URL Black list feed

SOLVED
Here to help

I would like to incorporate a daily threat intelligence URL Black list feed into our Meraki appliances.  We are using MX 65/67/68/84/100s all with Advanced Security Licenses.  The feed comes as a txt file with URL per line.  I can easily reformat this though if that is an issue.

Is there a way to do this without cutting and pasting to our MX Appliances on a daily basis?

Thanks

Ross.

Regards
Ross
1 ACCEPTED SOLUTION

Head in the Cloud

Re: URL Black list feed

You are going to want to use the API to do that. My suggestion: use Python to parse through the file with the URLs and then update Group Policy. If you don't feel comfortable using the API, then I don't believe it's going to be possible.

 

This should help you get started with the API

https://documentation.meraki.com/zGeneral_Administration/Other_Topics/The_Cisco_Meraki_Dashboard_API

 

This is most likely the call you will use

https://dashboard.meraki.com/api_docs#update-a-group-policy
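
A starting point for the parsing step suggested in the accepted answer, as an added example that is not part of the original post. It assumes patterns are sent as host plus path without a scheme; `NEVER_BLOCK` and the request body field names are assumptions to confirm against the API documentation linked above.

```python
import json
from urllib.parse import urlsplit

# Constructed sample feed: one URL per line, as described in the question.
SAMPLE_FEED = """\
# daily feed (constructed sample)
http://Bad-Site.example/payload.exe
https://bad-site.example/payload.exe
phish.example/login?id=1
http://dashboard.meraki.com/
not a url
com
"""

# Hypothetical safety list: hosts a bad feed entry must never block.
NEVER_BLOCK = {"dashboard.meraki.com"}

def to_pattern(line):
    """Turn one feed line into 'host/path', or None if it is unusable."""
    line = line.strip()
    if not line or line.startswith("#") or " " in line:
        return None
    try:
        # urlsplit only finds the host when a scheme or '//' is present.
        parts = urlsplit(line if "://" in line else "//" + line)
    except ValueError:
        return None
    host = (parts.hostname or "").lower()
    # Require a dotted host so a stray 'com' cannot block a whole TLD.
    if "." not in host or host in NEVER_BLOCK:
        return None
    # Query string and fragment are dropped; only host and path are kept.
    return host + parts.path.rstrip("/")

def build_patterns(feed_text):
    """Deduplicated, sorted patterns from the whole feed."""
    return sorted({p for p in map(to_pattern, feed_text.splitlines()) if p})

def group_policy_body(patterns):
    """Body for the group policy update call (field names are assumed)."""
    # "override" is assumed to replace the previous day's list entirely.
    return {"contentFiltering": {"blockedUrlPatterns": {
        "settings": "override", "patterns": patterns}}}

if __name__ == "__main__":
    print(json.dumps(group_policy_body(build_patterns(SAMPLE_FEED)), indent=2))
```

Logging the lines that `to_pattern` rejects each day makes it easier to spot a malformed or tampered feed before it reaches the appliances.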

Here to help

Re: URL Black list feed

Greatly appreciated Racer!

I figured as much, but the heads up you've given there is awesome.  Particularly including the specific call. 

Out of curiosity, have you done this or has anyone else done this this way?  My python skills are average at best... ¯\_(ツ)_/¯

Regards
Ross
Head in the Cloud

Re: URL Black list feed

This exact call with this exact kind of solution, no.

 

I have used the API to parse through text files in Python and feed that into API calls on the dashboard. Not sure how I would rate my Python skills but it's doable.

Here to help

Re: URL Black list feed

Cheers!
I greatly appreciate the assistance.
Regards
Ross
Kind of a big deal

Re: URL Black list feed

You realise if you are using the IPS engine that it is already getting a live feed of threats to stop?  I would tell it to prefer "security" to get the larger set.

https://gblogs.cisco.com/ch-tech/meraki-malware-detection-looks-also-into-the-past/

 

You may be manually duplicating something that is done automatically.

Here to help

Re: URL Black list feed

Hi Philip.
Thanks for the response.  The honest answer is no, I didn't.  I do run them in IPS Balanced mode, but didn't realise that that also had a URL blocking component. I understood it blocked Malware from many sources.  Where can I see the URL blocklist contents, do you know?

Regards
Ross
Kind of a big deal

Re: URL Black list feed

The IPS signatures are updated dynamically.  It could happen several times in an hour and then not for several days.  It just depends what new threats are emerging.

The list is not publicly available.

 

I would crank it up to prefer security.

 

You can read more about the rule sets here:

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection#Intrus...

Here to help

Re: URL Black list feed

Thanks Philip.
I might have a play with the custom solution as well though, as I know it has some known malicious URI/URLs in it that I can get to from behind the MX even in "Security" mode. If I can automate that being updated, I will sleep a little better...
Thank you very much for the heads up, and links though. It's greatly appreciated.
Regards
Ross
Getting noticed

Re: URL Black list feed

Have you thought about Umbrella integration? Instead of having to update a rather static feed (not even in real time) this would be a big leap forward from a security perspective.