10-18-2019 12:09 AM - edited 04-29-2022 04:03 AM
Hello Everyone,
Very often, as a Network Administrator, there is a need to save the ACP on the Firepower Management Center (FMC) as CSV. While the FMC itself supports the policy import and export option as a full-fledged feature, there is no way to save the ACP as CSV.
The script attached here solves the problem, however, this is not a replacement for the backup features from FMC.
Note: This tool by no means is a replacement for the policy import and export option of FMC. This tool is intended to have the CSV generated for ACP.
It does not take the backup of the objects or IPS/File Policy associated, it just gives a listing of the configuration.
What is supported:
1. Policy extraction from the FMC over API.
2. Extracts Zones, Networks, Applications, URLs, Users, IPS Policy, File Policy, Variable Sets, Logging configurations.
3. The output format is in CSV with ";" separated multiple entries within a specific field.
4. Currently supported only on FMC, no FDM support available.
Upcoming features:
1. Auto-listing of available policies across the domains.
2. Support for ISE/SGT attributes.
3. Writing the CSV backup as ACP to the FMC.
Link on Devnet:
https://developer.cisco.com/codeexchange/github/repo/raghukul-cisco/csvExportFirepower/
The tool will be updated every month with new features wherever applicable.
#Firepower #FMC
P.S: This is not an official tool, so please leave your comment/feedback below and we will try our best to address it as soon as possible.
Version 3: Support for large rule sets. @Anupam Pavithran
10-29-2019 10:45 AM
Has anyone been able to get this to work successfully? We would love to have this capability for our firewall policy reviews, but have not been able to get this to work yet. Is there any more specific documentation available?
Any direction would be greatly appreciated.
10-29-2019 07:51 PM
Hi Nelson,
The requirements to get this working are as below:
1. A machine that has Python 2.7 installed.
2. Connectivity to the FMC from the machine.
3. Install the pre-req mentioned in the requirements.txt when the attachment is unzipped.
4. Ensure that the contents of the folder remain intact.
If you are facing any specific errors or challenges let us know.
10-30-2019 12:54 PM
Thank you so much for your help! We have this working and it will be a life saver for us as we do our firewall reviews. Awesome tool!
10-30-2019 01:27 PM
One more request - the current conversion does not include the comment field. Would it be possible to include the comments? We need those for our PCI reviews so that would be very helpful.
Thanks again for putting this together.
10-31-2019 10:00 AM
Hi Nelson,
Thanks for the feedback, I am really glad that the tool is useful.
As far as the comments section is concerned in the tool, we will surely look into it and keep you posted.
Really appreciate all the feedback which helps us make it better.
11-02-2019 07:10 AM
Hi Nelson,
The next build of the tool will have the comments also.
Currently working on the beta testing of the same internally.
11-04-2019 06:01 AM
11-25-2019 07:53 PM
The new build is available as an attachment in the main post.
Features added:
1. Support for Python3
2. Auto listing of the ACP configured on the box.
3. Support for multi-domains.
4. Comments added as part of the export.
09-17-2020 06:34 AM - edited 09-17-2020 07:41 AM
This is a great script, but I've had to make a few changes.
The readme.md in Policy CSV-rel2.zip still says it requires Python 2.7!
Newlines and commas in comments cause the remaining columns to split to a new line in CSV. Insert the middle 2 lines below (below line 182) to replace newline char with ;LF; text.
for obj in temp['comments']:
    obj['comment'] = obj['comment'].replace('\n',';LF;')
    obj['comment'] = obj['comment'].replace(',',';')
    comment = obj['comment']
Our rules appear to have comments that were added in during a rule import. These comments have no user attached, which crashes the script out.
After line 184 I added:
if not 'name' in obj['user']:
    obj['user']['name'] = "Admin_Import"
Result:
date = date.split(".")[0]
if not 'name' in obj['user']:
    obj['user']['name'] = "Admin_Import"
user = obj['user']['name']
The above changes force a username into a comment with no user, allowing the script to complete.
Commas in rule name also need sanitisation.
Find (around line 157):
line['name'] = rule['name']
Replace line to show:
line['name'] = rule['name'].replace(",",";")
EDIT1: However the remaining columns don't input until the next line. So there's still some tidying to do on the change. But at least it completes....
EDIT2: Confirmed that newlines within comment were causing issues, added code to replace newline with text. Also replace commas in comments and names.
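An alternative to replacing characters, added here as an example and not taken from the tool or from the post above: Python 3's `csv` module quotes any field that contains a comma, quote or newline, so rule names and comments reach the review spreadsheet unchanged. The rule layout (`rule['comments']`), the column set, the sample data and the function names are assumptions made for illustration; the `comment`, `date`, `user` and `name` keys and the `Admin_Import` fallback follow the snippets in the post.

```python
import csv
import io

# Constructed sample data: rule dicts with a 'name' and a 'comments' list whose
# entries carry 'comment', 'date' and 'user' (assumed layout, not FMC output).
SAMPLE_RULES = [
    {"name": "Allow web, outbound",
     "comments": [{"comment": "PCI review 2020\nowner: netops, approved",
                   "date": "2020-09-17T06:34:00.000Z",
                   "user": {"name": "kieran"}}]},
    {"name": "Imported rule ó",
     "comments": [{"comment": "added during import",
                   "date": "2020-09-17T07:41:00.000Z",
                   "user": {}}]},  # no user name, as on imported comments
]

def comment_text(rule, default_user="Admin_Import"):
    """Join a rule's comments with ';', the separator used for multi-entry fields."""
    parts = []
    for obj in rule.get("comments", []):
        user = (obj.get("user") or {}).get("name", default_user)
        date = obj.get("date", "").split(".")[0]
        parts.append("{} {}: {}".format(date, user, obj.get("comment", "")))
    return ";".join(parts)

def rules_to_csv(rules):
    """Return CSV text; csv.writer quotes fields holding commas, quotes or newlines."""
    buf = io.StringIO(newline="")
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\r\n")
    writer.writerow(["name", "comments"])
    for rule in rules:
        writer.writerow([rule["name"], comment_text(rule)])
    return buf.getvalue()

def write_csv(path, rules):
    # newline="" stops Python translating line endings inside quoted fields;
    # explicit utf-8 keeps non-ASCII characters in names and comments intact.
    with open(path, "w", newline="", encoding="utf-8") as fh:
        fh.write(rules_to_csv(rules))

if __name__ == "__main__":
    print(rules_to_csv(SAMPLE_RULES))
```

Reading the output back with `csv.reader` returns one row per rule with the original commas and line breaks inside the field.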
09-20-2020 05:40 PM
Hi Kieran,
Thanks for making those necessary changes.
The comments section in the rules was not heavily focussed on, hence you can feel free to share the modified code for the larger community.
07-25-2020 09:24 AM
Hi,
Is there any way to export the NAT rules?
Thanks,
09-20-2020 05:41 PM
Sorry for coming back late on this. I have not started working on the NAT config part, but through the API it should be possible.
04-28-2020 11:02 AM
I was wondering if you could help me with this issue I'm having with the script. I get the following error mid rule export. I'm using Python 2.7.18. I tried with both releases.
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf3'
Thanks
04-29-2020 09:22 PM
This looks to be a problem with the logging configuration on Rule # 17 or the next rule.
Can you share a screenshot of the logging tab within rule 17 and the next one, so that I can quickly check what is causing the unicode error?