Apply Policy Object/Groups to a L3 firewall rule using API

SOLVED
VinoyMohan
Getting noticed

Apply Policy Object/Groups to a L3 firewall rule using API

I am trying to figure out how to apply a particular Policy Object/Group to an L3 firewall rule using the API. I can create an L3 firewall rule using CIDR/FQDN etc., but I am unable to map the firewall rule to a Policy Object using the API.

Any leads will be appreciated.

1 ACCEPTED SOLUTION
VinoyMohan
Getting noticed

I have found the answer myself. To attach a Policy Object or Policy Object Group, use the format below in the API call.

Policy Object:

    "destCidr" or "srcCidr": "OBJ(Policy Object ID)"

Policy Object Group:

    "destCidr" or "srcCidr": "GRP(Policy Group ID)"

9 REPLIES
KarstenI
Kind of a big deal

Can you give an example on how to do that?

Sure, please find below an example for both a Policy Object and a Policy Object Group tagging a particular firewall rule.

Policy Object tagging to a firewall rule:

API URL: https://api.meraki.com/api/v1/networks/{{ network id}}/appliance/firewall/l3FirewallRules

{
    "rules": [
        {
            "comment": "Allow TCP traffic to subnet with HTTP servers.",
            "policy": "allow",
            "protocol": "tcp",
            "destPort": "443",
            "destCidr": "OBJ(1234567890)",
            "srcPort": "Any",
            "srcCidr": "10.10.10.0/24",
            "syslogEnabled": false
        }
    ]
}

(1234567890 is the Policy Object ID.)

Policy Groups tagging to a firewall rule:

API URL: https://api.meraki.com/api/v1/networks/{{ network id}}/appliance/firewall/l3FirewallRules

{
    "rules": [
        {
            "comment": "Allow TCP traffic to subnet with HTTP servers.",
            "policy": "allow",
            "protocol": "tcp",
            "destPort": "443",
            "destCidr": "GRP(7894564679)",
            "srcPort": "Any",
            "srcCidr": "10.10.10.0/24",
            "syslogEnabled": false
        }
    ]
}

(7894564679 is the Policy Group ID.)

Hope this helps.
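As an added example (not code from the original thread or from Meraki), a small Python helper that builds the OBJ()/GRP() references described above, validates every srcCidr/destCidr value before it goes into a rule, and PUTs the full rule list to the endpoint given in this post. The network ID, API key and object/group IDs are assumed to be the caller's own; the validator accepts "Any", an IP/CIDR, or an OBJ()/GRP() reference, and deliberately rejects anything else so a typo cannot silently become a malformed rule (the FQDN form is not handled here).

```python
import ipaddress
import json
import re
import urllib.request

# Reference formats from the thread: OBJ(<policy object id>) / GRP(<policy group id>)
_REF_RE = re.compile(r"^(OBJ|GRP)\(\d+\)$")

def policy_object_ref(object_id: int) -> str:
    """Render a Policy Object reference for srcCidr/destCidr."""
    return f"OBJ({int(object_id)})"

def policy_group_ref(group_id: int) -> str:
    """Render a Policy Object Group reference for srcCidr/destCidr."""
    return f"GRP({int(group_id)})"

def is_valid_cidr_field(value: str) -> bool:
    """Accept 'Any', an IP/CIDR or an OBJ()/GRP() reference; reject typos."""
    if value == "Any" or _REF_RE.match(value):
        return True
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def build_l3_rule(comment, policy, protocol, dest_port, dest_cidr, src_cidr,
                  src_port="Any", syslog_enabled=False) -> dict:
    """Build one L3 rule in the shape used by the thread's examples."""
    for field in (dest_cidr, src_cidr):
        if not is_valid_cidr_field(field):
            raise ValueError(f"invalid srcCidr/destCidr value: {field!r}")
    return {"comment": comment, "policy": policy, "protocol": protocol,
            "destPort": str(dest_port), "destCidr": dest_cidr,
            "srcPort": str(src_port), "srcCidr": src_cidr,
            "syslogEnabled": syslog_enabled}

def build_payload(rules: list) -> str:
    """Serialize the full rule list: the PUT replaces what is on the network."""
    return json.dumps({"rules": rules}, indent=4)

def put_l3_rules(network_id: str, api_key: str, rules: list) -> bytes:
    """PUT the rule list; network_id/api_key are the caller's own (not on the page)."""
    url = (f"https://api.meraki.com/api/v1/networks/{network_id}"
           "/appliance/firewall/l3FirewallRules")
    req = urllib.request.Request(url, data=build_payload(rules).encode(), method="PUT",
                                 headers={"X-Cisco-Meraki-API-Key": api_key,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.read()
```

Because the PUT carries the whole list, fetch the current rules first and re-send them with the new entry added, otherwise the existing rules are dropped.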

I don't know why, but somehow my response to your query is getting deleted automatically.

Policy Object mapping to an L3 firewall rule

API URL: https://api.meraki.com/api/v1/networks/{{ network id}}/appliance/firewall/l3FirewallRules

{
    "rules": [
        {
            "comment": "Allow TCP traffic to subnet with HTTP servers.",
            "policy": "allow",
            "protocol": "tcp",
            "destPort": "443",
            "destCidr": "OBJ(1234567890)",
            "srcPort": "Any",
            "srcCidr": "10.10.10.0/24",
            "syslogEnabled": false
        }
    ]
}

(1234567890 is the Policy Object ID.)

KarstenI
Kind of a big deal

Thanks for that, I'll play a bit with it.

RaphaelL
Kind of a big deal

Off topic: I still wish we could disable/enable rules for testing purposes instead of deleting/re-creating them.

Yes, absolutely true. But there is no such feature yet, and deleting a particular firewall rule using the API is also not available right now.

Policy Groups mapping to an L3 firewall rule

API URL: https://api.meraki.com/api/v1/networks/{{ network id}}/appliance/firewall/l3FirewallRules

{
    "rules": [
        {
            "comment": "Allow TCP traffic to subnet with HTTP servers.",
            "policy": "allow",
            "protocol": "tcp",
            "destPort": "443",
            "destCidr": "GRP(9879879879)",
            "srcPort": "Any",
            "srcCidr": "10.10.10.0/24",
            "syslogEnabled": false
        }
    ]
}

(9879879879 is the Policy Group ID.)

Hope this helps.