03-14-2023 02:45 PM
Hello!
I'm trying to automate my FMC deployment to be able to add rules with some ease, been looking at https://github.com/CiscoDevNet/FMCAnsible and their examples but I'm stuck when trying to add a firewall rule with a port number.
I've got as far as being able to add a new network and add the rule to the access-policy, but I can't figure out how to add a port to a firewall rule without being forced to specify id, name, protocol and port.
When using Postman I get the following response, for example for DNS as a port. I'm not sure if there is any "easy" way to solve this, or whether there is another way that doesn't require looking up the id for every specific port number and a lot of manual work?
I've tried "GetallprotocolObjects", but that comes back as a list and I'm not sure how to break it down easily to extract the information?
"links": {
"self": "https://10.100.0.56/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/object/protocolportobjects/1834e712-38bb-11e2-86aa-62f0c593a59a",
"parent": "https://10.100.0.56/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/object/ports"
},
"type": "ProtocolPortObject",
"port": "53",
"protocol": "TCP",
"overridable": false,
"description": " ",
"name": "DNS_over_TCP",
"id": "1834e712-38bb-11e2-86aa-62f0c593a59a",
"metadata": {
"readOnly": {
"state": true,
"reason": "SYSTEM"
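---
# Prompt for two network objects and a port object, create the networks, then
# upsert an access rule in an FMC access policy via cisco.fmcansible.
#
# Every getAll* operation returns a list. Results are addressed with [0], and
# the module's `filters` option narrows a list so that [0] is the object we
# actually want (the access-policy lookup already used this pattern; the port
# lookup now does too, which removes the need to look up port object ids by
# hand).
#
# Prompted values are interpolated into the FMC request without local
# validation; FMC's own schema check is the only thing rejecting bad input.
# The rule's action is fixed to ALLOW, so a mistyped prefix or port widens
# what the policy permits -- review the FMC deploy preview before deploying.
- hosts: all
  connection: httpapi   # FMC credentials/host come from the inventory, not this file
  vars_prompt:
    - name: access_rule_name
      prompt: "Name of the Rule"
      private: false
    - name: net1_name
      prompt: "What shall the source network be called ie SRV1234"
      private: false
    - name: net1_network
      prompt: "What source prefix?"
      private: false
    - name: net2_name
      prompt: "What shall source network be called ie SRV1234"
      private: false
    - name: net2_network
      prompt: "What destination prefix?"
      private: false
    # Name of an EXISTING ProtocolPortObject on the FMC (e.g. the built-in
    # "SSH" or "DNS_over_TCP"); it is resolved to its id below.
    - name: port_name
      prompt: "What name does the port has ie SSH"
      private: false
    # port_number / port_prot are still prompted for compatibility, but the
    # rule below takes port and protocol from the resolved object so they can
    # never disagree with the referenced id.
    - name: port_number
      prompt: "Which port? ie 22"
      private: false
    - name: port_prot
      prompt: "UDP OR TCP?"
      private: false

  tasks:
    - name: Get Domain
      cisco.fmcansible.fmc_configuration:
        operation: getAllDomain
        register_as: domain

    - name: create auxilary network object
      cisco.fmcansible.fmc_configuration:
        operation: createMultipleNetworkObject
        path_params:
          domainUUID: '{{ domain[0].uuid }}'
        data:
          name: '{{ net1_name }}'
          value: '{{ net1_network }}'
          type: "networkobject"
        register_as: net1

    - name: create auxilary network object
      cisco.fmcansible.fmc_configuration:
        operation: createMultipleNetworkObject
        path_params:
          domainUUID: '{{ domain[0].uuid }}'
        data:
          name: '{{ net2_name }}'
          value: '{{ net2_network }}'
          type: "networkobject"
        register_as: net2

    # NOTE: `securityzone` is registered but the rule below still pins zone
    # UUIDs; a bare `query_params:` (parsed as null) was dropped.
    - name: Get Security zones
      cisco.fmcansible.fmc_configuration:
        operation: getAllSecurityZoneObject
        path_params:
          domainUUID: '{{ domain[0].uuid }}'
        register_as: securityzone

    # Resolve the prompted port name to the existing object. If nothing
    # matches, ports_list is empty and the [0] reference in the rule task
    # fails the play instead of silently referencing the wrong object.
    - name: Get a specific Network port
      cisco.fmcansible.fmc_configuration:
        operation: getAllProtocolPortObject
        path_params:
          domainUUID: '{{ domain[0].uuid }}'
        filters:
          name: '{{ port_name }}'
        register_as: ports_list

    - name: Get Access Policy
      cisco.fmcansible.fmc_configuration:
        operation: getAllAccessPolicy
        path_params:
          domainUUID: '{{ domain[0].uuid }}'
        filters:
          name: test
        register_as: accesspolicy

    - name: Create an access rule allowing trafic from Cisco DevNet
      cisco.fmcansible.fmc_configuration:
        operation: upsertAccessRule
        data:
          name: '{{ access_rule_name }}'
          enabled: true
          type: accessrule
          # Logging at both ends plus events to FMC gives a full audit trail
          # for the ALLOW below.
          enableSyslog: true
          logBegin: false
          logEnd: true
          sendEventsToFMC: true
          sourceNetworks:
            objects:
              - id: '{{ net1.id }}'
                name: '{{ net1.name }}'
                type: '{{ net1.type }}'
          destinationNetworks:
            objects:
              - id: '{{ net2.id }}'
                name: '{{ net2.name }}'
                type: '{{ net2.type }}'
          # Zone ids are specific to one FMC domain; the play is not portable
          # until these are looked up by name like the port object is.
          sourceZones:
            objects:
              - id: "0da15f40-c05c-11ed-bf30-e6c0783cef62"
                name: "inside"
                type: "SecurityZone"
          destinationZones:
            objects:
              - id: "19681e2e-c06e-11ed-8869-dc0da85893f5"
                name: "internet"
                type: "SecurityZone"
          # ports_list is a list, so `ports_list.id` is undefined; reference
          # the filtered object and copy its own fields.
          destinationPorts:
            objects:
              - id: '{{ ports_list[0].id }}'
                type: '{{ ports_list[0].type }}'
                name: '{{ ports_list[0].name }}'
                port: '{{ ports_list[0].port }}'
                protocol: '{{ ports_list[0].protocol }}'
          section: test
          action: ALLOW
        # The access-rule endpoint is addressed by domain and policy only;
        # SecurityZoneUUID / PortObjectGroupsUUID belong to other endpoints
        # and were removed.
        path_params:
          containerUUID: '{{ accesspolicy[0].id }}'
          domainUUID: '{{ domain[0].uuid }}'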