cisco.meraki.meraki_mx_l7_firewall – Manage MX appliance layer 7 firewalls in the Meraki cloud

Note

This plugin is part of the cisco.meraki collection (version 2.2.1).

To install it use: ansible-galaxy collection install cisco.meraki.

To use it in a playbook, specify: cisco.meraki.meraki_mx_l7_firewall.

Synopsis

  • Allows for creation, management, and visibility into layer 7 firewalls implemented on Meraki MX firewalls.

Parameters

Parameter Choices/Defaults Comments
auth_key
string / required
Authentication key provided by the dashboard. Required if environmental variable MERAKI_KEY is not set.
categories
boolean
    Choices:
  • no
  • yes
When True, specifies that applications and application categories should be queried instead of firewall rules.
host
string
Default:
"api.meraki.com"
Hostname for Meraki dashboard.
Can be used to access regional Meraki environments, such as China.
internal_error_retry_time
integer
Default:
60
Number of seconds to retry if server returns an internal server error.
net_id
string
ID of network which MX firewall is in.
net_name
string
Name of network which MX firewall is in.
org_id
string
ID of organization.
org_name
string
Name of organization.

aliases: organization
output_format
string
    Choices:
  • snakecase ←
  • camelcase
Instructs module whether response keys should be snake case (ex. net_id) or camel case (ex. netId).
output_level
string
    Choices:
  • debug
  • normal ←
Set amount of debug output during module execution.
rate_limit_retry_time
integer
Default:
165
Number of seconds to retry if rate limiter is triggered.
rules
list / elements=dictionary
List of layer 7 firewall rules.
application
dictionary
Application to filter.
id
string
URI of application as defined by Meraki.
name
string
Name of application to filter as defined by Meraki.
countries
list / elements=string
List of countries to whitelist or blacklist.
The countries follow the two-letter ISO 3166-1 alpha-2 format.
host
string
FQDN of host to filter.
ip_range
string
CIDR notation range of IP addresses to apply rule to.
Port can be appended to range with a ":".
policy
string
    Choices:
  • deny ←
Policy to apply if rule is hit.
port
string
TCP or UDP based port to filter.
type
string
    Choices:
  • application
  • application_category
  • blocked_countries
  • host
  • ip_range
  • port
  • allowed_countries
Type of policy to apply.
state
string
    Choices:
  • present ←
  • query
Query or modify a firewall rule.
timeout
integer
Default:
30
Time to timeout for HTTP requests.
use_https
boolean
    Choices:
  • no
  • yes ←
If no, it will use HTTP. Otherwise it will use HTTPS.
Only useful for internal Meraki developers.
use_proxy
boolean
    Choices:
  • no ←
  • yes
If no, it will not use a proxy, even if one is defined in an environment variable on the target hosts.
validate_certs
boolean
    Choices:
  • no
  • yes ←
Whether to validate HTTP certificates.

Notes

Note

  • Module assumes a complete list of firewall rules are passed as a parameter.

  • If there is interest in this module allowing manipulation of a single firewall rule, please submit an issue against this module.

  • More information about the Meraki API can be found at https://dashboard.meraki.com/api_docs.

  • Some of the options are likely only used for developers within Meraki.

  • As of Ansible 2.9, Meraki modules output keys as snake case. To use camel case, set the ANSIBLE_MERAKI_FORMAT environment variable to camelcase.

  • Ansible’s Meraki modules will stop supporting camel case output in Ansible 2.13. Please update your playbooks.

  • Check Mode downloads the current configuration from the dashboard, then compares changes against this download. Check Mode will report changed if there are differences in the configurations, but does not submit changes to the API for validation of change.

Examples

- name: Query firewall rules
  meraki_mx_l7_firewall:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: query
  delegate_to: localhost

- name: Query applications and application categories
  meraki_mx_l7_firewall:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    categories: yes
    state: query
  delegate_to: localhost

- name: Set firewall rules
  meraki_mx_l7_firewall:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: present
    rules:
      - type: allowed_countries
        countries:
          - US
          - FR
      - type: blocked_countries
        countries:
          - CN
      - policy: deny
        type: port
        port: 8080
      - type: port
        port: 1234
      - type: host
        host: asdf.com
      - type: application
        application:
          id: meraki:layer7/application/205
      - type: application_category
        application:
          id: meraki:layer7/category/24
  delegate_to: localhost

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
data
complex
success
Firewall rules associated to network.

 
application_categories
list / elements=string
success, when querying applications
List of application categories and applications.

   
applications
list / elements=string
success
List of applications within a category.

     
id
string
success
URI of application.

Sample:
Gmail
     
name
string
success
Descriptive name of application.

Sample:
meraki:layer7/application/4
   
id
string
success
URI of application category.

Sample:
Email
   
name
string
success
Descriptive name of application category.

Sample:
layer7/category/1
 
rules
list / elements=string
success, when not querying applications
Ordered list of firewall rules.

   
allowedCountries
string
success
Countries to be allowed.

Sample:
CA
   
applicationCategory
list / elements=string
success
List of application categories within a category.

     
id
string
success
URI of application.

Sample:
Gmail
     
name
string
success
Descriptive name of application.

Sample:
meraki:layer7/application/4
   
applications
list / elements=string
success
List of applications within a category.

     
id
string
success
URI of application.

Sample:
Gmail
     
name
string
success
Descriptive name of application.

Sample:
meraki:layer7/application/4
   
blockedCountries
string
success
Countries to be blacklisted.

Sample:
RU
   
ipRange
string
success
Range of IP addresses in rule.

Sample:
1.1.1.0/23
   
policy
string
success
Action to apply when rule is hit.

Sample:
deny
   
port
string
success
Port number in rule.

Sample:
23
   
type
string
success
Type of rule category.

Sample:
applications


Authors

  • Kevin Breit (@kbreit)