cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Put API L3 firewall rules

SOLVED
Highlighted
Conversationalist

Put API L3 firewall rules

I am using Postman to interact with the API and seem to be stuck on how to issue a PUT for L3 firewall rules. I have a parameter of "rules" with a value of the array as defined in the attached -

I get a 200 message, but when I GET the network the firewall rules have not been modified.

 

I've also tried defining a "rules": array in the body (as shown in the online Meraki API documentation) with no different results. 

 

Guidance would be appreciated. 

 

Sample array used in the value field attached

{
        "comment": "allow https - corp internet",
        "policy": "allow",
        "protocol": "tcp",
        "srcPort": "Any",
        "srcCidr": "10.0.0.0/8",
        "destPort": "443",
        "destCidr": "Any",
        "syslogEnabled": false
    },
    {
        "comment": "allow ssh - corp internet",
        "policy": "allow",
        "protocol": "tcp",
        "srcPort": "Any",
        "srcCidr": "10.0.0.0/8",
        "destPort": "22",
        "destCidr": "Any",
        "syslogEnabled": true
    }
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Conversationalist

Re: Put API L3 firewall rules

I have resolved my issue.   As instructed in the API documentation I have been using the "params" key of "rules" and a "value" of the array.  The body also contained the array as the example code indicated.  If I removed the params key of rules, than I would receive the following error:

404 Bad Request

{ 
     "errors": [
         "Missing parameter -  the \"rules\" parameter is required"
      ]
}

I imported the sample curl example from the Meraki API documentation into Postman and noticed that the params did not include anything, only the body with the array.  I updated my request accordingly and now L3 firewall rules are updated.  As a note, the firewall replaces any existing rules with the array contents. So to update a single rule you would need to include all the rules.

 

View solution in original post

21 REPLIES 21
Highlighted
Kind of a big deal

Re: Put API L3 firewall rules

I haven't added a rule via API before but I have two observations.

1.  The documentation says "Update L3 Firewall Rules" so I wonder if you are only allowed to update and not add. It doesn't clarify

2.  The rules array appears to be required and make sure to pay attention that it uses a bracket instead of the curly brace so I assume the body of the postman request would be formatted similar to this

{
  "rules": [
      {
        "comment": "allow https - corp internet",
        "policy": "allow",
        "protocol": "tcp",
        "srcPort": "Any",
        "srcCidr": "10.0.0.0/8",
        "destPort": "443",
        "destCidr": "Any",
        "syslogEnabled": false

 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
Highlighted
Conversationalist

Re: Put API L3 firewall rules

{
 	"rules": [
 	{
        "comment": "allow https - corp internet",
        "policy": "allow",
        "protocol": "tcp",
        "srcPort": "Any",
        "srcCidr": "10.0.0.0/8",
        "destPort": "443",
        "destCidr": "Any",
        "syslogEnabled": false
    },
    {
        "comment": "allow ssh - corp internet",
        "policy": "allow",
        "protocol": "tcp",
        "srcPort": "Any",
        "srcCidr": "10.0.0.0/8",
        "destPort": "22",
        "destCidr": "Any",
        "syslogEnabled": true
    }
	]
}

this is what I have tried in the body, I am thinking the value in my params field is not correct, but not sure on what other format it should be in.

 

You might be onto something with the "Update firewall rule" language instead of "Add", but I tried adding additional destination ports and/or source CIDR in a rule, keeping the same rule order as retrieved in a GET, but the modified rules do not reflect the changes on another GET. 

 

Highlighted
Conversationalist

Re: Put API L3 firewall rules

I have resolved my issue.   As instructed in the API documentation I have been using the "params" key of "rules" and a "value" of the array.  The body also contained the array as the example code indicated.  If I removed the params key of rules, than I would receive the following error:

404 Bad Request

{ 
     "errors": [
         "Missing parameter -  the \"rules\" parameter is required"
      ]
}

I imported the sample curl example from the Meraki API documentation into Postman and noticed that the params did not include anything, only the body with the array.  I updated my request accordingly and now L3 firewall rules are updated.  As a note, the firewall replaces any existing rules with the array contents. So to update a single rule you would need to include all the rules.

