I would like to incorporate a daily threat intelligence URL blacklist feed into our Meraki appliances. We are using MX 65/67/68/84/100s, all with Advanced Security Licenses. The feed comes as a txt file with one URL per line. I can easily reformat this though if that is an issue.
Is there a way to do this without cutting and pasting to our MX Appliances on a daily basis?
Thanks
Ross.
You are going to want to use the API to do that. My suggestion: use Python to parse through the file with the URLs and then update Group Policy. If you don't feel comfortable using the API, then I don't believe it's going to be possible.
This should help you get started with the API
https://documentation.meraki.com/zGeneral_Administration/Other_Topics/The_Cisco_Meraki_Dashboard_API
This is most likely the call you will use
https://dashboard.meraki.com/api_docs#update-a-group-policy
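A sketch of the approach suggested in the answer above, added as an example and not code from the thread or from Meraki: it parses a one-URL-per-line feed, rejects entries that would over-block, and builds the group policy update request without sending it. The v1 endpoint path, the `contentFiltering` field names, the `MAX_PATTERNS` cap and the sample feed are assumptions to check against the API documentation linked above.

```python
import json
import urllib.request
from urllib.parse import urlsplit

# Assumed, not from the thread: the v1 endpoint path, the contentFiltering
# field names and MAX_PATTERNS. Check them against the API docs linked above.
BASE = "https://api.meraki.com/api/v1"
MAX_PATTERNS = 500  # safety cap chosen for this example, not a documented limit

def parse_feed(text):
    """Return (sorted unique patterns, rejected lines) from a URL-per-line feed."""
    patterns, rejected = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or feed comment
        try:
            parts = urlsplit(line if "://" in line else "//" + line)
            host = (parts.hostname or "").rstrip(".")
        except ValueError:
            host = ""  # unparseable entry
        # Reject wildcards, bare names and embedded whitespace: one bad feed
        # line must not turn into a rule that blocks far more than intended.
        if "." not in host or "*" in line or any(c.isspace() for c in line):
            rejected.append(line)
            continue
        patterns.add(host + parts.path.rstrip("/"))  # scheme, port, query dropped
    return sorted(patterns), rejected

def build_update(api_key, network_id, policy_id, patterns):
    """Build, without sending, the PUT that replaces the policy's block list."""
    if not patterns:
        raise ValueError("refusing to push an empty block list")
    if len(patterns) > MAX_PATTERNS:
        raise ValueError("feed larger than MAX_PATTERNS; review before pushing")
    body = {"contentFiltering": {"blockedUrlPatterns": {
        "settings": "override", "patterns": patterns}}}
    return urllib.request.Request(
        f"{BASE}/networks/{network_id}/groupPolicies/{policy_id}",
        data=json.dumps(body).encode(), method="PUT",
        headers={"X-Cisco-Meraki-API-Key": api_key,
                 "Content-Type": "application/json"})

# Constructed sample feed; the example.* names are placeholders.
SAMPLE_FEED = ("# daily feed\nhttp://bad.example.com/login/\n"
               "BAD.example.com/login\nhttps://malware.example.net\n*\nlocalhost\n")

if __name__ == "__main__":
    pats, bad = parse_feed(SAMPLE_FEED)
    print(pats, bad, build_update("KEY", "N_1", "101", pats).full_url)
```

Send the request with `urllib.request.urlopen(req)` from a scheduled job, and log the rejected lines so a malformed feed is noticed rather than silently pushed.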
Greatly appreciated Racer!
I figured as much, but the heads up you've given there is awesome. Particularly including the specific call.
Out of curiosity, have you done this or has anyone else done this this way? My python skills are average at best... ¯\_(ツ)_/¯
This exact call with this exact kind of solution, no.
I have used the API to parse through text files in python and feed that into API calls on the dashboard. Not sure how I would rate my python skills but it's doable.
You realise if you are using the IPS engine that it is already getting a live feed of threats to stop? I would tell it to prefer "security" to get the larger set.
https://gblogs.cisco.com/ch-tech/meraki-malware-detection-looks-also-into-the-past/
You may be manually duplicating something that is done automatically.
Hi Philip.
Thanks for the response. The honest answer is no, I didn't. I do run them in IPS Balanced mode, but didn't realise that that also had a URL blocking component. I understood it blocked Malware from many sources. Where can I see the URL blocklist contents, do you know?
The IPS signatures are updated dynamically. It could happen several times in an hour and then not for several days. It just depends what new threats are emerging.
The list is not publicly available.
I would crank it up to prefer security.
You can read more about the rule sets here: