Meraki

Community

Using the API to update the MX L3 Firewall using Network Policy Objects

Solved
NJNetworkGuy100
Getting noticed
‎Mar 22 2023 5:48 AM
‎Mar 22 2023 5:48 AM

Using the API to update the MX L3 Firewall using Network Policy Objects

Are there any examples or documentation on updating the L3 Firewall on a MX using existing Network Policy Objects with the API?  I can't seem to find any examples to follow.  

 

 

0 Kudos
1 Accepted Solution
In response to NJNetworkGuy100
rhbirkelund
Kind of a big deal
Kind of a big deal
‎Mar 23 2023 12:12 AM
‎Mar 23 2023 12:12 AM

When you create a Policy Object or assign multiple Policy Objects to a Group Policy Object, they are all assigned an ID.

You then refer to each Policy Object as OBJ([ID]) or Group Policy as GRP([ID]).

When you then assign these objects to a Firewall Rule in either srcCidr or destCidr, as a single comma-separated string.

Eg.

"rules": [{
    'comment': 'Deny Src Any to Dest Group ID 225', 
    'policy': 'deny', 
    'protocol': 'tcp', 
    'destPort': '443', 
    'destCidr': 'GRP(225)', 
    'srcPort': 'Any', 
    'srcCidr': 'Any', 
    'syslogEnabled': False
},{
    'comment': 'Deny Src Any to Dest Obj ID 662029145223465067,837 and 662029145223465068', 
    'policy': 'allow', 
    'protocol': 'tcp', 
    'destPort': '443', 
    'destCidr': 'OBJ(662029145223465067),OBJ(837),OBJ(662029145223465068)', 
    'srcPort': 'Any', 
    'srcCidr': 'Any', 
    'syslogEnabled': False
}]

This shows two rules as Python Dictionaries.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.

View solution in original post

4 Replies 4
alemabrahao
Kind of a big deal
‎Mar 22 2023 6:33 AM
‎Mar 22 2023 6:33 AM

Have you checked the dashboard API? 

 

https://developer.cisco.com/meraki/api-latest/#!update-organization-policy-object

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
NJNetworkGuy100
Getting noticed
‎Mar 22 2023 10:52 AM
‎Mar 22 2023 10:52 AM

I have, but I'm curious how to use the Policy Object as a destination or source when writing a Python script to update a rule in a L3 Firewall on a MX.

0 Kudos
In response to NJNetworkGuy100
rhbirkelund
Kind of a big deal
Kind of a big deal
‎Mar 23 2023 12:12 AM
‎Mar 23 2023 12:12 AM

When you create a Policy Object or assign multiple Policy Objects to a Group Policy Object, they are all assigned an ID.

You then refer to each Policy Object as OBJ([ID]) or Group Policy as GRP([ID]).

When you then assign these objects to a Firewall Rule in either srcCidr or destCidr, as a single comma-separated string.

Eg.

"rules": [{
    'comment': 'Deny Src Any to Dest Group ID 225', 
    'policy': 'deny', 
    'protocol': 'tcp', 
    'destPort': '443', 
    'destCidr': 'GRP(225)', 
    'srcPort': 'Any', 
    'srcCidr': 'Any', 
    'syslogEnabled': False
},{
    'comment': 'Deny Src Any to Dest Obj ID 662029145223465067,837 and 662029145223465068', 
    'policy': 'allow', 
    'protocol': 'tcp', 
    'destPort': '443', 
    'destCidr': 'OBJ(662029145223465067),OBJ(837),OBJ(662029145223465068)', 
    'srcPort': 'Any', 
    'srcCidr': 'Any', 
    'syslogEnabled': False
}]

This shows two rules as Python Dictionaries.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
In response to rhbirkelund
NJNetworkGuy100
Getting noticed
‎Mar 23 2023 5:14 AM
‎Mar 23 2023 5:14 AM

That is perfect!  Thanks for the explanation.  

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2025 Cisco Systems, Inc.