PSMeraki

2.0.1

Public/Update-MrkNetworkMXL7FwRule.ps1

                                function Update-MrkNetworkMXL7FwRule{

    <#

    .SYNOPSIS

    Adds a Meraki L7 Firewall rule to the given Meraki network.

    .DESCRIPTION

    Adds a Meraki L7 Firewall rule to the given Meraki network.

    For MX series the firewall rules are set per NetworkID.

        PUT {{baseUrl}}/networks/{networkId}/l7FirewallRules

    .EXAMPLE

    Update-MrkNetworkMXL7FwRule -networkId X_112233445566778899 -policy Deny -type applicationCategory -value

    Update-MrkNetworkMXL7FwRule -networkId X_112233445566778899 -policy Deny -type host -value malicious.domain.com

    .PARAMETER networkId

    specify a networkId, find an id using get-MrkNetworks

    .PARAMETER policy

    This parameter is currently only available as 'deny' and determines if the rule is to deny (or allow?) a certain L7 destination

    .PARAMETER type

    This parameter is a fixed ValidateSet: "application", "applicationCategory","host","port","ipRange"

    * application(Category): this type requires a value of type array that provides an id and name of the Meraki-defined list of applications

    * host: this type requires a value of type string that names the host. E.g. www.somedomain.com

    * port: this type requires a value of type string that contains the portnumber that should be blocked

    * ipRange: this type requires a value of type string that contains the iprange (ip4v) that should be blocked

    .PARAMETER value

    the value is either a string or an array depending on the rule-type

    the array-value must be given like this: @{id="meraki:layer7/category/13";name="Video & music"}

    .PARAMETER action

    the action is add or remove. 'add' will look in the list of existing rules and only add the provided rule if not present yet.

    'remove' will look in the list of existing rules and only remove it when it is present.

    .PARAMETER reset

    optional switch to determine if the cmdlet will keep the existing L3 Firewall rules or start with a clean set of rules and add only this new one.

    not specifying it or assigning $false will keep the existing rules (default).

    #>

    [CmdletBinding()]

    [OutputType("System.String")]

    Param (

        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][String]$networkId,

        [ValidateSet("deny")][String]$policy="deny",

        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][ValidateSet("application", "applicationCategory","host","port","ipRange", "whitelistedCountries", "blacklistedCountries")][String]$type,

        [Parameter(Mandatory)][ValidateNotNullOrEmpty()]$value,

        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][ValidateSet("add", "remove")][String]$action,

        [Parameter()][switch]$reset

    )

    $ruleset = @()

    if (-not $reset){

        $ruleset = (Get-MrkNetworkMXL7FwRule -networkId $networkId).rules

    }

    #the value in the rule-object is an object itself that cannot be compared as string

    if ($type -match "application"){

        $PSoValue = [pscustomobject]$value

    } else {

        $PSoValue = $value

    }

    #populate the to-be ruleset first with the existing rules (will be empty in case of reset)

    $applyRules = @()

    ForEach ($rule in $ruleset){

        #if the action is delete and the rule specifications policy/type/value are equal do not add it back to the ruleset.

        if ($action -eq 'remove' -and `

           ($rule.policy -eq $policy -and `

            $rule.type -eq $type -and `

            [string]$PSoValue -match $rule.value)){

                "No longer adding this rule: $value";

                continue

            }

        if ($action -eq 'add' -and `

            ($rule.policy -eq $policy -and `

             $rule.type -eq $type -and `

             $rule.value -match $PSoValue)){

                  "Not adding new rule as it is already present: $value";

                  $rulePresent = $true

              }

        #add this exising rule into the $ruleset object

        $ruleEntry = [PSCustomObject]@{

            policy = $rule.policy

            type   = $rule.type

            value  = $rule.value

        }

        $applyRules += $ruleEntry

    }

    #append the new ruleobject to the applyRules

    if ($action -eq 'add' -and $true -ne $rulePresent){

        $ruleEntry = New-Object -TypeName PSObject -Property @{

            policy = $policy

            type   = $type

            value  = $PSoValue

        }

        $applyRules += $ruleEntry

    };

    #construct the full ruleObject to push into the $body of the RESTapi request

    $ruleObject = New-Object -TypeName PSObject -Property @{

        rules = $applyRules

    }

    if($true -ne $rulePresent){

        if ($mrkApiVersion -eq 'v0'){

            $ResourceID = "/networks/$networkId/l7FirewallRules"

        } Else { #mrkApiVersion v1

            $ResourceID = "/networks/$networkId/appliance/firewall/l7FirewallRules"

        }        

        Invoke-MrkRestMethod -Method PUT -ResourceID $ResourceID -body $ruleObject

    }

}