09-02-2020 06:39 AM
Hello,
I am having some issues while working with the FMC API. The current API version is FMC Version: 6.4.0.7 (build 53). What I am trying to achieve is to add a new rule to an existing Access Policy object via Ansible using the API. However, it's not very clear in the api-explorer of the FMC how to add Source Address, port numbers and other bits and pieces that I need to specify to configure the "specific" rule.
As an example, I will need to enter the following rule:
- Source: 10.10.10.0/24
- Destination: any in UDP port 53.
Then permit the above rule.
Note: I don't have any problems with Ansible connectivity to the Firewall or converting YAML to JSON; it is just a matter of not having enough details to structure and implement the rule above in JSON format.
I did this below and it worked, however it fails when I use the field "sourceNetworks" at the bottom line.
/api/v1/fmc_config/domain/{{domainuuid}}/policy/accesspolicies/{{containeruuid}}/accessrules
body:
  action: "ALLOW"
  enabled: false
  type: "AccessRule"
  name: "ansible_test1"
  sendEventsToFMC: true
  logFiles: true
  logBegin: true
  logEnd: true
  sourceNetworks:
    type: "10.30.7.0/24"
Any help will be really appreciated!
Thanks!
Alvaro
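As an added example (not code from the original post, nor from the amotolani/cisco_fmc collection mentioned later in the thread), here is a Python helper that assembles the rule described above (source 10.10.10.0/24, destination any, UDP port 53, allow) in the literal-value form and checks the body's shape before it is sent to the FMC. It assumes the field names of the FMC REST API accessrules resource (sourceNetworks.literals with Host/Network entries, destinationPorts.literals with PortLiteral entries, protocol "17" for UDP); confirm them against your FMC version's api-explorer.

```python
import ipaddress
import json

UDP = "17"  # IP protocol number for UDP; FMC PortLiteral carries it as a string

def network_literal(cidr):
    """Return a Host literal for a single address, else a Network literal for the CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses == 1:
        return {"type": "Host", "value": str(net.network_address)}
    return {"type": "Network", "value": str(net)}

def build_access_rule(name, source_cidrs, dest_udp_ports, action="ALLOW"):
    """Assemble the accessrules POST body; omitting destinationNetworks means 'any'."""
    return {
        "type": "AccessRule",
        "name": name,
        "action": action,
        "enabled": True,
        "sendEventsToFMC": True,
        "logBegin": True,
        "logEnd": True,
        "sourceNetworks": {"literals": [network_literal(c) for c in source_cidrs]},
        "destinationPorts": {"literals": [
            {"type": "PortLiteral", "protocol": UDP, "port": str(p)} for p in dest_udp_ports]},
    }

def validate_rule_body(body):
    """Return a list of problems (empty means well-formed). Flags the original post's
    mistake of putting a CIDR string directly under sourceNetworks.type."""
    problems = []
    for key in ("sourceNetworks", "destinationNetworks", "sourcePorts", "destinationPorts"):
        section = body.get(key)
        if section is None:
            continue
        if not isinstance(section, dict) or not ({"literals", "objects"} & set(section)):
            problems.append(f"{key} must be an object holding 'literals' and/or 'objects'")
            continue
        allowed = {"Host", "Network"} if key.endswith("Networks") else {"PortLiteral"}
        for lit in section.get("literals", []):
            if lit.get("type") not in allowed:
                problems.append(f"{key} literal has unexpected type {lit.get('type')!r}")
    return problems

if __name__ == "__main__":
    rule = build_access_rule("ansible_test1", ["10.10.10.0/24"], [53])
    print(json.dumps(rule, indent=2))
    print(validate_rule_body(rule))
    print(validate_rule_body({"sourceNetworks": {"type": "10.30.7.0/24"}}))  # shape from the post
```

The same dict can be handed to Ansible's uri module as `body` with `body_format: json`, and the validator runs cleanly on a body that references existing objects via an `objects` list too.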
02-10-2021 11:41 PM
Hello @alconstantinoga1 ,
You can try using the ansible collection we built for the fmc.
It's available on Ansible Galaxy: https://galaxy.ansible.com/amotolani/cisco_fmc
Hope it helps.
03-15-2022 08:14 AM
@amotolani I am using your Collection and really appreciate it.
But I ran into an issue when creating an ACP rule and hope you can shed some light here.
In acp_rule.py, I would like to use destination port groups instead of individual port objects, for example, ADMIN-PORTGROUP (like SSH, RDP, etc.)
03-17-2022 11:00 AM
@a12288 wrote: @amotolani I am using your Collection and really appreciate it.
But I ran into an issue when creating an ACP rule and hope you can shed some light here.
In acp_rule.py, I would like to use destination port groups instead of individual port objects, for example, ADMIN-PORTGROUP (like SSH, RDP, etc.)
destination_ports:
  action: add
  name: demo_port2
When I tried to use pre-defined port groups, Ansible complains with "msg": "Check that the destination_ports are existing cisco_fmc objects", though the destination port groups and port objects are defined already. You have port_group.py which defines port groups, so I believe acp_rule.py could use port groups, but I do not know where I went wrong. Thanks.
Leo
Hello a12288,
Cool to see that the whole thing is useful to someone.
On the issue, currently the source_ports and destination_ports options only give you the ability to add port objects to the Access rule. That is the reason you get that error message. The collection tries to find port objects with the name ADMIN-PORTGROUP and can't find it, obviously.
What you can do is open an issue on the repo about this and I should be able to find some time to make the collection better by adding this option.
Cheers!
03-21-2022 01:33 PM
Hi, Amotolani.
I opened 2 issues last week and would appreciate it if you could spend some time improving your collection; these enhancements would be very helpful!
Leo