This is a simple Python script that takes a NewRuleToAdd.txt file as input to add one rule with all the IP addresses from the list to each Network in the Org using the Meraki API. Before going off to add the rules, it will print out to console a summary of the IPs to add to the new rule, the ticket number and the list of all networks it will add them to. It will then ask for confirmation from the operator of the script.
Python 3.6 with the following modules installed:
- requests
- meraki
More details on the meraki module here: https://github.com/meraki/dashboard-api-python https://developer.cisco.com/meraki/api-v1/#!overview
You can typically install those modules with the following commands:
pip install requests
pip install meraki
You need to have a file named config.py in the same directory as the AddRulesToMXL3Firewall.py script with the definition of the Meraki API key to use to run the code as well as the Org ID for the Organanization for which you want to change the rules for all Networks. You can obtain the Meraki API Key and the org ID by following the instructions here: https://developer.cisco.com/meraki/api/#/rest/getting-started
Example of content of the config.py file you must create:
meraki_api_key = "yourMerakiAPIKey"
meraki_org_id = "yourOrgID"
This repository contains two sample Python scripts that differ in the way they are configured:
This is the original script in this code repository and has been kept as-is for backwards compatibility even though
the new script described further below (NewOrChangeRulesToMXL3Firewall.py
) covers it's functionality and more.
This script adds new 'deny' rules to all Networks in an organization except for those that are filtered out in the code in lines 120-122 by checking if the Network name starts or ends with certain strings.
Only destination IP addresses can be specified in the 'deny' rule to be added by this script.
To use it, you need to have the input file named NewRuleToAdd.txt in the same directory as the AddRulesToMXL3Firewall.py
It should only have two lines:
- Comment to use for new rule to be added
- comma separated list of IP addresses in dot-decimal notation
Example of content of the NewRuleToAdd.txt
file you must create:
Case323423
40.17.41.118,40.17.41.119
This script can add or update firewall rules for all Networks in an organization and you can define all aspects of the rule, including
source and destination IPs and ports, destination FQDNs and more. It also allows you to insert duplicate rules if you so desire.
To use it, you need to have the config file named NewOrChangedRuleConfig.py
in the same directory as the NewOrChangeRulesToMXL3Firewall.py
A sample config file is already included in the respository with comments describing what you have to specify for each value.
You only need to edit the RULE_DATA and RULE_ACTION constants:
RULE_DATA= {
"comment": "TestRule", #this field contains the name of the rule to add/modify/append
"policy": "allow", #'allow' or 'deny' traffic specified by this rule
"protocol": "any", #The type of protocol (must be 'tcp', 'udp', 'icmp' or 'any')
"srcPort": "Any", #Comma-separated list of destination port(s) (integer in the range 1-65535), or 'any'
"srcCidr": "Any", #Comma-separated list of source IP address(es) (in IP or CIDR notation), or 'any' (note: FQDN not supported for source addresses) i.e. 10.0.1.34,192.168.1.10/24
"destPort": "Any", #Comma-separated list of destination port(s) (integer in the range 1-65535), or 'any'
"destCidr": "10.5.8.1", #Comma-separated list of destination IP address(es) (in IP or CIDR notation), fully-qualified domain names (FQDN) or 'any' i.e. 10.0.1.34/32,192.168.1.10/24, www.cnn.com
"syslogEnabled": True #Log this rule to syslog (True or False, boolean value) - only applicable if a syslog has been configured
}
RULE_ACTION=DupRuleAct.REPLACE # can be DupRuleAct.REPLACE, DupRuleAct.APPEND or DupRuleAct.ADD_DUPLICATE as defined above
If you wish to have the script automatically skip networks in your organization without you having to manually specify so as it runs, just
add the Network IDs to the networks_skip.txt
text file, one per line (blank sample included in this repository) and the script will read the IDs
and notify you on the console as it skips over them. If you do not fill out the file or remove it, the script will just ignore it and proceed to
evaluate all Networks in the organization to try and add the rule you specify.
Issue either command below depending on which script you would like to execute.
For the original but limited functionality script:
python3 AddRulesToMXL3Firewall.py
For the new and more functional script:
python3 NewOrChangeRulesToMXL3Firewall.py
In both scripts, you will be prompted for confirmation before proceeding with the overall operation.
You will also be prompted on a per Network basis if you wish to proceed with adding the rules
If you wish to remove this last confirmation so the script can run for all Networks without interruption, look for the comment below in the .py script file you wish to modify and comment the line below it by adding # as the first character of the line
"#Comment line below if you wish to skip confirmation for each Network"