"""
# This is a python3 script to compare the defined list of 'block_ips'
# against the Organization's MX devices' outbound L3 firewall rules.
# Output is a CSV file with a list of network names that are either OK
# or NOK, with a list of IPs that are not blocked.
#
# Latest version always on
#
# Version v0.2
#
# Changelog :
# v0.1 20200705 Initial version
# v0.2 20200707 Added check for 'appliance'
#
#
#
#
#
"""
20
import csv
import ipaddress
import os

import meraki
import netaddr
24
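# IPs that every appliance network's outbound L3 rules are expected to deny.
block_ips = ["1.1.1.1", "2.2.2.2"]

# Organization whose networks are checked.
organization_id = "549236"

# The API key is read from the environment instead of being embedded in
# source, as described under the Usage section
# @ https://github.com/meraki/dashboard-api-python/
API_KEY = os.environ.get("MERAKI_DASHBOARD_API_KEY")

# CSV report written in the working directory.
OUTPUT_FILE = "meraki_fw_rules.csv"


def _dest_matches(dest: str, ip: str) -> bool:
    """Return True if *dest* (one entry of a rule's destCidr) covers *ip*.

    "Any"/"any" is treated as a wildcard. Entries that are not parseable
    as an IP or CIDR (for example names rather than addresses) never match,
    and a mismatch between IPv4 and IPv6 is also a non-match.
    """
    dest = dest.strip()
    if dest.lower() == "any":
        return True
    try:
        target = ipaddress.ip_network(ip, strict=False)
        blocked = ipaddress.ip_network(dest, strict=False)
    except ValueError:
        # Not an address/CIDR we can evaluate.
        return False
    try:
        # A deny for a containing range also blocks the single address.
        return target.subnet_of(blocked)
    except TypeError:
        # IPv4 vs IPv6 cannot contain each other.
        return False


def missing_blocked_ips(fw_rules, block_ips):
    """Return the entries of *block_ips* not covered by any deny rule.

    Args:
        fw_rules: iterable of rule dicts as returned by the dashboard, each
            read for its ``policy`` and comma-separated ``destCidr`` string.
            ``None`` is treated as "no rules".
        block_ips: IPs/CIDRs that must be denied. Never mutated, so the same
            list can be reused for every network.

    Returns:
        A new list, preserving the order of *block_ips*, with the entries
        that no deny rule's destination covers. Empty means all are blocked.

    NOTE(review): only ``policy`` and ``destCidr`` are evaluated. Rule order,
    ``srcCidr``, protocol and ports are ignored, so an earlier allow rule or
    a source-restricted deny is not taken into account — confirm this
    approximation is acceptable for the report.
    """
    deny_dests = []
    for rule in fw_rules or []:
        # Only deny rules can block one of our IPs.
        if rule.get("policy") != "deny":
            continue
        # destCidr may hold several comma-separated entries, or be absent.
        dests = (rule.get("destCidr") or "").split(",")
        deny_dests.extend(d for d in dests if d.strip())

    return [
        bip
        for bip in block_ips
        if not any(_dest_matches(dest, bip) for dest in deny_dests)
    ]


def main() -> None:
    """Query every network of the organization and write the CSV report.

    Raises:
        SystemExit: when MERAKI_DASHBOARD_API_KEY is not set, before any
            dashboard call is made.
    """
    if not API_KEY:
        raise SystemExit("MERAKI_DASHBOARD_API_KEY is not set")
    dashboard = meraki.DashboardAPI(API_KEY)

    # Get Networks for Org
    networks = dashboard.networks.getOrganizationNetworks(organization_id)

    # newline="" is what the csv module expects; default quoting keeps
    # commas inside the rule dump and the missing-IP list intact.
    with open(OUTPUT_FILE, mode="w", newline="") as output_file:
        csv_writer = csv.writer(output_file)
        csv_writer.writerow(["Network", "Blocked", "Missing IP's", "fw_rules"])

        for network in networks:
            # Network id is needed for the firewall-rules lookup, the name
            # is what ends up in the report.
            net_id = network.get("id")
            net_name = network.get("name")

            if "appliance" not in network.get("productTypes", []):
                row = [net_name, "No Appliance", "", ""]
            else:
                # NOTE(review): this is the legacy module-level call from the
                # meraki package while the networks are fetched through the
                # DashboardAPI object above — confirm the installed package
                # still provides it, or switch to the SDK equivalent.
                fw_rules = meraki.getmxl3fwrules(API_KEY, net_id)
                if fw_rules is None:
                    row = [net_name, "No FW", "", ""]
                else:
                    missing = missing_blocked_ips(fw_rules, block_ips)
                    status = "OK" if not missing else "NOK"
                    row = [net_name, status, ";".join(missing), fw_rules]

            print("### Writing this row to CSV:", row)
            csv_writer.writerow(row)


if __name__ == "__main__":
    main()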