topic Re: Firewall configuration provided as a .txt file? in Network Security

Firewall configuration provided as a .txt file?

acfreema — Mon, 11 Sep 2023 19:44:18 GMT

I have a customer who wants a new site to have the same firepower firewall configuration (except the site-specific items) as another properly functioning site. When asked for the firewall configuration information, they sent a 34MB .txt file that looks like what I have pasted below. I haven't seen this before, and the other network engineer on my team is also confused by this. Can anyone help?

{"metadata":{"Exported version":"6.6.5-81","Generated on":"08-24-2023","Masked":true}}
{"version":"cllh35qmc4bq2","hardwareName":"Ethernet1/3","monitorInterface":true,"ipv4":{"ipType":"STATIC","defaultRouteUsingDHCP":false,"dhcp":false,"addressNull":true,"type":"interfaceipv4"},"ipv6":{"enabled":false,"autoConfig":false,"dhcpForManagedConfig":false,"dhcpForOtherConfig":false,"enableRA":false,"dadAttempts":1,"linkLocalAddress":

Re: Firewall configuration provided as a .txt file?

Marius Gunnerud — Mon, 11 Sep 2023 20:41:04 GMT

This is the API GET output for the FTD configuration. Technically you could just change what you need to in these files and then send them vial a POST call to the new FTD and you are good to go.

Re: Firewall configuration provided as a .txt file?

Marvin Rhoads — Tue, 12 Sep 2023 09:50:17 GMT

Assuming they are managed by the same FMC, you could also just onboard the new firewall with a basic config, add the full set of device specific details in FMC and then associate the same Access Control, NAT and platform policies to the new firewall.

Re: Firewall configuration provided as a .txt file?

acfreema — Tue, 12 Sep 2023 12:29:26 GMT

Thanks guys, that helps, but I'm still really confused. The first hurdle is "change what you need". This is my first exposure to a firepower firewall configuration, and without any contact with the firewall from which this configuration was pulled, so I don't know what would need to be changed. How do I find what I need to change? How is it arranged? After applying this configuration, would the firewall still be accessible to make changes that I didn't make prior to uploading the configuration? If it matters, these are both using FTD.

Re: Firewall configuration provided as a .txt file?

Marius Gunnerud — Tue, 12 Sep 2023 13:16:10 GMT

The answers to your questions depends on how you intend to configure the firewall. Through the GUI or through API. If you are going to configure via API I suggest looking at the API page and then look at the POST examples for each area you are going to configure. In FDM there is a link to the API page on the dashboard and in FMC add /api/api-explorer to the end of the FMC IP.

FDM and FMC APIs have slight differences in naming standards but for the most part they have the same structure.

So, this will not be a plain copy paste into the CLI, if you intend to use APIs you will need to do a separate API call for each configuration (interfaces, security zones, objects, NAT, Routing, etc.).

If you are not used to using APIs and programming this should not be a big deal, if not it looks more difficult than it actually is. It might take a little time to get used to the structure of the APIs but once that is down i goes like a breeze.

You can also have a look at the developer page for some insight into the firewall APIs.

https://developer.cisco.com/secure-firewall/