Cisco Meraki Security Appliance Review

0

Recently, I have been looking to revamp my home lab network with something a little more power and newer technology. I have been running the Sophos UTM x86 product for this purpose for a couple of years now and it has been rock solid. However, being the tinkerer that I am at heart, trying something new is always the desired path forward. After getting my hands on a Meraki MX64 security appliance and not really having that much experience with one up until now, it seems like a good project to at least beta test the appliance for its worthiness as a replacement firewall moving forward. After a few days of running on the appliance, I wanted to detail by way of a Meraki MX Security Appliance Review what I like about the product and things that I don’t like.

Meraki MX Security Appliance Review

The Meraki claim to fame is the ability to be controlled and configured from the cloud. This is its bread and butter. So, you have to understand what the strength of the product is before drawing conclusions. At the beginning it is a huge let down to not have all the knobs and switches that you are used to being able to configure with a full fledged firewall product. I am familiar and have used most of the big named firewalls so having that fine tuning control is hard to swap out for something different.

That was the initial let down that I had – with the Meraki appliance you don’t have the ability to tweak and fine tune settings to your liking. This I had to get used to and I will detail more of the specific tunability that I am talking about later in the post

However, one of the things that I absolutely love is the cloud connectivity and visability of the Meraki appliance. With the official Meraki app available for IOS/Android you can have all the critical statistics, real time, available to you on your mobile device.  The things I hated about the appliance at first were softened by the cloud monitoring, etc.

Likes

What I would say that I like extremely well about the Meraki security devices is the efficiency and ease that you can setup a security perimeter, VPNs, etc.  The whole architecture is very easy to learn and most operations are point and click in the cloud interface.  Although you have to wait just a bit for the config to sync up locally from the cloud, this usually happens within a few seconds from what I have seen.

Cloud integration is where this product line shines.  Let’s take a look at a few of the configuration pages as well as the mobile app.

With the cloud integration, we can see real time uplink status on the ports, connectivity, usage as well as config “up-to-dateness” all in the dashboard.

merakisec01 Cisco Meraki Security Appliance Review

VLANs and routing is easily configured after selecting the mode you want the device to operate in.

merakisec02 Cisco Meraki Security Appliance Review

Routes are easily added as well as VLANs.

merakisec03 Cisco Meraki Security Appliance Review

You have built-in dynamic DNS which keeps your public IP matched to the DNS name Meraki provides.

merakisec04 Cisco Meraki Security Appliance Review

With the Advanced Security license, you get the threat protection and Intrusion detection and prevention modules.

merakisec07 Cisco Meraki Security Appliance Review

Client VPN is amazingly simple.  You select the options you want, subnet, DNS settings, as well as a secret key.  You can choose your authentication mechanism which includes Meraki cloud, Active Directory, and RADIUS.  Meraki provides a very detailed guide on how to setup client side VPN from a multitude of OS choices.

merakisec08 Cisco Meraki Security Appliance Review

One of the coolest things about the cloud integration is that you can packet capture from anywhere.  You can start a packet capture remotely and either view the capture real time or download the pcap file for Wireshark, etc.

merakisec09 Cisco Meraki Security Appliance Review

Also, you get built in WAN alerting as the Meraki cloud monitors your appliance.  So, this is something you don’t have to rely on a 3rd party for as you get this for free (at least free with the Meraki appliance license). Along with getting alerts on the WAN link, you have valuable alerts built in such as DHCP conflicts, pool problems, rogue DHCP alerts, monitored client alerts (configurable hosts you are watching on the LAN side), malware alerts and others.

merakisec10 Cisco Meraki Security Appliance Review

Mobile App

The mobile App is really great as well as it provides you with most of the pertinent information you want to see coming from your network.  Below are a few screenshots from the mobile app.  Notice how you can reboot the appliance, ping, traceroute, DNS, throughput tests, LED blink, etc.

meraki01 Cisco Meraki Security Appliance Review

With the mobile app, you have network usage statistics at your fingertips, realtime.


meraki02 Cisco Meraki Security Appliance Review

Another handy feature I think is that you can check support cases with the mobile app if you have any.  The event log is also available in the tools.


meraki03 Cisco Meraki Security Appliance Review

The application usage summary and device summary is also very good information to have.

meraki04 Cisco Meraki Security Appliance Review

Live usage, port activity, connectivity – good stuff!


meraki05-1 Cisco Meraki Security Appliance Review
meraki05 Cisco Meraki Security Appliance Review

The mobile app is really killer.  However, I would like to see the capabilities expanded.  A bummer here is that you can’t really do any configuration changes – no adding firewall rules, etc.  The app is really only good for viewing.

The “Don’t Likes”

There are things I don’t like about the Meraki MX security devices.  As I mentioned early on in the post – the tweakable settings are very watered down.  You don’t really have the control that you may be used to or need for a particular environment.

Perhaps the most major down side to me with the Meraki appliances is that you have no built in visibility into what is happening.  You can’t see hits on firewall rules!  You have to use another solution to pull syslogs from the device and then consume the data that way.  Major bummer!

A few headaches I ran into also.  With DHCP, you only have the option to either proxy DNS or use public providers – OpenDNS, Google, etc.  It seems you can’t do both.  If you select a public provider, it seems this turns off the functionality of the device to proxy DNS requests.  So any statically assigned hosts you have, you must go back through and reassign DNS settings.  This was a pain for me.  However, I may have missed something that a Meraki ninja might know here, but the settings are fairly simple and don’t leave much room for configuration here.

merakisec05 Cisco Meraki Security Appliance Review

The Layer 7 rules are nice, but there were a few weird things here to me.  If you want to Deny countries with geolocation, you only have the options for all or nothing.  You can’t create a rule that allows to but denies from.

merakisec06 Cisco Meraki Security Appliance Review

Also, if you are used to firewall appliances that allow you to create groups of services which make things much easier as you build firewall rules, you can’t do that here.  Only simply firewall rules can be created that can combine ports as long as you don’t mix and match ranges and single ports.

Also, the Achilles heel of the cloud DNA and reliance on the cloud during configuration can be challenging.  Make sure you have another connection to the Internet on site.  If you have a configuration that isn’t working, that means you can’t get to the Internet to configure the device rules, etc.

Thoughts

Hopefully, this high level Cisco Meraki Security Appliance Review will help shed light on a few of the quirks of the Meraki platform.  However, I have to say that the more I use the platform the better I like it.  The cloud connectivity really does kick butt once you have things setup and configured.  The mobile apps that are just built into the Meraki platform are stellar and I can see these getting better.  If Meraki would provide built in visibility and real time logging on the firewall side of things to begin with, I think they could make a good product really great and competitive.  Most admins want the visibility and control they get with other firewall vendors.  All in all though this is a good product.  This post will continue to be updated on any additional thoughts and/or findings.