Cyber threats are no longer isolated or predictable. Today’s attackers use polymorphic malware, encrypted payloads, lateral movement, and persistent footholds that challenge even modern firewalls. For organizations using Cisco Meraki MX appliances, this evolution has made embedded threat protection capabilities more crucial than ever.
Meraki has answered the call by reengineering its approach to network security. What began as basic IDS/IPS with Snort 2 has matured into a full threat defense stack powered by Snort 3, Advanced Malware Protection (AMP), and cloud-driven updates from Cisco Talos. This isn’t just about signature matching. It’s about creating a security posture that’s adaptive, scalable, and built for today’s decentralized networks.
At Stratus Information Systems, we work closely with IT teams to design and implement secure, resilient Meraki MX deployments. Whether you need zero-trust architecture or real-time threat blocking, our Cisco-certified engineers ensure your infrastructure delivers.
Core Components of Threat Protection in Meraki MX
Threat protection in the Meraki MX platform is not a single feature, but a layered defense model. The components that power this system include:
- Snort-based IDS/IPS: At the core is the Snort engine, responsible for inspecting packet data and applying curated rulesets to detect malicious activity. It scans for command-and-control communication, exploit kits, malware traffic, and other hostile patterns.
- Advanced Malware Protection (AMP): AMP inspects file downloads over HTTP, comparing them against Cisco’s threat intelligence database. It prevents infected files from ever reaching your endpoints.
- URL and File Allow Lists: Meraki provides granular control over what’s blocked or allowed, allowing administrators to override certain detections when false positives occur.
- Threat Detection Policies: Administrators can fine-tune protection by selecting from different rulesets (Connectivity, Balanced, or Security), depending on the desired tradeoff between detection depth and performance.
This multilayered system is constantly updated via the Meraki Cloud, with rules and signature updates delivered directly from Cisco Talos, Cisco’s elite threat research organization.
These features are available exclusively with Meraki MX Advanced Security Edition licensing, and require MX firmware version 12.20 or higher.
From Snort 2 to Snort 3 – What’s Changed
Snort 2 was a powerful intrusion detection engine in its day, but its single-threaded design and static architecture posed limitations. As modern networks demand real-time inspection of gigabit-level traffic, Snort 2 began to show its age.
Snort 3 solves these challenges with a multi-threaded architecture. It distributes packet inspection across multiple cores, making it faster and more responsive. This reduces bottlenecks in high-traffic environments, such as school campuses, healthcare facilities, or large corporate offices.
Key improvements in Snort 3 include:
- Port-independent protocol inspection: Protocols like HTTP and FTP are now detected regardless of the port they operate on.
- Support for HTTP/2: Snort 3 can inspect modern web traffic more effectively.
- Runtime engine swapping: Detection engines and modules can be updated without a firmware upgrade, reducing downtime.
- Hyperscan support: This feature accelerates regular expression (regex) processing using CPU vector extensions, thereby improving performance on newer hardware.
- Modularity and memory efficiency: Snort 3 uses memory more intelligently, improving its ability to scale on large deployments.
Note: Only Meraki MX appliances running firmware version 17.6 or later can run Snort 3. Models like the MX64 and MX65 remain on Snort 2 due to hardware constraints.
Inspection Coverage – What Gets Scanned
Meraki MX’s threat inspection applies to specific types of traffic flows:
- LAN to Internet
- Inter-VLAN
- Protected subnets in passthrough mode
This means MX will inspect both outbound traffic and east-west traffic between VLANs. However, it will not inspect intra-VLAN traffic, that is, traffic between two clients on the same VLAN.
This design decision helps conserve resources but also creates blind spots if the network is flat. That’s why it’s important to implement VLAN segmentation and avoid leaving all internal systems on a single broadcast domain. For zero-trust environments, this step is essential.
With Snort 3, Meraki is aligning more closely with zero-trust principles, treating all traffic, internal or external, as potentially hostile.
Meraki MX Threat Protection Modes – IDS vs IPS
Meraki MX offers flexible deployment modes for threat detection:
- Detection (IDS) Mode: All traffic is logged and analyzed, but malicious flows are not blocked. This is useful for visibility and tuning.
- Prevention (IPS) Mode: Packets matching threat signatures are blocked in real time.
Each mode can be paired with one of three detection rulesets:
- Connectivity: Lightweight and fast. Ideal for performance-sensitive environments. Focuses only on high-CVSS vulnerabilities from the last two years.
- Balanced: Default option. Provides protection against command-and-control traffic, exploit kits, SQL injection, and blocklisted indicators with moderate performance impact.
- Security: Most aggressive. Includes more historical CVEs and application-layer threat detection.
For most environments, Balanced provides the best mix of safety and stability. High-security environments—such as financial services or defense contractors—may opt for the Security ruleset despite the higher CPU load.
Advanced Malware Protection (AMP)
AMP works alongside Snort to provide file-level inspection. When enabled, it inspects HTTP downloads and blocks known malware based on Cisco’s global threat database.
Here’s how it works:
- A user attempts to download a file.
- MX inspects the download and checks the hash against known threat signatures.
- If the file is malicious, the download is blocked, and the event is logged in the Security Center.
AMP is especially useful in networks where endpoint protection may be inconsistent, such as guest environments, shared terminals, or BYOD deployments.
Administrators can review AMP events by navigating to Security & SD-WAN > Monitor > Security Center in the Meraki Dashboard.
Fine-Tuning Detection with Allow Lists
No threat detection system is perfect. Occasionally, AMP or Snort may block a legitimate file or domain. In these cases, Meraki provides two key allow list options:
- Allow List URLs: This list overrides AMP and Snort blocks on specific domains or IPs. You can enter URLs like https://trustedvendor.com/* to permit access moving forward. Wildcards are supported.
- Allow List Files: For non-URL-based detections, such as JavaScript snippets or file hashes, you can allow specific object IDs. These IDs are found in the event logs and can be added manually.
Only full organization admins have the rights to modify allow lists. This ensures that overrides are controlled and auditable across distributed teams.
Trusted Traffic Exclusions and Zero-Trust Design
With Snort 3, Meraki introduced a new feature: Trusted Traffic Exclusions. This allows admins to define IP ranges or hosts whose traffic should be exempt from inspection, such as internal application servers or partner appliances.
While this can reduce false positives, it should be used cautiously. In a true zero-trust network, no internal traffic should be automatically trusted. Use exclusions only when necessary and pair them with detailed logging to maintain oversight.
Outside any such exclusions, Snort 3 applies the same detection fidelity to internal and external traffic, supporting zero-trust strategies where segmentation and validation are key.
Logging, Alerts, and Visibility
From the Dashboard, you can:
- View historical and real-time alerts
- Filter by source, destination, threat type, or detection engine
- Investigate AMP or Snort-based detections
- Export events to Syslog or forward them to a SIEM
This centralized view supports incident response, compliance audits, and threat hunting. It’s also fully cloud-managed, which means no additional software or on-prem infrastructure is required.
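As an added example, not part of this article or of any Meraki tooling, the following Python shows the kind of correlation a SIEM rule would run over exported MX events: it parses syslog lines in the general shape of Meraki security_event records (Snort alerts and AMP file scans; the exact field layout is an assumption and every log line is constructed) and escalates LAN hosts that show both a priority-1 Snort alert and a malicious AMP verdict.

```python
"""Correlate Meraki MX security_event syslog lines per LAN host (added example, not Meraki code)."""
import re
from collections import defaultdict

# Constructed sample lines: two Snort (ids_alerted) alerts and two AMP file-scan verdicts.
# The field layout is an assumption modeled on Meraki's documented security_event samples.
SAMPLE_LOG = """\
1712000001.123 MX100 security_event ids_alerted signature=1:2025000:4 priority=1 direction=ingress protocol=tcp/ip src=203.0.113.10:443 dst=10.10.20.15:51522 message: MALWARE-CNC constructed beacon example
1712000002.456 MX100 security_event ids_alerted signature=1:2100000:2 priority=3 direction=egress protocol=tcp/ip src=10.10.30.7:40122 dst=198.51.100.5:80 message: POLICY constructed probe example
1712000003.789 MX100 security_event security_filtering_file_scanned url=http://files.example.test/setup.exe src=10.10.20.15:52001 dst=198.51.100.9:80 name='setup.exe' sha256=CONSTRUCTED_HASH_A disposition=malicious action=block
1712000004.000 MX100 security_event security_filtering_file_scanned url=http://files.example.test/readme.pdf src=10.10.30.7:52002 dst=198.51.100.9:80 name='readme.pdf' sha256=CONSTRUCTED_HASH_B disposition=clean action=allow
"""

KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")
LAN_PREFIX = "10."  # constructed: the internal range used by the sample network


def parse_event(line):
    """Return a dict of fields for one security_event line, or None for any other syslog line."""
    _, sep, body = line.partition(" security_event ")
    if not sep:
        return None
    event_type, _, rest = body.partition(" ")
    # Snort lines end in free text after 'message:'; keep it out of the key=value scan.
    kv_part, _, message = rest.partition(" message: ")
    fields = {k: v.strip("'") for k, v in KV_RE.findall(kv_part)}
    fields["type"], fields["message"] = event_type, message.strip()
    return fields


def lan_host(event):
    """Pick the internal address out of src/dst, dropping the port."""
    for key in ("src", "dst"):
        ip = event.get(key, "").rsplit(":", 1)[0]
        if ip.startswith(LAN_PREFIX):
            return ip
    return None


def correlate(log_text):
    """Count priority-1 Snort alerts and malicious AMP verdicts per host; escalate hosts with both."""
    by_host = defaultdict(lambda: {"ids_high": 0, "amp_malicious": 0})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or (host := lan_host(ev)) is None:
            continue
        counts = by_host[host]
        if ev["type"] == "ids_alerted" and ev.get("priority") == "1":
            counts["ids_high"] += 1
        elif ev["type"] == "security_filtering_file_scanned" and ev.get("disposition") == "malicious":
            counts["amp_malicious"] += 1
    escalate = sorted(h for h, c in by_host.items() if c["ids_high"] and c["amp_malicious"])
    return dict(by_host), escalate
```

Running `correlate(SAMPLE_LOG)` escalates only 10.10.20.15, the host that received an inbound priority-1 alert and then pulled a file AMP judged malicious; the clean download and the low-priority alert for 10.10.30.7 are counted but not escalated.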
Best Practices for Secure Meraki MX Deployments
To maximize the value of Meraki MX threat protection, consider the following best practices:
- Enable IPS mode as soon as you’ve evaluated your environment for false positives.
- Use the Balanced ruleset for most environments; switch to Security mode for high-sensitivity networks.
- Review firmware status regularly and upgrade to Snort 3-capable versions when eligible.
- Avoid over-reliance on allow lists and implement a clear review process for overrides.
- Use VLAN segmentation to increase inspection coverage and reduce attack surfaces.
- Log events centrally via Syslog for better correlation and faster response.
To Conclude
Cisco Meraki MX, equipped with Snort 3 and AMP, offers a robust security platform for organizations that require agility and protection at scale. With cloud-managed updates, flexible rulesets, and zero-trust alignment, these appliances offer not just visibility, but action.
Stratus Information Systems helps organizations configure Meraki MX security the right way. Our experts can tailor deployments to your exact needs—from schools and city networks to global enterprises.
Need to upgrade to Snort 3 or fine-tune your threat policies? Talk to our team today.