meraki-security-appliance
Meraki Security Appliance (MX) Operations
MCP Server
- Repository: CiscoDevNet/meraki-magic-mcp-community
- Transport: stdio (Python via FastMCP) or HTTP
- Requires: `MERAKI_API_KEY`, `MERAKI_ORG_ID`
Key Capabilities
| Operation | API Method | What It Does |
|---|---|---|
| Security center | `getNetworkSecurityCenter` | Security overview: threat score, events, top threats |
| VPN status | `getNetworkVpnStatus` | VPN peer connectivity status |
| Firewall rules | `getNetworkSecurityFirewallRules` | L3 outbound firewall rules |
| Update firewall | `updateNetworkSecurityFirewallRules` | [WRITE] Modify L3 firewall rules |
| Site-to-site VPN | `getNetworkSecurityVpnSiteToSite` | VPN mode (hub/spoke/none), hubs, subnets |
| Update VPN | `updateNetworkSecurityVpnSiteToSite` | [WRITE] Modify VPN configuration |
| Content filtering | `getNetworkSecurityContentFiltering` | URL categories, blocked URLs, allowed URLs |
| Update filtering | `updateNetworkSecurityContentFiltering` | [WRITE] Modify blocked/allowed URL lists and categories |
| Security events | `getNetworkSecuritySecurityEvents` | IDS/IPS events, malware, C2 callbacks |
| Traffic shaping | `getNetworkSecurityTrafficShaping` | Global bandwidth limits, per-rule shaping |
| Update shaping | `updateNetworkSecurityTrafficShaping` | [WRITE] Modify bandwidth limits and shaping rules |
Workflow: Firewall Rule Audit
When a user asks "show me the firewall rules on the branch MX":
- Find network: `getNetworks` (meraki-network-ops) for the branch network
- Firewall rules: `getNetworkSecurityFirewallRules` — all L3 outbound rules
- Analyze: check for overly permissive rules (any/any/any allow), shadowed rules, unused rules
- Content filtering: `getNetworkSecurityContentFiltering` — URL category blocks
- Security events: `getNetworkSecuritySecurityEvents` — recent IDS/IPS hits
- Report: rule table with security assessment and recommendations
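One way to implement the "Analyze" step, as an added example that is not code from this skill or from the MCP server repository. It assumes the rules arrive as dictionaries with the field names of Meraki Dashboard L3 rule objects (`policy`, `protocol`, `srcCidr`, `srcPort`, `destCidr`, `destPort`) and that address fields hold only IPv4 CIDRs or `Any`; the function names and sample rules are constructed for illustration.

```python
import ipaddress

# Constructed sample; field names assume the Meraki Dashboard L3 rule shape.
SAMPLE_RULES = [
    {"policy": "allow", "protocol": "tcp", "srcCidr": "10.0.0.0/8",
     "destCidr": "Any", "destPort": "443", "comment": "Web out"},
    {"policy": "deny", "protocol": "tcp", "srcCidr": "10.20.0.0/16",
     "destCidr": "Any", "destPort": "443", "comment": "Block guest web"},
    {"policy": "allow", "protocol": "any", "srcCidr": "Any",
     "destCidr": "Any", "destPort": "Any", "comment": "Temp"},
    {"policy": "deny", "protocol": "tcp", "srcCidr": "Any",
     "destCidr": "Any", "destPort": "23", "comment": "Block telnet"},
]

def _nets(cidr):
    # "Any" means all IPv4 space; otherwise a comma-separated CIDR list.
    if cidr.lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(c.strip(), strict=False) for c in cidr.split(",")]

def _ports(spec):
    if spec.lower() == "any":
        return None  # None stands for every port
    spans = (p.strip().partition("-") for p in spec.split(","))
    return {n for lo, _, hi in spans for n in range(int(lo), int(hi or lo) + 1)}

def _covers(a, b):
    # True when earlier rule a matches every packet that rule b matches.
    if a["protocol"].lower() not in ("any", b["protocol"].lower()):
        return False
    for f in ("srcCidr", "destCidr"):
        if not all(any(n.subnet_of(m) for m in _nets(a[f])) for n in _nets(b[f])):
            return False
    for f in ("srcPort", "destPort"):
        pa, pb = _ports(a.get(f, "Any")), _ports(b.get(f, "Any"))
        if pa is not None and (pb is None or not pb <= pa):
            return False
    return True

def audit(rules):
    # Rules are evaluated top-down, so an earlier covering rule wins.
    findings = []
    for i, r in enumerate(rules):
        fields = (r["protocol"], r["srcCidr"], r["destCidr"], r["destPort"])
        if r["policy"] == "allow" and all(v.lower() == "any" for v in fields):
            findings.append((i, "any-any-allow"))
        hit = next((j for j in range(i) if _covers(rules[j], r)), None)
        if hit is not None:
            findings.append((i, f"shadowed-by-{hit}"))
    return findings
```

The check is pairwise and conservative: a rule that is only covered by the union of several earlier rules is not reported, so a clean result does not prove the absence of shadowing.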
Workflow: VPN Connectivity Troubleshooting
When investigating "VPN tunnel to HQ is down":
- VPN status: `getNetworkVpnStatus` — tunnel state for all peers
- VPN config: `getNetworkSecurityVpnSiteToSite` — mode, hubs, subnets
- Device status: `getDeviceStatus` (meraki-network-ops) — is the MX online?
- Uplinks: `getDeviceUplink` — WAN link status (is ISP up?)
- Security events: `getNetworkSecuritySecurityEvents` — VPN-related errors
- Report: root cause analysis (ISP outage, config mismatch, peer down)
Workflow: Content Filtering Review
When auditing web content filtering:
- Current config: `getNetworkSecurityContentFiltering` — blocked categories, blocked/allowed URLs
- Security events: `getNetworkSecuritySecurityEvents` — users hitting blocked content
- Compare across sites: check filtering consistency across networks
- Recommendations: tighten categories, add specific URL blocks/allows
- Apply: `updateNetworkSecurityContentFiltering` — requires ServiceNow CR
Workflow: Security Event Investigation
When responding to a security alert:
- Security events: `getNetworkSecuritySecurityEvents` — IDS/IPS detections, malware, C2
- Client details: `getClientDetails` (meraki-network-ops) for involved endpoints
- Firewall rules: `getNetworkSecurityFirewallRules` — is the threat being blocked?
- Content filtering: check if malicious domains are in the block list
- Containment: `updateClientPolicy` to quarantine the endpoint — requires human approval
- ServiceNow: create Security Incident
- Report: incident summary with timeline, IOCs, containment actions
Integration with Other Skills
| Skill | How They Work Together |
|---|---|
| `meraki-network-ops` | Network/device context for MX operations |
| `meraki-monitoring` | Live diagnostics on MX appliances |
| `fmc-firewall-ops` | Cross-platform firewall audit: Meraki MX rules vs Cisco FTD rules |
| `aws-network-ops` | Hybrid security: Meraki MX on-prem + AWS Network Firewall cloud |
| `ise-posture-audit` | Meraki client policies + ISE posture for unified access control |
| `servicenow-change-workflow` | Gate all firewall, VPN, and content filtering changes |
| `gait-session-tracking` | Record all security investigations and rule changes |
Important Rules
- Firewall rule changes affect all traffic — modifying L3 rules can break connectivity for the entire site
- VPN configuration changes can disrupt inter-site connectivity — always verify tunnel state after changes
- Content filtering affects user experience — coordinate with help desk before blocking new categories
- Security events require investigation — IDS/IPS alerts should be triaged, not ignored
- ServiceNow CR required for all firewall rule, VPN, content filtering, and traffic shaping changes
- Record in GAIT — log all security appliance audits, investigations, and changes
Environment Variables
- `MERAKI_API_KEY` — Meraki Dashboard API key
- `MERAKI_ORG_ID` — Meraki organization ID