Cisco Meraki Firewall



Introduction

Are you trying to migrate a config from another device to a Cisco Meraki MX, and that config uses objects, object groups or service groups?

Meraki mfw is a Python script that lets you edit an objects file and a rules file in Microsoft Excel and then import the resulting configuration into the Meraki Dashboard as L3 appliance firewall rules. The object names are embedded in the comment field of each imported rule, so you can export the current config, modify it, and import it again, all while preserving the object and service group names.

Installation

Download mfw.zip (last updated 12-Jul-2020) and extract it to a directory you want to run it from.

meraki-mfw uses dotenv to safely store your credentials. Create a file called .meraki.env in your home directory (note the leading dot in the filename). On Linux this is typically /home/<username>. On Windows this is typically c:\users\<username>.

Into .meraki.env put this line:

x_cisco_meraki_api_key=<your API key>

If you don't have an API key yet, follow the instructions on this page: https://documentation.meraki.com/zGeneral_Administration/Other_Topics/The_Cisco_Meraki_Dashboard_API

Prior to running this script you'll need Python 3.x installed and you'll need to run the below commands to install the extra components required.

pip3 install argparse
pip3 install meraki==1.0.0b3
pip3 install -U meraki
pip3 install -U python-dotenv

If you are using the script on Linux I would suggest marking it executable to make running it simpler.

chmod +x mfw.py

Usage

To export the current rules (or a set of previously imported rules):

mfw.py  -o "Your org name" -n "Your network name" export rules.csv objects.csv

To import rules and append them to what is already in the dashboard:

mfw.py  -o "Your org name" -n "Your network name" import -a rules.csv objects.csv

To import rules and replace what is already in the dashboard:

mfw.py  -o "Your org name" -n "Your network name" import -r rules.csv objects.csv

objects.csv and rules.csv are CSV files. They have been designed so you can edit them in Microsoft Excel.

objects.csv contains objects, object groups (which are other objects) and service definitions. When they are imported, a simple string substitution is done, replacing the object name with the values in the next column. A sample objects.csv might look like:

Name,Value
google,"google.com,accounts"
web,"80,443"
accounts,accounts.google.com

In the above example, "google" is a group consisting of the FQDN google.com and the nested object called "accounts", which itself is another FQDN - accounts.google.com.

"web" is a service group consisting of the ports 80 and 443.

rules.csv might look like:

Comment,Policy,Protocol,Source Port,Source CIDR,Destination Port,Destination CIDR,Syslog Enabled
General Comment,allow,udp,Any,192.168.73.1/32,web,google,False
,deny,tcp,Any,192.168.73.2/32,80,google.com,False

You'll notice the rule referencing the object group "google" and the service group "web".

The script does not do any checking on the format of the files, so if you get an error from the Meraki API during import, you have put something in a format that the API does not like.

You could try creating some of the rules in the dashboard and exporting them to see how they should look.

You could try breaking up the rules you are importing into smaller files until you locate the rule with the error.

Common things to look out for are to make sure all addresses are in prefix notation. You can't just have an IP address on its own. Also the second field in the objects.csv file MUST be in speech or quote marks.
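
A pre-import check for the problems described above, as an added example that is not part of mfw.py. It assumes object names are expanded as this page describes, with nested names resolved recursively, and the accepted value formats (Any, hostnames, prefix-notation addresses, single port numbers) are assumptions drawn from the sample files.

```python
import csv, io, ipaddress, re

# Constructed samples based on this page's examples; rule 2 has lost its /32.
OBJECTS_CSV = 'Name,Value\ngoogle,"google.com,accounts"\nweb,"80,443"\naccounts,accounts.google.com\n'
RULES_CSV = (
    "Comment,Policy,Protocol,Source Port,Source CIDR,Destination Port,Destination CIDR,Syslog Enabled\n"
    "General Comment,allow,udp,Any,192.168.73.1/32,web,google,False\n"
    ",deny,tcp,Any,192.168.73.2,80,google.com,False\n"
)
# Assumed hostname shape: dot-separated labels ending in an alphabetic TLD.
FQDN = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$")

def load_objects(text):
    """Map each object name to its raw comma-separated value string."""
    return {r["Name"].strip(): r["Value"] for r in csv.DictReader(io.StringIO(text))}

def expand(value, objects, seen=()):
    """Replace object names with their values, following nesting; reject loops."""
    out = []
    for item in (v.strip() for v in value.split(",")):
        if item in seen:
            raise ValueError(f"object '{item}' refers back to itself")
        out += expand(objects[item], objects, seen + (item,)) if item in objects else [item]
    return out

def valid_addr(a):
    """Accept Any, a hostname, or prefix notation; a bare IP address fails."""
    if a.lower() == "any" or FQDN.match(a):
        return True
    try:
        ipaddress.ip_network(a, strict=False)
        return "/" in a
    except ValueError:
        return False

def valid_port(p):
    """Accept Any or a port number from 1 to 65535."""
    return p.lower() == "any" or bool(re.fullmatch(r"[0-9]{1,5}", p) and 0 < int(p) < 65536)

def check(rules_text, objects_text):
    """Return (rule number, column, bad value) for every value the checks reject."""
    objects, problems = load_objects(objects_text), []
    for n, row in enumerate(csv.DictReader(io.StringIO(rules_text)), start=1):
        for col in ("Source CIDR", "Destination CIDR", "Source Port", "Destination Port"):
            ok = valid_addr if col.endswith("CIDR") else valid_port
            problems += [(n, col, v) for v in expand(row[col], objects) if not ok(v)]
    return problems

if __name__ == "__main__":
    print(check(RULES_CSV, OBJECTS_CSV))
```

To check your own files, pass their contents to check(); an empty list means every expanded value passed, and each tuple names the rule and column to fix before importing.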