
Meraki

DEFEND can collect logs both via Syslog and from the Meraki Dashboard.

We recommend collecting the majority of Meraki logs via syslog over IPSec, as this can provide flow logs and more detail than the Dashboard APIs provide. However, some logs are only available through the Dashboard, so this should also be configured.

IPSEC VPN

Create a Site to Site Non-Meraki VPN Configuration with the following settings.

  • IKEv2
  • Remote Peer ID:
  • Custom Policy:
    • Phase 1:
      • Encryption: AES-256
      • Authentication: SHA256
      • PRF: SHA256
      • DH Group: 14
      • Lifetime: 86400
    • Phase 2:
      • Encryption: AES-256
      • Authentication: SHA256
      • PFS PRF: SHA256
      • PFS Group: 14
      • Lifetime: 28800
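
An added example, not part of the original page or of FoxTech's tooling: a Python check that compares a Non-Meraki VPN peer against the settings listed above and reports any drift. The JSON field names and value spellings (`ikeCipherAlgo`, `prfsha256`, `group14` and so on) are assumed to match the Dashboard API's third-party VPN peer objects and should be confirmed against your API version; the Remote Peer ID and the Phase 2 PFS PRF are not checked.

```python
import json

# Required values from the list above, keyed by the field names assumed for
# the Dashboard API's third-party VPN peer objects.
REQUIRED = {
    "ikeCipherAlgo": ["aes256"],           # Phase 1 encryption
    "ikeAuthAlgo": ["sha256"],             # Phase 1 authentication
    "ikePrfAlgo": ["prfsha256"],           # Phase 1 PRF
    "ikeDiffieHellmanGroup": ["group14"],  # Phase 1 DH group
    "ikeLifetime": 86400,
    "childCipherAlgo": ["aes256"],         # Phase 2 encryption
    "childAuthAlgo": ["sha256"],           # Phase 2 authentication
    "childPfsGroup": ["group14"],          # Phase 2 PFS group
    "childLifetime": 28800,
}

def audit_peer(peer):
    """Return the list of deviations from the required settings (empty = OK)."""
    findings = []
    if str(peer.get("ikeVersion")) != "2":
        findings.append(f"ikeVersion: expected '2', got {peer.get('ikeVersion')!r}")
    policy = peer.get("ipsecPolicies") or {}
    for field, expected in REQUIRED.items():
        actual = policy.get(field)
        # Lists must match exactly: an extra, weaker proposal offered next to
        # the required one still counts as drift.
        if actual != expected:
            findings.append(f"{field}: expected {expected!r}, got {actual!r}")
    return findings

# Constructed sample peers, not real exports.
GOOD = {"name": "defend", "ikeVersion": "2", "ipsecPolicies": dict(REQUIRED)}
DRIFTED = json.loads("""{
  "name": "defend-old", "ikeVersion": "1",
  "ipsecPolicies": {
    "ikeCipherAlgo": ["aes256", "tripledes"], "ikeAuthAlgo": ["sha256"],
    "ikePrfAlgo": ["prfsha256"], "ikeDiffieHellmanGroup": ["group2"],
    "ikeLifetime": 86400, "childCipherAlgo": ["aes256"],
    "childAuthAlgo": ["sha256"], "childPfsGroup": ["group14"]
  }
}""")

if __name__ == "__main__":
    for peer in (GOOD, DRIFTED):
        print(peer["name"], audit_peer(peer) or "matches required settings")
```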

Firewall Rules

If you have a restrictive outbound Site-to-Site firewall policy, add a Site-to-Site VPN firewall rule to allow syslog traffic:

From: Desired source subnets:  To: 10.227.0.10 TCP/UDP 514

Syslog

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration

Follow the instructions above to send syslog messages of all types to: 10.227.0.10

Meraki Dashboard

Through the Dashboard API, the SOC will collect:

  • Audit trail of changes to Meraki settings
  • Organisation-wide security events

To create an API key, follow the Meraki documentation linked below, and provide this to the SOC together with your Meraki Organisation ID.

https://documentation.meraki.com/General_Administration/Other_Topics/Cisco_Meraki_Dashboard_API

If you’re not using the Meraki Dashboard API for anything else, we recommend configuring the Dashboard to only allow API requests from the FoxTech DEFEND IP. This is the same Public IP used for IPSec or Agents.