topic Re: Update Network Wireless Ssid Firewall L3 Firewall Rules via API in Network Platform API

Update Network Wireless Ssid Firewall L3 Firewall Rules via API

Luca_1 — Sun, 19 Feb 2023 18:53:16 GMT

Hi,

I'm trying to Update Network Wireless Ssid Firewall L3 Firewall Rules via API.

API return error "Destination address must be an IP address or a subnet in CIDR form (e.g. '192.168.1.0/24' ora 'any')" when Firewall rules include Local LAN traffic roule like this:

{
          "comment": "Wireless clients accessing LAN",
          "ipVer": "ipv4",
          "policy": "deny",
          "protocol": "Any",
          "destPort": "Any",
          "destCidr": "Local LAN"
        }

How can I update this firewall via API?

Any idea?

Thanks to all

Re: Update Network Wireless Ssid Firewall L3 Firewall Rules via API

Rasmus Hoffmann Birkelund — Sun, 19 Feb 2023 19:01:25 GMT

If you simply "pop" that entry in the Firewall rule payload, so that you only send actual rules and not that rule, will the POST succeed?

That rule can not be removed. It will always be there, so I wonder if you can update the rules, without actually updating that rule, as well.

Re: Update Network Wireless Ssid Firewall L3 Firewall Rules via API

Luca_1 — Sun, 19 Feb 2023 19:54:07 GMT

Yes, without that rule update work correctly. But if I need to update rule to permit/deny access to local LAN?

Re: Update Network Wireless Ssid Firewall L3 Firewall Rules via API

Rasmus Hoffmann Birkelund — Sun, 19 Feb 2023 19:59:03 GMT

I could suspect you might be hitting a bug in the API, so it might be worthwhile to submit a ticket with Meraki Support, and have their take on it.

If you leave out the destCidr key/val pair, does the POST succeed aswell?

Re: Update Network Wireless Ssid Firewall L3 Firewall Rules via API

Philip D'Ath — Sun, 19 Feb 2023 20:04:18 GMT

You can't change the default rule. Instead, you have to add a rule above it to do a deny/any/any.

Re: Update Network Wireless Ssid Firewall L3 Firewall Rules via API

Rasmus Hoffmann Birkelund — Sun, 19 Feb 2023 20:07:30 GMT

Yeah, that's correct, but from what I gather form @Luca_1s post, it's the Local LAN access for Wireless Clients rule, and not the Default rule. 🙂

Re: Update Network Wireless Ssid Firewall L3 Firewall Rules via API

Adrian41 — Thu, 17 Aug 2023 09:54:35 GMT

I'v just hit the exact same issue! lol. Is there a way via API to change the allow/deny status of this rule like you can in the dashboard?

Re: Update Network Wireless Ssid Firewall L3 Firewall Rules via API

as_ — Fri, 02 Feb 2024 06:23:43 GMT

Yeah not finding a way to update that dropdown from allow to deny for traffic to Local LAN. The best i came up for was to add three seperate rules for each of the private class subnets. Hope this won't block the gateway for the client.

rules=[{'comment': 'Wireless clients accessing LAN', 'ipVer': 'ipv4', 'policy': 'deny', 'protocol': 'any', 'destPort': 'Any', 'destCidr': '10.0.0.0/8'},
{'comment': 'Wireless clients accessing LAN', 'ipVer': 'ipv4', 'policy': 'deny', 'protocol': 'any', 'destPort': 'Any', 'destCidr': '172.16.0.0/12'},
{'comment': 'Wireless clients accessing LAN', 'ipVer': 'ipv4', 'policy': 'deny', 'protocol': 'any', 'destPort': 'Any', 'destCidr': '192.168.0.0/16'}]

Re: Update Network Wireless Ssid Firewall L3 Firewall Rules via API

frank.veprek — Thu, 02 May 2024 18:57:26 GMT

I had the same issue with the 2 default rules. My last rule is a DENY ANY ANY, and I just want "my" rules copied over, not the defaults (don't need to since they're already going to be there). Someone suggested adding this in my code and it worked flawlessly.

if rule["comment"] == "Wireless clients accessing LAN":

continue

if rule["comment"] == "Default rule":

continue