Meraki Community

FrankVeprek

I'm using this in conjunction with getNetworkWirelessSsidFirewallL3FirewallRules. It grabs the rules from my testing network, and applies them to another. I've got 46 rules for this particular l3 Firewall, and the last one is an explicit deny - DENY IPv4 Any Any Any. It seems fine with the first 45 rules, but the last one generates this error:

meraki.exceptions.APIError: wireless, updateNetworkWirelessSsidFirewallL3FirewallRules - 400 Bad Request, {'errors': ['At least one of your firewall rules is invalid: "ssid[firewall_rules][46][dst_cidr] Destination address must be an IP address or a subnet in CIDR form (e.g. \'192.168.1.0/24\'), For ACL rules applied to both IPv4 and IPv6,or \'any\'".']}

The destCidr field is Any. I have other Allow rules with a destCidr of Any that seem to pass just fine. Not sure why this rule is causing an error.

Jake-Young

You can't delete them. You just wouldn't append them to your 'rules_for_update' list as you build it. So, you could try adding something like this above rule_tmp in your first loop

if rule["comment"] == "Wireless clients accessing LAN":
continue
if rule["comment"] == "Default rule":
continue

View solution in original post

Jake-Young

It's not the last rule, it's the second to last rule. When you make the call to get the rules from your test network it includes the two bottom Meraki "default" rules.

- Wireless clients access LAN
- Default rule

If you look at the "Wireless client access LAN rule you'll see that the 'destCidr' is a string, 'Local LAN'. That's your problem. It's not an acceptable value to pass in.

{
'comment': 'Wireless clients accessing LAN',
'ipVer': 'ipv4',
'policy': 'deny',
'protocol': 'Any',
'destPort': 'Any',
'destCidr': 'Local LAN', # <--- This one
}

Neither of those two Meraki "default rules need to be passed in. They already exist in the destination Network you're configuring (again by default). So, you'll want to delete those last two rules in the list before making the API call to PUT all the rules in the destination Network.

If you need to adjust the "Wireless clients accessing LAN" rule you don't want to pass the actual rule in with your rules, you need to add the additional API parameter allowLanAccess. The last rule "Default rule" is not adjustable. It's always Allow IPv4 Any Any Any.

FrankVeprek

Thanks! I assume this is one of those instances where my "rule 1" is treated as "rule 0", etc.?

How does one delete those rules? They have a grey background in the dashboard, and no option to edit or delete (or any options, for that matter).

If it helps, this is the code I'm using. I'm VERY new to this, and have never done programming before, so I really do appreciate any insight that can be provided.

dashboard = meraki.DashboardAPI(API_KEY)

network_id = 'Network1'

number = '4'

response = dashboard.wireless.getNetworkWirelessSsidFirewallL3FirewallRules(

network_id, number

)

rules_for_update=[]

for rule in response["rules"]:

print(rule["comment"])

print(rule["ipVer"])

print(rule["policy"])

print(rule["protocol"])

print(rule["destPort"])

print(rule["destCidr"])

print("\n")

rule_tmp = {"comment": rule["comment"], "ipVer": rule["ipVer"], "policy": rule["policy"], "protocol": rule["protocol"], "destPort": rule["destPort"], "destCidr": rule["destCidr"].lower()}

rules_for_update.append(rule_tmp)

network_ID_to_update = 'Network2'

number_to_update = '3'

response_to_update = dashboard.wireless.updateNetworkWirelessSsidFirewallL3FirewallRules(

network_ID_to_update, number_to_update,

rules=rules_for_update

)

for rules in response_to_update["rules"]: