cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
825
Views
0
Helpful
0
Replies

Ansible for FMC - trying to add access rule with dest port

the_wizard
Level 1
Level 1

Hello!

I'm trying to automate my FMC deployment to be able to add rules with some ease, been looking at https://github.com/CiscoDevNet/FMCAnsible and their examples but I'm stuck when trying to add a firewall rule with a port number.

I've got as far as being able to add a new network and add the rule to the access-policy but I can can't figure out how to add a port to a firewall rule without being forced to being able to specify id, name, protocol and port.

When using postman I get the following response for example DNS as a port. I'm not sure if there is any "easy" way to solve this or is there is another way without looking up the id for every specific port number and a lot of manually work?

I've tried to get  "GetallprotocolObjects" but that comes back as a list and not sure how you can break this down easy to extract the information?


            "links": {
                "self": "https://10.100.0.56/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/object/protocolportobjects/1834e712-38bb-11e2-86aa-62f0c593a59a",
                "parent": "https://10.100.0.56/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/object/ports"
            },
            "type": "ProtocolPortObject",
            "port": "53",
            "protocol": "TCP",
            "overridable": false,
            "description": " ",
            "name": "DNS_over_TCP",
            "id": "1834e712-38bb-11e2-86aa-62f0c593a59a",
            "metadata": {
                "readOnly": {
                    "state": true,
                    "reason": "SYSTEM"

 

 

- hosts: all
  connection: httpapi
  vars_prompt:

    - name: access_rule_name
      prompt: "Name of the Rule"
      private: false

    - name: net1_name
      prompt: "What shall the source network be called ie SRV1234"
      private: false
      
    - name: net1_network
      prompt: "What source prefix?"
      private: false

    - name: net2_name
      prompt: "What shall source network be called ie SRV1234"
      private: false

    - name: net2_network
      prompt: "What destination prefix?"
      private: false
    
    - name: port_name
      prompt: "What name does the port has ie SSH"
      private: false
    
    - name: port_number
      prompt: "Which port? ie 22"
      private: false

    - name: port_prot
      prompt: "UDP OR TCP?"
      private: false


      

  tasks:
    - name: Get Domain
      cisco.fmcansible.fmc_configuration:
        operation: getAllDomain
        register_as: domain

    - name: create auxilary network object
      cisco.fmcansible.fmc_configuration:
        operation: createMultipleNetworkObject
        path_params:
          domainUUID: '{{ domain[0].uuid }}'
        data:
          name:  '{{ net1_name }}'
          value: '{{ net1_network }}'
          type:   "networkobject"
        register_as: net1

    - name: create auxilary network object
      cisco.fmcansible.fmc_configuration:
        operation: createMultipleNetworkObject
        path_params:
          domainUUID: '{{ domain[0].uuid }}'
        data:
          name:  '{{ net2_name }}'
          value: '{{ net2_network }}'
          type: "networkobject"
        register_as: net2

    - name: Get Security zones
      cisco.fmcansible.fmc_configuration:
        operation: getAllSecurityZoneObject
        path_params:
          domainUUID: '{{ domain[0].uuid }}'
          query_params:
        register_as: securityzone
      
    - name: Get a specific Network port
      cisco.fmcansible.fmc_configuration:
        operation: getAllProtocolPortObject
        path_params:
          domainUUID: '{{ domain[0].uuid }}'
        register_as: ports_list

    - name: Get Access Policy
      cisco.fmcansible.fmc_configuration:
        operation: getAllAccessPolicy
        path_params:
          domainUUID: '{{ domain[0].uuid }}'
        filters:
          name: test
        register_as: accesspolicy
                  
    - name: Create an access rule allowing trafic from Cisco DevNet
      cisco.fmcansible.fmc_configuration:
        operation: upsertAccessRule
        data:
          name: '{{ access_rule_name }}'
          enabled: True
          type: accessrule
          enableSyslog: true
          logBegin: False
          logEnd: True
          sendEventsToFMC: True
          sourceNetworks:
            objects:
              - id: '{{ net1.id }}'
                name: '{{net1.name }}'
                type: '{{ net1.type }}'
          destinationNetworks:
            objects:
              - id: '{{ net2.id }}'
                name: '{{net2.name }}'
                type: '{{ net2.type }}'
          sourceZones: 
            objects:
              - id:   "0da15f40-c05c-11ed-bf30-e6c0783cef62"
                name: "inside"
                type: "SecurityZone"
          destinationZones: 
            objects:
              - id:   "19681e2e-c06e-11ed-8869-dc0da85893f5"
                name: "internet"
                type: "SecurityZone"
          destinationPorts:
            objects:
              - id: '{{ ports_list.id }}'
                type: "ProtocolPortObject"
                name: '{{ port_name }}'
                port: '{{ port_number }}'
                protocol: '{{ port_prot }}'

          section: test
          action: ALLOW
        path_params:
          containerUUID: '{{ accesspolicy[0].id }}'
          domainUUID: '{{ domain[0].uuid }}'
          SecurityZoneUUID: '{{ securityzone[0].id }}'
          PortObjectGroupsUUID: '{{ ports_list[0].id }}'

 

0 Replies 0