Policy Object/Groups with API

Solved
mikefredrik


I'm working on a workflow to automate as much as possible. We will use policy objects and groups in our organisations.
I'm trying to find out how to use the API to attach a policy group in the firewall settings of a network.
If I do a GET of the firewall rules from a network where I've attached this policy manually via the UI, I see the following.

 

"srcPort": "Any",

"srcCidr": "OBJ(738027388935347594)",

"destPort": "Any",

"destCidr": "GRP(738027388935341366)",

This is just a snippet from the source/destination part of the output

 

The error given is that the CIDR needs to be an IP or VLAN.

 

Any input/ideas to share?

 

//Mikael

1 Accepted Solution
mikefredrik

I managed to find a solution with some input from someone in our EMEA Meraki Partner Webex space.
Using the following logic, it worked just fine:

# Object/group IDs looked up beforehand (here the values from the GET output above)
policy_object = '738027388935347594'
policy_group = '738027388935341366'

# Wrap the IDs in the same OBJ()/GRP() form the API returns
group = 'GRP(' + policy_group + ')'
object = 'OBJ(' + policy_object + ')'

rule_list = []
rule_dict = {
    'comment': 'Block Guest to LAN',
    'policy': 'deny',
    'protocol': 'any',
    'destPort': 'Any',
    'srcPort': 'Any',
    'syslogEnabled': False
}
rule_dict['srcCidr'] = object
rule_dict['destCidr'] = group
rule_list.append(rule_dict)

# The list is then sent with the L3 firewall rules update, e.g. in the Meraki Python SDK:
# dashboard.appliance.updateNetworkApplianceFirewallL3FirewallRules(network_id, rules=rule_list)

The reason I used variables is that we launch a lot of different networks in many different orgs, so we need to get the object/group ID before we can run the API call.
This works.
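The pattern in the accepted solution, carried one step further as an added example (this is not code from the thread or from Cisco Meraki): resolve object and group names to IDs from the organisation's object lists, build the OBJ()/GRP() references, and pre-flight every srcCidr/destCidr before the PUT so a typo or a deleted object cannot slip through as a dangling reference. The POLICY_OBJECTS and POLICY_GROUPS lists are constructed here in the shape the Meraki API returns for getOrganizationPolicyObjects and getOrganizationPolicyObjectsGroups (an assumption about field names; the IDs are the ones quoted in the thread), the VLAN(n).* form is assumed from Meraki's L3 rule syntax, and push_rules is the only part that needs a live dashboard.

```python
"""Build Meraki MX L3 firewall rules that reference policy objects and groups.

Added example, not code posted in the thread. Assumptions:
  * POLICY_OBJECTS / POLICY_GROUPS are constructed samples in the shape of the
    API responses for getOrganizationPolicyObjects / getOrganizationPolicyObjectsGroups.
  * push_rules() uses the Meraki Python SDK method
    updateNetworkApplianceFirewallL3FirewallRules and is not run offline.
"""
import ipaddress
import re

# Constructed sample data (field names modelled on the API; IDs from the thread).
POLICY_OBJECTS = [
    {"id": "738027388935347594", "name": "Guest-Net", "category": "network",
     "type": "cidr", "cidr": "192.0.2.0/24", "groupIds": []},
    {"id": "738027388935347600", "name": "Corp-LAN", "category": "network",
     "type": "cidr", "cidr": "10.10.0.0/16", "groupIds": ["738027388935341366"]},
]
POLICY_GROUPS = [
    {"id": "738027388935341366", "name": "Internal-Networks",
     "category": "NetworkObjectGroup", "objectIds": ["738027388935347600"]},
]

_REF_RE = re.compile(r"^(OBJ|GRP)\((\d+)\)$")
# VLAN(10).* or VLAN(10).5 (assumed Meraki VLAN form for L3 rules)
_VLAN_RE = re.compile(r"^VLAN\(\d+\)\.(\*|\d+(\.\d+)*)$")


def object_ref(object_id):
    """srcCidr/destCidr value for a policy object, in the form the API returns."""
    return f"OBJ({object_id})"


def group_ref(group_id):
    """srcCidr/destCidr value for a policy object group."""
    return f"GRP({group_id})"


def resolve_ref(name, objects, groups):
    """Map a human-readable object/group name to its OBJ()/GRP() reference.

    Raises if the name is unknown or ambiguous, so a typo cannot silently
    produce a rule that matches nothing (or the wrong thing).
    """
    obj_hits = [o["id"] for o in objects if o["name"] == name]
    grp_hits = [g["id"] for g in groups if g["name"] == name]
    hits = [object_ref(i) for i in obj_hits] + [group_ref(i) for i in grp_hits]
    if len(hits) != 1:
        raise LookupError(f"{name!r}: expected exactly one object/group match, got {hits}")
    return hits[0]


def is_valid_cidr_field(value, objects, groups):
    """Pre-flight check: 'Any', an IP/CIDR, a VLAN(...) form, or a reference
    to an object/group that actually exists in the org."""
    if value == "Any":
        return True
    m = _REF_RE.match(value)
    if m:
        kind, ref_id = m.groups()
        pool = objects if kind == "OBJ" else groups
        return any(item["id"] == ref_id for item in pool)   # dangling ref -> False
    if _VLAN_RE.match(value):
        return True
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def to_cidr_field(value, objects, groups):
    """Accept a literal the API already understands; otherwise treat it as a name.
    An OBJ()/GRP() reference to an unknown ID falls through to resolve_ref and
    raises LookupError, which is the behaviour we want before a PUT."""
    if is_valid_cidr_field(value, objects, groups):
        return value
    return resolve_ref(value, objects, groups)


def build_rules(specs, objects, groups):
    """Turn short rule specs (comment, src, dst, optional fields) into the
    dicts expected by the L3 firewall rules endpoint. Order is preserved;
    MX L3 rules are evaluated first match wins."""
    rules = []
    for spec in specs:
        rules.append({
            "comment": spec["comment"],
            "policy": spec.get("policy", "deny"),
            "protocol": spec.get("protocol", "any"),
            "srcCidr": to_cidr_field(spec["src"], objects, groups),
            "srcPort": spec.get("srcPort", "Any"),
            "destCidr": to_cidr_field(spec["dst"], objects, groups),
            "destPort": spec.get("destPort", "Any"),
            "syslogEnabled": spec.get("syslog", False),
        })
    return rules


def push_rules(dashboard, network_id, rules):
    """Replace the network's L3 rules (the PUT replaces the whole list; the
    default rule is appended by the dashboard and must not be included)."""
    return dashboard.appliance.updateNetworkApplianceFirewallL3FirewallRules(
        network_id, rules=rules)


if __name__ == "__main__":
    print(build_rules(
        [{"comment": "Block Guest to LAN", "src": "Guest-Net", "dst": "Internal-Networks"}],
        POLICY_OBJECTS, POLICY_GROUPS))
```

Because the update endpoint replaces the entire rule list, fetch the current rules with getNetworkApplianceFirewallL3FirewallRules and merge before calling push_rules if other rules in the network must survive; and because the same object IDs are org-wide, the object and group lists only need to be fetched once per organisation, not per network.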
 


alemabrahao

Group Policies in Meraki can include firewall rules, traffic shaping, content filtering, VLAN tagging, etc. When you see "srcCidr": "OBJ(...)" or "destCidr": "GRP(...)", these are references to policy objects or groups, not raw IPs or CIDRs.

The Meraki API currently does not support using object/group references like OBJ(...) or GRP(...) directly in firewall rules via the API. It expects valid CIDR notation or VLAN IDs.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

PhilipDAth

Have some snippets of code I can share, but not a whole solution.

 

You need to get the group policy ID. I used this for processing a large number of networks, so I cache the group policy results, but you may not need that complexity.

groupPolicies = {}   # cache: network ID -> list of that network's group policies


def getGPId(dashboard, netId, gpName):
    global groupPolicies

    # If we don't have a cache of group policies for this network, build it now
    if groupPolicies.get(netId) is None:
        groupPolicies[netId] = dashboard.networks.getNetworkGroupPolicies(netId)

    # Search for the group policy name
    for gp in groupPolicies[netId]:
        if gp['name'] == gpName:
            return gp['groupPolicyId']

    raise SystemExit("Invalid group policy name supplied: " + gpName)

 

And then something like:

def applyGP(dashboard, orgId, net, netId):
    gpId = getGPId(dashboard, netId, "GP Name")
    ...
    # Clients seen on VLAN 2 in the last day; total_pages='all' follows the pagination
    for client in dashboard.networks.getNetworkClients(netId, total_pages='all', timespan=1*86400, vlan=2):
        ...
        dashboard.networks.updateNetworkClientPolicy(netId, client['id'], 'Group policy', groupPolicyId=gpId)