 

View solution in original post

Highlighted
Kind of a big deal

Re: Put API L3 firewall rules

Thanks for following up on this.  I was curious what the resolution would be. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
Highlighted
Conversationalist

Re: Put API L3 firewall rules

Hi Guys,

I've been testing with APIs adding adddresses, names, getting networks, devices, etc.

 

I was trying to add L3 rules into an MX and this really helped since I had the RULES missing parameter, but after doing some testing I'm encountering the following issue.

 

If I try to add one rule:

 

[
    {
        "comment": "Test Rule",
        "policy": "deny",
        "protocol": "any",
        "srcPort": "Any",
        "srcCidr": "10.10.37.5/32",
        "destPort": "Any",
        "destCidr": "10.10.36.0/24",
        "syslogEnabled": false
    },
    {
        "comment": "Default rule",
        "policy": "allow",
        "protocol": "Any",
        "srcPort": "Any",
        "srcCidr": "Any",
        "destPort": "Any",
        "destCidr": "Any",
        "syslogEnabled": false
    }
]

 

I get a 200OK but no addition was made, ever further if I enter a rule manually in the portal and I run the same script everything gets deleted and I get the a 200OK but it deletes all the existing rules but the default one.

 

any guidance would be great.

 

BTW I'm doing this with postman

Highlighted
Conversationalist

Re: Put API L3 firewall rules

That appears to be the API behavior. You need to define the entire rule set. So if you want to add a rule, you include all the rules plus your addition.  Same from removal of a rule.  All the rules minus the deleted rule. Weird but it works. 

Highlighted
Conversationalist

Re: Put API L3 firewall rules

Thanks for your reply.

 

I've just tried that last time, I first got the existing rules qith a GET, then I PUT the existing rules plus a new one at the top or at the bottom, and does the same the outcome is deletion of the existing rules but the default one.

Highlighted
Comes here often

Re: Put API L3 firewall rules

On the same topic, have a side question... is there a way to add the same firewall rule to multiple networks??? I know how to do with one network because of you have to define a networkID but what about applying to few networks or all thru Postman?

Highlighted
Building a reputation

Re: Put API L3 firewall rules

Don't know if you are still wanting to do this, but to my knowledge there is not a way to do this via Postman. Admittedly, I don't use Postman, but when I was looking at it I did not get the impression that you could do something like this. You can however do this via a language like Python. I have a script that allows me to access any L3 rules in any MX network in any organization and copy them to another network or networks. 

 

If you are interested in something like this, I can give you more information.

Highlighted
Comes here often

Re: Put API L3 firewall rules

Yes please! I am starting to learn Python just for this purpose so it will help me lot if you could give me any more information.

Highlighted
Building a reputation

Re: Put API L3 firewall rules

No problem. Do you know if there is an easy way to talk out of the forum? I want to get an idea of what you have done so far and that does not need to be a public discussion. I will also give you the script I wrote and help you to understand what it is doing and modify it to meet your needs.

Highlighted
Community Manager

Re: Put API L3 firewall rules


@CBurkhead wrote:

Do you know if there is an easy way to talk out of the forum? I want to get an idea of what you have done so far and that does not need to be a public discussion. 


Hi @CBurkhead - I just granted you Private Message permissions (typically they're granted automatically after a certain amount of activity on the forums), so you and @UT can exchange contact info privately. 

Caroline S | Community Manager, Cisco Meraki | @merakicaroline
New to the community? Get started here
Highlighted
Building a reputation

Re: Put API L3 firewall rules

Thank you very much! That will help a great deal.

Highlighted
New here

Re: Put API L3 firewall rules

Key is to use python (or similar) to make bulk changes.

Use a variable to store the API response and print this out on to screen.

It is usually a  <Response [200]> for success

<Response [400]>  or  <Response [404]> for errors.

To decipher this, you should (in python) parse this into json()

i.e. details =  response.json()

print(details)

...you shoud see the exact nature of the error/failure:

in my case I had included some special chars in the comments section on rule 3:

 

{'errors': ['At least one of your firewall rules is invalid: "ssid[firewall_rules][3][comment] Comment may use only letters, numbers, spaces, and common punctuation".']}

 

P.S - special chars are allowed if you enter via GUI but not via API seemingly!!!

