
External Systems Configuration Guide

Cisco Meraki Cloud Controller and Network Devices

What is Discovered and Monitored

Cisco Meraki devices are discoverable in either of the following ways:

  • SNMP to the Cloud Controller
  • SNMP to each Network Device

SNMP Traps can be sent from the Cloud Controller. Cisco Meraki Network Devices can also send logs directly to FortiSIEM.

| Protocol | Information Discovered | Metrics collected | Used for |
|---|---|---|---|
| SNMP (V1, V2c) to Cloud Controller or Devices | Host name, Software version, Hardware model, Network interfaces | Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) | Availability and Performance Monitoring |
| syslog from Meraki Firewalls | | Firewall logs | Security Monitoring |
| syslog from Meraki Access Points | | Air Marshal logs | Security Monitoring |
| SNMP Traps from Cloud Controller | | Health | Availability Monitoring |

Event Types

  • Interface Utilization: PH_DEV_MON_NET_INTF_UTIL

Rules

Availability (From SNMP Trap)
  • Meraki Device Cellular Connection Disconnected
  • Meraki Device Down
  • Meraki Device IP Conflict
  • Meraki Device Interface Down
  • Meraki Device Port Cable Error
  • Meraki Device VPN Connectivity Down
  • Meraki Foreign AP Detected
  • Meraki New DHCP Server
  • Meraki New Splash User
  • Meraki No DHCP lease
  • Meraki Rogue DHCP Server
  • Meraki Unreachable Device
  • Meraki Unreachable RADIUS Server
  • Meraki VPN Failover
Performance (Fixed Threshold)
  • Network Intf Error Warning
  • Network Intf Error Critical
  • Network Intf Util Warning
  • Network Intf Util Critical
Performance (Dynamic Threshold Based on Baselines)
  • Sudden Increase in Network Interface Traffic
  • Sudden Increase in Network Interface Errors

Reports

None

Configuration

Syslog for Air Marshal Events

The latest instructions for configuring syslog for Air Marshal events can be found at https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal.

Configure syslog alerting by navigating to Network-wide > General, setting the syslog server IP and port, and specifying "air marshal" events.

Note: For all roles, select each role available. This configuration applies to access points (APs), switches, and firewalls.

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials 

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

| Setting | Value |
|---|---|
| Name | <set name> |
| Device Type | Cisco Meraki Cloud Controller |
| Access Protocol | See Access Credentials |
| Port | See Access Credentials |
| Password config | See Password Configuration |
