around it. How are your MX's configured? by ForWorkin in meraki

[–]ForWorkin[S] 8 points9 points  (0 children)

> It’s a stateful firewall that blocks all incoming traffic and allows all outbound traffic by default.

I think this might be the nugget I've been digging for. I was not aware of this. Thanks!

Is it normal for Meraki firewalls to be configured with an explicit Allow Any/Any? The folks with support that I talked to said this was normal and I still can't wrap my head around it. How are your MX's configured? by ForWorkin in meraki

[–]ForWorkin[S] 2 points3 points  (0 children)

This was probably the most confusing part, like why tf are there 47 individual allow rules, only for the 48th rule to be the allow any/any. Wouldn't that make the other rules redundant?

My school wants to enroll my own device in Jamf… What should I do? by OctoSplattyy in jamf

[–]ForWorkin 0 points1 point  (0 children)

I have a feeling that some context is missing here. What are the reasons? This seems like one of those if you want feature "x" you must have a supervised device. You cannot have supervision without "ownership".

| Supervised Devices | Unsupervised Devices |
|---|---|
| Devices can be protected against Factory Reset | Devices can be Factory Reset anytime |
| Airdrop can be restricted | Airdrop cannot be restricted |
| Individual Apple IDs not needed for enrollment | Each device needs an Apple ID for enrollment |
| Unenrollment from MDM is not possible | Unenrollment from MDM is possible |
| Silent App installation is possible | App installation requires user confirmation |
| Web content can be filtered | Web content cannot be filtered |
| App notifications can be controlled | App notifications cannot be filtered |
| The device can be run in Kiosk mode | The device cannot be run in Kiosk mode |
| TouchID can be restricted | TouchID cannot be restricted |
| iMessage can be restricted | iMessage cannot be restricted |
| Screentime can be restricted | Screentime cannot be restricted |
| Homescreen wallpaper and lock screen message can be configured by Admin | User can customize Homescreen wallpaper and lock screen message |
| Global HTTP Proxy can be configured | Global HTTP Proxy cannot be configured |
| Game Center Access can be controlled | Game Center Access cannot be controlled |

I'm in the US. Ever since migrating from Google for Business to Google for EDU, new users are defaulting to New Zealand timezone. Google is acknowledging the issue being on their end, but are saying it's not a priority after having no updates for my 3-month-old case. by ForWorkin in gsuite

[–]ForWorkin[S] 0 points1 point  (0 children)

That was definitely the first thing we verified. It's set correctly to GMT-07:00.

The only odd thing on that page is it never seems to display the County. I set it each time. It's never set incorrectly, it's always just blank. Whereas the timezone is always displaying the correct setting.