Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3044
Views
20
Helpful
7
Replies

Cleaning up Access Control Policies and Objects using FMT

Go to solution
atsukane
Level 3
Level 3

‎11-15-2021 02:18 AM - edited ‎11-15-2021 05:04 AM

Hi all,

 

We've migrated some locally managed ASAs to FMC using Firepower Migration Tool.

This resulted in having the same object but with with different object names (e.g. with suffix 'FTD-Mig' appended at the end of object name), single ASA ACE that had single object-group split into multiple groups and having multiple entries in the migrated ACPs due to lookup ran by FMT etc,. (https://community.cisco.com/t5/network-security/modifying-rules-migrated-via-firepower-migration-tool/td-p/4493298)

 

Is there any way of:

1. identifying duplicate objects/object-groups

2. identify rules using objects/object-groups identified in 1.

3. Once identified, update all ACPs so that all policies use the same object/object-group across multiple devices?

4. ASDM has 'Not used' feature(?) that can find and remove unused objects, but I don't see that option in FMC. Can we find and remove/delete unnecessary objects with minimum effort?

 

If it cannot be done with built-in FMC features, then any suggestion on tools that can be achieve this is greatly appreciated.

Or maybe this can be done via API or Terraform? If so, please let me know how to!

 

Many thanks,

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
giovanni.augusto
Level 1
Level 1

‎11-16-2021 12:43 AM

I think you can use a python script to interact with FMC API, I am currently using such a script to regularly clean up unused objects (it's a matter of sociological discussions how many duplicate objects can be created just out of negligence ).

 

Probably if you look into the FMC python library (it's unofficial but seems regularly maintained, wish Cisco had his own), so you could create the logic that

  • parse all your objects
  • create a matrix of objects with the same data (data,object1,object2,...,objectN for each row)
  • apply a logic to select which one is your preferred (naming convention standards or simply usage)
  • apply and replace that into ACPs
  • delete the unused objects (for this you could just parse the whole resulting objects and attempt a delete, if the object is in use it won't be deleted but you can apply patterns or confirmations if you REALLY want that)

View solution in original post

7 Replies 7

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-15-2021 11:39 PM

Unfortunately FMC does not (as of the current 7.0.1) have a way to easily identify duplicate objects/object-groups. Thus your #2 and #3 questions are moot. Regarding #4, we can see "where used" in the Objects in FMC. Click the binocular icon next to a given object to use this feature. Unfortunately it is a "one at a time" feature.

FMC Object UsageFMC Object Usage

Go to solution
atsukane
Level 3
Level 3
In response to Marvin Rhoads

‎11-16-2021 12:45 AM

Thank you @Marvin Rhoads 

It's a shame but it is what it is

thanks again.

 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to atsukane

‎11-18-2021 07:18 AM

Sorry - I missed that we can select the box on the top right of the FMC Object display which will filter all of the objects to show only unused ones. From there you can delete them, albeit one-by-one.

Go to solution
giovanni.augusto
Level 1
Level 1

‎11-16-2021 12:43 AM

I think you can use a python script to interact with FMC API, I am currently using such a script to regularly clean up unused objects (it's a matter of sociological discussions how many duplicate objects can be created just out of negligence ).

 

Probably if you look into the FMC python library (it's unofficial but seems regularly maintained, wish Cisco had his own), so you could create the logic that

  • parse all your objects
  • create a matrix of objects with the same data (data,object1,object2,...,objectN for each row)
  • apply a logic to select which one is your preferred (naming convention standards or simply usage)
  • apply and replace that into ACPs
  • delete the unused objects (for this you could just parse the whole resulting objects and attempt a delete, if the object is in use it won't be deleted but you can apply patterns or confirmations if you REALLY want that)

Go to solution
atsukane
Level 3
Level 3
In response to giovanni.augusto

‎11-16-2021 01:25 AM

Hi @giovanni.augusto 

 

Thant looks promising. 

I've only just started learning Python (day 2 today on ACG Python Entry Level Cert course) so this would be a good goal to aim for.

I'll play round with API explorer and python as I learn. 

 

Thank you

 

 

0 Helpful

Go to solution
atsukane
Level 3
Level 3

‎11-19-2021 04:35 AM

Found "A Python package designed to help users of Cisco's FMC interface with its API." on DevNet, i'll run through this and see how I get round to it! 

https://developer.cisco.com/codeexchange/github/repo/daxm/fmcapi/

 

0 Helpful

Go to solution
mrlorincz
Level 1
Level 1

‎10-21-2022 04:26 PM

Not fully automated but you can prune the unused objects using the object manager and selecting the 'show unused' option. Then once those are cleaned up you can run this script to identify duplicate objects.

You'd have to manually update the entries to consolidate but at least it saves a little time

https://github.com/raghukul-cisco/objectDuplicationFirepower

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card