URL Black list feed

Solved
Ramtech
Here to help

URL Black list feed

I would like to incorporate a daily threat intelligence URL Black list feed into our Meraki appliances.  We are using MX 65/67/68/84/100s all with Advanced Security Licenses.  The feed comes as a txt file with URL per line.  I can easily reformat this though if that is an issue.

Is there a way to do this without cutting and pasting to our MX Appliances on a daily basis?

Thanks

Ross.

Regards
Ross
1 Accepted Solution
SoCalRacer
Kind of a big deal

You are going to want to use the API to do that. My Suggestion use python to parse through the file with the URLs and then update Group Policy. If you don't feel comfortable using the API, then I don't believe its going to be possible.

 

This should help you get started with the API

https://documentation.meraki.com/zGeneral_Administration/Other_Topics/The_Cisco_Meraki_Dashboard_API

 

This is most likely the call you will use

https://dashboard.meraki.com/api_docs#update-a-group-policy

 

cf.png

View solution in original post

9 Replies 9
SoCalRacer
Kind of a big deal

You are going to want to use the API to do that. My Suggestion use python to parse through the file with the URLs and then update Group Policy. If you don't feel comfortable using the API, then I don't believe its going to be possible.

 

This should help you get started with the API

https://documentation.meraki.com/zGeneral_Administration/Other_Topics/The_Cisco_Meraki_Dashboard_API

 

This is most likely the call you will use

https://dashboard.meraki.com/api_docs#update-a-group-policy

 

cf.png

Ramtech
Here to help

Greatly appreciated Racer!

I figured as much, but the heads up you've given there is awesome.  Particularly including the specific call. 

Out of curiosity, have you done this or has anyone else done this this way?  My python skills are average at best... ¯\_(ツ)_/¯

Regards
Ross
SoCalRacer
Kind of a big deal

This exact call with this exact kind of solution, no.

 

I have used the API to parsr through text files in python and feed that into API calls on the dashboard. Not sure how I would rate my python skills but it's doable.

Ramtech
Here to help

Cheers!
I greatly appreciate the assistance.
Regards
Ross
PhilipDAth
Kind of a big deal
Kind of a big deal

You realise if you are using the IPS engine that it is already getting a live feed of threats to stop?  I would tell it to prefer "security" to get the larger set.

https://gblogs.cisco.com/ch-tech/meraki-malware-detection-looks-also-into-the-past/

 

You may be manually duplicating something that is done automatically.

Ramtech
Here to help

Hi Philip.
Thanks for the response.  The honest answer is no I didn't.  I do run them in IPS Balanced mode, but didn;t realise that that also had a URL blocking component. I understood it blocked Malware from many sources.  Where can I see the URL blocklist contents do you know?

Regards
Ross
PhilipDAth
Kind of a big deal
Kind of a big deal

The IPS signatures are updated dynamically.  It could happen several times in an hour and then not for several days.  It just depends what new threats are emerging.

The list is not publically available.

 

I would crank it up to prefer security.

 

You can read more about the rule sets here:

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection#Intrus...

Ramtech
Here to help

Thanks Philip.
I might have a play with the custom solution as well though, as I know it has some known malicious URI/URLs in it that I can get to from behind the MX even in "Security" mode. If I can automate that being updated, I will sleep a little better...
Thank you very much for the heads up, and links though. It's greatly appreciated.
Regards
Ross
CptnCrnch
Kind of a big deal
Kind of a big deal

Have you thought about Umbrella integration? Instead of having to update a rather static feed (not even in real time) this would be a big leap forward from a security perspective.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels