topic I created a new python script in Network Security

Cisco Firepower API

jason_williams — Tue, 12 Mar 2019 13:14:53 GMT

Firepower Management Center API - Object Management

One of my customers, recently migrated to Cisco Firepower Threat Defense. One of the challenges that I ran into was the ASA Configuration migration script from Cisco duplicated objects in Firepower Management Center.

To delete these objects, required clicking delete for each object. This was a painful and time consuming activity, so I built a python script to delete object utilizing the FMC API. Attached to this blog is a python script that will allow you to delete unused objects. If you need to delete a large number of objects, it will save you time.

I created a new python script

jason_williams — Thu, 19 Jan 2017 20:50:43 GMT

I created a new python script that will utilize the API to create a CSV of the Access Control Policy. See the link below for all the FMC Python scripts.

https://github.com/scourge71/fmcapi

Jason,

michmcda — Mon, 27 Mar 2017 17:42:05 GMT

Jason,

Nice scripts. Do you have similar on creating or adding a new access rule to an existing access control policy? Getting the following on my attempt:

{"error":{"category":"FRAMEWORK","messages":[{"description":"No data."}],"severity":"WARN"}}

Of course, my input JSON is probably not correct, since finding good reference for this has been difficult.

Any pointers to additional test scripts, or docs will be a great.

michmcda,

jason_williams — Wed, 29 Mar 2017 02:20:56 GMT

michmcda,

The documentation is lacking. Are you utilizing the api-explorer built-in to Firepower? I ended up do a lot of trial and error with Postman. Check out the links below too. Also, you can post your JSON syntax, so I can look at it.

Postman:

https://www.getpostman.com

CDW Blog:

http://blog.cdw.com/security/programing-ciscos-firepower-6-1-rest-api

michmcda,

neipatel — Wed, 29 Mar 2017 13:20:23 GMT

michmcda,

To be sure of your code can you also provide the script you are using? Couple pointers:

The method should be PUT with the request URI :

/api/fmc_config/v1/domain/DomainUUID/policy/accesspolicies/id_of_access_policy_you_are_editing

A JSON content example would be :

{
  "name": "Access Policy to Edit",
  "description": "Test REST API policy",
  "type": "AccessPolicy",
  "id": "id_of_access_policy_you_are_editing",
  "defaultAction": {
    "intrusionPolicy": {
      "id": "id_of_existing_or_new_intrusion_policy",
      "type": "IntrusionPolicy"
    },
  "type": "AccessPolicyDefaultAction", 
  "logBegin": "true/false", 
  "logEnd": "true/false", 
  "sendEventsToFMC": "true/false",
  "action": "any_allowed_action_enum", 
  "id": "id_of_default_action",
    "variableSet": {
      "id": "id_of_variableSet_to_be_added",
      "type": "VariableSet"
    },
    "snmpConfig": {
      "id": "id_of_snmpConfig_object",
      "type": "SNMPAlert"
    },
    "syslogConfig": {
      "id": "id_of_syslog_object",
      "type": "SyslogAlert"
    },

  }
}

Re: I created a new python script

prashant dwivedi — Sat, 26 Aug 2017 02:09:58 GMT

got it working..thanks

Re: I created a new python script

prashant dwivedi — Sun, 27 Aug 2017 05:28:29 GMT

Hey Mate,

Need your help please! I need to import pre-filter policy. Do you have any script for the same ?

I have retrived ACP sucessfully using your script , thanks to you.

I have migrated ASA to FTD and all policies have been migrated as a part of pre-filter policy. its good to import all of them in an excel file for futher reading.

Thanks for your help

Re: Cisco Firepower API

GWH-jayohaitchenn — Tue, 20 Nov 2018 16:33:58 GMT

Hi Jason,

Wonderful idea, and it's feature that sound be in the FMC, in my opinon.

However, I am having trouible getting it to run. I have python v3 running on my Windows 10 laptop and get syntax errors when running. Do I need to use a different version of Python?

Thanks

John

Re: Jason,

ismail_salma1987 — Tue, 07 May 2019 07:59:43 GMT

Hello Jason,

Can i have a script which will add/remove rules in an ACP from Excel/CSV.

Looking forward for ur response.

Regards

Ismail Kalolwala

kalolwalaismail@yahoo.com

Re: I created a new python script

ismail_salma1987 — Tue, 07 May 2019 08:01:14 GMT

Hello Prahant,

Can i have the script which adds/remove rules from ACP.

Regards

Ismail Kalolwala

kalolwalaismail@yahoo.com