cisco.meraki.meraki_mx_l7_firewall – Manage MX appliance layer 7 firewalls in the Meraki cloud

Note

This plugin is part of the cisco.meraki collection.

To install it use: ansible-galaxy collection install cisco.meraki.

To use it in a playbook, specify: cisco.meraki.meraki_mx_l7_firewall.

Synopsis

  • Allows for creation, management, and visibility into layer 7 firewalls implemented on Meraki MX firewalls.

Parameters

Each parameter is listed with its type, its choices or default where applicable, and a description. Sub-options are indented under the option they belong to.

auth_key (string, required)
  Authentication key provided by the dashboard. Required if the MERAKI_KEY environment variable is not set.

categories (boolean)
  Choices: no, yes
  When true, applications and application categories are queried instead of firewall rules.

host (string)
  Default: "api.meraki.com"
  Hostname for the Meraki dashboard.
  Can be used to access regional Meraki environments, such as China.

internal_error_retry_time (integer)
  Default: 60
  Number of seconds to retry if the server returns an internal server error.

net_id (string)
  ID of the network the MX firewall is in.

net_name (string)
  Name of the network the MX firewall is in.

org_id (string)
  ID of organization.

org_name (string)
  Name of organization.
  aliases: organization

output_format (string)
  Choices: snakecase (default), camelcase
  Instructs the module whether response keys should be snake case (e.g. net_id) or camel case (e.g. netId).

output_level (string)
  Choices: debug, normal (default)
  Set amount of debug output during module execution.

rate_limit_retry_time (integer)
  Default: 165
  Number of seconds to retry if the rate limiter is triggered.

rules (list / elements=dictionary)
  List of layer 7 firewall rules. Each rule takes the following sub-options:

  application (dictionary)
    Application to filter.

    id (string)
      URI of application as defined by Meraki.

    name (string)
      Name of application to filter as defined by Meraki.

  countries (list / elements=string)
    List of countries to allow or block.
    The countries follow the two-letter ISO 3166-1 alpha-2 format.

  host (string)
    FQDN of host to filter.

  ip_range (string)
    CIDR notation range of IP addresses to apply the rule to.
    A port can be appended to the range with a ":".

  policy (string)
    Choices: deny (default)
    Policy to apply if the rule is hit.

  port (string)
    TCP or UDP port to filter.

  type (string)
    Choices: application, application_category, blocked_countries, host, ip_range, port, allowed_countries
    Type of policy to apply.

state (string)
  Choices: present (default), query
  Query or modify a firewall rule.

timeout (integer)
  Default: 30
  Timeout for HTTP requests.

use_https (boolean)
  Choices: no, yes (default)
  If no, it will use HTTP. Otherwise it will use HTTPS.
  Only useful for internal Meraki developers.

use_proxy (boolean)
  Choices: no, yes
  If no, it will not use a proxy, even if one is defined in an environment variable on the target hosts.

validate_certs (boolean)
  Choices: no, yes (default)
  Whether to validate the server's TLS certificate.

Notes

Note

  • The module assumes a complete list of firewall rules is passed as a parameter; the list supplied replaces whatever is currently configured.

  • If there is interest in this module allowing manipulation of a single firewall rule, please submit an issue against this module.

  • More information about the Meraki API can be found at https://dashboard.meraki.com/api_docs.

  • Some of the options are likely only used for developers within Meraki.

  • As of Ansible 2.9, Meraki modules output keys as snake case. To use camel case, set the ANSIBLE_MERAKI_FORMAT environment variable to camelcase.

  • Ansible’s Meraki modules will stop supporting camel case output in Ansible 2.13. Please update your playbooks.

Examples

- name: Query firewall rules
  meraki_mx_l7_firewall:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: query
  delegate_to: localhost

- name: Query applications and application categories
  meraki_mx_l7_firewall:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    categories: yes
    state: query
  delegate_to: localhost

- name: Set firewall rules
  meraki_mx_l7_firewall:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: present
    rules:
      - type: allowed_countries
        countries:
          - US
          - FR
      - type: blocked_countries
        countries:
          - CN
      - policy: deny
        type: port
        port: 8080
      - type: port
        port: 1234
      - type: host
        host: asdf.com
      - type: application
        application:
          id: meraki:layer7/application/205
      - type: application_category
        application:
          id: meraki:layer7/category/24
  delegate_to: localhost
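As an added example (not part of the module or of this page), the following Python pre-flight check validates a `rules` list against the sub-option schema documented above and, given the rules returned by a `state: query` run, reports which existing rules a `state: present` run would drop, since the module replaces the whole list. It assumes snake_case keys in both lists and that the `meraki:layer7/...` URI prefixes seen in the page's examples are stable.

```python
import ipaddress
import json
import re

# Rule types accepted by the module's rules[].type option and the key each type needs.
REQUIRED_KEY = {"application": "application", "application_category": "application",
                "allowed_countries": "countries", "blocked_countries": "countries",
                "host": "host", "ip_range": "ip_range", "port": "port"}
# Meraki URI prefixes as they appear in the page's examples (assumed stable per type).
APP_ID_PREFIX = {"application": "meraki:layer7/application/",
                 "application_category": "meraki:layer7/category/"}

def _valid_port(value):
    return str(value).isdigit() and 1 <= int(value) <= 65535

def validate_rule(rule):
    """Return the list of problems found in one rule; an empty list means it passed."""
    if (rtype := rule.get("type")) not in REQUIRED_KEY:
        return [f"unknown type {rtype!r}"]
    problems = []
    if rule.get("policy", "deny") != "deny":  # 'deny' is the only documented policy
        problems.append(f"policy must be 'deny', got {rule['policy']!r}")
    key = REQUIRED_KEY[rtype]
    value = rule.get(key)
    if value is None:
        return problems + [f"type {rtype!r} requires key {key!r}"]
    if key == "countries":
        if any(not re.fullmatch(r"[A-Z]{2}", str(c)) for c in value):
            problems.append(f"countries must be ISO 3166-1 alpha-2 codes, got {value}")
    elif key == "application":
        if not str(value.get("id", "")).startswith(APP_ID_PREFIX[rtype]):
            problems.append(f"application id should start with {APP_ID_PREFIX[rtype]!r}")
    elif key == "ip_range":
        cidr, port = re.fullmatch(r"(.*?)(?::(\d+))?", str(value)).groups()  # range[:port]
        try:
            ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"ip_range {cidr!r} is not valid CIDR")
        if port and not _valid_port(port):
            problems.append(f"ip_range port {port!r} must be 1-65535")
    elif key == "port" and not _valid_port(value):
        problems.append(f"port {value!r} must be 1-65535")
    return problems

def rules_dropped(current, desired):
    """Rules on the appliance that 'state: present' with `desired` would remove."""
    def canon(r):  # an omitted policy means the module default, 'deny'
        return json.dumps({**r, "policy": r.get("policy", "deny")}, sort_keys=True)
    wanted = {canon(r) for r in desired}
    return [r for r in current if canon(r) not in wanted]
```

The comparison in `rules_dropped` is literal, so express values in the form the API returns them (for instance the port as a string) or the same rule will be reported as dropped.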

Return Values

Common return values are documented here; the following fields are unique to this module:

Each key is listed with its type, when it is returned, and a description. Nested keys are indented under their parent.

data (complex)
  Returned: success
  Firewall rules associated to network.

  application_categories (list / elements=string)
    Returned: success, when querying applications
    List of application categories and applications.

    applications (list / elements=string)
      Returned: success
      List of applications within a category.

      id (string)
        Returned: success
        URI of application.
        Sample: Gmail

      name (string)
        Returned: success
        Descriptive name of application.
        Sample: meraki:layer7/application/4

    id (string)
      Returned: success
      URI of application category.
      Sample: Email

    name (string)
      Returned: success
      Descriptive name of application category.
      Sample: layer7/category/1

  rules (list / elements=string)
    Returned: success, when not querying applications
    Ordered list of firewall rules.

    allowedCountries (string)
      Returned: success
      Countries to be allowed.
      Sample: CA

    applicationCategory (list / elements=string)
      Returned: success
      List of application categories within a category.

      id (string)
        Returned: success
        URI of application.
        Sample: Gmail

      name (string)
        Returned: success
        Descriptive name of application.
        Sample: meraki:layer7/application/4

    applications (list / elements=string)
      Returned: success
      List of applications within a category.

      id (string)
        Returned: success
        URI of application.
        Sample: Gmail

      name (string)
        Returned: success
        Descriptive name of application.
        Sample: meraki:layer7/application/4

    blockedCountries (string)
      Returned: success
      Countries to be blacklisted.
      Sample: RU

    ipRange (string)
      Returned: success
      Range of IP addresses in rule.
      Sample: 1.1.1.0/23

    policy (string)
      Returned: success
      Action to apply when rule is hit.
      Sample: deny

    port (string)
      Returned: success
      Port number in rule.
      Sample: 23

    type (string)
      Returned: success
      Type of rule category.
      Sample: applications


Authors

  • Kevin Breit (@kbreit)