Update Network Wireless Ssid Firewall L3 Firewall Rules via API
Hi,
I'm trying to Update Network Wireless Ssid Firewall L3 Firewall Rules via API.
The API returns the error "Destination address must be an IP address or a subnet in CIDR form (e.g. '192.168.1.0/24' or 'any')" when the firewall rules include a Local LAN traffic rule like this:
{
"comment": "Wireless clients accessing LAN",
"ipVer": "ipv4",
"policy": "deny",
"protocol": "Any",
"destPort": "Any",
"destCidr": "Local LAN"
}
How can I update this firewall via API?
If you simply "pop" that entry in the Firewall rule payload, so that you only send actual rules and not that rule, will the POST succeed?
That rule can not be removed. It will always be there, so I wonder if you can update the rules, without actually updating that rule, as well.
Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂
All code examples are provided as is. Responsibility for Code execution lies solely your own.
Yes, without that rule the update works correctly. But what if I need to update the rule to permit/deny access to the local LAN?
I could suspect you might be hitting a bug in the API, so it might be worthwhile to submit a ticket with Meraki Support, and have their take on it.
If you leave out the destCidr key/val pair, does the POST succeed as well?
You can't change the default rule. Instead, you have to add a rule above it to do a deny/any/any.
Yeah, that's correct, but from what I gather from @Luca_1s post, it's the Local LAN access for Wireless Clients rule, and not the Default rule. 🙂
I've just hit the exact same issue! lol. Is there a way via API to change the allow/deny status of this rule like you can in the dashboard?
Yeah, not finding a way to update that dropdown from allow to deny for traffic to Local LAN. The best I came up with was to add three separate rules for each of the private class subnets. Hope this won't block the gateway for the client.
rules=[{'comment': 'Wireless clients accessing LAN', 'ipVer': 'ipv4', 'policy': 'deny', 'protocol': 'any', 'destPort': 'Any', 'destCidr': '10.0.0.0/8'},
{'comment': 'Wireless clients accessing LAN', 'ipVer': 'ipv4', 'policy': 'deny', 'protocol': 'any', 'destPort': 'Any', 'destCidr': '172.16.0.0/12'},
{'comment': 'Wireless clients accessing LAN', 'ipVer': 'ipv4', 'policy': 'deny', 'protocol': 'any', 'destPort': 'Any', 'destCidr': '192.168.0.0/16'}]
I had the same issue with the 2 default rules. My last rule is a DENY ANY ANY, and I just want "my" rules copied over, not the defaults (don't need to since they're already going to be there). Someone suggested adding this in my code and it worked flawlessly.
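
One way to do the filtering discussed in this thread, as an added example (not the code the poster above refers to, and not Meraki's own): it drops the built-in "Local LAN" and trailing default entries from a rule list read back from the API and carries the LAN allow/deny choice in the `allowLanAccess` boolean that the Dashboard API v1 update call accepts alongside `rules`. The function name, the sample rules and the "Default rule" comment text are assumptions.

```python
# Added example. Sample data is constructed; names are hypothetical.

LOCAL_LAN = "Local LAN"  # destCidr value the API rejected in the thread


def _is_default_rule(rule):
    # Assumption: the trailing built-in rule is allow/any named "Default rule".
    return (
        rule.get("comment") == "Default rule"
        and rule.get("policy", "").lower() == "allow"
        and rule.get("destCidr", "").lower() == "any"
    )


def build_l3_update(existing_rules, allow_lan_access=None):
    """Build the request body for the SSID L3 firewall rules update.

    existing_rules: rule list as read back from the API.
    allow_lan_access: True/False to set LAN access, None to keep the
    value found in the existing "Local LAN" entry.
    """
    custom = []
    current_lan = None
    for rule in existing_rules:
        if rule.get("destCidr") == LOCAL_LAN:
            # Remember the current setting, but never send this entry back.
            current_lan = rule.get("policy", "").lower() == "allow"
            continue
        custom.append(dict(rule))  # copy so the caller's list is untouched
    if custom and _is_default_rule(custom[-1]):
        custom.pop()  # built-in rule, re-added by the platform
    body = {"rules": custom}
    lan = current_lan if allow_lan_access is None else allow_lan_access
    if lan is not None:
        # Sent explicitly so an existing deny is not left to a server default.
        body["allowLanAccess"] = lan
    return body


# Constructed sample of what a read-back rule list might look like.
SAMPLE_RULES = [
    {"comment": "Block printers", "policy": "deny", "protocol": "any",
     "destPort": "Any", "destCidr": "10.20.0.0/24"},
    {"comment": "Wireless clients accessing LAN", "policy": "deny",
     "protocol": "Any", "destPort": "Any", "destCidr": "Local LAN"},
    {"comment": "Default rule", "policy": "allow", "protocol": "Any",
     "destPort": "Any", "destCidr": "Any"},
]
```

The returned dictionary is the JSON body for the update request; the 10/8, 172.16/12 and 192.168/16 deny rules suggested earlier in the thread can be passed through it unchanged as ordinary custom rules.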
