Firewall rules for management acces to dashboard and api

joopv
Getting noticed

Hi,

We need the IP addresses or address ranges that we can use to access the dashboard, both for API access and regular browser access.

We manage Meraki networks at several large and small organizations.

I can find the access rules for Meraki devices, but I need the access rules for management.

Inderdeep
Kind of a big deal

@joopv: Using Network Objects may help you: https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Network_Objects_Configuration_Guide

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
PhilipDAth
Kind of a big deal

From the dashboard, in the top right, go to Help/Firewall Info. It will give you the firewall rules for that specific dashboard.

Note the required IP ranges can vary from customer dashboard to customer dashboard.

Thanks for the reply. These firewall rules are meant for *Meraki devices* needing access to the Meraki dashboard.

I need the rules needed for management access (browser, API calls etc.) to the dashboard.

This is for a workstation needing access to *and only to* the Meraki dashboard.

PhilipDAth
Kind of a big deal

For the API it would be:

api.meraki.com

<shard>.meraki.com

Where <shard> is the shard your org is located on.

If you use MV, then there are going to be a bunch more for image retrieval (snapshot API).

If you use MQTT you are going to need to add in the MQTT servers that you use.

For the dashboard, that's a lot tougher. There are the obvious ones:

meraki.com

www.meraki.com

meraki.cisco.com

account.meraki.com

<shard>.meraki.com

That's assuming you use Meraki accounts. If you log in using SecureX or SAML you'll need to add all those authentication URLs as well.

But then you also need all the URLs for all the components used. If you go to Chrome developer tools (CTRL-SHIFT-I) and go to the "Sources" tab, and then load each page, you'll get the external domains also required. For example:

[screenshot: Chrome developer tools, "Sources" tab, showing the external domains loaded by a dashboard page]

Note that you won't be able to match on IP address, as a lot of these use load balancers with dynamic sets of IPs growing and expanding, so you have to match on FQDN.

If you use MV you are going to need to add in the URLs for the cloud proxies (if viewing from outside) or the cameras (if viewing from inside).

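One way to turn the developer-tools walk-through above into an FQDN allow list, as an added example that is not from the thread: export the Network tab as a HAR file, extract every host the browser contacted, and compare it with the hosts already named in the reply. The sample HAR, the `cdn.example-static.net` host and the `n123.meraki.com` shard name are constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a HAR export (Chrome DevTools > Network > "Save all as HAR"),
# trimmed to the fields this script reads. Hostnames here are made up for the example.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://account.meraki.com/login"}},
    {"request": {"url": "https://n123.meraki.com/o/abc/manage/organization/overview"}},
    {"request": {"url": "https://n123.meraki.com/assets/app.js"}},
    {"request": {"url": "https://cdn.example-static.net/fonts/icons.woff2"}},
    {"request": {"url": "https://api.meraki.com/api/v1/organizations"}},
    {"request": {"url": "data:image/png;base64,iVBORw0KGgo="}},
]}})

# Hosts named in the thread; the shard host is passed in separately because it is per-org.
KNOWN_HOSTS = {"meraki.com", "www.meraki.com", "meraki.cisco.com",
               "account.meraki.com", "api.meraki.com"}


def hosts_from_har(har_text):
    """Map each hostname the browser actually contacted to its request count."""
    counts = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        parts = urlsplit(entry["request"]["url"])
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # data:/blob: URLs never leave the browser, so no firewall rule is needed
        host = parts.hostname.lower()
        counts[host] = counts.get(host, 0) + 1
    return counts


def missing_allow_list(har_text, shard_host, known=KNOWN_HOSTS):
    """Hosts seen in the capture that neither the thread's list nor the org's shard covers."""
    covered = set(known) | {shard_host.lower()}
    return sorted(h for h in hosts_from_har(har_text) if h not in covered)


if __name__ == "__main__":
    # "n123.meraki.com" stands in for <shard>; substitute the shard your org is on.
    for host, n in sorted(hosts_from_har(SAMPLE_HAR).items()):
        print(f"{n:3d}  {host}")
    print("not yet allowed:", missing_allow_list(SAMPLE_HAR, "n123.meraki.com"))
```

Load every dashboard page you rely on before exporting, since the HAR only contains what the browser actually requested. The export also carries cookies and authorization headers, so delete the file once the host list has been extracted.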
Thanks for your extensive answer!

We are already testing and punching holes in the firewall, using the developer tools. Will update this topic.