 

 

Highlighted
Getting noticed

Re: Put API L3 firewall rules

Good Morning,

 

New at this site and topic... I am having the same issues.... i am sending (using postman and python) REST /API calls to the Meraki environment , i get a 200 Ok but no changes at all. In the logs i can see the old and new value being used, but not the ruleset i want/entered.

 

Somebody got a working python script using the API call : dashboard.mx_l3_firewall.updateNetworkL3FirewallRules()

 

Or of course something else .... 

 

Highlighted
New here

Re: Put API L3 firewall rules

Hi everyone,

 

I have a few questions about this PUT API.

 

I am using a python script to update the L3 firewall rules. My API uses:

 

requests.put(apiCall, data=json.dumps(payload), headers=headers).json()

 

Where for payload, I've tried using just the array in the body (as suggested in the post resolution), like this:

 

payload = [
                     {
                         'comment':'Tested',
                         'policy':'deny',
                         'protocol':'Any',
                         'destPort':'Any',
                         'destCidr':"3.3.3.3/32",
                         'srcPort':'Any',
                         'srcCidr':'Any',

                      },
                      {
                         'comment':'Test',
                         'policy':'deny',
                         'protocol':'any',
                         'srcPort':'Any',
                         'srcCidr':'Any',
                         'destPort':'Any',
                         'destCidr':'1.1.1.1/32,2.2.2.2/32'

                       }

                ]

 

And I receive a 200 code, but the rules are not added nor changed.

 

I've also tried as indicated in the API documentation using the param "rules":

 

payload = { 'rules' : [
                     {
                         'comment':'Tested',
                         'policy':'deny',
                         'protocol':'Any',
                         'destPort':'Any',
                         'destCidr':"3.3.3.3/32",
                         'srcPort':'Any',
                         'srcCidr':'Any',

                      },
                      {
                         'comment':'Test',
                         'policy':'deny',
                         'protocol':'any',
                         'srcPort':'Any',
                         'srcCidr':'Any',
                         'destPort':'Any',
                         'destCidr':'1.1.1.1/32,2.2.2.2/32'

                       }

                 ]

            }

 

And the same result, code 200 OK, but nothing is updated.

 

Do you have any clue about what could be wrong?

Highlighted
Getting noticed

Re: Put API L3 firewall rules

I got it working now....

 

It turns out (in my case) that you can only put IP addresses and IP subnets  in the L3 firewall which are part of your network and VPN. Any other will not be accepted nor inserted.

 

so if 3.3.3.3/32 is not part of your network, it will not work

 

 

Highlighted
Building a reputation

Re: Put API L3 firewall rules

You will need the "rules" in your payload for this to work, I am surprised you got the 200 without it being in there. The only thought I had was what your headers value is? I know, particularly on a PUT or POST, if the header is wrong sometimes you will get return codes that look good, but nothing actually happens or something weird happens. Make sure that your header for the PUT contains your API key and {'Content-Type':'application/json'}. You don't need the content type when doing a GET, but I have found you have to have it for a PUT or POST.

Highlighted
Comes here often

Re: Put API L3 firewall rules

This is what I use and I can add rules without issues.

import requests
import json

response = requests.put(url, headers=headers, data=json.dumps(payload))
print(response.json())

Highlighted
Comes here often

Re: Put API L3 firewall rules

For adding firewall rules, the destination network may be outside your subnet so it shouldn't matter whether or not you have it on your network. The rule is just created to allow access to that destination and it can be any address. The routing will figure out where to send next. 

Highlighted
New here

Re: Put API L3 firewall rules

Great! That was it!! Thanks @CBurkhead

For my GET I was using the header:

headers = {"X-Cisco-Meraki-API-Key":"<my-API-Key>","Accept":"application/json"}

And I was trying to use the same header for the PUT operation. I was getting code 200 as you well mentioned, however, nothing ever changed.

Then, I followed your suggestion and changed my PUT header to:

headers = {"X-Cisco-Meraki-API-Key":"<my-API-Key>","Content-Type":"application/json"}

And that did it!

Thank y'all for the quick response to this thread. I imagined it would take me weeks to get a response. I'm so happy it was not the case. Kudos!
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.