Update Network Wireless Ssid Firewall L3 Firewall Rules via API

Luca_1
Here to help


Hi,

I'm trying to Update Network Wireless Ssid Firewall L3 Firewall Rules via API.

The API returns the error "Destination address must be an IP address or a subnet in CIDR form (e.g. '192.168.1.0/24' or 'any')" when the firewall rules include a Local LAN traffic rule like this:

{
    "comment": "Wireless clients accessing LAN",
    "ipVer": "ipv4",
    "policy": "deny",
    "protocol": "Any",
    "destPort": "Any",
    "destCidr": "Local LAN"
}

How can I update this firewall via API?
Any idea?
 
Thanks to all
8 Replies
rhbirkelund
Kind of a big deal

If you simply "pop" that entry in the Firewall rule payload, so that you only send actual rules and not that rule, will the POST succeed?
That rule can not be removed. It will always be there, so I wonder if you can update the rules, without actually updating that rule, as well.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
Luca_1
Here to help

Yes, without that rule the update works correctly. But what if I need to update the rule to permit/deny access to the local LAN?

rhbirkelund
Kind of a big deal

I could suspect you might be hitting a bug in the API, so it might be worthwhile to submit a ticket with Meraki Support, and have their take on it.
If you leave out the destCidr key/val pair, does the POST succeed as well?

PhilipDAth
Kind of a big deal

You can't change the default rule. Instead, you have to add a rule above it to do a deny/any/any.

rhbirkelund
Kind of a big deal

Yeah, that's correct, but from what I gather from @Luca_1's post, it's the Local LAN access for Wireless Clients rule, and not the Default rule. 🙂

Adrian4
Head in the Cloud

I've just hit the exact same issue! lol. Is there a way via API to change the allow/deny status of this rule like you can in the dashboard?

as_
Here to help

Yeah, not finding a way to update that dropdown from allow to deny for traffic to Local LAN. The best I came up with was to add three separate rules, one for each of the private class subnets. Hope this won't block the gateway for the client.

rules = [
    {'comment': 'Wireless clients accessing LAN', 'ipVer': 'ipv4', 'policy': 'deny',
     'protocol': 'any', 'destPort': 'Any', 'destCidr': '10.0.0.0/8'},
    {'comment': 'Wireless clients accessing LAN', 'ipVer': 'ipv4', 'policy': 'deny',
     'protocol': 'any', 'destPort': 'Any', 'destCidr': '172.16.0.0/12'},
    {'comment': 'Wireless clients accessing LAN', 'ipVer': 'ipv4', 'policy': 'deny',
     'protocol': 'any', 'destPort': 'Any', 'destCidr': '192.168.0.0/16'},
]

FrankVeprek
Here to help

I had the same issue with the 2 default rules. My last rule is a DENY ANY ANY, and I just want "my" rules copied over, not the defaults (don't need to since they're already going to be there). Someone suggested adding this in my code and it worked flawlessly.

    for rule in rules:
        # Skip the two dashboard-generated rules: the API rejects "Local LAN"
        # and re-adds both automatically, so only the operator's own rules are sent.
        if rule["comment"] == "Wireless clients accessing LAN":
            continue
        if rule["comment"] == "Default rule":
            continue
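The two workarounds in this thread (dropping the dashboard-generated rules before the update, and replacing the "Local LAN" deny with explicit RFC 1918 denies) can be combined into one payload builder that also validates each destination the way the API error message describes. The following is an added example, not code from any poster or from Meraki; it runs offline against a constructed rule list shaped like a GET of an SSID's L3 rules. The `allowLanAccess` boolean is the field the Meraki v1 API reference documents for this endpoint (it is not mentioned in the thread), so it is passed through only when the caller sets it; the hypothetical "Allow DNS" rule and the 10.0.0.53 address are constructed sample data.

```python
import ipaddress
import json

# Comments the dashboard puts on the two built-in rules every SSID L3 rule
# set carries. They cannot be edited through the rules array, so they are
# removed before the update (FrankVeprek's filter).
BUILTIN_COMMENTS = {"Wireless clients accessing LAN", "Default rule"}

# The three private ranges used by as_'s workaround instead of "Local LAN".
RFC1918_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed sample, shaped like the rules returned for an SSID: one
# operator rule plus the two dashboard-generated ones.
SAMPLE_RULES = [
    {"comment": "Allow DNS", "ipVer": "ipv4", "policy": "allow",
     "protocol": "udp", "destPort": "53", "destCidr": "10.0.0.53/32"},
    {"comment": "Wireless clients accessing LAN", "ipVer": "ipv4", "policy": "deny",
     "protocol": "Any", "destPort": "Any", "destCidr": "Local LAN"},
    {"comment": "Default rule", "ipVer": "ipv4", "policy": "allow",
     "protocol": "Any", "destPort": "Any", "destCidr": "Any"},
]


def is_valid_dest_cidr(dest):
    """True if dest is what the API error asks for: 'any', a single IP
    address, or a subnet in CIDR form. 'Local LAN' therefore fails, as does
    a CIDR with host bits set (strict=True), which the dashboard also rejects."""
    if dest.strip().lower() == "any":
        return True
    try:
        ipaddress.ip_network(dest, strict=True)
        return True
    except ValueError:
        return False


def strip_builtin_rules(rules):
    """Keep only the operator's own rules; match on the dashboard's comment
    and, as a second guard, on the 'Local LAN' destination itself."""
    return [r for r in rules
            if r.get("comment") not in BUILTIN_COMMENTS
            and r.get("destCidr") != "Local LAN"]


def rfc1918_deny_rules(comment="Wireless clients accessing LAN"):
    """Explicit denies for the private ranges, standing in for 'Local LAN'."""
    return [{"comment": comment, "ipVer": "ipv4", "policy": "deny",
             "protocol": "any", "destPort": "Any", "destCidr": cidr}
            for cidr in RFC1918_RANGES]


def build_l3_payload(current_rules, block_local_lan=False, allow_lan_access=None):
    """Build the update body. Operator rules go first so an explicit allow
    (e.g. to the DHCP/DNS server) is matched before the RFC 1918 denies,
    which addresses the 'will this block the gateway' concern; the dashboard
    re-appends its own two rules after ours. Raises ValueError with the
    API's wording for any destination the API would reject."""
    rules = strip_builtin_rules(current_rules)
    if block_local_lan:
        rules = rules + rfc1918_deny_rules()
    bad = [r["destCidr"] for r in rules if not is_valid_dest_cidr(r["destCidr"])]
    if bad:
        raise ValueError("Destination address must be an IP address or a subnet "
                         f"in CIDR form (e.g. '192.168.1.0/24' or 'any'): {bad}")
    payload = {"rules": rules}
    if allow_lan_access is not None:
        # Documented boolean for this endpoint; only sent when explicitly chosen.
        payload["allowLanAccess"] = bool(allow_lan_access)
    return payload


if __name__ == "__main__":
    # Body to PUT to .../wireless/ssids/{number}/firewall/l3FirewallRules
    print(json.dumps(build_l3_payload(SAMPLE_RULES, block_local_lan=True), indent=2))
```

Run the validator over the rules you fetched before sending them: a rule that fails `is_valid_dest_cidr` is the one the API will reject, and the error then names the offending destination rather than the whole request.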