topic Re: Policy Object/Groups with API in Network Platform API

Policy Object/Groups with API

mikefredrik — Tue, 01 Jul 2025 07:41:37 GMT

I'm working on a workflow to do automation as much as possible. We will use Policy objects and groups in our organisations.
Try to findout how to use API to attach a policy-group in the firewall settings in a network.
If I do a get fw rules from a network that I've attached this policy manual via the UI I see the following.

"srcPort": "Any",

"srcCidr": "OBJ(738027388935347594)",

"destPort": "Any",

"destCidr": "GRP(738027388935341366)",

This is just a snippet from the source/destination part of the output

The error give is that the Cidr need to be IP or VLAN

Any input/ideas to share

//Mikael

Re: Policy Object/Groups with API

aleabrahao — Tue, 01 Jul 2025 10:53:40 GMT

Group Policies in Meraki can include firewall rules, traffic shaping, content filtering, VLAN tagging, etc. When you see "srcCidr": "OBJ(...)" or "destCidr": "GRP(...)", these are references to policy objects or groups, not raw IPs or CIDRs.

The Meraki API currently does not support using object/group references like OBJ(...) or GRP(...) directly in firewall rules via the API. It expects valid CIDR notation or VLAN IDs.

Re: Policy Object/Groups with API

mikefredrik — Tue, 01 Jul 2025 11:58:08 GMT

I manage to find a solution with some input from someone in our EMEA-Meraki Partner Webex space.
By using the following logic it worked just fine

group = 'GRP'+ '('+ policy_group +')'

object = 'OBJ' + '(' + policy_object + ')'

rule_list = []

rule_dict = {

'comment': 'Block Guest to LAN',

'policy': 'deny',''

'protocol': 'any',

'destPort': 'Any',

'srcPort': 'Any',

'syslogEnabled': False

}

rule_dict['srcCidr'] = object

rule_dict['destCidr'] = group

rule_list.append(rule_dict)

The reason I used a variable is that we launch a lot of different network in many different orgs so we need to get the Object/Group ID before we can run the API

This works

Re: Policy Object/Groups with API

Philip D'Ath — Tue, 01 Jul 2025 21:59:23 GMT

Have some snippets of code I can share, but not a whole solution.

You need to get the group policy ID. I used this for processing a large number of networks, so cache the group policy results, but you may not need that complexity.

def getGPId(dashboard,netId,gpName):
	global groupPolicies

	# If we don't have a cache of group polcies - build it now
	if groupPolicies.get(netId)==None:
		groupPolicies[netId]=dashboard.networks.getNetworkGroupPolicies(netId)

	# Search for the group policy name
	for gp in groupPolicies[netId]:
		if gp['name']==gpName:
			return(gp['groupPolicyId'])

	raise SystemExit("Invalid group policy name supplied: "+gpName)

And then something like:

def applyGP(dashboard,orgId,net,netId):
  gpId=getGPId(dashboard,netId,"GP Name")
  ...
  for client in dashboard.networks.getNetworkClients(netId,total_pages='all',timespan=1*86400,vlan=2):
    ...
    dashboard.networks.updateNetworkClientPolicy(netId,client['id'],'Group policy',groupPolicyId=gpId)