topic Firepower 7.4: add objects using LINA (diagnostic-cli ) in exec mode in Network Security

Firepower 7.4: add objects using LINA (diagnostic-cli ) in exec mode

tryingtofixit — Sun, 20 Oct 2024 12:31:20 GMT

can I copy paste objects directly into the diagnostic-cli (exec mode) and have fmc read them? I want to mass add about 100 "host" objects and 100 network ranges. It's a snap to do it in the ASA in the cli, and thankfully I need the same 200 in firepower.

what about editing existing objects in the lina ACL's, does the fmc read these edits?

What is the limitation of editing ACL's, objects, etc in the diagnostic-cli, is that in a doc somewhere?

Re: Firepower 7.4: add objects using LINA (diagnostic-cli ) in exec mo

Rob Ingram — Sun, 20 Oct 2024 12:39:03 GMT

@tryingtofixit no, unfortunately that won't work.

You can import objects into the FMC from a CSV file.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/objects-object-mgmt.html?bookSearch=true#importing_objects

Or you could use a python script to import the objects.

Re: Firepower 7.4: add objects using LINA (diagnostic-cli ) in exec mo

tryingtofixit — Sun, 20 Oct 2024 13:00:45 GMT

yeah, this is about as clear as mud their "CSV" standards. what about some CSV file examples? how do I import a network range, a network FQDN. got any more websites you can direct me to. As for python, betting there are ZERO cisco approved "blessed" python scripts for doing adds/moves/changes? let me guess head to "gitbhub" and spin the python script firepower "wheel of luck?" 🙂 🙂

Re: Firepower 7.4: add objects using LINA (diagnostic-cli ) in exec mo

Rob Ingram — Sun, 20 Oct 2024 13:06:24 GMT

@tryingtofixit here is the CSV format, amend to fit your needs.

Re: Firepower 7.4: add objects using LINA (diagnostic-cli ) in exec mo

Jonatan Jonasson — Sun, 20 Oct 2024 13:39:35 GMT

The import objects dialogue provides sample data (see screenshot below), and pressing the question mark in the upper right corner gives you the same page as Rob linked above.

With this you should have enough information to be able to create your CSV file in the correct syntax.

Regarding python scripts, first of all you should start by going to the DevNet Code Exchange (https://developer.cisco.com/codeexchange/) before testing your luck on a random github repository.

That being said, most scripts are focused on more advanced things, and each use case can be slightly different.
And if you've already reached the point where your input data is structured, (unless you were planning to automate the reading of the ASA config, which is another story), it's easier just to convert into the CSV structure and import via GUI.
Which is why you probably wont find many scripts focused solely on importing objects.

Re: Firepower 7.4: add objects using LINA (diagnostic-cli ) in exec mo

tryingtofixit — Sun, 20 Oct 2024 16:25:47 GMT

thanks for the info.

We have modified and added ACL's via the Lina interface and these rules do show up in the FMC. don't know if that is supported but it does work at least in 7.0.4 of the FMC.

One thing I have noticed that unless the object is being used in a rule, it's not in the lina config my guess to preserve memory and increase performance.

If cisco can spend big $$$ on their firewall migration program, why can't they devote some time to make official cisco supported scripts for the API and firepower? I have attempted to use some of these python scripts to dump out ACL's and other things from the API. "lacking" is an understatement. When was the last time a FP release included new reports that people have been wanting, python and API solution are just cisco not wanting to put effort into development. For the price cisco charges for FP/FMC, it is severely under powered in reporting.

Still no report to print out objects and ACL's into a spreadsheet (xls) format. that is just 1 example in the "die on the vine" mentality cisco has toward the GUI in FMC. It's the "Apple method". Give the customers what you want them to have not what they are asking for.

Re: Firepower 7.4: add objects using LINA (diagnostic-cli ) in exec mo

tryingtofixit — Mon, 21 Oct 2024 14:18:31 GMT

test

Re: Firepower 7.4: add objects using LINA (diagnostic-cli ) in exec mo

tryingtofixit — Mon, 21 Oct 2024 16:34:55 GMT

what would fqdn be? Also noticed that community doesn't accept CSV if put into text for some reason. (edit its mention of fbook) that violates the rules thanks for the delayed private message spambot!)

is this the only docs for importing for csv's

Firepower Management Center Configuration Guide, Version 7.0 - Reusable Objects [Cisco Secure Firewall Management Center] - Cisco

What about port groups? can I create a port group for import? sure doesn't look that way.

The column header must be mentioned in capital letters.
The file must have the following columns headers:

NAME
PROTOCOL
PORT
ICMPCODE
ICMPTYPE

The NAME column entry is mandatory.

For 'tcp' and 'udp' protocol types, the PORT column entry is mandatory.
For 'icmp' and 'icmp6' protocol types, the ICMPCODE and ICMPTYPE column entries are mandatory.

I have at least 50 port groups, having to "gui" them together from individual ports is unacceptable with FP being this mature into its development stage. Python and API are the cop-out method of having a bad GUI that has had almost zero feature improvements in 5+ years. Thanks