topic Re: FMC API 6.2 - API access to Prefilter policies and rules in Network Security

FMC API 6.2 - API access to Prefilter policies and rules

nosc — Fri, 21 Feb 2020 14:20:05 GMT

Greetings -

I was wondering if there was a way to programmatically access the prefilter policies/rules via the REST API. I don't necessarily need to write to the database - a simple GET to the prefilter table and rules will suffice.

The REST documentation is good for the ACP, but I couldn't find anything regarding the prefilter rules.

Thanks in advance!

Re: FMC API 6.2 - API access to Prefilter policies and rules

Marvin Rhoads — Wed, 20 Sep 2017 03:35:34 GMT

I don't believe that's exposed via the API at this stage (i.e. as of FMC 6.2.2).

The best you can do is screen scrape it using one of the ssh tools like Netmiko. The policy is stored in the file structure on the sensor in a place like:

./ngfw/var/sf/detection_engines/ea54a18a-92d2-11e7-8daf-2668033706e7/code/SF/Prefilter/PrefilterPolicy.pm

The long alphanumeric string in there is a GUID for your policy version. The parent directory contains all of the various policies as you can see here:

root@vftd-new:/# ls -al ./ngfw/Volume/6.2.2/sf/detection_engines/ea54a18a-92d2-11e7-8daf-2668033706e7/code/SF
total 144
drwxr-xr-x 17 root root 4096 Sep 18 12:50 .
drwxr-xr-x 4 root root 4096 Sep 18 12:50 ..
drwxr-xr-x 3 root root 4096 Sep 18 12:50 DNS
drwxr-xr-x 4 root root 4096 Sep 18 12:50 Files
drwxr-xr-x 2 root root 4096 Sep 18 12:50 GeoBlocking
drwxr-xr-x 3 root root 4096 Sep 18 12:50 IPReputation
drwxr-xr-x 5 root root 4096 Sep 18 12:50 Intrusion
drwxr-xr-x 2 root root 4096 Sep 18 12:50 ND
drwxr-xr-x 4 root root 4096 Sep 18 12:50 NGFW
drwxr-xr-x 4 root root 4096 Sep 18 12:50 NetworkAnalysis
-r--r--r-- 1 root root 76944 Sep 18 12:50 NetworkDiscovery.pm
drwxr-xr-x 2 root root 4096 Sep 18 12:50 Prefilter
drwxr-xr-x 2 root root 4096 Sep 18 12:50 QoS
drwxr-xr-x 6 root root 4096 Sep 18 12:50 RNA
drwxr-xr-x 6 root root 4096 Sep 18 12:50 SSL
drwxr-xr-x 2 root root 4096 Sep 18 12:50 System
drwxr-xr-x 2 root root 4096 Sep 18 12:50 Transaction
drwxr-xr-x 3 root root 4096 Sep 18 12:50 UMPD
root@vftd-new:/#

@Oliver Kaiser may be able to shed some light as his blog has some tips for working with the API.

http://dependencyhell.net/2017/07/09/Dumping-Firepower-ACP/

Re: FMC API 6.2 - API access to Prefilter policies and rules

nosc — Wed, 20 Sep 2017 04:32:45 GMT

Thanks Marvin! That's actually really helpful and may get me where I need to go. Hopefully Cisco decides to expose it via REST in the future, but I can definitely work with this.

Appreciate the help!

Re: FMC API 6.2 - API access to Prefilter policies and rules

Marvin Rhoads — Wed, 20 Sep 2017 10:41:50 GMT

Glad it helped. Please mark the reply as helpful if you found it to be so.

Re: FMC API 6.2 - API access to Prefilter policies and rules

Oliver Kaiser — Wed, 20 Sep 2017 11:24:24 GMT

As Marvin pointed out there is currently no way to get prefilter policy rules from the FMC REST API as of now. I checked the roadmap from mid 2017 and didnt find any information on when it will be added to the API... I think it will probably take one year since routing and nat will be implemented in the near future.

regards

Oliver

Re: FMC API 6.2 - API access to Prefilter policies and rules

Ty Rost — Fri, 06 Mar 2020 12:46:16 GMT

FWIW it looks like the prefilter rest APIs are now exposed in 6.4. I don't see anyway to write prefilter policies yet...

Re: FMC API 6.2 - API access to Prefilter policies and rules

Oliver Kaiser — Sat, 07 Mar 2020 08:25:44 GMT

You will need to upgrade to 6.5.0 - CRUD operations for prefilter rules have been added. See release notes for details: https://www.cisco.com/c/en/us/td/docs/security/firepower/650/relnotes/firepower-release-notes-650/features.html