Put API L3 firewall rules

Solved
jasonrakers
Conversationalist

Put API L3 firewall rules

I am using Postman to interact with the API and seem to be stuck on how to issue a PUT for L3 firewall rules. I have a parameter of "rules" with a value of the array as defined in the attached -

I get a 200 message, but when I GET the network the firewall rules have not been modified.

 

I've also tried defining a "rules": array in the body (as shown in the online Meraki API documentation) with no different results. 

 

Guidance would be appreciated. 

 

Sample array used in the value field attached

{
        "comment": "allow https - corp internet",
        "policy": "allow",
        "protocol": "tcp",
        "srcPort": "Any",
        "srcCidr": "10.0.0.0/8",
        "destPort": "443",
        "destCidr": "Any",
        "syslogEnabled": false
    },
    {
        "comment": "allow ssh - corp internet",
        "policy": "allow",
        "protocol": "tcp",
        "srcPort": "Any",
        "srcCidr": "10.0.0.0/8",
        "destPort": "22",
        "destCidr": "Any",
        "syslogEnabled": true
    }
1 Accepted Solution
jasonrakers
Conversationalist

I have resolved my issue.   As instructed in the API documentation I have been using the "params" key of "rules" and a "value" of the array.  The body also contained the array as the example code indicated.  If I removed the params key of rules, than I would receive the following error:

404 Bad Request

{ 
     "errors": [
         "Missing parameter -  the \"rules\" parameter is required"
      ]
}

I imported the sample curl example from the Meraki API documentation into Postman and noticed that the params did not include anything, only the body with the array.  I updated my request accordingly and now L3 firewall rules are updated.  As a note, the firewall replaces any existing rules with the array contents. So to update a single rule you would need to include all the rules.

 

View solution in original post

21 Replies 21
Adam
Kind of a big deal

I haven't added a rule via API before but I have two observations.

1.  The documentation says "Update L3 Firewall Rules" so I wonder if you are only allowed to update and not add. It doesn't clarify

2.  The rules array appears to be required and make sure to pay attention that it uses a bracket instead of the curly brace so I assume the body of the postman request would be formatted similar to this

{
  "rules": [
      {
        "comment": "allow https - corp internet",
        "policy": "allow",
        "protocol": "tcp",
        "srcPort": "Any",
        "srcCidr": "10.0.0.0/8",
        "destPort": "443",
        "destCidr": "Any",
        "syslogEnabled": false

 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
jasonrakers
Conversationalist

{
 	"rules": [
 	{
        "comment": "allow https - corp internet",
        "policy": "allow",
        "protocol": "tcp",
        "srcPort": "Any",
        "srcCidr": "10.0.0.0/8",
        "destPort": "443",
        "destCidr": "Any",
        "syslogEnabled": false
    },
    {
        "comment": "allow ssh - corp internet",
        "policy": "allow",
        "protocol": "tcp",
        "srcPort": "Any",
        "srcCidr": "10.0.0.0/8",
        "destPort": "22",
        "destCidr": "Any",
        "syslogEnabled": true
    }
	]
}

this is what I have tried in the body, I am thinking the value in my params field is not correct, but not sure on what other format it should be in.

 

You might be onto something with the "Update firewall rule" language instead of "Add", but I tried adding additional destination ports and/or source CIDR in a rule, keeping the same rule order as retrieved in a GET, but the modified rules do not reflect the changes on another GET. 

 

jasonrakers
Conversationalist

I have resolved my issue.   As instructed in the API documentation I have been using the "params" key of "rules" and a "value" of the array.  The body also contained the array as the example code indicated.  If I removed the params key of rules, than I would receive the following error:

404 Bad Request

{ 
     "errors": [
         "Missing parameter -  the \"rules\" parameter is required"
      ]
}

I imported the sample curl example from the Meraki API documentation into Postman and noticed that the params did not include anything, only the body with the array.  I updated my request accordingly and now L3 firewall rules are updated.  As a note, the firewall replaces any existing rules with the array contents. So to update a single rule you would need to include all the rules.

