topic API REST FXOS chassis 9300 or 4100 Firepower in Network Security

API REST FXOS chassis 9300 or 4100 Firepower

JOSE MARIA PEREZ ALBA — Tue, 12 Mar 2019 13:23:00 GMT

Hi,

I was reading the below documentation about API REST of chassis (FXOS):

https://developer.cisco.com/site/ssp/firepower/

But I haven't found more information (only it is mentioned at http://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos211/cli-config/b_CLI_ConfigGuide_FXOS_211/introduction_to_the_firepower_9300.html?bookSearch=true) about FXOS API REST.

I have two pairs of 4100 Firepower and two pairs of 9300 Firepower, and they are connected to FMC 4000. I was trying to configure both pairs from API FXOS but I couldn't authenticate to FXOS API. FMC REST API is working and I can make GET, POST, etc.

Any idea about more information about FXOS API?

My request via POSTMAN is:

POST https://<Firepower Chassis_chassis_fqdn>[:management_port]/api/login

with HTTP Headers

Content-type HTTP set to application/json

USERNAME = <name of the user>

PASSWORD = <url_encoded_password>

Output is:

ERROR 400 with Payload

{
"error-code": "551",
"error-description": "Authentication failed",
"error-nr": "unidentified-fail"
}

Thank you in advance.

josemaria.perez,

neipatel — Wed, 03 May 2017 15:10:41 GMT

josemaria.perez,

Have you tried using basic authorization rather than directly adding the fields to the header? This will ensure that the encoding is done properly and should return a token back in the header for use in all subsequent requests.

Hi neipatel:

JOSE MARIA PEREZ ALBA — Thu, 04 May 2017 15:56:53 GMT

Hi neipatel:

Thanks for your helping. For example, If I make a curl to FMC 4000 to request the token, basic auth works but I have tried it for this case and I have the same output error. I have checked from Postman and CLI.

$ curl -k --user username:password https://<Firepower Chassis_chassis_fqdn>/api/login

Cache-Control: no-store, must-revalidate
Content-type: application/json

{"error-code": "552", "error-description": "Authorization required", "error-nr": "service-unavailable"}

Anybody know that it is working this API? FMC API is OK.

Hello,

Veronika Klauzova — Tue, 16 May 2017 20:27:10 GMT

Hello,

What FCM/FXOS version are you using?

I have tried now on FXOS 2.1.1.77 and it is working fine, here is syntax as an example that you can use:

$ curl -X POST -v -k -H "Authorization: Basic YWRtaW46VmtsYXV6b3YxMjM=" https://192.168.0.38/api/login --insecure -H "USERNAME=admin" -H "\
> Authorization:Basic YWRtaW46VmtsYXV6b3YxMjM=
> USERNAME:admin
> PASSWORD:Admin12345
> //Content-Type:application/x-www-form-urlencoded\
>
> "
* Trying 192.168.0.38...
* Connected to192.168.0.38 (192.168.0.38) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* Server certificate: FPR4100
> POST /api/login HTTP/1.1
> Host:192.168.0.38
> User-Agent: curl/7.43.0
> Accept: */*
> Authorization: Basic YWRtaW46VmtsYXV6b3YxMjM=
> Authorization:Basic YWRtaW46VmtsYXV6b3YxMjM=
> USERNAME:admin
> PASSWORD:Admin12345
> //Content-Type:application/x-www-form-urlencoded
>
>
< HTTP/1.1 200 OK
< Date: Tue, 16 May 2017 20:22:41 GMT
< Server: Apache/2.4.16 (Unix) CiscoSSL/1.0.2j.6.0.269-fips
< Set-Cookie: SSA_C=2e85c9ea-9997-40d5-9f61-5805170417f9; Path=/; secure; Version=1
< Set-Cookie: SSA_T="1494966162/ea1cc996-7eff-4ba5-b95f-409fcfa34d5d"; httponly; Path=/; secure; Version=1
< Set-Cookie: SSA_U=admin; httponly; Path=/; secure; Version=1
< X-Frame-Options: SAMEORIGIN
< Cache-Control: no-cache, no-store
< Pragma: no-cache
< Transfer-Encoding: chunked
< Content-Type: application/json
<
{"token": "1494966162/ea1cc996-7eff-4ba5-b95f-409fcfa34d5d", "refreshPeriod": "600"}
* Connection #0 to host192.168.0.38 left intact

Enjoy,

Veronika

Hi Veronika,

JOSE MARIA PEREZ ALBA — Thu, 25 May 2017 10:55:24 GMT

Hi Veronika,

Thank you very much for your helping. The version of FXOS is 2.1.1.64 and FMC is 6.2.0. I have tried but it doesn't work for 4100 chassis. I will update firmware and FXOS next week and I will retry to connect to API.

All the best.

So what output you see after

Veronika Klauzova — Thu, 25 May 2017 12:31:08 GMT

So what output you see after using adjusted command which I have shared? Sill same error 552 as before?

Full command to be used:

curl -X POST -v -k -H "Authorization: Basic YWRtaW46VmtsYXV6b3YxMjM=" https://192.168.0.38/api/login --insecure -H "USERNAME=admin" -H "\
> Authorization:Basic YWRtaW46VmtsYXV6b3YxMjM=
> USERNAME:admin
> PASSWORD:Admin12345
> //Content-Type:application/x-www-form-urlencoded\
>
> "

Just keep in mind to change IP address 192.168.0.38 to your IP address of Firepower Chassis Manager / FXOS manager along with proper credentials, rest of the command attributes you can keep as above.

Hi Veronika:

JOSE MARIA PEREZ ALBA — Thu, 25 May 2017 15:37:06 GMT

Hi Veronika:

Now, it is working. I have the same output and I have the token 🙂 . I think that my error was to encode my password wrong for the basic authentication.

It is working at 4100 and 9300 series.

Also, I have modified your POST request. I have deleted two headers, modified Content-Type to application/json (documentation from CISCO say: "All REST API clients must send an HTTP Accept Header that is set to application/json" from https://developer.cisco.com/site/ssp/firepower/) and curl command should be:

curl -X POST -v -k https://yourFXOS_IP/api/login --insecure -H "\
Authorization:Basic YWRtaW46VmtsYXV6b3YxMjM=
USERNAME:admin
PASSWORD:admin12345
//Content-Type:application/json\
"

For me, it is working.

Thank you very much for your helping.

You're welcome, you saved

Veronika Klauzova — Thu, 25 May 2017 15:39:24 GMT

You're welcome, you saved some time with upgrade that was not necessary. Glad that it works now.

By the way thanks for sharing Cisco recommendations and relevant doc.