meraki_mx_l3_firewall – Manage MX appliance layer 3 firewalls in the Meraki cloud

New in version 2.7.

Synopsis

  • Allows for creation, management, and visibility into layer 3 firewalls implemented on Meraki MX firewalls.

Parameters

Parameter Choices/Defaults Comments
auth_key
string / required
Authentication key provided by the dashboard. Required if environmental variable MERAKI_KEY is not set.
host
string
Default:
"api.meraki.com"
Hostname for Meraki dashboard.
Can be used to access regional Meraki environments, such as China.
internal_error_retry_time
integer
Default:
60
Number of seconds to retry if server returns an internal server error.
net_id
-
ID of network which MX firewall is in.
net_name
-
Name of network which MX firewall is in.
org_id
string
ID of organization.
org_name
string
Name of organization.

aliases: organization
output_format
string
    Choices:
  • snakecase ←
  • camelcase
Instructs module whether response keys should be snake case (ex. net_id) or camel case (ex. netId).
output_level
string
    Choices:
  • debug
  • normal ←
Set amount of debug output during module execution.
rate_limit_retry_time
integer
Default:
165
Number of seconds to retry if rate limiter is triggered.
rules
-
List of firewall rules.
comment
-
Optional comment to describe the firewall rule.
dest_cidr
-
Comma separated list of CIDR notation destination networks.
dest_port
-
Comma separated list of destination port numbers to match against.
policy
-
    Choices:
  • allow
  • deny
Policy to apply if rule is hit.
protocol
-
    Choices:
  • any
  • icmp
  • tcp
  • udp
Protocol to match against.
src_cidr
-
Comma separated list of CIDR notation source networks.
src_port
-
Comma separated list of source port numbers to match against.
syslog_enabled
-
Whether to log hints against the firewall rule.
Only applicable if a syslog server is specified against the network.
state
-
    Choices:
  • present ←
  • query
Create or modify an organization.
syslog_default_rule
boolean
    Choices:
  • no ←
  • yes
Whether to log hits against the default firewall rule.
Only applicable if a syslog server is specified against the network.
This is not shown in response from Meraki. Instead, refer to the syslog_enabled value in the default rule.
timeout
integer
Default:
30
Time to timeout for HTTP requests.
use_https
boolean
    Choices:
  • no
  • yes ←
If no, it will use HTTP. Otherwise it will use HTTPS.
Only useful for internal Meraki developers.
use_proxy
boolean
    Choices:
  • no
  • yes
If no, it will not use a proxy, even if one is defined in an environment variable on the target hosts.
validate_certs
boolean
    Choices:
  • no
  • yes ←
Whether to validate HTTP certificates.

Notes

Note

  • Module assumes a complete list of firewall rules are passed as a parameter.

  • If there is interest in this module allowing manipulation of a single firewall rule, please submit an issue against this module.

  • More information about the Meraki API can be found at https://dashboard.meraki.com/api_docs.

  • Some of the options are likely only used for developers within Meraki.

  • As of Ansible 2.9, Meraki modules output keys as snake case. To use camel case, set the ANSIBLE_MERAKI_FORMAT environment variable to camelcase.

  • Ansible’s Meraki modules will stop supporting camel case output in Ansible 2.13. Please update your playbooks.

Examples

- name: Query firewall rules
  meraki_mx_l3_firewall:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: query
  delegate_to: localhost

- name: Set two firewall rules
  meraki_mx_l3_firewall:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: present
    rules:
      - comment: Block traffic to server
        src_cidr: 192.0.1.0/24
        src_port: any
        dest_cidr: 192.0.2.2/32
        dest_port: any
        protocol: any
        policy: deny
      - comment: Allow traffic to group of servers
        src_cidr: 192.0.1.0/24
        src_port: any
        dest_cidr: 192.0.2.0/24
        dest_port: any
        protocol: any
        policy: permit
  delegate_to: localhost

- name: Set one firewall rule and enable logging of the default rule
  meraki_mx_l3_firewall:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: present
    rules:
      - comment: Block traffic to server
        src_cidr: 192.0.1.0/24
        src_port: any
        dest_cidr: 192.0.2.2/32
        dest_port: any
        protocol: any
        policy: deny
    syslog_default_rule: yes
  delegate_to: localhost

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
data
complex
success
Firewall rules associated to network.

 
comment
string
always
Comment to describe the firewall rule.

Sample:
Block traffic to server
 
dest_cidr
string
always
Comma separated list of CIDR notation destination networks.

Sample:
192.0.1.1/32,192.0.1.2/32
 
dest_port
string
always
Comma separated list of destination ports.

Sample:
80,443
 
policy
string
always
Action to take when rule is matched.

 
protocol
string
always
Network protocol for which to match against.

Sample:
tcp
 
src_cidr
string
always
Comma separated list of CIDR notation source networks.

Sample:
192.0.1.1/32,192.0.1.2/32
 
src_port
string
always
Comma separated list of source ports.

Sample:
80,443
 
syslog_enabled
boolean
always
Whether to log to syslog when rule is matched.

Sample:
True


Status

Authors

  • Kevin Breit (@kbreit)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.