Solved: Cisco Firepower Management Center and reporting

Dave Diependaal · ‎02-22-2017

Hi all,

Within my organisation we need to report over the status of our security devices.

I want to use reporting within Firepower Management Center.

I am looking for a way to list the devices (my ASA SFR sensors) in a report.

Anyone has a clue how to do this?

Thank you in advance for your replies,

Dave Diependaal

Marvin Rhoads · ‎02-25-2017

I don't think you can get a report per se directly from the FMC GUI showing what you are asking for. You can probably run a query from an external system using the REST API. Look at the following to see how it works:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/api/REST/Firepower_REST_API_Quick_Start_Guide/Objects_in_the_REST_API.html#id_19413

http://blog.cdw.com/security/programing-ciscos-firepower-6-1-rest-api

I was able to do this on my internal FirePOWER with the Postman GET query:

https://<FMC URL>/api/fmc_config/v1/domain/<domain UUID>/devices/devicerecords

Here is the output one gets:

{
 "links": {
 "self": "https://firepower.disyssolutions.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords?offset=0&limit=2"
 },
 "items": [
 {
 "id": "93f19bb4-a914-11e3-b270-ef49e8adeeb6",
 "type": "Device",
 "links": {
 "self": "https://firepower.disyssolutions.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords/93f19bb4-a914-11e3-b270-ef49e8adeeb6"
 },
 "name": "Production 3D7125 NGIPS"
 },
 {
 "id": "4bab3c38-7a00-11e6-9a95-be310377015b",
 "type": "Device",
 "links": {
 "self": "https://firepower.disyssolutions.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords/4bab3c38-7a00-11e6-9a95-be310377015b"
 },
 "name": "ASA - Transparent from SPAN port"
 }
 ],
 "paging": {
 "offset": 0,
 "limit": 2,
 "count": 2,
 "pages": 1
 }
}

View solution in original post

Marvin Rhoads · ‎02-22-2017

If you create a new report template by importing the Table View of Health events that will include events for the FMC and any registered devices. You can further constrain it by editing the search parameters to include only the devices and not the FMC.

Once you have saved the new report template, you can schedule it to run periodically (System > Tool > Scheduling). If you have a mail relay host configured, you can have the scheduled report sent to recipients via email.

(open in new tab to zoom)

Dave Diependaal · ‎02-24-2017

Hi Marvin,

First of all, thank you for your response!

I am getting close to what I need to see. I've did like you instructed and changed my search parameters to match the device names. Only now I am getting an endless list of my devices. I just need to have a list of the SFR sensors that are connected to this FMC.

Any suggestions how to get this done?

For now I wish you a great weekend!

Dave

Marvin Rhoads · ‎02-25-2017

If you only want a list of devices then just look at the devices > device management tab. It will show the status of each device (healthy or not) the model, licenses and Access control Policy applied.

If you want their health status then you can look under System > Health > Monitor. Click the little arrow next to each Health status and the lower section of the page will then show detailed health status of each sensor.

Dave Diependaal · ‎02-25-2017

Thank you Marvin, ofc I know how to find this information in the GUI but I would like to have it in a report so I can send it every week to our audit & control team.

Marvin Rhoads · ‎02-25-2017

I don't think you can get a report per se directly from the FMC GUI showing what you are asking for. You can probably run a query from an external system using the REST API. Look at the following to see how it works:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/api/REST/Firepower_REST_API_Quick_Start_Guide/Objects_in_the_REST_API.html#id_19413

http://blog.cdw.com/security/programing-ciscos-firepower-6-1-rest-api

I was able to do this on my internal FirePOWER with the Postman GET query:

https://<FMC URL>/api/fmc_config/v1/domain/<domain UUID>/devices/devicerecords

Here is the output one gets:

{
 "links": {
 "self": "https://firepower.disyssolutions.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords?offset=0&limit=2"
 },
 "items": [
 {
 "id": "93f19bb4-a914-11e3-b270-ef49e8adeeb6",
 "type": "Device",
 "links": {
 "self": "https://firepower.disyssolutions.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords/93f19bb4-a914-11e3-b270-ef49e8adeeb6"
 },
 "name": "Production 3D7125 NGIPS"
 },
 {
 "id": "4bab3c38-7a00-11e6-9a95-be310377015b",
 "type": "Device",
 "links": {
 "self": "https://firepower.disyssolutions.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords/4bab3c38-7a00-11e6-9a95-be310377015b"
 },
 "name": "ASA - Transparent from SPAN port"
 }
 ],
 "paging": {
 "offset": 0,
 "limit": 2,
 "count": 2,
 "pages": 1
 }
}

Dave Diependaal · ‎02-27-2017

Hi Marvin,

Thank you for pointing this out to me.

A shame that this can not be accomplished through the reporting function.

I think that more enterprise environments would benefit from such option since it is becoming a sort of "common" practive to show proof that your security devices are managed and up-2-date.

I am going to test with the API :-)

Thank you once again!

Kind regards,

Dave Diependaal