Meraki

RaphaelL · ‎Mar 21 2024

Hi ,

Let's say I create a brand new Network 'NetA'. It contains the default rule base :

{"rules":[{"comment":"Default rule","policy":"allow","protocol":"Any","srcPort":"Any","srcCidr":"Any","destPort":"Any","destCidr":"Any","syslogEnabled":false}]}

Now If I create a new network 'NetB' and I PUT the firewall rules that I got from 'NetA' , I will end up with 2 default rules ...

That's annoying... I have to modify the payload received by the API ( once again ) before doing a PUT to other networks...

@sungod Have I missed something ?

Support says this is expected since there are no checks to prevent duplicate rules.

So depending where you source your 'GET' , you could end up with a tons of dupplicate default rules.. Eg : Get NetA , Put NetB , Get NetB , Put NetC , Get NetC Put NetD [...]

alemabrahao · ‎Mar 21 2024

As far as I remember, the Meraki API does not perform checks to avoid duplicate rules. When you use the PUT method to update firewall rules, it replaces the existing rules with the new rules provided. If the new rules include a default rule and a default rule already exists in the existing rules, you will have two default rules.

You can try adding a step to your process to check and remove the default rule from the rules obtained from the API before using PUT to update the rules on another network.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

KarstenI · ‎Mar 21 2024

Yes, it's annoying. I added a condition when preparing the new object to skip the default. But I don't like that I have to care about things that a computer could easily do better. And I ask myself why the API returns the default rules at all.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

rhbirkelund · ‎Mar 21 2024

As far as I remember, this has always been the case. Another gotcha with the L3 firewall rules is that the PUT command completely replaces the rules. So if you expect that adding a rule, will simply append it to the set, you might end up replacing them all, with your new rule instead.

I usually just get the entire ruleset, do_stuff(mxrules) and then "pop" the last rule in the list.

E.g.

#! /usr/bin/env python3

import meraki

def do_stuff(rules):
    pass

def main():
    dashboard = meraki.DashboardAPI(
        suppress_logging=True,
        simulate=True
    )

    # Network ID
    network_id = ""

    # Get rules. 
    current_l3_mx_rules = dashboard.appliance.getNetworkApplianceFirewallL3FirewallRules(
        network_id
    )

    # Pop the default rule
    new_l3_mx_rules = do_stuff(current_l3_mx_rules)
    if new_l3_mx_rules["rules"][-1]['comment'] == "Default rule":
        new_l3_mx_rules["rules"].pop(-1)


if __name__ == "__main__":
    main()

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.

RaphaelL · ‎Mar 21 2024

Yup this is exactly what we are doing ! It's just one more annoying thing to do 😞

rhbirkelund · ‎Mar 21 2024

Atleast, we have a priori knowledge that the default rule is always the last entry in the list, so we can simply just move backwards one step in the list. 😉

But yeah.. It's odd that the default rule cannot be edited, yet we still have to take into account when editing rules using the API, and thus work around it.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.

Meraki

Community

Get L3FirewallRules and Put L3FirewallRules will dupplicate the default rule

Get L3FirewallRules and Put L3FirewallRules will dupplicate the default rule