
V1

CISCO TECHNOLOGY LAB


Provided by Comstor

Meraki MX - SASE
Welcome to the world’s most trusted secure
SD-WAN fabric.

Empowered with Secure Access Service Edge (SASE), converge networking and
security to deliver seamless, secure access—anywhere people work.
Meraki MX SD-WAN
Umbrella SIG - SASE

1 The LAB
1.1 Solution: Meraki MX
Deliver best-in-class network security and experiences for any workload, from anywhere.

CONNECT ANYONE, ANYWHERE:


Connect users at any location to public and private cloud environments or the data center.

ALL THE SECURITY:


Choose between powerful on-premises and cloud network security capabilities.

ANALYTICS, POWERED BY ML:


Get visibility of app performance across the LAN, WAN, ISP, and app server.

1.2 Solution: SASE


Hybrid workforces and multi-cloud environments increase operational complexity and can put
security resilience at risk.

- Network complexity is at odds with business agility and IT teams need more dynamic
solutions to get fast, flexible connectivity

- Without centralized control over policy, access, and identity, security teams can’t deliver
trusted, secure experiences at scale

- Unified SASE solutions provide rich visibility, proactive insight, and comprehensive control
for seamless IT management


1.3 LAB: Meraki MX + SASE


We invite you to work on real gear and perform real live tests using our stacks, which you can
access from anywhere.

Join us in this lab where we will empower your branch with security.
Furthermore, we will make sure your team can connect securely at home, in the office, anywhere.

First, we control and automate the WAN with Meraki SD-WAN


- VPN topologies
- Wan failover & SD-WAN traffic control & shaping
- Analytics & Insights

Second, we protect the branch with the MX's built-in security


- Firewall engine
- Content filtering & Threat protection

Third, we apply SASE through Umbrella, a redundant cloud security engine


- Deploy SASE Umbrella connector on SD-WAN
- Protect the branch
- Protect the hybrid worker

Lastly, we empower your teleworkers to work from home


- Umbrella (Deploy & dCloud)
- Duo (dCloud)

INFO -- Lab exercises: Every exercise in the lab is preceded by EX –


Contents
1 The LAB ... 1
  1.1 Solution: Meraki MX ... 1
  1.2 Solution: SASE ... 1
  1.3 LAB: Meraki MX + SASE ... 2
2 Your playground ... 5
  2.1 Webex - Your playground: Webex App ... 5
    EX -- Log in on Webex ... 5
  2.2 Meraki - Your playground: Meraki Dashboard ... 6
    EX -- Log in on Meraki Dashboard ... 6
  2.3 PC - Your playground: Take control over your test PC ... 8
    EX -- Log in on your test pc ... 8
  2.4 Umbrella - Your playground: Umbrella Dashboard ... 9
    EX -- Log in on Umbrella Dashboard ... 9
3 Prep your lab ... 10
  3.1 WAN Setup: Route traffic through WAN Emulator ... 10
    EX – Enable your WAN emulator ... 10
  3.2 WLAN Setup ... 12
    EX – Update WLAN : Bridging ... 12
4 MX SD-WAN ... 14
  4.1 Establish VPN ... 14
    EX – Establish VPN ... 14
  4.2 Dynamic WAN fail-over ... 17
    EX – Establish WAN Failover ... 17
    EX – Voice & Video SLA ... 18
  4.3 SD-WAN Traffic control & shaping ... 22
    EX – HQ traffic: Low priority file downloads ... 22
    EX – SaaS traffic: Low priority file downloads ... 24
  4.4 Insight ... 26
  4.5 Web App Health ... 27
    EX – Investigate Web applications ... 27
  4.6 WAN Health ... 28
    EX – Investigate Your WAN connections ... 28
5 MX Security ... 29
    EX – Configure Split Tunnel VPN ... 29
  5.1 (Layer 7) Firewall rules ... 30
    EX – Define layer 7 firewall rules ... 30
  5.2 Content Filtering ... 31


    EX – Set content filtering ... 31
  5.3 Enable Threat Protection ... 33
    EX – enable advanced malware protection ... 33
  5.4 Retrospective Threat Protection (INFORMATIONAL) ... 37
  5.5 Extra Info: Retrospective Alerts ... 39
6 SASE ... 41
  6.1 Disable protection on MX ... 42
    EX – Disable MX configuration ... 42
  6.2 Deploy SASE (SIG) on Meraki ... 43
    EX – Verify Umbrella SD-WAN connectors configuration ... 43
  6.3 Connect your branch MX to Umbrella ... 45
    EX – Connect Branch to Umbrella ... 45
  6.4 Umbrella Protection ... 47
    EX – Connect Branch to Umbrella & Test out ... 47
7 The Hybrid worker ... 53
  7.1 UMB - The Hybrid worker: Cloud security ... 53
  7.2 UMB - The Hybrid worker: SIG-Based Cloud security ... 54
    EX – Activate SIG Umbrella on your protected device ... 55


2 Your playground
We have prepared 2 dashboards for you. One to control your on-prem network, the other to
control your cloud security policies.

The first one, the Cisco Meraki dashboard, is a powerful cloud dashboard to monitor and manage
your network devices.

The security dashboard for today is Umbrella Dashboard. We will use this dashboard
throughout the course to regulate and secure web and cloud applications for our users.

2.1 Webex - Your playground: Webex App


Let’s connect!

Create a live connection to your trainer so you can rely on real-time support.
Therefore, the first step is to create an account (if you don’t have any yet) and participate
during the training.

EX -- Log in on Webex

• Go to https://web.webex.com
• Login (or create an account) – Using the web version or the app version.
• Communicate your login email to the trainer (so you can be added to the team)


2.2 Meraki - Your playground: Meraki Dashboard

This dashboard is built for Managed Services providers and can support
most of the core services needed by MSPs.

For this training we will only use the dashboard to configure our network
components.

EX -- Log in on Meraki Dashboard

You should have received an email to accept access to your station.

Click on the link in the email to accept access to your lab.

IMPORTANT: Make sure you clicked on YES. If not, go back to the email and click again on the URL.


Go to http://dashboard.meraki.com & log in with your own email address.

You have read rights in multiple networks in this lab but only 1 belongs to you.
Click on the dropdown arrow on the left to locate your network.

Can you see your networks? Great!

Now open your own network:


# Virtual LAB … #

You can only save changes in your own network! All the
others are read-only.

Locate the topology overview in the ‘Network-wide’ settings. Make sure all 3 devices
are online.

Can you log in to the dashboard? Click on your button to confirm.

POD1 POD2 POD3 POD4 POD5 POD6 POD7 POD8 POD9 POD10


2.3 PC - Your playground: Take control over your test PC


Where is the fun in building a business network without having a wireless client?
Use remote desktop to take over a wireless client that sits in your new network.

EX -- Log in on your test pc

Open a browser session to https://emea.comstorlabs.com:3100

Login

POD#   Username    Password
1      comstor1    <Ask trainer>
2      comstor2    <Ask trainer>
3      comstor3    <Ask trainer>
4      comstor4    <Ask trainer>
5      comstor5    <Ask trainer>
6      comstor6    <Ask trainer>
7      comstor7    <Ask trainer>
8      comstor8    <Ask trainer>
9      comstor9    <Ask trainer>
10     comstor10   <Ask trainer>

Are you on the test PC? Can you read your station number on the desktop?

POD1 POD2 POD3 POD4 POD5 POD6 POD7 POD8 POD9 POD10


2.4 Umbrella - Your playground: Umbrella Dashboard

The second part of the lab is all about secure DNS and WEB policies.
These actions will be performed on the Umbrella dashboard.

EX -- Log in on Umbrella Dashboard

Go to https://dashboard.umbrella.com

• Username: comstor.labs@gmail.com
• Password: <ASK TRAINER>


3 Prep your lab


3.1 WAN Setup: Route traffic through WAN Emulator
EX – Enable your WAN emulator

By routing traffic through a WAN emulator, we can control aspects like delay, jitter, packet loss,
and more.

Connect WAN 1 to your WAN emulator.

Route traffic over the emulator by changing the Default GW of your WAN1.

Security & SD-WAN > Appliance Status | Uplink


Click on the edit icon next to WAN 1

Change the default gateway of WAN 1:


• Default Gateway Station 1: from 10.101.0.1 to 10.101.0.254
• Default Gateway Station 2: from 10.102.0.1 to 10.102.0.254
• Default Gateway Station 3: from 10.103.0.1 to 10.103.0.254
• Default Gateway Station 4: from 10.104.0.1 to 10.104.0.254
• Default Gateway Station 5: from 10.105.0.1 to 10.105.0.254
• Default Gateway Station 6: from 10.106.0.1 to 10.106.0.254
• Default Gateway Station 7: from 10.107.0.1 to 10.107.0.254
• Default Gateway Station 8: from 10.108.0.1 to 10.108.0.254
• Default Gateway Station 9: from 10.109.0.1 to 10.109.0.254
• Default Gateway Station 10: from 10.110.0.1 to 10.110.0.254

Note: The new gateway doesn’t change instantly. It takes several minutes before the new gateway
is accepted.


WAN 1 FAILED?

Inform the trainer and ask to restore the WAN emulator

WAN Emulator still unreachable?

It can happen that the emulator malfunctions. When this happens: Don’t panic, this has
no influence over the course of the lab. Only a few tests cannot be performed.

• Change default gateway back to previous address.


• Skip the WAN Emulator test steps


3.2 WLAN Setup

Your test client needs to receive an IP address from your internal switched network. Therefore, set
your wireless to bridging.

EX – Update WLAN : Bridging

You will need only 1 Wireless WLAN.


• Change its name to Office-X (X = your station number)
• Set to Bridge Mode

Rename your wireless network.


Wireless > SSIDs | Rename

Set the name of your network to ‘Office-X’ (X = your station number)


Save changes

Update IP assignment.
Wireless > Access Control

Keep security to ‘Open’ for easy testing


Client IP and VLAN > External DHCP server assigned: Bridged
Save changes

Allow connections from WLAN to LAN.


Wireless > Firewall & traffic shaping

Under Block IPs and ports > Outbound rules: Set Allow for Local Lan
Save changes

Test out by connecting your client to the WLAN.


Troubleshooting: network connection

If you fail to get an IP address, reboot your test station.


4 MX SD-WAN
SD-WAN?

Software-defined wide area networking (SD-WAN) doesn’t need to be a mystery. In essence,
it’s technology that simplifies the operation and management of the many network
connections between sites in an organization.

SD-WAN lets you control how traffic is directed and prioritized across multiple uplinks, and
enables your network to immediately and intelligently adapt to changing performance
conditions — ensuring latency-sensitive traffic like VoIP or point-of-sale services have the
throughput and optimization they need.

And we are going to learn just that!

4.1 Establish VPN


EX – Establish VPN

In this section we will learn to build a ‘traditional’ full tunnel VPN from our branch to the HQ.

FULL TUNNEL?

Traditionally this was the way to go when building site-to-site VPN connections.
A full tunnel allows you to send all traffic to 1 location where all your security power sits, the HQ.
After filtering and inspecting the traffic, the door to the WWW would open.

A full tunnel is not always needed in an SD-WAN design and we gradually learn to shift from a
full tunnel to a full SD-WAN design, where we will apply the needed security on the branch
and/or in the cloud.

This section proves how easy it is to scale your network with a new branch MX.
• Setup VPN using AutoVPN as SPOKE to HQ in a Full tunnel
• Let your local LAN participate in the VPN


Activate your VPN.


Security & SD-WAN > Site-to-site VPN

Type: Spoke
• This defines your branch site on a point of a star topology
Hub: HQ
• This defines your HQ as the center of our star topology
• All internal data of other sites will be sent through HQ
IPv4 default route: Enable
• You will route all traffic through HQ (also web traffic)
VPN Settings > Local Networks: Enabled
• The local subnet will participate in the VPN

Non-Meraki VPN peers

On this page you can also build a VPN connection to non-Meraki products. This is only
recommended when just a VPN is required. VPN peers in this section do not participate in
the SD-WAN optimisation and control.


Test VPN

Log in with your test client and try to reach the HQ site.
Test this out by accessing a web server on the HQ site.

• Connect to your SSID: Office X (where X = your station number)


• Access the web server: 10.50.0.100

Your site-to-site VPN is established, next we will build our SD-WAN.


4.2 Dynamic WAN fail-over


EX – Establish WAN Failover

Each MX is equipped with 2 WAN connections.


- DSL (WAN1)
- MPLS (WAN2)

Constant measurements are being performed over these connections and we will create SLAs
per application that we detect over the WAN.

The 4G failover is our third connection, which activates only when the primary 2 connections fail.

Meraki Auto VPN

Set DSL as your primary WAN for general traffic & build VPNs over all your WAN
connections.

Security & SD-WAN > SD-WAN & traffic shaping | Uplink selection
Make sure that:
• Primary uplink: WAN 1
Use DSL as default for all general traffic over our WAN
• Load balancing: Disabled
We only use the expensive 2nd connection when SLA is not met.
Note: you can load balance traffic if this is needed.
• Active-Active AutoVPN: Enabled
In a normal MPLS network, VPN is not required. We keep it active today.

Note: even when WAN1 and WAN2 fail we can opt for a cellular backup. Changing the
outbound rules that will apply when this happens can be found under ‘Firewall’. For now, all
backup traffic is allowed over 4G.


EX – Voice & Video SLA

Real-time traffic (like voice and video) is susceptible to latency.


We would like to optimally use our DSL connection, but voice and video traffic should fail over
to MPLS from the moment DSL is underperforming.

Luckily, our MX is constantly monitoring the state and performance of all the WAN
connections.

We will set an SLA rule for Voice and Video traffic:


- Use DSL (WAN1)
- SLA: 150ms delay; 30ms Jitter; 1% loss
- Failover to WAN2 when WAN1 is under performing

Set SLA rule for Voice and Video traffic.

Security & SD-WAN > SD-WAN & traffic shaping | SD-WAN policies
Create a custom performance class:
• Name: Voice Video
• Max Latency: 300 ms
• Max Jitter: 30 ms
• Max loss: 1%
Save

Security & SD-WAN > SD-WAN & traffic shaping | VPN traffic
Add a preference:
• Traffic filter: All Voice & Video
• Traffic filter: Custom expression: ICMP
We will use ping for our test
• Preferred uplink: WAN 1
• Fail over if: Poor performance
• Performance class: Voice Video
This is our created performance class.


WAN Emulator: Test your Voice SLA rule.

Open the WANemulator on your test PC.


Web browser to:

POD#   WAN Emulator
1      http://10.20.0.121/WANem
2      http://10.20.0.122/WANem
3      http://10.20.0.123/WANem
4      http://10.20.0.124/WANem
5      http://10.20.0.125/WANem
6      http://10.20.0.126/WANem
7      http://10.20.0.127/WANem
8      http://10.20.0.128/WANem
9      http://10.20.0.129/WANem
10     http://10.20.0.130/WANem

If a previous setting is still active, click on the button Stop WANem

Start a persistent ping and notice a normal delay.


 ping 8.8.8.8 -t


Confirm that traffic flows over WAN 1

We face an acceptable delay for voice and video. This means that WAN 1 will be
chosen.

Security & SD-WAN > VPN Status | Uplink decisions


Search for: 8.8.8.8

We notice (as expected):


- Uplink decision: WAN 1
- Policy: Prefer WAN 1. Fail over if poor performance for "Voice Video"

WAN Emulator: Increase delay on WAN 1 by 300 ms

Go back to your test PC and increase the delay on eth0 & eth2 by 300 ms.
We will notice:
- A short increase in delay (instant)
- Delay is restored to acceptable values (after a few seconds)


Confirm that traffic failed over to WAN 2

Security & SD-WAN > VPN Status | Uplink decisions


Search for: 8.8.8.8

We notice (as expected):


- Uplink decision: WAN 2
- Reason: Performance-based
- Policy: Prefer WAN 1. Fail over if poor performance for "Voice Video"

WAN Emulator: Stop WAN emulation and notice that traffic is restored to WAN 1

Click on the button Stop WANem


Restoration time is about 1 minute.

Check the uplink decisions on the dashboard to confirm that ICMP & voice traffic
has been restored to WAN 1.
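The failover exercise above can be reasoned about before touching the dashboard. The following is an added illustration, not Meraki code: a small model of the "Prefer WAN 1, fail over if poor performance for 'Voice Video'" policy applied to constructed probe samples, including the WAN emulator step that adds 300 ms of delay. The metric values, the dampening window used to mimic the ~1 minute restoration time, and the behaviour when no uplink meets the class are assumptions of this model, not Meraki's implementation.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class PerformanceClass:
    """Custom performance class as created under SD-WAN policies."""
    name: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

    def is_met(self, m: UplinkMetrics) -> bool:
        # All three thresholds must hold for the class to be satisfied.
        return (m.latency_ms <= self.max_latency_ms
                and m.jitter_ms <= self.max_jitter_ms
                and m.loss_pct <= self.max_loss_pct)


@dataclass(frozen=True)
class UplinkMetrics:
    """One probe sample for an uplink (the MX measures these continuously)."""
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    up: bool = True


@dataclass(frozen=True)
class Decision:
    uplink: str
    reason: str
    policy: str


# The class built in the lab: 300 ms latency, 30 ms jitter, 1% loss.
VOICE_VIDEO = PerformanceClass("Voice Video", 300, 30, 1)


def decide_uplink(preferred: str, pclass: PerformanceClass,
                  metrics: dict[str, UplinkMetrics]) -> Decision:
    """Pick the uplink for one probe interval under a 'poor performance' policy."""
    policy = f'Prefer {preferred}. Fail over if poor performance for "{pclass.name}"'
    pref = metrics.get(preferred)
    # 1. Preferred uplink is up and within SLA: stay on it.
    if pref is not None and pref.up and pclass.is_met(pref):
        return Decision(preferred, "preferred", policy)
    # 2. Otherwise the first other uplink that is up and meets the class wins.
    #    "performance-based" when the preferred link is merely degraded,
    #    "failover" when it is down.
    for name, m in metrics.items():
        if name != preferred and m.up and pclass.is_met(m):
            degraded = pref is not None and pref.up
            return Decision(name, "performance-based" if degraded else "failover", policy)
    # 3. ASSUMPTION of this model: if nothing meets the class, stay on the
    #    preferred uplink while it is up, else use any uplink that is up.
    if pref is not None and pref.up:
        return Decision(preferred, "preferred (no uplink meets SLA)", policy)
    for name, m in metrics.items():
        if m.up:
            return Decision(name, "failover (preferred down)", policy)
    return Decision("none", "no uplink available", policy)


def sample_metrics(added_delay_ms: float, wan1_up: bool = True) -> dict[str, UplinkMetrics]:
    """Constructed samples: WAN 1 (DSL) baseline plus emulator delay, WAN 2 (MPLS) steady."""
    return {
        "WAN 1": UplinkMetrics(25 + added_delay_ms, 5, 0.0, up=wan1_up),
        "WAN 2": UplinkMetrics(40, 8, 0.2),
    }


def lab_scenario(added_delay_ms: float, wan1_up: bool = True) -> Decision:
    return decide_uplink("WAN 1", VOICE_VIDEO, sample_metrics(added_delay_ms, wan1_up))


class UplinkTracker:
    """Adds dampening: after a failover, require `restore_samples` consecutive in-SLA
    probes on the preferred uplink before moving back. This mimics the restoration
    delay seen in the lab; the sample count is an assumption, not a Meraki value."""

    def __init__(self, preferred: str, pclass: PerformanceClass, restore_samples: int = 6):
        self.preferred, self.pclass = preferred, pclass
        self.restore_samples = restore_samples
        self.current = preferred
        self.good_streak = 0

    def observe(self, metrics: dict[str, UplinkMetrics]) -> str:
        d = decide_uplink(self.preferred, self.pclass, metrics)
        if d.uplink == self.preferred and self.current != self.preferred:
            self.good_streak += 1
            if self.good_streak < self.restore_samples:
                return self.current  # not stable long enough: stay failed over
        else:
            self.good_streak = 0
        self.current = d.uplink
        return self.current


if __name__ == "__main__":
    for delay in (0, 300):
        d = lab_scenario(delay)
        print(f"+{delay} ms on WAN 1 -> {d.uplink} ({d.reason})")
```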


4.3 SD-WAN Traffic control & shaping


EX – HQ traffic: Low priority file downloads

Centrally, we store a lot of our company files.

Because of the size of these files, we will do the following:


- Use DSL (WAN1)
- Failover to WAN2 when WAN1 is down
- Priority: Low
- Bandwidth: Limited

Set SLA for file transfer to/from the file server.

Security & SD-WAN > SD-WAN & traffic shaping | Traffic shaping rules
Create a new rule:
• Custom expressions: 10.50.0.100
Click add expression
• Bandwidth limit: 100 Kbps
We keep it low for testing purposes. In production you want to increase
this value.
• Priority: Low
Define bandwidth priority
• DSCP Tag: 0
Define WAN priority: the MX will maintain the DSCP tags in the tunnel and
also copy them to the IPsec header, which can be read, for example, by the ISP

Priority:
Specifying a traffic shaping rule as High, Normal, Low guarantees a certain fraction of the
uplink to each priority level. The ratios are as follows:
o High 4/7
o Normal 2/7
o Low 1/7

MORE INFO & examples.


Test your shaping rule.

On your test PC, download a file from the HQ file server


Web browser to: http://10.50.0.100/files/test.tar

Notice:
- Around 12.7 KB/s (= 100 Kbps)


EX – SaaS traffic control


In this section, we will control SaaS traffic.

Set traffic shaping rules for:


- Netflix
- Audio Video
- Software updates

Set SLA for the following SaaS applications:

Security & SD-WAN > SD-WAN & traffic shaping | Traffic shaping rules
Create new rules for:
• Allow 2Mbps to the host ‘speedof.me’ & port 443
• For Netflix & YouTube, shape traffic to 1024 K down, 512 K up. Ensure this kind of traffic is
also handled as low priority
• For all voice and video conferencing, remove all bandwidth restrictions and ensure they
are high priority
• Limit all software and AV updates to 100 kbps with priority ‘Low’

Disable the default shaping rules.

Tip for destination & port definitions:

o Simply add the port number in the definition.


Test your shaping rule.

• Go to Windows Update and start the update.
(Notice how slow the download goes)

• Web browser to speedof.me (Notice the 2 Mbps up and down)


4.4 Insight
Your beloved collaboration tool doesn’t work as expected?

The first challenge for the IT admin is where to start troubleshooting.
Insight can help you here.

Applications that use resources on the internet (‘SaaS’) leverage the local network AND the
public internet. When such an application works slowly or has connection problems,
we have absolutely no idea where to start troubleshooting. With Insight you have a breakdown
of all the elements in between and a report on each, allowing you to pinpoint where the
problem might lie.


4.5 Web App Health


We have selected a pre-defined list of applications that we would like to track. Adding
applications requires Organisational Admin rights; you have Network Admin rights and
Organisational Viewing rights. This means that you cannot save any new list in this network.

EX – Investigate Web applications

Insight > Web App Health

Scroll to the bottom and click on ‘Configure Web Applications’ to discover the apps that can be
monitored. Close window afterwards and scroll back up.

Select a SaaS application that has already been used in your network.
In one overview you can detect where web applications are underperforming and where the
issue might be (LAN | WAN | SaaS SERVER).

If enough software download has been generated, you should see your network in the list.
If not, select another network from the list.

Click on one of the icons to start investigating the network performance of every section.

WAN & LAN: get an idea of the application performance over these networks.

Application: displays information about the Application-Layer performance that has been
gathered from traffic flows matching the selected Web Application. Can you identify the average
response time of the application?


Clients: displays information about each client that has used the specified Web Application
during the selected time period. The information includes the average Performance Score for a
given client and the current application, the number of requests the client has made, and the
average HTTP Response Time.

Servers: displays information about the remote Web Servers that have been utilized by the
Tracked Web Application during the chosen time period. This can be useful to help identify if
there is a specific Web Server that could be contributing to application issues.

Domains: displays information about different Web Domains that have been contacted by the
selected Web Application. Similar to the Servers tab, this can be useful to determine if there is a
specific domain that could be contributing to application performance issues.

4.6 WAN Health


The WAN Health feature is designed to monitor ISP uplinks across organization networks. In
addition to monitoring, WAN Health helps proactively troubleshoot ISP uplink issues such as
"Poor Performance" ISP or "High Usage." It also helps keep track of primary, secondary and
LTE uplinks all together in one place.

EX – Investigate Your WAN connections

What is your best performing WAN connection at this moment?


5 MX Security
It makes sense to enable security on our MX. One of the benefits would be to build a direct
internet breakout, instead of tunnelling all traffic over HQ.

EX – Configure Split Tunnel VPN

Disable the full tunnel

This will route web traffic directly out to the internet.

Security & SD-WAN > Site-2-site VPN


Disable IPv4 default route


5.1 (Layer 7) Firewall rules


BitTorrent is used frequently in your office. Make sure that this traffic is blocked. Secondly, as
preparation for our Umbrella configuration, block DNS requests to Google.

EX – Define layer 7 firewall rules

Set the following Layer 7 rules

Security & SD-WAN > Firewall

o Completely block the P2P > BitTorrent. (Layer 7 firewall rule.)


o Block the DNS port to 8.8.8.8

Run a DNS request to 8.8.8.8 (Google) on your TEST PC.


 nslookup www.comstor.com 8.8.8.8


5.2 Content Filtering


It is better to prevent connections to potentially infected or potentially addictive websites. Let’s
block connections to gaming and adult websites for your employees.

EX – Set content filtering

Block Shopping and Gambling websites. Click on the full category list link to understand the
other categories.
Above this setting, make sure to set the URL category list size to Full list.

Security & SD-WAN > Firewall

Your employees are required to follow the live technology update sessions to stay up to date
with what they work with. But please prevent them from entering all other subdomains, like
the on-demand recording sites, to stimulate the employees to attend the live sessions.

Block the URL ‘www.google.com’

Curious whether your adjustments have an impact on the clients in your network? Test it out! Note
that the block behaviour differs between HTTP and HTTPS. With HTTP the MX can feed a block page
into the conversation; with HTTPS it cannot get inside the encrypted session, so in that case the
connection is forced to time out.

Enable search filtering


Test Content filtering


o Wait until the configuration is synched to the MX

o Try to access the shopping site amazon.com

o Try to access ‘www.google.com’

o Open 'YouTube' and notice that safe search is on. This cannot be switched off by the user.
The same is active for Google.


5.3 Enable Threat Protection


Blocking potentially infected websites alone is not sufficient. Malware can slip in via many
other sources. First of all, make sure your browser's own security protections do not get in the
way, so that the MX is tested to the fullest!

EX – enable advanced malware protection

Navigate to Security & SD-WAN -> Configure -> Threat protection.


Enable Advanced Malware Protection (AMP), as shown below.

Set the Intrusion detection and prevention to Prevention with a Security ruleset.

Wait until the configuration is synched to the MX before running your tests.


TEST #1 - Imitate an employee and try to download malware onto their PC.

Open Firefox, paste this link in the address bar, and click on the EICAR test.
https://www.wicar.org/test-malware.html

It is likely that Firefox also detects the malware and refuses the connection. This is obviously a good
thing. To bypass Firefox's warning and continue the test, click on Ignore the risk.

The connection is correctly cut by your MX.


If this file is blocked, your malware engine works. Check the Security Center:
Security & SD-WAN > Security Center

See the logging on:


Security & SD-WAN > Security Center > MX Events


Navigate to 'Security Center' and find out where the attacks came from.

Notice that from here you can block the IP or the complete region.

FYI: in case of an EXPLOIT or FILE DOWNLOAD

Switch to 'Event View', investigate the Malware events and locate the Rule ID of an EXPLOIT-KIT
(if present) or FILE-OTHER (if present).

If present, identify the SNORT summary of the EXPLOIT-KIT/FILE-OTHER via 'Rule details' and
inspect this packet.

If not present, investigate a blocked file and look it up on VirusTotal.


FYI: Read-only pages; No exercises

5.4 Retrospective Threat Protection (INFORMATIONAL)

Feel free to generate more test traffic yourself. Try to find a file that will get through the firewall.
Usually test sites from competing vendors contain files created on the fly that will only be
blocked by their own firewalls. Inspect how Meraki UTM reacts to unknown files.

Enable ThreatGrid (15 submissions maximum).

Below is a test we ran with newly created malware, downloaded on our TEST PC. This will not be
discovered at first by AMP.

We selected 'Unknown Disposition' in Security Center and found the malware files that got
through.

The file will be allowed to pass through but after Cisco understands this is a threat it will update
all UTMs out there and retrospectively alert you to clean up the threat.

The reason for the delay here is that we have to hear back from the ThreatGrid API after the file
has detonated; this can take up to 3 hours to show.

After the result comes back and it is found to be malware, it will show up like this. This will take
several hours.


FYI: Read-only pages; No exercises

INFORMATIONAL: (http://10.50.0.100/sample.zip) is released in a VM and ThreatGrid will report about
the behaviour of the file.

INFORMATIONAL: (http://10.50.0.100/sample2.zip) is also released in a VM and ThreatGrid will report
about the behaviour of the file.


FYI: Read-only pages; No exercises

5.5 Extra Info: Retrospective Alerts

The file downloaded in the above section will actually result in an AMP retrospective alert and
the disposition of the file hash will change in the AMP database. The time taken for this alert to
arrive is variable and depends on many factors, but is usually in the order of 2-6 hours. As such,
you might not see it in this lab. Therefore, we have included screen grabs of the process that
the retrospective alert will follow for your information. A ThreatGrid License is required for this
function.

First, the alert will only arrive if the appropriate alerting setting is enabled. To ensure it is,
navigate to ‘Network-wide->Configure->Alerts’ on most standard dashboards or ‘Network-
wide->Configure->General’. You will be presented with the following:

This will result in an email being received at the configured alerting email address. It looks like the
following:


FYI: Read-only pages; No exercises

The purpose of this email is to make users/administrators log back into the dashboard to
investigate. Clicking on the 'investigate the impact here' section of the email takes the user to
Security Center (Security & SD-WAN -> Monitor -> Security Center), which will look like this:

If we drill into the content by clicking on the link under 'Threat Name' we get the following
additional information:

If we then move to 'Event' view (by clicking on 'Events'), click on the file in question and
select 'Show this file only', it then shows the file disposition changed event and when the file
was originally analysed.


6 SASE
In this exercise we learn how to roll out cloud security to enforce a secure online behaviour for
all our employees.

All our sites are fully protected by a redundant cloud security SASE solution.
Important to note: Your Umbrella nodes are fully operating in your SD-WAN.

This design provides the following use cases:

• Inspect all internet-bound traffic at scale from a single cloud-delivered platform.
• Manage and monitor both network devices and their security policies from simple
cloud-based solutions.
• Network administrators want to manage the entire set of security policies for all SD-WAN
branches using a single pane of glass.
• Organizations want to exclude guest traffic or high bandwidth application traffic from
cloud security services.
• Organizations want to utilize a unified cloud-based security solution without incurring
additional costs from interconnecting it to their existing Meraki network solution.

Requirements:
o Umbrella SIG Essential or SIG Advantage
o Meraki MX 14.00+ firmware versions

The UMB-SIG device does not require any additional licensing and is included as part of your
MX licensing purchase (as long as you have SIG licensing on the Umbrella dashboard).

Meraki MX SDWAN Plus Licensing is required for exclusion of Layer 7 Application traffic from
the Auto VPN to Umbrella SIG.


6.1 Disable protection on MX


To show the power of Umbrella, we need to deactivate protection on MX first.

In production you can leave both on, or choose either of the two solutions to protect your branch.

EX – Disable MX configuration

Disable AMP.
Security & SD-WAN > Threat protection

• AMP: Disabled
• IPS: Disabled

Disable content filtering.


Security & SD-WAN > content filtering

Remove:
• Category blocking
• URL filtering
• Search filtering: Disabled
• Restricted YouTube content: Disabled


6.2 Deploy SASE (SIG) on Meraki


EX – Verify Umbrella SD-WAN connectors configuration

Deployment of the Umbrella connectors has to be done once for the entire organisation.
For this reason, this has already been performed.

The steps below are the steps that have been done; feel free to review them.

An Umbrella connector is a Meraki vMX that is deployed in the Umbrella cloud and
connected to your SD-WAN.
2 connectors will automatically be deployed to provide fail-over redundancy.

Create a Legacy Management Key

FYI - No exercises

- Umbrella Dashboard > Admin > API Keys > Legacy Keys
- Create the Umbrella Management Key

Enable Cloud on-ramp

FYI - No exercises

- Organisation > Cloud On-ramp
- Connect to Umbrella using the Management API key (above)


Start the deployment of your virtual MXs

FYI - No exercises

If you already have an MR-ADV integration, you won't be able to enable the Meraki
Umbrella SD-WAN Connector. A new Meraki Org is needed.
If you have already linked your Meraki Org to an Umbrella SIG Org, you will need to use
that Umbrella Org and won't be able to link your Meraki Org to a different Umbrella SIG
Org.
Meraki Umbrella SD-WAN Connector is available with the MR and MX DNS integrations.

Choose the Data Center (DC) location pair where the Connectors will be deployed

FYI - No exercises

Input a name for the Connector network and choose the DC locations. This will create 2
networks, with a connector in each located at the chosen locations.

Verify if the connection is successful in the Meraki dashboard

Organization > Cloud On-Ramp > Deployments


6.3 Connect your branch MX to Umbrella


EX – Connect Branch to Umbrella

The branch MX needs to be configured as a Spoke on the Site-to-site VPN page, and the
deployed connectors need to be configured as Hubs.

This will result in the following VPN topology:


• Your branch is the Spoke
• HQ & Umbrella connectors are the Hubs
• SaaS traffic will be sent to the Umbrella connectors
(This is done automatically, no default route required)

Security & SD-WAN > Site-to-site VPN

DO NOT select the 'Default route' option, as the Connector Hubs advertise a default route to
Umbrella SIG for all connecting spokes.


Test traffic flowing over the WAN and Umbrella to the internet.

Initiate a ping on your test pc and confirm that the route of traffic flows through the Umbrella
connectors. Remember that ICMP takes the same route as Voice and video calls
(ref. SD-WAN section in this lab guide).

Security & SD-WAN > VPN status | Uplink decisions

We can confirm that:


• ICMP (as for Voice & Video) is using our pre-defined SD-WAN policy
• Primary uplink WAN 1
• Failover when performance is low
• Route through our vMX in the Umbrella cloud, located in Paris.
Note: this can be Prague in your example.


6.4 Umbrella Protection


EX – Connect Branch to Umbrella & Test out

With the deployment of the Umbrella connector, comes a Network Tunnel Identity.
In our topology, we therefore have 2 Tunnels.

We can and will apply policies on each tunnel.

Outgoing traffic

Traffic to the internet will take one of the 2 tunnels. These tunnels will run through our MX-
SASE policy and our Firewall policy

MX-SASE
This WEB policy is refined in the Umbrella dashboard, and contains:
- Block Unwanted (unwanted content is blocked, like gaming)
- Block News (News sites are blocked, like theguardian.com)
- DNS Security is applied (like Malware, CnC, Phishing)

Firewall Policy:
- Block communication over port: 333, 777, 888
- Block communication to 157.240.22.35
- Block Torrent applications

Incoming traffic

IPS is enabled:
- In Protection mode
- Sensitivity: Security over connectivity – deep inspection of traffic


Test: Web Policy (Outgoing traffic)

Investigate the Web Policy that will be applied to both tunnels.


Umbrella dashboard > Policy > Web Policy | MX-SASE

Notice that game sites are being blocked as part of our content ruleset.
Test this out with your test PC.

Review the activity going through the Umbrella SASE cloud.


Umbrella dashboard > Reporting > Activity Search


Test: Firewall Policy (Outgoing traffic)

Investigate the Firewall Policy that will be applied to both tunnels.


Umbrella dashboard > Policies > Firewall Policy

Notice that connections to 157.240.22.35 are being blocked as part of our Firewall ruleset.
Test this out with your test PC: start a ping to 157.240.22.35.

Review the activity going through the Umbrella SASE cloud.


Umbrella dashboard > Reporting > Activity Search


Review: IPS Policy (Incoming traffic)

Investigate the IPS settings that will be applied to both tunnels.


Umbrella dashboard > Policies > Firewall Policy | IPS Settings (top-right)

Note: Security Over Connectivity is selected.

Review the IPS Rule.


Umbrella dashboard > Policies > IPS Signature Lists | open the active list

Here you can review the HIT Count when a rule has been triggered.


TEST Malware - Imitate an employee and try to download malware onto their PC.

Open Firefox, paste this link in the address bar, and click on the EICAR test.
https://www.wicar.org/test-malware.html

It is likely that Firefox also detects the malware and refuses the connection. This is obviously a good
thing. To bypass Firefox's warning so that Umbrella can be tested, click on Ignore the risk.

The connection is now cut by Umbrella.
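The EICAR download test above, and the identical test against the MX in section 5.3, can be verified from the test PC with the script below instead of judging by eye in the browser. It is an added example, not part of the lab guide; it assumes the caller passes the URL of the actual EICAR file that the wicar.org test page links to, which is not reproduced here.

```python
"""Added example, not from the lab guide: confirm from the test PC whether an EICAR
download was stopped by the MX (section 5.3) or by Umbrella (section 6.4).

Assumption: the caller passes the URL of the actual EICAR file that the wicar.org
test page links to (that link is not reproduced here)."""
import hashlib
import urllib.error
import urllib.request

# The EICAR string is the published, harmless anti-virus test pattern (68 bytes).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Its well-known SHA-256, the hash you would paste into VirusTotal.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_download(body: bytes, status: int) -> str:
    """Classify what actually arrived at the PC.

    'passed'        - the EICAR bytes got through: the engine did NOT block it
    'blocked-empty' - nothing came back: connection cut / timed out (the HTTPS case)
    'blocked-page'  - an HTML page or error status replaced the file (the HTTP block page)
    'unknown'       - something else; inspect manually
    """
    if sha256_hex(body.strip()) == EICAR_SHA256 or EICAR in body:
        return "passed"
    if not body:
        return "blocked-empty"
    if status >= 400 or b"<html" in body[:4096].lower():
        return "blocked-page"
    return "unknown"


def fetch(url: str, timeout: float = 15.0):
    """Return (HTTP status, body); status 0 means the connection never completed."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:   # block pages often come with a 4xx status
        return err.code, err.read()
    except OSError:                          # URLError, socket timeout, reset: cut by the UTM
        return 0, b""


def run_test(url: str) -> str:
    status, body = fetch(url)
    verdict = classify_download(body, status)
    print(f"{url}: status={status} bytes={len(body)} verdict={verdict}")
    return verdict


if __name__ == "__main__":
    import sys
    # Usage: python eicar_check.py <direct EICAR file URL from the wicar.org test page>
    sys.exit(0 if run_test(sys.argv[1]).startswith("blocked") else 1)
```

Run it once with the MX protection enabled and once after section 6.1 with only Umbrella active; a 'passed' verdict in either case means that engine let the test file through.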


Review the malware attempt in the dashboard

You can review the threats in your network that tried to break out of your site.
Umbrella dashboard > Reporting > Security Activity

The connection attempt is also reported in the activity search.


7 The Hybrid worker


In a hybrid office we need to secure our employees, wherever they are connected from.
From home, on the road, from customers, everywhere.

7.1 UMB - The Hybrid worker: Cloud security


In this exercise we learn how to roll out cloud security to enforce a secure online behaviour for
all our employees, everywhere they go.

We have 2 options to activate Umbrella Cloud Security on our protected devices.

Option 1 - The stand-alone Cisco Umbrella Roaming Client.

This is an easy way to extend all DNS Policies we have seen so far to all workstations,
resulting in DNS-based security wherever we work from.

Side-Note:
How efficient is Cisco Umbrella with blocking these security categories?
The below results are published by AVTest (https://www.av-test.org/en/), an
independent IT Security Institute. The test released 3682 attacks on systems
protected by different Cloud Security vendors. The results of this test indicate that
Cisco Umbrella outperformed the other vendors' detection rates.

Vendor Package Detection rate (3,154 tests)

Cisco Umbrella DNS Security Advantage 65.44%

DNSFilter DNSFilter 34.84%

Infoblox BloxOne Advanced 24.10%

Not enough protection for you?

Scroll further to Option 2 and let us show you how we can increase security for our users.


7.2 UMB - The Hybrid worker: SIG-Based Cloud security


Option 2 - Using Cisco Secure Client (previously known as AnyConnect) will protect you with DNS-
based security AND web policies, resulting in a full Secure Web Gateway.

The Cisco Secure Client will be able to:

• Apply all DNS Policies we have seen so far.
• Inspect files for malware using signatures, heuristics and file reputation. Powered by Cisco
Advanced Malware Protection.
• Analyse files for malicious behaviour using advanced sandboxing with static and dynamic
threat intelligence.
• Check a file based on its file extension, and include a detection engine to evaluate
the file (images, video files, documents, ...).
• Full HTTPS inspection.
• || Source – Destination – Time || rulesets (think of blocking sites or content like social media
during school hours).

Side-Note:

More protection is to be expected using the Cisco Secure Client. Below is another test
performed by AVTest on Cisco Umbrella, but this time with the client.

The below results are published by AVTest (https://www.av-test.org/en/), an
independent IT Security Institute. The test released 3682 attacks on systems
protected by different Cloud Security vendors. The results of this test indicate that
Cisco Umbrella outperformed the other vendors' detection rates.

Vendor Package Detection rate (3,682 attacks)

Cisco Umbrella SIG Advantage 90.41%

Netskope Secure Web Gateway 80.12%

Zscaler Internet Access Transformation 79.60%

Palo Alto Networks Prisma Access for Mobile Users 79.33%

Skyhigh Security Secure Web Gateway 63.96%

Iboss Zero Trust Edge 44.60%


EX – Activate SIG Umbrella on your protected device

The situation

We will set up a DNS policy for home/remote workers.

Before we continue; confirm that the Web policy MX-SASE is active


Confirm that you can access gambling.com.

After this session, the off-network policy becomes active and you will no longer be able to access
gambling.com.


Install the Umbrella module of Cisco Secure Client

Open the folder LAB Programs (on the desktop) and install Cisco Secure Client > open setup.

Unselect all and select only Umbrella > Install Selected


Connect Cisco Secure Client to Umbrella

Open Cisco Secure Client and note that the correct profile is missing.

Copy OrgInfo.json from the LAB Programs folder to the following Umbrella folder:
%ProgramData%\Cisco\Cisco Secure Client\Umbrella\


Test your Off-network policy

FIRST: CLEAR YOUR CACHE !


SECOND: Note that you cannot access gambling.com. Why is this?

TIP: Open the Off-network Policy – Home/Remote and notice the following
• All roaming computers are mapped to this policy.
• Gambling is not allowed for all roaming computers

All roaming computers, regardless of where they connect, will use the home/remote
policy.


Check the activity search and notice that your roaming computer is now displayed instead of
our Umbrella connector as an identity.

Test out in a home or remote network.

Disconnect from the office network and connect to API Lab (an unprotected network),
and try again to download malware using the EICAR or wicar websites:
https://www.wicar.org/test-malware.html

Free testing against malware, phishing, CnC, ...

Reconnect to Wi-Fi

The station you are working on will be reverted after the training. Feel free to try and break the
Umbrella DNS + WEB security.


7.3 DUO – The user experience


EX – Connect to protected resources using DUO

Easy, Flexible Cybersecurity Solutions for Everyone

Multi-factor authentication is an electronic authentication method in which a user is granted
access to a website or application only after successfully presenting two or more pieces of
evidence to an authentication mechanism: knowledge, possession, and inherence.

Duo’s MFA (multi-factor authentication) and 2FA (two-factor authentication) app and access
tools can help make security resilience easy for your organization, with user-friendly features
for secure access, strong authentication, and device monitoring.

Use the below examples to learn the basic principles of MFA and see it in action.

• The day starts with logging on in the morning

Click HERE to simulate the experience of Chris

This is an interactive demo.
Open the URL and please click as you would in real life.

• Another use case is to protect sites and applications.

Click HERE to simulate the experience of Lee

This is an interactive demo.
Open the URL and please click as you would in real life.


The Life and Death of Passwords

Passwordless authentication (or "modern authentication," as it is known by some) is the term
used to describe a group of identity verification methods that don't rely on passwords.
Biometrics, security keys, and specialized mobile applications are all considered "passwordless"
or "modern" authentication methods.

Use the below examples to see passwordless authentication in action.

• Opening an application without using a password

Click HERE to simulate the experience of Lee

This is an interactive demo.
Open the URL and please click as you would in real life.

• Interested to understand how Lee registered the application for the first time?

Click HERE to simulate the experience of Lee

This is an interactive demo.
Open the URL and please click as you would in real life.


A use case for every business

We understand that every business is unique and has different requirements, but every
business requires a secure authentication process for their employees and users.

Below you can find a large set of demos to help you understand many ways to provide secure
access to your customer networks.

https://demo.duo.com/


7.4 DUO – The admin experience


Visibility is essential when it comes to security.
Be aware when endpoints were compromised or authentications failed, and why.

Connect to the demo dashboard using your own Cisco CCO ID.
https://dcloud2-lon.cisco.com/content/instantdemo/cisco-duo-admin-panel-v1-instant-demo?returnPathTitleKey=content-view

When logged in, click View to start

EX – Investigate authentications and device compliance

Investigate the active policy


Investigate the Reports


Investigate Device Insights

Only allow authentication from up-to-date systems, as they are less likely to be compromised.


7.5 DUO – Start your own experience


EX – Try it yourself

Start your account - For Free!

Tired of working with a demo and following a script?


We invite you to test it out to secure your own applications and experience it for yourself.

Get the full experience for 30 days:
https://signup.duo.com/

After 30 days you will be given the Free edition of DUO
(basic feature set for 10 users).

DUO Editions

Multiple versions are available depending on the needs of your customer.


Learn about the differences using the link below.

https://duo.com/editions-and-pricing
