Policy Object/Groups with API

mikefredrik
Level 1

I'm working on a workflow to automate as much as possible. We will use policy objects and groups in our organisations.
I'm trying to find out how to use the API to attach a policy group in the firewall settings of a network.
If I do a GET of the FW rules from a network where I've attached this policy manually via the UI, I see the following:

```json
"srcPort": "Any",
"srcCidr": "OBJ(738027388935347594)",
"destPort": "Any",
"destCidr": "GRP(738027388935341366)",
```

This is just a snippet from the source/destination part of the output.

The error given is that the CIDR needs to be an IP or VLAN.

Any input/ideas to share?

//Mikael


3 Replies

aleabrahao
Meraki Community All-Star

Group Policies in Meraki can include firewall rules, traffic shaping, content filtering, VLAN tagging, etc. When you see "srcCidr": "OBJ(...)" or "destCidr": "GRP(...)", these are references to policy objects or groups, not raw IPs or CIDRs.

The Meraki API currently does not support using object/group references like OBJ(...) or GRP(...) directly in firewall rules via the API. It expects valid CIDR notation or VLAN IDs.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

mikefredrik
Level 1

I managed to find a solution with some input from someone in our EMEA Meraki Partner Webex space.
Using the following logic it worked just fine:

```python
# Policy object / group IDs (placeholders here, taken from the rule dump in the question;
# in practice they are looked up via the API first)
policy_object = '738027388935347594'
policy_group = '738027388935341366'

# Wrap the IDs in the reference syntax the API uses for policy objects and groups
group = 'GRP' + '(' + policy_group + ')'
object = 'OBJ' + '(' + policy_object + ')'

rule_list = []
rule_dict = {
    'comment': 'Block Guest to LAN',
    'policy': 'deny',
    'protocol': 'any',
    'destPort': 'Any',
    'srcPort': 'Any',
    'syslogEnabled': False
}
rule_dict['srcCidr'] = object
rule_dict['destCidr'] = group
rule_list.append(rule_dict)
```
The reason I used a variable is that we launch a lot of different networks in many different orgs, so we need to get the object/group ID before we can run the API call.
This works.
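Putting the accepted answer together end to end, as an added example (my code, not mikefredrik's or Meraki's): the IDs are wrapped as OBJ(...)/GRP(...), every srcCidr/destCidr is checked against the forms the MX accepts before anything is sent, and the rule list is pushed through the SDK's updateNetworkApplianceFirewallL3FirewallRules call. The IDs are the ones from the rule dump in the question; the VLAN reference pattern and the accepted protocol values are written from memory and are assumptions; the `dashboard` argument is any object exposing that SDK method, so the dry-run stand-in at the bottom runs the block without credentials.

```python
import re

# Reference syntax the dashboard returns for policy objects and groups (from this thread):
#   "OBJ(<policy object id>)" and "GRP(<policy object group id>)".
# "Any", plain CIDRs and VLAN(<id>).<host> are the other accepted forms; the VLAN
# pattern and the protocol list below are written from memory (assumptions).
_CIDR_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}(/\d{1,2})?$")
_VLAN_RE = re.compile(r"^VLAN\(\d+\)(\.(\*|\d{1,3}))?$")
_REF_RE = re.compile(r"^(OBJ|GRP)\(\d+\)$")
_PROTOCOLS = ("tcp", "udp", "icmp", "icmp6", "any")


def object_ref(policy_object_id) -> str:
    """srcCidr/destCidr value for a policy object."""
    return f"OBJ({int(policy_object_id)})"


def group_ref(policy_group_id) -> str:
    """srcCidr/destCidr value for a policy object group."""
    return f"GRP({int(policy_group_id)})"


def is_valid_cidr_field(value: str) -> bool:
    """True if value is a form the MX L3 rule CIDR fields accept."""
    if value == "Any":
        return True
    return any(r.match(value) for r in (_CIDR_RE, _VLAN_RE, _REF_RE))


def build_rule(comment, src_cidr, dest_cidr, policy="deny", protocol="any",
               src_port="Any", dest_port="Any", syslog=False) -> dict:
    """Assemble one L3 rule, refusing malformed fields before anything is sent."""
    for field, value in (("srcCidr", src_cidr), ("destCidr", dest_cidr)):
        if not is_valid_cidr_field(value):
            raise ValueError(f"{field}={value!r} is not Any, a CIDR, VLAN(...) or OBJ/GRP(...)")
    if policy not in ("allow", "deny"):
        raise ValueError(f"policy must be allow or deny, got {policy!r}")
    if protocol not in _PROTOCOLS:
        raise ValueError(f"protocol must be one of {_PROTOCOLS}, got {protocol!r}")
    return {
        "comment": comment,
        "policy": policy,
        "protocol": protocol,
        "srcPort": src_port,
        "srcCidr": src_cidr,
        "destPort": dest_port,
        "destCidr": dest_cidr,
        "syslogEnabled": syslog,
    }


def push_rules(dashboard, network_id, rules):
    """Replace the network's L3 rule set. `dashboard` is a meraki.DashboardAPI
    (or anything with the same method); the call name is the SDK's own."""
    for rule in rules:  # re-check so a hand-edited dict cannot slip past build_rule
        for field in ("srcCidr", "destCidr"):
            if not is_valid_cidr_field(rule[field]):
                raise ValueError(f"refusing to push rule {rule['comment']!r}: bad {field}")
    return dashboard.appliance.updateNetworkApplianceFirewallL3FirewallRules(
        network_id, rules=rules)


if __name__ == "__main__":
    # Dry-run stand-in for meraki.DashboardAPI: echoes the rules instead of calling the API
    class _DryRun:
        class appliance:
            @staticmethod
            def updateNetworkApplianceFirewallL3FirewallRules(network_id, rules):
                return {"network": network_id, "rules": rules}

    rule = build_rule("Block Guest to LAN",
                      object_ref(738027388935347594),   # IDs from the question's rule dump
                      group_ref(738027388935341366))
    print(push_rules(_DryRun(), "N_placeholder", [rule]))
```

With a real session, replace the stand-in with `meraki.DashboardAPI()` and the network ID; the validation step is what turns the "CIDR needs to be IP or VLAN" error into a local ValueError before the call goes out.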

Philip D'Ath
Meraki Community All-Star

I have some snippets of code I can share, but not a whole solution.

You need to get the group policy ID. I used this for processing a large number of networks, so I cache the group policy results, but you may not need that complexity.

```python
# Per-network cache of group policies, keyed by network ID
groupPolicies = {}

def getGPId(dashboard, netId, gpName):
    global groupPolicies

    # If we don't have a cache of group policies for this network, build it now
    if groupPolicies.get(netId) is None:
        groupPolicies[netId] = dashboard.networks.getNetworkGroupPolicies(netId)

    # Search for the group policy name
    for gp in groupPolicies[netId]:
        if gp['name'] == gpName:
            return gp['groupPolicyId']

    raise SystemExit("Invalid group policy name supplied: " + gpName)
```

And then something like:

```python
def applyGP(dashboard, orgId, net, netId):
    gpId = getGPId(dashboard, netId, "GP Name")
    ...
    # Clients seen on VLAN 2 in the last day; total_pages='all' follows the pagination
    for client in dashboard.networks.getNetworkClients(netId, total_pages='all', timespan=1*86400, vlan=2):
        ...
        dashboard.networks.updateNetworkClientPolicy(netId, client['id'], 'Group policy', groupPolicyId=gpId)
```
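Generalising the lookup-and-cache idea from the snippet above, as an added example (my code, not Philip's): one resolver caches the name-to-ID tables for group policies per network and for policy objects and object groups per organisation, so a run over many networks fetches each list once, and an unknown name fails with the known names listed instead of a bare SystemExit. The three SDK method names and the 'name'/'id'/'groupPolicyId' response fields are assumed to match the current meraki Python SDK; the IDs returned are what gets wrapped as OBJ(...)/GRP(...) in the accepted answer.

```python
class PolicyIdResolver:
    """Resolve dashboard names to the IDs the API wants, fetching each list once.

    `dashboard` is expected to behave like meraki.DashboardAPI; the three SDK calls
    and the 'name'/'id'/'groupPolicyId' fields are assumptions about the real responses.
    """

    def __init__(self, dashboard):
        self.dashboard = dashboard
        self._cache = {}   # (kind, scope_id) -> {name: id}
        self.fetches = 0   # number of list calls that actually went to the API

    def _table(self, kind, scope_id):
        key = (kind, scope_id)
        if key not in self._cache:
            self.fetches += 1
            if kind == "group_policy":            # scoped per network
                items = self.dashboard.networks.getNetworkGroupPolicies(scope_id)
                id_field = "groupPolicyId"
            elif kind == "policy_object":         # scoped per organisation
                items = self.dashboard.organizations.getOrganizationPolicyObjects(scope_id)
                id_field = "id"
            elif kind == "policy_group":          # scoped per organisation
                items = self.dashboard.organizations.getOrganizationPolicyObjectsGroups(scope_id)
                id_field = "id"
            else:
                raise ValueError(f"unknown kind {kind!r}")
            self._cache[key] = {item["name"]: item[id_field] for item in items}
        return self._cache[key]

    def _lookup(self, kind, scope_id, name):
        table = self._table(kind, scope_id)
        if name not in table:
            known = ", ".join(sorted(table)) or "<none>"
            raise LookupError(f"no {kind} named {name!r} in {scope_id}; known: {known}")
        return table[name]

    def group_policy_id(self, network_id, name):
        return self._lookup("group_policy", network_id, name)

    def policy_object_id(self, org_id, name):
        return self._lookup("policy_object", org_id, name)

    def policy_group_id(self, org_id, name):
        return self._lookup("policy_group", org_id, name)

    def invalidate(self, kind=None, scope_id=None):
        """Drop cached tables (e.g. after creating an object) so the next lookup refetches."""
        if kind is None:
            self._cache.clear()
        else:
            self._cache.pop((kind, scope_id), None)


if __name__ == "__main__":
    import meraki  # reads the API key from the MERAKI_DASHBOARD_API_KEY environment variable
    resolver = PolicyIdResolver(meraki.DashboardAPI(suppress_logging=True))
    # "N_placeholder" / "GP Name" are placeholders for a real network ID and policy name
    print(resolver.group_policy_id("N_placeholder", "GP Name"))
```

Construct one resolver per run and pass it around the per-network loop; `fetches` makes it easy to confirm in a log that a 200-network run did not turn into 200 identical organisation-level list calls.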