58069 Views | 80 Helpful | 67 Replies

API based tool to save the Access Control Policy from FMC as CSV

Raghunath Kulkarni
Cisco Employee

Hello Everyone,

Very often, as a Network Administrator, there is a need to save the ACP on the Firepower Management Center (FMC) as CSV. While the FMC itself supports the policy import and export option as a full-fledged feature, there is no way to save the ACP as CSV.

The script attached here solves the problem; however, this is not a replacement for the backup features of FMC.

Note: This tool is by no means a replacement for the policy import and export option of FMC. This tool is intended to generate the CSV for an ACP.

It does not take a backup of the objects or the IPS/File Policy associated; it just gives a listing of the configuration.

What is supported:

1. Policy extraction from the FMC over API.
2. Extracts Zones, Networks, Applications, URLs, Users, IPS Policy, File Policy, Variable Sets, Logging configurations.
3. The output format is CSV, with multiple entries within a specific field separated by ";".
4. Currently supported only on FMC; no FDM support available.


Upcoming features:

1. Auto-listing of available policies across the domains.
2. Support for ISE/SGT attributes.
3. Writing the CSV backup as ACP to the FMC.

Link on Devnet: https://developer.cisco.com/codeexchange/github/repo/raghukul-cisco/csvExportFirepower/

The tool will be updated every month with new features wherever applicable.


#Firepower #FMC

P.S: This is not an official tool, so please leave your comment/feedback below and we will try our best to address it as soon as possible.


Version 3: Support for large rule sets. @Anupam Pavithran 


67 Replies

pmn007
Level 1

@Raghunath Kulkarni 

Thank you for creating such a great tool! Please can you help resolve the error I am getting? See below:

File "Export-Policies.py", line 128, in <module>
acp_id = api.get_acp_id_by_name(ac_policy)
File "Policy/fireREST/__init__.py", line 321, in get_acp_id_by_name
for payload in item.json()['items']:
KeyError: 'items'


Thank you,

Paul

Great tool! I'm noticing some lines in the CSV are misaligned, pushed one cell to the right when they have multiple application filters. Instead of keeping these comma separated in one cell, they're splitting the two items between two adjacent cells. I don't believe I deviated from the instructions in the GH.

Thanks so much for creating this!

Raghunath Kulkarni
Cisco Employee

Hi All,


The latest version of this tool is available now on devnet.

Link: https://developer.cisco.com/codeexchange/github/repo/raghukul-cisco/csvExportFirepower


The migration to the devnet portal will give additional benefits for release management, updates, and seamless bug fixes.

Also, it provides an easy way to track the requests/bugs/enhancements which can be now raised via issues on GitHub.


All further updates and discussions will happen on the new thread there.

Eric R. Jones
Level 4
Hello, I tried to reply from within the community but the reply window never opened.

I understand this was written a few years ago, but I've seen posts as recent as this year. I'm assuming this is still viable.

A few questions.

1. The pip3 command doesn't appear when I log in to either the FMC or FTD using "expert" mode. Is this the proper way to run the install command to pull the requirements.txt file from GitHub?

2. Does this get installed on the FMC, the FTD(s), or both? From my understanding it looks like it gets installed on the FMC where the ACPs are created.

3. Does one need to create an API user account on the FMC as laid out in the DevNet labs?



Raghunath Kulkarni
Cisco Employee

Hi Eric,


The latest version is available on the devnet link shared. It has been posted only a week back.


1. The tool will be installed on your local machine and not on either FMC or FTD.

2. You can register to the devnet portal with your CCO credentials or any OAuth mechanism.

3. The API user is just to ensure that other network admins who are using the "Admin" credentials are not logged out while the tool runs.

rampampam
Level 1

hello,

Really great tool, many thanks for that. Just two questions.

1. Is it normal that, when I have several objects in e.g. source networks, it moves each object to the next row? Shouldn't it be separated by "," or ";"?

2. is plan to get hit counts from ACE ?

Best regards
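The tool's ";"-separated multi-value cells (item 3 of "What is supported") and the misaligned rows that two replies above report are the two places where CSV generation usually goes wrong. Below is an added example, not the csvExportFirepower code itself: it flattens FMC-style rule JSON into one cell per field using the csv module so that a value containing a comma is quoted instead of spilling into the next cell, and it looks up a policy id without raising KeyError when the API response has no 'items' key (the traceback pmn007 posted). The JSON shapes and the id value are constructed sample data and only approximate the real FMC API responses.

```python
import csv
import io

# Constructed sample data (assumption: shapes approximate the FMC REST API's
# "accesspolicies" listing and "accessrules" objects; the id is a placeholder).
POLICY_LIST = {"items": [{"name": "Branch-ACP", "id": "PLACEHOLDER-ACP-ID"}]}
RULES = [
    {"name": "Allow-Web", "action": "ALLOW",
     "sourceZones": {"objects": [{"name": "inside"}]},
     "sourceNetworks": {"objects": [{"name": "LAN-10.1.0.0"},
                                    {"name": "LAN-10.2.0.0"}]},
     # Second application name deliberately contains a comma.
     "applications": {"applications": [{"name": "HTTP"},
                                       {"name": "HTTPS, Secure"}]},
     "ipsPolicy": {"name": "Balanced Security and Connectivity"}},
    {"name": "Deny-All", "action": "BLOCK"},   # no zones/networks/apps set
]
FIELDS = ["name", "action", "sourceZones", "sourceNetworks",
          "applications", "ipsPolicy"]


def get_acp_id_by_name(listing, name):
    """Return the policy id, or None when the name is absent or the
    response carries no 'items' (empty page, error body)."""
    for item in listing.get("items", []):
        if item.get("name") == name:
            return item.get("id")
    return None


def flatten(value):
    """Collapse FMC's nested object/literal lists into one ';'-joined cell."""
    if isinstance(value, dict):
        names = []
        for key in ("objects", "literals", "applications"):
            for entry in value.get(key, []):
                names.append(entry.get("name") or entry.get("value", ""))
        return ";".join(names) if names else value.get("name", "")
    return "" if value is None else str(value)


def rules_to_csv(rules):
    """Write one row per rule; csv.writer quotes cells containing commas."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL)
    writer.writerow(FIELDS)
    for rule in rules:
        writer.writerow([flatten(rule.get(field)) for field in FIELDS])
    return buf.getvalue()


def read_rows(text):
    """Parse CSV text back into rows (used to verify cell alignment)."""
    return list(csv.reader(io.StringIO(text)))
```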

manofsteel03
Level 1

Does this work for FMCs that are 7.x? I haven't been able to get this to work correctly, but it does work with FMC 6.x.

Gskim
Level 1

Good day Raghunath, would you be able to offer a guided step-by-step as I have no clue where to begin with this tool. If it helps, I have installed Python 3.10 in my computer, and downloaded csvExportFirepower-main folder.

How do I start to connect my FMC/FTD using Python?
