topic Re: why we can't push the configuration by CLI in FTD? in Network Security

why we can't push the configuration by CLI in FTD?

Sudqi — Mon, 22 Jan 2024 08:42:06 GMT

we have many deterrent FW, all of types I worked in have two options for the configuration, GUI of CLI

but in Cisco FTD there is no CLI option, which is make it very hard to add a long object of dynamic template for example

any solution for this weak point?

Thanks

Re: why we can't push the configuration by CLI in FTD?

Rob Ingram — Mon, 22 Jan 2024 09:21:01 GMT

@Sudqi no you cannot push configuration from CLI. You do have the option to use dynamic objects which can be uploaded via RestAPI and do not require a policy to be pushed.

https://integratingit.wordpress.com/2021/06/19/ftd-dynamic-objects/

https://www.youtube.com/watch?v=Azvc7HR_cmo

Re: why we can't push the configuration by CLI in FTD?

Sudqi — Mon, 22 Jan 2024 09:33:18 GMT

Thanks Rob,

I mean the long object-group, and the dynamic template, and this is an example, I need to know the value for deny the CLI configuration in the FTD?

Re: why we can't push the configuration by CLI in FTD?

Marius Gunnerud — Mon, 22 Jan 2024 13:50:29 GMT

It is possible to configure the FTD from the CLI, however this is only useful for small configuration changes, for example adding a static route in the instance where an incorrect static route is deployed from the FMC and access between FMC and FTD has been lost. In these cases you would also be required to make the same changes in the FMC GUI as this configuration will be overwritten during the next deployment push.

You can use API to add these objects to the FTD (https://<FMC IP>/api/api-explorer), or you can use the import Network Objects option in the GUI under Objects > Network and click on add network.

Re: why we can't push the configuration by CLI in FTD?

MHM Cisco World — Mon, 22 Jan 2024 13:56:15 GMT

https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/215972-push-objects-in-bulk-to-fmc-using-rest-a.pdf&ved=2ahUKEwiZrL_tkvGDAxUURvEDHVuAAnAQFnoECAoQAQ&usg=AOvVaw2Uhq6uvymesiUcjX3tKdSq

Check this friend

MHM

Re: why we can't push the configuration by CLI in FTD?

Marvin Rhoads — Mon, 22 Jan 2024 14:55:39 GMT

You may also find CSDAC useful, depending on your use case.

https://secure.cisco.com/secure-firewall/docs/cisco-secure-dynamic-attribute-connector

Re: why we can't push the configuration by CLI in FTD?

Sudqi — Tue, 23 Jan 2024 06:32:19 GMT

Unfortunately Marius, this method to import will import an object, not object group, so if we have 10,000 line, there will be 10,000 object,

Re: why we can't push the configuration by CLI in FTD?

Marius Gunnerud — Tue, 23 Jan 2024 11:41:42 GMT

Then your only option would be to use API to do this.

Here is a script you can use as a starting point for adding an object group to the FMC. You will need to add some logic to it to parse through your object group and add it to the _object dictionary as needed. You will also need to update the DOMAIN_UUID value to the FMC domain UUID.

As always, before using the script in your production environment be sure to test it in a lab to make sure it does what you are expecting it to do.

#!/usr/bin/env python3 import json from pprint import pprint import requests from requests.auth import HTTPBasicAuth import sys address = "10.10.10.10" username = "user" password = "password" DOMAIN_UUID = "e276abec-e0f2-11e3-8169-6d9ed49b625f" headers = {'Content-Type' : 'application/json'} verify = False if not verify: from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) def get_auth_token(address, username, password): try: _api_uri = "/api/fmc_platform/v1/auth/generatetoken" _url = "https://" + address + _api_uri _response = requests.request("POST", _url, verify=False, auth=HTTPBasicAuth(username, password)) accesstoken = _response.headers["X-auth-access-token"] refreshtoken = _response.headers["X-auth-refresh-token"] DOMAIN_UUID = _response.headers["DOMAIN_UUID"] return {"X-auth-access-token" : accesstoken, "X-auth-refresh-token" : refreshtoken, "DOMAIN_UUID" : DOMAIN_UUID} except Exception as err: print("Error in generating auth token --> " + str(err)) sys.exit() def send_data(action, api_uri, rule_data): try: _api_uri = api_uri _url = _api_uri #print(rule_data) _response = requests.request(f"{action}", _url, data=json.dumps(rule_data), verify = False, headers=headers) _status_code = _response.status_code _resp = _response.text json_rest = json.loads(_resp) print(json.dumps(json_rest,sort_keys=True,indent=4, separators=(",", ": "))) print() if _status_code == 201 or _status_code == 202: print(f"### {action} successful #### ") print() print() else: _response.raise_for_status() print(f"Error occured in {action} --> " + _resp) print() except requests.exceptions.HTTPError as _err: print("Error in connection --> " + str(_err)) print() print() def objectGroup(): _object = { "name" : "NewObjectGroup", "type" : "NetworkGroup", "literals": [ {"type": "Network", "value": "1.2.3.0/24" }, { "type": "Host", "value": "1.2.3.4" } ], "objects": [ { "type": "Network", "id": "1dcefdd8-07f7-438a-9221-97d63710614e" }, { "type": "Host", "id": "04ea3f1f-f5a9-4eca-b051-487ebeb4c97f" } ] } return _object ############# # MAIN CODE # ############# response = get_auth_token(address, username, password) headers["X-auth-access-token"] = response["X-auth-access-token"] headers["X-auth-refresh-token"] = response["X-auth-refresh-token"] netObjGrp_url = f"https://{address}/api/fmc_config/v1/domain/{DOMAIN_UUID}/object/networkgroups" send_data("POST", netObjGrp_url, objectGroup())