cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1546
Views
1
Helpful
4
Replies

FMC API unable to add access rule via Ansible

Hello,

 

I am having some issues while working with FMC API. The current API version is FMC Version: 6.4.0.7 (build 53). What I am trying to achieve is to add a new rule to an existing Access Policy object via Ansible using the API. However, it´s not very clear in the api-explorer of the FMC how to add Source Address, port numbers and other bit a pieces that I need to specify to configure the "specific" rule.

 

As an example, I will need to enter the following rule:

 

- Source: 10.10.10.0/24

- Destination: any in UDP port 53.

Then permit the above rule.

 

Note: I don´t have any problems with Ansible connectivity to the Firewall or converting YAML to JSON, is just a matter of not having enough details to structure and implement this rule above in JSON format.

 

I did this below and it worked, however it fails when I use the field "sourceNetworks" at the bottom line.

 

/api/v1/fmc_config/domain/{{domainuuid}}/policy/accesspolicies/{{containeruuid}}/accessrules

 

body:
    action: "ALLOW"
    enabled: false
    type: "AccessRule"
    name: "ansible_test1"
    sendEventsToFMC: true
    logFiles: true
    logBegin: true
    logEnd: true

 

   sourceNetworks:
        type: "10.30.7.0/24"

 

Any help will be really appreciated!

Thanks!

Alvaro

4 Replies 4

amotolani
Level 1
Level 1

Hello @alconstantinoga1 ,

 

You can try using the ansible collection we built for the fmc.

Its available on ansible galaxy. https://galaxy.ansible.com/amotolani/cisco_fmc

Hope it helps.

@amotolani I am using your Collection and really appreciated.

 

But I ran into an issue at creating ACP rule and hope you can shed some lights here.

at acp_rule.py, I would like to use destination port groups instead of individual port objects, for example, ADMIN-PORTGROUP ( like SSH, RDP, etc, etc)

    destination_ports:
      action: add
      name: demo_port2
when I tried to use pre-defined port groups the Ansible complains "" "msg": "Check that the destination_ports are existing cisco_fmc objects", though the destination port groups and port objects are defined already. You have port_group.py which defines port groups so I believe the acp_rule.py could use port groups but do not know where I got wrong. Thanks.
Leo

 


@a12288 wrote:

@amotolani I am using your Collection and really appreciated.

 

But I ran into an issue at creating ACP rule and hope you can shed some lights here.

at acp_rule.py, I would like to use destination port groups instead of individual port objects, for example, ADMIN-PORTGROUP ( like SSH, RDP, etc, etc)

    destination_ports:
      action: add
      name: demo_port2
when I tried to use pre-defined port groups the Ansible complains "" "msg": "Check that the destination_ports are existing cisco_fmc objects", though the destination port groups and port objects are defined already. You have port_group.py which defines port groups so I believe the acp_rule.py could use port groups but do not know where I got wrong. Thanks.
Leo

 

Hello a12288, 

 

Cool to see that the whole thing is useful to someone.

On the issue, currently the source_ports and destination_ports options only gives you the ability to add port objects to the Access rule. That is the reason you get that error message. The collection tries to find port objects with the name ADMIN-PORTGROUP and can't find it obviously.

What you can do is open an issue on the repo about this and i should be able to find some time to make the collection better by adding this option.


Cheers !

Hi, Amotolani.

 

I opened 2 issues last week and appreciate you could spend some time to improve your collection, this enhancements would be much helpful!

 

Leo

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:


This community is intended for developer topics around Data Center technology and products. If you are looking for a non-developer topic about Data Center, you might find additional information in the Data Center and Cloud community