Meraki External Dynamic IP list

CDTC
Here to help

Hello, 

I have a list of IP addresses that is maintained by our External Security team. Currently I'm running the API to take this list of IP addresses and add it to a Policy Object group which is included in our Layer 3 firewalls. This list has grown to over 150 IP addresses now and has hit the limit of the PolicyGroup. 

Is there a better "Dynamic" approach to blocking these IP addresses? 

Thank you!

cmr
Kind of a big deal

As a policy object can be an FQDN, perhaps you could create one and have multiple IP addresses behind it.  If you then add the FQDN to the group that might allow more than the 150 limit.  I must admit that I haven't tried it, but if you add one of the existing IPs to an FQDN along with the next you want to add, you will soon see if it works!

If my answer solves your problem please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal
Kind of a big deal

Rather than adding the IP addresses all the time to the firewall, why not add the dynamic FQDN DNS name of the MX once?

https://documentation.meraki.com/MX/Other_Topics/Dynamic_DNS_(DDNS)

Because it would be so easy to manage, you could create two groups.

CDTC
Here to help

As I need to block incoming connections to the firewall from a list of all "bad" IP addresses, using an FQDN wouldn't work. As I understand how it works, it resolves an FQDN and then blocks the IP that it resolved to.

I'm working on adding a clause to my API script to create a new group and then search for the rules that use the existing block lists.
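The approach CDTC describes (split the list over several policy object groups, then find and rewrite the L3 rules that reference the old group) can be sketched as follows. This is an added example written for this thread; it is not Meraki's code and not CDTC's script. The Dashboard API paths, the `category`/`type` values and the `GRP(<id>)` reference syntax in rule fields are taken from the Meraki API reference as I remember it and should be treated as assumptions to verify against the current documentation; the per-group limit of 150 is the figure this thread reports. The sample block list below is constructed, and no network call is made unless the `MERAKI_DASHBOARD_API_KEY` environment variable is set.

```python
"""Split an external block list across several Meraki policy-object groups and
point every L3 firewall rule that used the old group at all of the new ones."""
import ipaddress
import json
import os
import re
import urllib.request
from typing import Dict, List, Sequence

BASE_URL = "https://api.meraki.com/api/v1"        # assumption: Dashboard API v1 base
MAX_OBJECTS_PER_GROUP = 150                       # limit the thread reports hitting
GROUP_REF = re.compile(r"^GRP\((\d+)\)$")         # assumption: group reference syntax


def normalise_ips(raw: Sequence[str]) -> List[str]:
    """Validate, deduplicate and convert entries to CIDR notation.
    Lines that are comments, blank or not valid IPs are skipped, so a typo in the
    external team's list never reaches the firewall as a malformed object."""
    seen, out = set(), []
    for line in raw:
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            cidr = str(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue
        if cidr not in seen:
            seen.add(cidr)
            out.append(cidr)
    return out


def chunk(items: List[str], size: int = MAX_OBJECTS_PER_GROUP) -> List[List[str]]:
    """Cut the list into groups that fit under the per-group object limit."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def expand_rules(rules: List[Dict], old_group_id: int, new_group_ids: List[int]) -> List[Dict]:
    """Return a rule list where each rule whose srcCidr or destCidr is GRP(old_group_id)
    becomes one identical rule per replacement group; other rules are kept as-is."""
    old_ref = f"GRP({old_group_id})"
    expanded = []
    for rule in rules:
        fields = [k for k in ("srcCidr", "destCidr") if rule.get(k) == old_ref]
        if not fields:
            expanded.append(rule)
            continue
        for gid in new_group_ids:
            clone = dict(rule)
            for k in fields:
                clone[k] = f"GRP({gid})"
            expanded.append(clone)
    return expanded


def _call(method: str, path: str, body=None):
    """Minimal authenticated call to the Dashboard API (header name per Meraki docs)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method, headers={
        "X-Cisco-Meraki-API-Key": os.environ["MERAKI_DASHBOARD_API_KEY"],
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def sync_block_list(org_id: str, net_id: str, old_group_id: int, raw_ips: Sequence[str]) -> List[int]:
    """Create CIDR objects and groups for the whole list, then rewrite the L3 rules."""
    new_group_ids = []
    for n, part in enumerate(chunk(normalise_ips(raw_ips)), start=1):
        object_ids = [
            _call("POST", f"/organizations/{org_id}/policyObjects",
                  {"name": f"extblock-{c.replace('/', '_')}", "category": "network",
                   "type": "cidr", "cidr": c})["id"]
            for c in part
        ]
        grp = _call("POST", f"/organizations/{org_id}/policyObjects/groups",
                    {"name": f"ExternalBlockList-{n}", "category": "NetworkObjectGroup",
                     "objectIds": object_ids})
        new_group_ids.append(int(grp["id"]))
    rules = _call("GET", f"/networks/{net_id}/appliance/firewall/l3FirewallRules")["rules"]
    # assumption: the trailing "Default rule" is returned by GET but must not be sent back
    rules = [r for r in rules if r.get("comment") != "Default rule"]
    _call("PUT", f"/networks/{net_id}/appliance/firewall/l3FirewallRules",
          {"rules": expand_rules(rules, old_group_id, new_group_ids)})
    return new_group_ids


if __name__ == "__main__":
    # Constructed sample list, as the external team's file might look.
    sample = ["198.51.100.10", "198.51.100.10", "bad entry", "203.0.113.0/24 # partner range"]
    print(normalise_ips(sample))
    if os.environ.get("MERAKI_DASHBOARD_API_KEY"):
        print(sync_block_list(os.environ["ORG_ID"], os.environ["NET_ID"],
                              int(os.environ["OLD_GROUP_ID"]), sample))
```

Replacing the old group with a set of groups keeps one rule per group with the same action and logging flag, so the order of the remaining rules is preserved and the block list can grow beyond the limit without touching the rest of the rule base.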

cmr
Kind of a big deal

@CDTC an FQDN can resolve to multiple IP addresses, as long as it doesn't care about the reverse DNS, it *might* work...
