meraki_mx_l7_firewall – Manage MX appliance layer 7 firewalls in the Meraki cloud

New in version 2.9.

Synopsis

• Allows for creation, management, and visibility into layer 7 firewalls implemented on Meraki MX firewalls.

Parameters

Parameter			Choices/Defaults	Comments
auth_key string / required				Authentication key provided by the dashboard. Required if environmental variable MERAKI_KEY is not set.
categories boolean			Choices: no yes	When True, specifies that applications and application categories should be queried instead of firewall rules.
host string			Default: "api.meraki.com"	Hostname for Meraki dashboard. Can be used to access regional Meraki environments, such as China.
internal_error_retry_time integer			Default: 60	Number of seconds to retry if server returns an internal server error.
net_id string				ID of network which MX firewall is in.
net_name string				Name of network which MX firewall is in.
org_id string				ID of organization.
org_name string				Name of organization. aliases: organization
output_format string			Choices: snakecase ← camelcase	Instructs module whether response keys should be snake case (ex. net_id) or camel case (ex. netId).
output_level string			Choices: debug normal ←	Set amount of debug output during module execution.
rate_limit_retry_time integer			Default: 165	Number of seconds to retry if rate limiter is triggered.
rules list				List of layer 7 firewall rules.
	application -			Application to filter.
		id string		URI of application as defined by Meraki.
		name string		Name of application to filter as defined by Meraki.
	application_category -			Category of applications to filter.
		id string		URI of application category as defined by Meraki.
		name string		Name of application category to filter as defined by Meraki.
	countries list			List of countries to whitelist or blacklist. The countries follow the two-letter ISO 3166-1 alpha-2 format.
	host string			FQDN of host to filter.
	ip_range string			CIDR notation range of IP addresses to apply rule to. Port can be appended to range with a ":".
	policy string		Choices: deny ←	Policy to apply if rule is hit.
	port string			TCP or UDP based port to filter.
	type string		Choices: application application_category blacklisted_countries host ip_range port whitelisted_countries	Type of policy to apply.
state string			Choices: present ← query	Query or modify a firewall rule.
timeout integer			Default: 30	Time to timeout for HTTP requests.
use_https boolean			Choices: no yes ←	If no, it will use HTTP. Otherwise it will use HTTPS. Only useful for internal Meraki developers.
use_proxy boolean			Choices: no yes	If no, it will not use a proxy, even if one is defined in an environment variable on the target hosts.
validate_certs boolean			Choices: no yes ←	Whether to validate HTTP certificates.

Notes

Note

• Module assumes a complete list of firewall rules are passed as a parameter.
• If there is interest in this module allowing manipulation of a single firewall rule, please submit an issue against this module.
• More information about the Meraki API can be found at https://dashboard.meraki.com/api_docs.
• Some of the options are likely only used for developers within Meraki.
• As of Ansible 2.9, Meraki modules output keys as snake case. To use camel case, set the ANSIBLE_MERAKI_FORMAT environment variable to camelcase.
• Ansible’s Meraki modules will stop supporting camel case output in Ansible 2.13. Please update your playbooks.

Examples

- name: Query firewall rules
  meraki_mx_l7_firewall:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: query
  delegate_to: localhost

- name: Query applications and application categories
  meraki_mx_l7_firewall:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    categories: yes
    state: query
  delegate_to: localhost

- name: Set firewall rules
  meraki_mx_l7_firewall:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: present
    rules:
      - type: whitelisted_countries
        countries:
          - US
          - FR
      - type: blacklisted_countries
        countries:
          - CN
      - policy: deny
        type: port
        port: 8080
      - type: port
        port: 1234
      - type: host
        host: asdf.com
      - type: application
        application:
          id: meraki:layer7/application/205
      - type: application_category
        application:
          id: meraki:layer7/category/24
  delegate_to: localhost

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key				Returned	Description
data complex				success	Firewall rules associated to network.
	application_categories list			success, when querying applications	List of application categories and applications.
		applications list			List of applications within a category.
			id string	success	URI of application. Sample: Gmail
			name string	success	Descriptive name of application. Sample: meraki:layer7/application/4
		id string		success	URI of application category. Sample: Email
		name string		success	Descriptive name of application category. Sample: layer7/category/1
	rules list			success, when not querying applications	Ordered list of firewall rules.
		applicationCategory list			List of application categories within a category.
			id string	success	URI of application. Sample: Gmail
			name string	success	Descriptive name of application. Sample: meraki:layer7/application/4
		applications list			List of applications within a category.
			id string	success	URI of application. Sample: Gmail
			name string	success	Descriptive name of application. Sample: meraki:layer7/application/4
		blacklistedCountries string		success	Countries to be blacklisted. Sample: RU
		ipRange string		success	Range of IP addresses in rule. Sample: 1.1.1.0/23
		policy string		success	Action to apply when rule is hit. Sample: deny
		port string		success	Port number in rule. Sample: 23
		type string		success	Type of rule category. Sample: applications
		whitelistedCountries string		success	Countries to be whitelisted. Sample: CA

Status

• This module is not guaranteed to have a backwards compatible interface. [preview]
• This module is maintained by the Ansible Community. [community]

Authors

• Kevin Breit (@kbreit)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.