 

Adam
Kind of a big deal

Thanks for following up on this.  I was curious what the resolution would be. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
IsraelM
Conversationalist

Hi Guys,

I've been testing with APIs adding adddresses, names, getting networks, devices, etc.

 

I was trying to add L3 rules into an MX and this really helped since I had the RULES missing parameter, but after doing some testing I'm encountering the following issue.

 

If I try to add one rule:

 

[
    {
        "comment": "Test Rule",
        "policy": "deny",
        "protocol": "any",
        "srcPort": "Any",
        "srcCidr": "10.10.37.5/32",
        "destPort": "Any",
        "destCidr": "10.10.36.0/24",
        "syslogEnabled": false
    },
    {
        "comment": "Default rule",
        "policy": "allow",
        "protocol": "Any",
        "srcPort": "Any",
        "srcCidr": "Any",
        "destPort": "Any",
        "destCidr": "Any",
        "syslogEnabled": false
    }
]

 

I get a 200OK but no addition was made, ever further if I enter a rule manually in the portal and I run the same script everything gets deleted and I get the a 200OK but it deletes all the existing rules but the default one.

 

any guidance would be great.

 

BTW I'm doing this with postman

jasonrakers
Conversationalist

That appears to be the API behavior. You need to define the entire rule set. So if you want to add a rule, you include all the rules plus your addition.  Same from removal of a rule.  All the rules minus the deleted rule. Weird but it works. 

IsraelM
Conversationalist

Thanks for your reply.

 

I've just tried that last time, I first got the existing rules qith a GET, then I PUT the existing rules plus a new one at the top or at the bottom, and does the same the outcome is deletion of the existing rules but the default one.

UT
Comes here often

On the same topic, have a side question... is there a way to add the same firewall rule to multiple networks??? I know how to do with one network because of you have to define a networkID but what about applying to few networks or all thru Postman?

CBurkhead
Building a reputation

Don't know if you are still wanting to do this, but to my knowledge there is not a way to do this via Postman. Admittedly, I don't use Postman, but when I was looking at it I did not get the impression that you could do something like this. You can however do this via a language like Python. I have a script that allows me to access any L3 rules in any MX network in any organization and copy them to another network or networks. 

 

If you are interested in something like this, I can give you more information.

UT
Comes here often

Yes please! I am starting to learn Python just for this purpose so it will help me lot if you could give me any more information.

CBurkhead
Building a reputation

No problem. Do you know if there is an easy way to talk out of the forum? I want to get an idea of what you have done so far and that does not need to be a public discussion. I will also give you the script I wrote and help you to understand what it is doing and modify it to meet your needs.

CarolineS
Community Manager
Community Manager


@CBurkhead wrote:

Do you know if there is an easy way to talk out of the forum? I want to get an idea of what you have done so far and that does not need to be a public discussion. 


Hi @CBurkhead - I just granted you Private Message permissions (typically they're granted automatically after a certain amount of activity on the forums), so you and @UT can exchange contact info privately. 

Caroline S | Community Manager, Cisco Meraki
New to the community? Get started here
CBurkhead
Building a reputation

Thank you very much! That will help a great deal.

gabi
New here

Hi everyone,

 

I have a few questions about this PUT API.

 

I am using a python script to update the L3 firewall rules. My API uses:

 

requests.put(apiCall, data=json.dumps(payload), headers=headers).json()

 

Where for payload, I've tried using just the array in the body (as suggested in the post resolution), like this:

 

payload = [
                     {
                         'comment':'Tested',
                         'policy':'deny',
                         'protocol':'Any',
                         'destPort':'Any',
                         'destCidr':"3.3.3.3/32",
                         'srcPort':'Any',
                         'srcCidr':'Any',

                      },
                      {
                         'comment':'Test',
                         'policy':'deny',
                         'protocol':'any',
                         'srcPort':'Any',
                         'srcCidr':'Any',
                         'destPort':'Any',
                         'destCidr':'1.1.1.1/32,2.2.2.2/32'

                       }

                ]

 

And I receive a 200 code, but the rules are not added nor changed.

