You can't update, you have to set all rules again when you create a new rule.

You can't append a rule. You have to push the whole rule base.

So I would suggest doing a GET first , append your modifications , then PUT the whole rule base.

am I going to have to call the existing rules, then add them along with the new rule to the update call and basically re-write all the rules each time?

https://developer.cisco.com/codeexchange/github/repo/CiscoSE/AddMerakiMXL3FirewallRuleToNetworks#usecase

https://developer.cisco.com/meraki/build/mx-firewall-control-python-script/

Yes. The order of firewall rules is important, and Dashboard can't assume placement. Placing a rule at the end may not actually do anyty, thus it is up to you to place a rule in the correct position.

Another approach to consider is that if you want maintain rules via the API, it may be worth keeping the 'master copy' in a local database, then just write the whole set each time.

Then if you need to check rules, it's an API read and compare against the local copy.

I'm having a problem appending the new rule list to the existing list :(|

I think its because I have created the existing rule list as a dictionary. However if I try to re-write the dictionary as a list (with square brackets [] ) the code stops working. "Invalid syntax"

import requests
import security
import json

# Replace with your Meraki API key and network ID
api_key = security.MERAKI_API_KEY
organizationId = security.ORG_ID
network_id = "xxxxxxxxxxxxxxxxx"



url = f"https://api.meraki.com/api/v1/networks/{network_id}/appliance/firewall/l3FirewallRules"



headers = {
    'X-Cisco-Meraki-API-Key': api_key,
    'Content-Type': 'application/json'
}


response = requests.get(url, headers=headers, verify=False)

existingrules = response.json()

print(response.status_code)
print(response.text.encode('utf8'))

with open('ExistingRules.json', 'w') as json_file:
    json.dump(response.json(), json_file, indent=4)


newrule = '''{
    "rules": [
        {
            "comment": "Test RuleNEW.",
            "policy": "deny",
            "protocol": "any",
            "destPort": "any",
            "destCidr": "192.200.1.0/24",
            "srcPort": "Any",
            "srcCidr": "Any",
            "syslogEnabled": false
        }
    ]
}'''

existingrules.append(newrule)

response = requests.put(url, headers=headers, json=existingrules, verify=False)

As mentioned by @dajirku it is probable that appending is not going to behave as you wish.

Usually the last rule in the list is 'allow any-any', if you append a stricter rule it will be ignored as it will be lower in precedence than 'allow any-any'

To add a rule to existingrules, you should be adding an item to the rules array within it, not direct to existingrules.

Have a look at...

https://github.com/CiscoSE/AddMerakiMXL3FirewallRuleToNetworks/blob/master/AddRulesToMXL3Firewall.py

You could do something along the lines of

# Constants
netowrk_id = "xxxx"
TargetComment = "Google DNS"

# Get Rules for network
FirewallRules = dashboard.appliance.getNetworkApplianceFirewallL3FirewallRules(network_id)
# Determine idx where rule should be updated
target_idx = next((idx for idx, item in enumerate(FirewallRules['rules']) if item['comment'] == TargetComment), None)
# Update rule
FirewallRules['rules'][target_idx].update({
    "comment": TargetComment
    "policy": "deny",
    "protocol": "any",
    "destPort": "any",
    "destCidr": "192.200.1.0/24",
    "srcPort": "Any",
    "srcCidr": "Any",
    "syslogEnabled": false
})
# Remove Default Rule entry
FirewallRules['rules'].pop(-1)
# Update Rules
NewSetOfRules = dashboard.appliance.updateNetworkApplianceFirewallL3FirewallRules(
    networkId=network_id,
    rules=FirewallRules['rules']
)

What happens is, that I search through all the elements in FirewallRules for the index of the element with the comment, of the rule I wan't to update.

With the index in hand, I can either update the rule, or use the index to inject a new rule. In the above example I use it to update a specific rule.

Modify it to suit your implementation.

thanks. I have a working script now which does a similar thing. It injects the new rule to the existing but the rules are still updated by completely overwriting all existing rules with the list I send in - apparently that's the way it works, rather than just adding in any new items in the index.

It seems to work ok but I found that when you do the GET, the list includes the default allow rule. Then when you go to PUT the updated list - that Allow rule gets added like it was a custom rule so you end up with the default and an extra identical copy.

You get an extra Allow rule every time you do an update. I fixed this by searching the list index for that rule and deleting it (luckily the comment is "default Rule" which is nicely unique) before adding my new rule and sending it back.

Or use the a posteriori knowledge, that the default rule is always at the end of the list and simpy "pop it". 😉

# Remove Default Rule entry
FirewallRules['rules'].pop(-1)