Add Meraki MX L3 Firewall Rule to Networks

This is a simple Python script that reads a NewRuleToAdd.txt file and, using the Meraki Dashboard API, adds one L3 firewall rule containing all the IP addresses from that file to each Network in the Org.
Before adding the rule, it prints a summary to the console: the IPs to add to the new rule, the ticket number and the list of all networks it will add them to.
It then asks the operator of the script for confirmation.

Dependencies and initial setup:

Python 3.6 with the following modules installed:

  1. requests
  2. meraki

More details on the meraki module here:
https://github.com/meraki/dashboard-api-python
https://developer.cisco.com/meraki/api-v1/#!overview

You can typically install those modules with the following commands:

pip install requests

pip install meraki

You need to have a file named config.py in the same directory as the AddRulesToMXL3Firewall.py
script that defines the Meraki API key to use to run the code as well as the Org ID of
the Organization whose Networks you want to change the rules for.
The API key carries the same permissions as the dashboard account it was generated for, so keep
config.py out of version control.
You can obtain the Meraki API Key and the org ID by following the instructions here:
https://developer.cisco.com/meraki/api/#/rest/getting-started

Example of content of the config.py file you must create:

meraki_api_key = "yourMerakiAPIKey"
meraki_org_id = "yourOrgID"

You also need to have the input file named NewRuleToAdd.txt in the same directory as the AddRulesToMXL3Firewall.py script.
It must contain exactly two lines:

  1. the comment to use for the new rule (for example the case or ticket number)
  2. a comma-separated list of IP addresses in dot-decimal notation

Example of content of the NewRuleToAdd.txt file you must create:

Case323423
40.17.41.118,40.17.41.119

Running the code:

python3 AddRulesToMXL3Firewall.py

You will be prompted for confirmation before proceeding with the overall operation.
You will also be prompted, per Network, whether you wish to proceed with adding the rule to that Network.

If you wish to remove this last confirmation so the script can run for all Networks
without interruption, look for the comment below in the AddRulesToMXL3Firewall.py
file and comment out the line that follows it by adding # as the first character of that line:

"#Comment line below if you wish to skip confirmation for each Network"

Use Case

This script was created to manage Meraki MX L3 firewall rules from a simple text file that holds the rule reason (case ID) and the IP addresses that need to be blocked. When executed, the script applies the resulting rule across all Meraki networks in the organization. It can be set to prompt the administrator to validate the change on a network-by-network basis, or to apply it across the board.

Even though the customer for whom this was originally created uses Umbrella, the way they segment their network forces them to add firewall rules to all the Meraki networks in their organization manually. They have dozens, so it can take a couple of hours to perform the operation manually and the process can be error-prone. Originally, the customer received an email notifying them of the URLs and IP addresses they need to block, tracked the changes in a text file, and tagged each rule change action with the notification incident number. Administrators would access the Meraki Dashboard and, one by one, bring up the L3 Firewall rules for each Network and add a new rule. This script automates this entire manual process.

Business Summary
The script can drastically reduce the time and complexity of making the firewall changes required for PCI compliance.

Even though an organization uses Umbrella, the method of network segmentation may force administrators to manually add firewall rules to all the Cisco Meraki networks in the organization to be PCI-compliant. With dozens of networks, this process can take hours and is prone to error. This Python script drastically reduces the time needed to add new rules. The script currently performs only a quick sanity check on the format of the IP addresses the user wants to add to the rule; it can be expanded to perform full validation of each address.

This simple Python script leverages the Cisco Meraki API with an input file called "NewRuleToAdd.txt". The script adds one rule with all the IP addresses from the list to each network in the Cisco Meraki organization. Before adding the rules, the script will print out a summary of the IPs to add to the new rule, the ticket number, and a list of all networks that the rule will be added to. The operator must confirm the script execution before it proceeds.
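The two-line input format described in the setup section, the fuller IP validation mentioned above, and the write-back into each network's existing rule list can all be modeled offline. The block below is an added example, not the project's AddRulesToMXL3Firewall.py: SAMPLE_INPUT and SAMPLE_EXISTING are constructed stand-ins for the NewRuleToAdd.txt file and for a getNetworkApplianceFirewallL3FirewallRules response, and the function names are the example's own. It replaces the format-only check with strict parsing through the standard ipaddress module, makes a re-run idempotent, and handles the one trap a practitioner hits when writing rules back: the v1 PUT takes the ordered rule list without the trailing default rule.

```python
"""Offline model of the AddRulesToMXL3Firewall.py workflow (added example, not the
project's code): parse NewRuleToAdd.txt, validate every destination strictly, build
one deny rule, and merge it into a network's existing L3 rule list in the shape a
PUT to updateNetworkApplianceFirewallL3FirewallRules expects."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed stand-in for the two-line NewRuleToAdd.txt described in the setup section.
SAMPLE_INPUT = "Case323423\n40.17.41.118, 40.17.41.119,10.20.0.0/16,40.17.41.118/32\n"

# Constructed stand-in for a getNetworkApplianceFirewallL3FirewallRules response:
# the configured rules followed by the read-only default allow rule.
SAMPLE_EXISTING = {
    "rules": [
        {"comment": "Block guest to corp", "policy": "deny", "protocol": "any",
         "srcPort": "Any", "srcCidr": "192.168.50.0/24", "destPort": "Any",
         "destCidr": "10.0.0.0/8", "syslogEnabled": False},
        {"comment": "Default rule", "policy": "allow", "protocol": "Any",
         "srcPort": "Any", "srcCidr": "Any", "destPort": "Any",
         "destCidr": "Any", "syslogEnabled": False},
    ]
}


def parse_rule_file(text: str) -> Tuple[str, List[str]]:
    """Return (comment, destinations) from the two-line input file.

    Every destination must parse as an IPv4 address or CIDR block; a typo, a
    hostname or an empty field aborts the run before any API call is made.
    """
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) != 2:
        raise ValueError(f"expected exactly 2 non-empty lines, got {len(lines)}")
    comment, addr_line = lines
    dests: List[str] = []
    for raw in addr_line.split(","):
        raw = raw.strip()
        try:
            # strict=True rejects a CIDR with host bits set (10.20.0.5/16) rather
            # than silently widening it; a bare address becomes a /32 network.
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError as exc:
            raise ValueError(f"invalid address or CIDR {raw!r}: {exc}") from exc
        if net.version != 4:
            raise ValueError(f"only IPv4 destinations are supported, got {raw!r}")
        # Keep the page's dot-decimal notation for single hosts, CIDR for blocks.
        cidr = str(net.network_address) if net.prefixlen == 32 else str(net)
        if cidr not in dests:  # 40.17.41.118 and 40.17.41.118/32 are the same host
            dests.append(cidr)
    return comment, dests


def build_rule(comment: str, dests: List[str]) -> Dict:
    """One deny rule from any source to all listed destinations, any protocol/port."""
    return {
        "comment": comment,
        "policy": "deny",
        "protocol": "any",
        "srcPort": "Any",
        "srcCidr": "Any",
        "destPort": "Any",
        "destCidr": ",".join(dests),
        "syslogEnabled": False,
    }


def merge_rules(existing: Dict, new_rule: Dict) -> Tuple[List[Dict], bool]:
    """Return (rules_for_put, changed) for one network.

    The PUT body is the ordered rule list without the default rule, so the
    trailing "Default rule" entry from the GET is stripped rather than echoed
    back. The new deny is placed first so no earlier allow can shadow it. A
    network that already carries a rule with this comment is left unchanged,
    which makes re-running the script after a partial failure safe.
    """
    rules = [r for r in existing.get("rules", []) if r.get("comment") != "Default rule"]
    if any(r.get("comment") == new_rule["comment"] for r in rules):
        return rules, False
    return [new_rule] + rules, True


def summarize(comment: str, dests: List[str], network_names: List[str]) -> str:
    """The console summary the operator confirms before anything is changed."""
    return (f"Ticket: {comment}\n"
            f"Destinations ({len(dests)}): {', '.join(dests)}\n"
            f"Networks ({len(network_names)}): {', '.join(network_names)}")


if __name__ == "__main__":
    comment, dests = parse_rule_file(SAMPLE_INPUT)
    print(summarize(comment, dests, ["HQ-MX", "Branch-01-MX"]))
    payload, changed = merge_rules(SAMPLE_EXISTING, build_rule(comment, dests))
    print(f"changed={changed}, rules in PUT body={len(payload)}")
    # Live equivalent, not run here (dashboard = meraki.DashboardAPI(meraki_api_key)):
    # dashboard.appliance.updateNetworkApplianceFirewallL3FirewallRules(net_id, rules=payload)
```

In a live run the list of networks comes from dashboard.organizations.getOrganizationNetworks(meraki_org_id); only networks whose productTypes include "appliance" have MX L3 rules, so filter on that before calling the appliance endpoints, which return an error for networks without an MX. Prepending the deny is this example's choice: appending it after an existing broad allow would leave the blocked addresses reachable. The meraki library also reads the key from the MERAKI_DASHBOARD_API_KEY environment variable when none is passed to DashboardAPI, which is an alternative to storing it in config.py.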

In short, the script makes adding consistent firewall rules easier and less error-prone, and applies them across all networks in the organization.
Products: Meraki
Programming Languages: Python
License: Other
