Cisco Employee

API based tool to save the Access Control Policy from FMC as CSV

Hello Everyone,

Very often, as a network administrator, there is a need to save the ACP on the Firepower Management Center (FMC) as CSV. While the FMC itself supports policy import and export as a full-fledged feature, there is no way to save the ACP as CSV.

 

The script attached here solves the problem; however, this is not a replacement for the backup features of the FMC.

Note: This tool is by no means a replacement for the policy import and export option of the FMC. This tool is intended to generate a CSV for the ACP.

It does not take a backup of the objects or the associated IPS/File Policy; it just gives a listing of the configuration.

 

What is supported:

1. Policy extraction from the FMC over API.
2. Extracts Zones, Networks, Applications, URLs, Users, IPS Policy, File Policy, Variable Sets, Logging configurations.
3. The output format is in CSV with ";" separated multiple entries within a specific field.
4. Currently supported only on FMC, no FDM support available.


Upcoming features:

1. Auto-listing of available policies across the domains.
2. Support for ISE/SGT attributes.
3. Writing the CSV backup as ACP to the FMC.

The tool will be updated every month with new features wherever applicable.

 

#Firepower #FMC

P.S: This is not an official tool, so please leave your comment/feedback below and we will try our best to address it as soon as possible.

 

@Anupam Pavithran

Enthusiast

Re: API based tool to save the Access Control Policy from FMC as CSV

Has anyone been able to get this to work successfully?  We would love to have this capability for our firewall policy reviews, but have not been able to get this to work yet.  Is there any more specific documentation available?

Any direction would be greatly appreciated.

Cisco Employee

Re: API based tool to save the Access Control Policy from FMC as CSV

Hi Nelson,

 

The requirements to get this working are as below:

1. A machine that has Python 2.7 installed.
2. Connectivity to the FMC from the machine.
3. Install the prerequisites mentioned in the requirements.txt when the attachment is unzipped.
4. Ensure that the contents of the folder remain intact.

If you are facing any specific errors or challenges, let us know.

Enthusiast

Re: API based tool to save the Access Control Policy from FMC as CSV

Thank you so much for your help!  We have this working and it will be a life saver for us as we do our firewall reviews.  Awesome tool!

Enthusiast

Re: API based tool to save the Access Control Policy from FMC as CSV

One more request: the current conversion does not include the comment field. Would it be possible to include the comments? We need those for our PCI reviews, so that would be very helpful.

Thanks again for putting this together.

Cisco Employee

Re: API based tool to save the Access Control Policy from FMC as CSV

Hi Nelson,

Thanks for the feedback, I am really glad that the tool is useful.

As far as the comments section is concerned in the tool, we will surely look into it and keep you posted.

 

Really appreciate all the feedback which helps us make it better.

Cisco Employee

Re: API based tool to save the Access Control Policy from FMC as CSV

Hi Nelson,

The next build of the tool will have the comments also.

Currently working on the beta testing of the same internally.

Enthusiast

Re: API based tool to save the Access Control Policy from FMC as CSV

Thank you so much! That will be great to have the comments in the output as well. We appreciate you adding this feature and will watch for the next build.
Cisco Employee

Re: API based tool to save the Access Control Policy from FMC as CSV

The new build is available as an attachment in the main post.

Features added:

1. Support for Python3

2. Auto listing of the ACP configured on the box.

3. Support for multi-domains.

4. Comments added as part of the export.

Beginner

Re: API based tool to save the Access Control Policy from FMC as CSV

Hi,

Is there any way to export the NAT rules?

Thanks,

Beginner

Re: API based tool to save the Access Control Policy from FMC as CSV

Hi @Raghunath Kulkarni 

 

I was wondering if you could help me with this issue I'm having with the script. I get the following error mid rule export. I'm using Python 2.7.18. I tried with both releases.

UnicodeEncodeError: 'ascii' codec can't encode character u'\xf3'

 


Thanks

Cisco Employee

Re: API based tool to save the Access Control Policy from FMC as CSV

This looks to be a problem with the logging configuration on Rule # 17 or the next rule.

Can you share a screenshot of the logging tab within rule 17 and the next one, so that I can quickly check what is causing the Unicode error?

Beginner

Re: API based tool to save the Access Control Policy from FMC as CSV

Thank you very much! @Raghunath Kulkarni 

 

Both rules 17 and 18 have the exact logging configuration, but so do the rest of the rules on top and those did export to CSV. The only difference I'm seeing is that rule 17 has a comment.

 

Cisco Employee

Re: API based tool to save the Access Control Policy from FMC as CSV

Comments should not be a problem as the latest build which was shared includes that.

This looks to be a different problem.

Would it be okay if you could log a TAC case and share the number here so that I can have a look at it? (Sharing the configuration here would not be the right thing to do.)

Beginner

Re: API based tool to save the Access Control Policy from FMC as CSV

Hi,

Wanted to tell you that I found the issue I was having while exporting policies. The issue was that every time the code tries to export a rule with a rule name containing an accent mark, it threw the error above. I had to rename the rules with accent marks, for example from "Intrusión" to "intrusion", so it wouldn't happen.

This error will probably show up a lot for Spanish- and French-speaking admins.

 

Thanks
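
The failure class described in the post above, and one way a CSV export can keep accented rule names without renaming rules, as an added example that is not the tool's code and not part of the original thread. It assumes Python 3; the rule dictionaries and field names are constructed for illustration and are not the FMC API schema.

```python
import csv
import io

# Constructed sample rules; field names are assumptions for this example,
# not the FMC API schema or the tool's internal format.
SAMPLE_RULES = [
    {"name": "Intrusión", "action": "BLOCK",
     "source_zones": ["inside", "dmz"], "comments": ["Revisión PCI"]},
    {"name": "Allow-DNS", "action": "ALLOW",
     "source_zones": ["inside"], "comments": []},
]
FIELDS = ["name", "action", "source_zones", "comments"]


def ascii_encode_fails(text):
    """Reproduce the error class from the thread: ASCII cannot represent 'ó'."""
    try:
        text.encode("ascii")
        return False
    except UnicodeEncodeError:
        return True


def flatten(rule):
    """Join multi-valued fields with ';' so each rule stays on one CSV row."""
    return [";".join(v) if isinstance(v, list) else v
            for v in (rule.get(f, "") for f in FIELDS)]


def rules_to_csv_bytes(rules):
    """Serialize rules as UTF-8 CSV; the BOM lets Excel detect the encoding."""
    buf = io.StringIO(newline="")
    writer = csv.writer(buf)
    writer.writerow(FIELDS)
    for rule in rules:
        writer.writerow(flatten(rule))
    return buf.getvalue().encode("utf-8-sig")


def read_back(data):
    """Decode and parse the CSV to confirm rule names survive unchanged."""
    text = data.decode("utf-8-sig")
    return list(csv.DictReader(io.StringIO(text, newline="")))


if __name__ == "__main__":
    print(ascii_encode_fails("Intrusión"))
    for row in read_back(rules_to_csv_bytes(SAMPLE_RULES)):
        print(row)
```

Keeping the original rule names in the export matters for policy reviews, because the CSV then matches what reviewers see in the FMC.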