cisco.meraki.meraki_mx_site_to_site_firewall – Manage MX appliance firewall rules for site-to-site VPNs
Note
This plugin is part of the cisco.meraki collection (version 2.5.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install cisco.meraki.
To use it in a playbook, specify: cisco.meraki.meraki_mx_site_to_site_firewall.
New in version 1.0.0: of cisco.meraki
Synopsis
- Allows for creation, management, and visibility into firewall rules for site-to-site VPNs implemented on Meraki MX firewalls.
Parameters
| Parameter | Choices/Defaults | Comments | |
|---|---|---|---|
| auth_key
string / required
|
Authentication key provided by the dashboard. Required if environmental variable MERAKI_KEY is not set.
|
||
| host
string
|
Default:
"api.meraki.com"
|
Hostname for Meraki dashboard.
Can be used to access regional Meraki environments, such as China.
|
|
| internal_error_retry_time
integer
|
Default:
60
|
Number of seconds to retry if server returns an internal server error.
|
|
| org_id
string
|
ID of organization.
|
||
| org_name
string
|
Name of organization.
aliases: organization |
||
| output_format
string
|
|
Instructs module whether response keys should be snake case (ex. net_id) or camel case (ex. netId).
|
|
| output_level
string
|
|
Set amount of debug output during module execution.
|
|
| rate_limit_retry_time
integer
|
Default:
165
|
Number of seconds to retry if rate limiter is triggered.
|
|
| rules
list / elements=dictionary
|
List of firewall rules.
|
||
| comment
string
|
Optional comment to describe the firewall rule.
|
||
| dest_cidr
string
|
Comma separated list of CIDR notation destination networks.
Any must be capitalized.
|
||
| dest_port
string
|
Comma separated list of destination port numbers to match against.
Any must be capitalized.
|
||
| policy
string
|
|
Policy to apply if rule is hit.
|
|
| protocol
string
|
|
Protocol to match against.
|
|
| src_cidr
string
|
Comma separated list of CIDR notation source networks.
Any must be capitalized.
|
||
| src_port
string
|
Comma separated list of source port numbers to match against.
Any must be capitalized.
|
||
| syslog_enabled
boolean
|
|
Whether to log hints against the firewall rule.
Only applicable if a syslog server is specified against the network.
|
|
| state
string
|
|
Create or modify an organization.
|
|
| syslog_default_rule
boolean
|
|
Whether to log hits against the default firewall rule.
Only applicable if a syslog server is specified against the network.
This is not shown in response from Meraki. Instead, refer to the syslog_enabled value in the default rule.
|
|
| timeout
integer
|
Default:
30
|
Time to timeout for HTTP requests.
|
|
| use_https
boolean
|
|
If
no, it will use HTTP. Otherwise it will use HTTPS.
Only useful for internal Meraki developers.
|
|
| use_proxy
boolean
|
|
If no, it will not use a proxy, even if one is defined in an environment variable on the target hosts.
|
|
| validate_certs
boolean
|
|
Whether to validate HTTP certificates.
|
|
Notes
Note
- Module assumes a complete list of firewall rules are passed as a parameter.
- More information about the Meraki API can be found at https://dashboard.meraki.com/api_docs.
- Some of the options are likely only used for developers within Meraki.
- As of Ansible 2.9, Meraki modules output keys as snake case. To use camel case, set the
ANSIBLE_MERAKI_FORMATenvironment variable tocamelcase. - Ansible’s Meraki modules will stop supporting camel case output in Ansible 2.13. Please update your playbooks.
- Check Mode downloads the current configuration from the dashboard, then compares changes against this download. Check Mode will report changed if there are differences in the configurations, but does not submit changes to the API for validation of change.
Examples
- name: Query firewall rules
meraki_mx_site_to_site_firewall:
auth_key: abc123
org_name: YourOrg
state: query
delegate_to: localhost
- name: Set two firewall rules
meraki_mx_site_to_site_firewall:
auth_key: abc123
org_name: YourOrg
state: present
rules:
- comment: Block traffic to server
src_cidr: 192.0.1.0/24
src_port: any
dest_cidr: 192.0.2.2/32
dest_port: any
protocol: any
policy: deny
- comment: Allow traffic to group of servers
src_cidr: 192.0.1.0/24
src_port: any
dest_cidr: 192.0.2.0/24
dest_port: any
protocol: any
policy: permit
delegate_to: localhost
- name: Set one firewall rule and enable logging of the default rule
meraki_mx_site_to_site_firewall:
auth_key: abc123
org_name: YourOrg
state: present
rules:
- comment: Block traffic to server
src_cidr: 192.0.1.0/24
src_port: any
dest_cidr: 192.0.2.2/32
dest_port: any
protocol: any
policy: deny
syslog_default_rule: yes
delegate_to: localhost
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description | ||
|---|---|---|---|---|
| data
complex
|
success |
Firewall rules associated to network.
|
||
| rules
complex
|
success |
List of firewall rules associated to network.
|
||
| comment
string
|
always |
Comment to describe the firewall rule.
Sample:
Block traffic to server
|
||
| dest_cidr
string
|
always |
Comma separated list of CIDR notation destination networks.
Sample:
192.0.1.1/32,192.0.1.2/32
|
||
| dest_port
string
|
always |
Comma separated list of destination ports.
Sample:
80,443
|
||
| policy
string
|
always |
Action to take when rule is matched.
|
||
| protocol
string
|
always |
Network protocol for which to match against.
Sample:
tcp
|
||
| src_cidr
string
|
always |
Comma separated list of CIDR notation source networks.
Sample:
192.0.1.1/32,192.0.1.2/32
|
||
| src_port
string
|
always |
Comma separated list of source ports.
Sample:
80,443
|
||
| syslog_enabled
boolean
|
always |
Whether to log to syslog when rule is matched.
Sample:
True
|
||
Authors
- Kevin Breit (@kbreit)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/cisco/meraki/meraki_mx_site_to_site_firewall_module.html