ansible.builtin.meraki_mx_l7_firewall (v2.9.24) — module

Manage MX appliance layer 7 firewalls in the Meraki cloud

Added in version 2.9 of ansible.builtin

Authors: Kevin Breit (@kbreit)

preview | supported by community

Install Ansible via pip

Install with pip install ansible==2.9.24

Description

Allows for creation, management, and visibility into layer 7 firewalls implemented on Meraki MX firewalls.

Usage examples

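# Read the layer 7 firewall rules configured for one network.
- name: Query firewall rules
  meraki_mx_l7_firewall:
    # The dashboard API key is a credential, so it is not written into the
    # playbook. Here it is read from the MERAKI_KEY environment variable on the
    # control node; an Ansible Vault variable is an equally valid source.
    auth_key: "{{ lookup('env', 'MERAKI_KEY') }}"
    org_name: YourOrg
    net_name: YourNet
    state: query
  # Run on the control node; the module calls the Meraki dashboard API.
  delegate_to: localhost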
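# List the applications and application categories that layer 7 rules can
# reference, instead of listing the firewall rules themselves.
- name: Query applications and application categories
  meraki_mx_l7_firewall:
    # The dashboard API key is a credential, so it is not written into the
    # playbook. Here it is read from the MERAKI_KEY environment variable on the
    # control node; an Ansible Vault variable is an equally valid source.
    auth_key: "{{ lookup('env', 'MERAKI_KEY') }}"
    org_name: YourOrg
    net_name: YourNet
    # Canonical boolean; `yes` is read differently by YAML 1.1 and 1.2 parsers.
    categories: true
    state: query
  # Run on the control node; the module calls the Meraki dashboard API.
  delegate_to: localhost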
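# Apply a set of layer 7 firewall rules to one network.
- name: Set firewall rules
  meraki_mx_l7_firewall:
    # The dashboard API key is a credential, so it is not written into the
    # playbook. Here it is read from the MERAKI_KEY environment variable on the
    # control node; an Ansible Vault variable is an equally valid source.
    auth_key: "{{ lookup('env', 'MERAKI_KEY') }}"
    org_name: YourOrg
    net_name: YourNet
    state: present
    rules:
      # Country codes are quoted so that a two-letter code such as NO can never
      # be parsed as a boolean.
      - type: whitelisted_countries
        countries:
          - 'US'
          - 'FR'
      - type: blacklisted_countries
        countries:
          - 'CN'
      # `policy` is optional; the module documents `deny` as its default and
      # only choice.
      - policy: deny
        type: port
        # The port option is documented as a string, so it is quoted.
        port: '8080'
      - type: port
        port: '1234'
      - type: host
        host: asdf.com
      - type: application
        application:
          id: 'meraki:layer7/application/205'
      # NOTE(review): the module's inputs document a separate
      # `application_category` suboption, while this rule passes the category
      # URI under `application` - confirm which key the module reads.
      - type: application_category
        application:
          id: 'meraki:layer7/category/24'
  # Run on the control node; the module calls the Meraki dashboard API.
  delegate_to: localhost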

Inputs

    
host:
    default: api.meraki.com
    description:
    - Hostname for Meraki dashboard.
    - Can be used to access regional Meraki environments, such as China.
    type: str

rules:
    description:
    - List of layer 7 firewall rules.
    suboptions:
      application:
        description:
        - Application to filter.
        suboptions:
          id:
            description:
            - URI of application as defined by Meraki.
            type: str
          name:
            description:
            - Name of application to filter as defined by Meraki.
            type: str
      application_category:
        description:
        - Category of applications to filter.
        suboptions:
          id:
            description:
            - URI of application category as defined by Meraki.
            type: str
          name:
            description:
            - Name of application category to filter as defined by Meraki.
            type: str
      countries:
        description:
        - List of countries to whitelist or blacklist.
        - The countries follow the two-letter ISO 3166-1 alpha-2 format.
        type: list
      host:
        description:
        - FQDN of host to filter.
        type: str
      ip_range:
        description:
        - CIDR notation range of IP addresses to apply rule to.
        - Port can be appended to range with a C(":").
        type: str
      policy:
        choices:
        - deny
        default: deny
        description:
        - Policy to apply if rule is hit.
        type: str
      port:
        description:
        - TCP or UDP based port to filter.
        type: str
      type:
        choices:
        - application
        - application_category
        - blacklisted_countries
        - host
        - ip_range
        - port
        - whitelisted_countries
        description:
        - Type of policy to apply.
        type: str
    type: list

state:
    choices:
    - present
    - query
    default: present
    description:
    - Query or modify a firewall rule.
    type: str

net_id:
    description:
    - ID of network which MX firewall is in.
    type: str

org_id:
    description:
    - ID of organization.
    type: str

timeout:
    default: 30
    description:
    - Time to timeout for HTTP requests.
    type: int

auth_key:
    description:
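    - Authentication key provided by the dashboard. Required if the environment variable
      C(MERAKI_KEY) is not set.
    - This key is a credential; supply it from C(MERAKI_KEY) or an encrypted variable
      rather than writing it into a playbook.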
    required: true
    type: str

net_name:
    description:
    - Name of network which MX firewall is in.
    type: str

org_name:
    aliases:
    - organization
    description:
    - Name of organization.
    type: str

use_https:
    default: true
    description:
    - If C(no), it will use HTTP. Otherwise it will use HTTPS.
    - Over HTTP, requests to the dashboard, including the authentication key, are sent
      unencrypted.
    - Only useful for internal Meraki developers.
    type: bool

use_proxy:
    default: false
    description:
    - If C(no), it will not use a proxy, even if one is defined in an environment variable
      on the target hosts.
    type: bool

categories:
    description:
    - When C(True), specifies that applications and application categories should be queried
      instead of firewall rules.
    type: bool

output_level:
    choices:
    - debug
    - normal
    default: normal
    description:
    - Set amount of debug output during module execution.
    type: str

output_format:
    choices:
    - snakecase
    - camelcase
    default: snakecase
    description:
    - Instructs module whether response keys should be snake case (ex. C(net_id)) or camel
      case (ex. C(netId)).
    type: str

validate_certs:
    default: true
    description:
    - Whether to validate HTTPS (TLS) certificates.
    - When validation is disabled, the identity of the dashboard host is not verified.
    type: bool

rate_limit_retry_time:
    default: 165
    description:
    - Number of seconds to retry if rate limiter is triggered.
    type: int

internal_error_retry_time:
    default: 60
    description:
    - Number of seconds to retry if server returns an internal server error.
    type: int

Outputs

data:
  contains:
    application_categories:
      contains:
        applications:
          contains:
            id:
              description: URI of application.
              returned: success
              sample: Gmail
              type: str
            name:
              description: Descriptive name of application.
              returned: success
              sample: meraki:layer7/application/4
              type: str
          description: List of applications within a category.
          type: list
        id:
          description: URI of application category.
          returned: success
          sample: Email
          type: string
        name:
          description: Descriptive name of application category.
          returned: success
          sample: layer7/category/1
          type: string
      description: List of application categories and applications.
      returned: success, when querying applications
      type: list
    rules:
      contains:
        applicationCategory:
          contains:
            id:
              description: URI of application.
              returned: success
              sample: Gmail
              type: str
            name:
              description: Descriptive name of application.
              returned: success
              sample: meraki:layer7/application/4
              type: str
          description: List of application categories within a category.
          type: list
        applications:
          contains:
            id:
              description: URI of application.
              returned: success
              sample: Gmail
              type: str
            name:
              description: Descriptive name of application.
              returned: success
              sample: meraki:layer7/application/4
              type: str
          description: List of applications within a category.
          type: list
        blacklistedCountries:
          description: Countries to be blacklisted.
          returned: success
          sample: RU
          type: str
        ipRange:
          description: Range of IP addresses in rule.
          returned: success
          sample: 1.1.1.0/23
          type: str
        policy:
          description: Action to apply when rule is hit.
          returned: success
          sample: deny
          type: str
        port:
          description: Port number in rule.
          returned: success
          sample: 23
          type: str
        type:
          description: Type of rule category.
          returned: success
          sample: applications
          type: str
        whitelistedCountries:
          description: Countries to be whitelisted.
          returned: success
          sample: CA
          type: str
      description: Ordered list of firewall rules.
      returned: success, when not querying applications
      type: list
  description: Firewall rules associated to network.
  returned: success
  type: complex