Re: API based tool to save the Access Control Policy from FMC as CSV - Page 2

Raghunath Kulkarni · ‎10-18-2019

Hello Everyone,

Very often as Network Administrator there is a need to save the ACP on the Firepower Management Center(FMC) as CSV, while the FMC in itself supports the policy import and export option as a full-fledged feature there is no way to save the ACP as CSV.

The script attached here solves the problem, however, this is not a replacement for the backup features from FMC.

Note: This tool by no means is a replacement for the policy import and export option of FMC. This tool is intended to have the CSV generated for ACP.

It does not take the backup of the objects or IPS/File Policy associated, it just gives a listing of the configuration.

What is supported:

1. Policy extraction from the FMC over API.
2. Extracts Zones, Networks, Applications, URL's, Users, IPS Policy, File Policy, Variable Sets, Logging configurations.
3. The output format is in CSV with ";" separated multiple entries within a specific field.
4. Currently supported only on FMC, no FDM support available.

Upcoming features:

1. Auto-listing of available policies across the domains.
2. Support for ISE/SGT attributes.

3. Writing the CSV backup as ACP to the FMC.

Link on Devnet:

https://developer.cisco.com/codeexchange/github/repo/raghukul-cisco/csvExportFirepower/

The tool will be updated every month with new features wherever applicable.

#Firepower #FMC

P.S: This is not an official tool, so please leave your comment/feedback below and we will try our best to address it as soon as possible.

Version 3: Support for large rule sets. @Anupam Pavithran

@Anupam Pavithran

gihernandezn91 · ‎04-30-2020

Thank you very much! @Raghunath Kulkarni

Both rules 17 and 18 have the exact logging configuration, but so do the rest of the rules on top and those did export to csv. The only difference I´m seeing is that rule 17 has a comment.

Raghunath Kulkarni · ‎05-03-2020

Comments should not be a problem as the latest build which was shared includes that.

This looks to be a different problem.

Will this be okay, if you can log the TAC case and share the number here so that i can have a look at it. (Sharing the configuration here would not be a right thing to do here)

gihernandezn91 · ‎05-18-2020

Hi,

Wanted to tell you that i found the issue I was having while exporting policies. The issue was that everytime the code tries to export a rule with a rule name containing an accent mark, it threw the error above. I had to rename the rules with accent marks, for example from "Intrusión" to "intrusion" so it wouldn´t happen.

This error will probbaly show up a lot to spanish and french speaking admins.

Thanks

martin5641289 · ‎10-13-2021

I got similar error and based on previous hint about wrong logging options I found that regional letters were used in a rule name. After changing to pure ASCII the script continued in rule processing and the rule that had failed was processed correctly.

Than I found your response so I can confirm that the script has problems with rule name containing non-english characters. So I suggest to check rule names in case of this error. Classic ASCII characters are OK.

Neal Noem · ‎04-29-2020

How difficult would it be to modify the script to pull the object listing from the FMC? That would be useful for cleaning up duplicate objects.

1snelson · ‎04-29-2020

That would be a great addition - we have a great need to be able to see and review all of our objects and groups.

Raghunath Kulkarni · ‎05-03-2020

The extension of the tool is available, it would be great if you can have TAC case opened for it so that we will be able to assist with the request there.

Raghunath Kulkarni · ‎10-22-2020

The enhancements pertaining to object groups are added inherently included in the product.

You can have a quick check for the same in releases 6.4 (which gives object usage) and 6.6 which has further features.

1snelson · ‎10-23-2020

Would you kindly post a link to those releases that shows object usage? I can't seem to find them.

Thanks in advance.

ngoradia · ‎05-05-2020

Hello,

I downloaded this script, edited the required fields (device, username etc.). Tried to execute it but got the attached errors. New to using API's. I did a test API call via postman using the URL https://device_IP/api/fmc_platform/v1/auth/generatetoken and it worked. Any assistance is appreciated.

Thanks

1snelson · ‎07-27-2020

Is this an official tool yet? We would love to have the capability to export the group and object membership to a CSV as well if possible. I opened a TAC case with this request, but they don't seem to know about this tool.

Please advise.

Raghunath Kulkarni · ‎07-27-2020

The tool is not official yet, because as part of the product feature the policy export serves this purpose as SFO and so does backup/restore.

This utility is more API driven and hence we started out with the biggest use case of ACP as CSV. I completely understand the required for having the nested objects to be retrieved as part of this along with NAT.

Let me check once internally on the roadmap and only then I will be able to comment on the availability of the API version as a utility.

1snelson · ‎07-28-2020

I am not so much concerned about whether the tool becomes officially supported or not, but rather whether it will ever be able to export the objects and groups? We appreciate all the time and effort you have put into this - it saves us so much time when we do our firewall reviews.

thank you!

JohnPeterson20175 · ‎10-01-2020

Hi

This utility works perfectly to report on policies on one of my FMCs where all policies are less than 20 lines and are defined in the Global domain. Unfortunately, I encounter traceback errors when running it against two other FMCs which have domains defined. It does successfully connect and returns the names of the policies defined, but fails after I select the policy to export, but before writing a single line to the empty CSV created. Here are the errors produced:

Traceback (most recent call last):
File "Export-Pololicies.py", line 129, in <module>
acp_id = api.get_acp_id_by_name(ac_policy)
File "C:\scripts\Policy CSV\fireREST\__init__.py", line 321, in get_acp_id_by_name
for payload in item.json()['items']:

Both the domain and the policy have '-' hypens within the text.

These policies I am as yet unable to export each have more than 100 rules.

Any guidance appreciated.

pmn007 · ‎03-23-2022

Hello JohnPeterson20175,

Please were you able to resolve the error? I am getting the same error as well.

Thanks

Paul