cisco.meraki.meraki_mx_site_to_site_firewall module – Manage MX appliance firewall rules for site-to-site VPNs

Note

This module is part of the cisco.meraki collection (version 2.8.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cisco.meraki.

To use it in a playbook, specify: cisco.meraki.meraki_mx_site_to_site_firewall.

New in version 1.0.0: of cisco.meraki

Synopsis

  • Allows for creation, management, and visibility into firewall rules for site-to-site VPNs implemented on Meraki MX firewalls.

Parameters

Parameter

Comments

auth_key

string / required

Authentication key provided by the dashboard. Required if environmental variable MERAKI_KEY is not set.

host

string

Hostname for Meraki dashboard.

Can be used to access regional Meraki environments, such as China.

Default: “api.meraki.com”

internal_error_retry_time

integer

Number of seconds to retry if server returns an internal server error.

Default: 60

org_id

string

ID of organization.

org_name

aliases: organization

string

Name of organization.

output_format

string

Instructs module whether response keys should be snake case (ex. net_id) or camel case (ex. netId).

Choices:

  • snakecase ← (default)

  • camelcase

output_level

string

Set amount of debug output during module execution.

Choices:

  • debug

  • normal ← (default)

rate_limit_retry_time

integer

Number of seconds to retry if rate limiter is triggered.

Default: 165

rules

list / elements=dictionary

List of firewall rules.

comment

string

Optional comment to describe the firewall rule.

dest_cidr

string

Comma separated list of CIDR notation destination networks.

Any must be capitalized.

dest_port

string

Comma separated list of destination port numbers to match against.

Any must be capitalized.

policy

string

Policy to apply if rule is hit.

Choices:

  • allow

  • deny

protocol

string

Protocol to match against.

Choices:

  • any

  • icmp

  • tcp

  • udp

src_cidr

string

Comma separated list of CIDR notation source networks.

Any must be capitalized.

src_port

string

Comma separated list of source port numbers to match against.

Any must be capitalized.

syslog_enabled

boolean

Whether to log hints against the firewall rule.

Only applicable if a syslog server is specified against the network.

Choices:

  • no ← (default)

  • yes

state

string

Create or modify an organization.

Choices:

  • present ← (default)

  • query

syslog_default_rule

boolean

Whether to log hits against the default firewall rule.

Only applicable if a syslog server is specified against the network.

This is not shown in response from Meraki. Instead, refer to the syslog_enabled value in the default rule.

Choices:

  • no

  • yes

timeout

integer

Time to timeout for HTTP requests.

Default: 30

use_https

boolean

If no, it will use HTTP. Otherwise it will use HTTPS.

Only useful for internal Meraki developers.

Choices:

  • no

  • yes ← (default)

use_proxy

boolean

If no, it will not use a proxy, even if one is defined in an environment variable on the target hosts.

Choices:

  • no ← (default)

  • yes

validate_certs

boolean

Whether to validate HTTP certificates.

Choices:

  • no

  • yes ← (default)

Notes

Note

  • Module assumes a complete list of firewall rules are passed as a parameter.

  • More information about the Meraki API can be found at https://dashboard.meraki.com/api_docs.

  • Some of the options are likely only used for developers within Meraki.

  • As of Ansible 2.9, Meraki modules output keys as snake case. To use camel case, set the ANSIBLE_MERAKI_FORMAT environment variable to camelcase.

  • Ansible’s Meraki modules will stop supporting camel case output in Ansible 2.13. Please update your playbooks.

  • Check Mode downloads the current configuration from the dashboard, then compares changes against this download. Check Mode will report changed if there are differences in the configurations, but does not submit changes to the API for validation of change.

Examples

- name: Query firewall rules
  meraki_mx_site_to_site_firewall:
    auth_key: abc123
    org_name: YourOrg
    state: query
  delegate_to: localhost

- name: Set two firewall rules
  meraki_mx_site_to_site_firewall:
    auth_key: abc123
    org_name: YourOrg
    state: present
    rules:
      - comment: Block traffic to server
        src_cidr: 192.0.1.0/24
        src_port: any
        dest_cidr: 192.0.2.2/32
        dest_port: any
        protocol: any
        policy: deny
      - comment: Allow traffic to group of servers
        src_cidr: 192.0.1.0/24
        src_port: any
        dest_cidr: 192.0.2.0/24
        dest_port: any
        protocol: any
        policy: permit
  delegate_to: localhost

- name: Set one firewall rule and enable logging of the default rule
  meraki_mx_site_to_site_firewall:
    auth_key: abc123
    org_name: YourOrg
    state: present
    rules:
      - comment: Block traffic to server
        src_cidr: 192.0.1.0/24
        src_port: any
        dest_cidr: 192.0.2.2/32
        dest_port: any
        protocol: any
        policy: deny
    syslog_default_rule: yes
  delegate_to: localhost

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

data

complex

Firewall rules associated to network.

Returned: success

rules

complex

List of firewall rules associated to network.

Returned: success

comment

string

Comment to describe the firewall rule.

Returned: always

Sample: “Block traffic to server”

dest_cidr

string

Comma separated list of CIDR notation destination networks.

Returned: always

Sample: “192.0.1.1/32,192.0.1.2/32”

dest_port

string

Comma separated list of destination ports.

Returned: always

Sample: “80,443”

policy

string

Action to take when rule is matched.

Returned: always

protocol

string

Network protocol for which to match against.

Returned: always

Sample: “tcp”

src_cidr

string

Comma separated list of CIDR notation source networks.

Returned: always

Sample: “192.0.1.1/32,192.0.1.2/32”

src_port

string

Comma separated list of source ports.

Returned: always

Sample: “80,443”

syslog_enabled

boolean

Whether to log to syslog when rule is matched.

Returned: always

Sample: true

Authors

  • Kevin Breit (@kbreit)