Group Policy Allow/Deny Question

rwhiteman
Engager

Under Flows we see Allow/Deny for Group Policy, but we don't see an indication of which Group Policy this hits against, or better yet which part of which Group Policy it hits for. Any way to see this, or is it a Meraki limitation?

0 Karma

myron_davis
Path Finder

Could you email me directly some log entries?

It could be a Meraki limitation, but I've been able to solve issues before by building jobs which post lookup tables automatically in order to fill them out.

I'd like to visualize what it is you are seeing.

Thanks,

-Myron

0 Karma

rwhiteman
Engager

Hey Myron,

Thanks for the quick reply. See below

Jun 10 21:45:30 172.16.XXX.XXX 1560203130.462878987 Device flows src=10.0.XXX.XX dst=192.168.XXX.xxx mac=B4:FB:E4:XX:XX:XX protocol=tcp sport=58329 dport=7442 pattern: Group Policy Allow

Jun 10 19:59:58 172.16.XXX.XXX 1560196798.789815839 Device flows src=10.0.XXX.XXX dst=37.18.XXX.XXX mac=B4:FB:E4:XX:XX:XX protocol=tcp sport=36930 dport=80 pattern: Group Policy Deny

0 Karma

myron_davis
Path Finder

I remember running into this as well! A feature request needs to go into Meraki in order to ask them to expose the actual group policy that was triggered.

Sorry :(. No hope on this one.

rwhiteman
Engager

Glad I'm not the only one. Put in a feature request yesterday, along with opening a support case. Guess to fill the gap I can hit the Meraki API, pull the Group Policy details, store that in SQL and have Splunk do lookups against that to help piece things together. Should be a good way to kill a morning, right? 😉

0 Karma
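A sketch of the lookup-based workaround discussed in this thread, added here as an example and not code from either poster or from Meraki/Splunk: it parses flow lines in the format posted above and joins each Group Policy Allow/Deny event to a policy name by MAC. It assumes the `mac` field identifies the client and that a MAC-to-policy table has been exported separately; the sample lines, the `POLICY_BY_MAC` rows and the policy names are constructed. This narrows an event to the policy assigned to the client, not to the rule inside that policy.

```python
import re
from collections import Counter

# Constructed sample lines in the posted format (masked octets filled with made-up values).
# The third line carries a constructed non-group-policy pattern and should be ignored.
SAMPLE = """\
Jun 10 21:45:30 172.16.0.1 1560203130.462878987 Device flows src=10.0.1.20 dst=192.168.5.9 mac=B4:FB:E4:00:00:01 protocol=tcp sport=58329 dport=7442 pattern: Group Policy Allow
Jun 10 19:59:58 172.16.0.1 1560196798.789815839 Device flows src=10.0.1.21 dst=37.18.0.10 mac=B4:FB:E4:00:00:02 protocol=tcp sport=36930 dport=80 pattern: Group Policy Deny
Jun 10 20:01:02 172.16.0.1 1560196862.000000001 Device flows src=10.0.1.22 dst=10.0.1.1 mac=B4:FB:E4:00:00:03 protocol=udp sport=5353 dport=53 pattern: allow all
"""

# Hypothetical lookup table (client MAC -> assigned group policy name), constructed.
POLICY_BY_MAC = {
    "b4:fb:e4:00:00:01": "IoT-Cameras",
    "b4:fb:e4:00:00:02": "Guest-Restricted",
}

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]+\s(?P<collector>\S+)\s(?P<epoch>\d+\.\d+)\s"
    r"(?P<device>\S+)\sflows\s(?P<kv>.*?)\spattern:\s(?P<pattern>.+)$"
)
GP_RE = re.compile(r"Group Policy (Allow|Deny)")


def parse_flow(line):
    """Parse one flows line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(re.findall(r"(\w+)=(\S+)", m["kv"]))  # src, dst, mac, protocol, ...
    event.update(epoch=float(m["epoch"]), device=m["device"], pattern=m["pattern"])
    gp = GP_RE.fullmatch(m["pattern"])
    event["gp_verdict"] = gp.group(1) if gp else None
    return event


def enrich(events, policy_by_mac):
    """Keep only Group Policy events and attach the policy name from the lookup."""
    for event in events:
        if event["gp_verdict"]:
            mac = event.get("mac", "").lower()
            event["group_policy"] = policy_by_mac.get(mac, "unknown")
            yield event


def summarize(text, policy_by_mac):
    """Count (policy name, verdict) pairs across all parsable lines."""
    events = filter(None, map(parse_flow, text.splitlines()))
    return Counter((e["group_policy"], e["gp_verdict"]) for e in enrich(events, policy_by_mac))
```
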