 

I've also tried as indicated in the API documentation using the param "rules":

 

payload = { 'rules' : [
                     {
                         'comment':'Tested',
                         'policy':'deny',
                         'protocol':'Any',
                         'destPort':'Any',
                         'destCidr':"3.3.3.3/32",
                         'srcPort':'Any',
                         'srcCidr':'Any',

                      },
                      {
                         'comment':'Test',
                         'policy':'deny',
                         'protocol':'any',
                         'srcPort':'Any',
                         'srcCidr':'Any',
                         'destPort':'Any',
                         'destCidr':'1.1.1.1/32,2.2.2.2/32'

                       }

                 ]

            }

 

And the same result, code 200 OK, but nothing is updated.

 

Do you have any clue about what could be wrong?

Edgar-VO
Building a reputation

I got it working now....

 

It turns out (in my case) that you can only put IP addresses and IP subnets  in the L3 firewall which are part of your network and VPN. Any other will not be accepted nor inserted.

 

so if 3.3.3.3/32 is not part of your network, it will not work

 

 

UT
Comes here often

For adding firewall rules, the destination network may be outside your subnet so it shouldn't matter whether or not you have it on your network. The rule is just created to allow access to that destination and it can be any address. The routing will figure out where to send next. 

CBurkhead
Building a reputation

You will need the "rules" in your payload for this to work, I am surprised you got the 200 without it being in there. The only thought I had was what your headers value is? I know, particularly on a PUT or POST, if the header is wrong sometimes you will get return codes that look good, but nothing actually happens or something weird happens. Make sure that your header for the PUT contains your API key and {'Content-Type':'application/json'}. You don't need the content type when doing a GET, but I have found you have to have it for a PUT or POST.

gabi
New here

Great! That was it!! Thanks @CBurkhead

For my GET I was using the header:

headers = {"X-Cisco-Meraki-API-Key":"<my-API-Key>","Accept":"application/json"}

And I was trying to use the same header for the PUT operation. I was getting code 200 as you well mentioned, however, nothing ever changed.

Then, I followed your suggestion and changed my PUT header to:

headers = {"X-Cisco-Meraki-API-Key":"<my-API-Key>","Content-Type":"application/json"}

And that did it!

Thank y'all for the quick response to this thread. I imagined it would take me weeks to get a response. I'm so happy it was not the case. Kudos!
UT
Comes here often

This is what I use and I can add rules without issues.

import requests
import json

response = requests.put(url, headers=headers, data=json.dumps(payload))
print(response.json())

cumar_chan
New here

Key is to use python (or similar) to make bulk changes.

Use a variable to store the API response and print this out on to screen.

It is usually a  <Response [200]> for success

<Response [400]>  or  <Response [404]> for errors.

To decipher this, you should (in python) parse this into json()

i.e. details =  response.json()

print(details)

...you shoud see the exact nature of the error/failure:

in my case I had included some special chars in the comments section on rule 3:

 

{'errors': ['At least one of your firewall rules is invalid: "ssid[firewall_rules][3][comment] Comment may use only letters, numbers, spaces, and common punctuation".']}

 

P.S - special chars are allowed if you enter via GUI but not via API seemingly!!!

 

 

Edgar-VO
Building a reputation

Good Morning,

 

New at this site and topic... I am having the same issues.... i am sending (using postman and python) REST /API calls to the Meraki environment , i get a 200 Ok but no changes at all. In the logs i can see the old and new value being used, but not the ruleset i want/entered.

 

Somebody got a working python script using the API call : dashboard.mx_l3_firewall.updateNetworkL3FirewallRules()

 

Or of course something else .... 

 

Get notified when there are additional replies to this discussion.