Hi,
Let's say I create a brand new Network 'NetA'. It contains the default rule base:
{"rules":[{"comment":"Default rule","policy":"allow","protocol":"Any","srcPort":"Any","srcCidr":"Any","destPort":"Any","destCidr":"Any","syslogEnabled":false}]}
Now if I create a new network 'NetB' and I PUT the firewall rules that I got from 'NetA', I will end up with 2 default rules...
That's annoying... I have to modify the payload received by the API (once again) before doing a PUT to other networks...
@sungod Have I missed something?
Support says this is expected since there are no checks to prevent duplicate rules.
So depending where you source your 'GET', you could end up with tons of duplicate default rules. E.g.: Get NetA, Put NetB, Get NetB, Put NetC, Get NetC, Put NetD [...]
Yes, it's annoying. I added a condition when preparing the new object to skip the default. But I don't like that I have to care about things that a computer could easily do better. And I ask myself why the API returns the default rules at all.
As far as I remember, this has always been the case. Another gotcha with the L3 firewall rules is that the PUT command completely replaces the rules. So if you expect that adding a rule will simply append it to the set, you might end up replacing them all with your new rule instead.
I usually just get the entire ruleset, do_stuff(mxrules) and then "pop" the last rule in the list.
E.g.
#! /usr/bin/env python3
import meraki

def do_stuff(rules):
    # Placeholder for whatever edits you need; it must hand the rules back,
    # otherwise the caller below indexes into None.
    return rules

def main():
    dashboard = meraki.DashboardAPI(
        suppress_logging=True,
        simulate=True
    )
    # Network ID
    network_id = ""
    # Get rules.
    current_l3_mx_rules = dashboard.appliance.getNetworkApplianceFirewallL3FirewallRules(
        network_id
    )
    new_l3_mx_rules = do_stuff(current_l3_mx_rules)
    # Pop the default rule (always the last entry) before a PUT,
    # otherwise the dashboard adds a second copy of it.
    if new_l3_mx_rules["rules"][-1]['comment'] == "Default rule":
        new_l3_mx_rules["rules"].pop(-1)

if __name__ == "__main__":
    main()
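The two gotchas in this thread (the default rule comes back from GET and gets duplicated on PUT, and PUT replaces the whole ruleset rather than appending) can be handled in one helper that builds the PUT body. The following is an added example, not code from the post above or from the Meraki SDK: it works on the payload shape shown at the top of the thread, runs offline on a constructed sample, and leaves the actual dashboard PUT call to the caller. It goes a little beyond the `pop(-1)` approach by removing every default rule wherever it sits (a GET/PUT chain can leave several) and by dropping exact duplicates so the result is idempotent across repeated copies.

```python
#!/usr/bin/env python3
"""Added example (not the thread author's code, not the Meraki SDK).

Prepares an L3 firewall rule payload for a PUT to another network:
  * strips the read-only "Default rule" entries, however many there are;
  * appends (or prepends) any new rules, since PUT replaces the whole set;
  * drops exact duplicates, keeping the first occurrence.
"""
import copy
import json

DEFAULT_RULE_COMMENT = "Default rule"
MATCH_FIELDS = ("policy", "protocol", "srcPort", "srcCidr", "destPort", "destCidr")

# Constructed sample: what a GET returns after two GET->PUT copies that did
# not strip the default rule (one user rule, two default rules).
SAMPLE_GET_PAYLOAD = {
    "rules": [
        {"comment": "Allow DNS to resolver", "policy": "allow", "protocol": "udp",
         "srcPort": "Any", "srcCidr": "10.0.0.0/24", "destPort": "53",
         "destCidr": "10.0.0.53/32", "syslogEnabled": True},
        {"comment": "Default rule", "policy": "allow", "protocol": "Any",
         "srcPort": "Any", "srcCidr": "Any", "destPort": "Any",
         "destCidr": "Any", "syslogEnabled": False},
        {"comment": "Default rule", "policy": "allow", "protocol": "Any",
         "srcPort": "Any", "srcCidr": "Any", "destPort": "Any",
         "destCidr": "Any", "syslogEnabled": False},
    ]
}


def is_default_rule(rule):
    """True for the implicit allow-all rule the dashboard appends itself:
    the 'Default rule' comment with every match field set to Any."""
    return rule.get("comment") == DEFAULT_RULE_COMMENT and all(
        rule.get(k) == "Any" for k in MATCH_FIELDS[1:]
    )


def strip_default_rules(payload):
    """Return a copy of the payload with every default rule removed."""
    out = copy.deepcopy(payload)
    out["rules"] = [r for r in out["rules"] if not is_default_rule(r)]
    return out


def rule_key(rule):
    """Canonical key for duplicate detection; comment and syslog flag are
    ignored because they do not change what the rule matches."""
    return tuple(str(rule.get(k)).lower() for k in MATCH_FIELDS)


def build_put_payload(current_payload, new_rules=(), position="append"):
    """Build the body for a PUT from the current GET payload plus new rules.

    PUT replaces the whole ruleset, so the existing rules must be carried
    over explicitly; a body containing only the new rule would wipe the rest.
    """
    existing = strip_default_rules(current_payload)["rules"]
    extra = [copy.deepcopy(r) for r in new_rules]
    merged = existing + extra if position == "append" else extra + existing
    seen, deduped = set(), []
    for rule in merged:
        key = rule_key(rule)
        if key in seen:
            continue  # a later identical rule can never match; drop it
        seen.add(key)
        deduped.append(rule)
    return {"rules": deduped}


if __name__ == "__main__":
    # Hypothetical new rule to add on top of the copied set.
    block_smb = {"comment": "Block SMB egress", "policy": "deny", "protocol": "tcp",
                 "srcPort": "Any", "srcCidr": "Any", "destPort": "445",
                 "destCidr": "Any", "syslogEnabled": True}
    body = build_put_payload(SAMPLE_GET_PAYLOAD, [block_smb])
    # Hand `body` to updateNetworkApplianceFirewallL3FirewallRules(network_id, **body)
    print(json.dumps(body, indent=2))
```

Running the script prints a body with the one user rule followed by the new deny rule and no default rule; feeding that body back through `build_put_payload` (as a later GET from the target network would) yields the same body again, which is the property you want when copying rules down a chain of networks.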
Yup, this is exactly what we are doing! It's just one more annoying thing to do 😞
At least we have a priori knowledge that the default rule is always the last entry in the list, so we can simply just move backwards one step in the list. 😉
But yeah.. It's odd that the default rule cannot be edited, yet we still have to take it into account when editing rules using the API, and thus work around it.