597 Views, 0 Helpful, 4 Replies

Firewall configuration provided as a .txt file?

acfreema
Level 1

I have a customer who wants a new site to have the same Firepower firewall configuration (except the site-specific items) as another properly functioning site. When asked for the firewall configuration information, they sent a 34MB .txt file that looks like what I have pasted below. I haven't seen this before, and the other network engineer on my team is also confused by this. Can anyone help?

{"metadata":{"Exported version":"6.6.5-81","Generated on":"08-24-2023","Masked":true}}
{"version":"cllh35qmc4bq2","hardwareName":"Ethernet1/3","monitorInterface":true,"ipv4":{"ipType":"STATIC","defaultRouteUsingDHCP":false,"dhcp":false,"addressNull":true,"type":"interfaceipv4"},"ipv6":{"enabled":false,"autoConfig":false,"dhcpForManagedConfig":false,"dhcpForOtherConfig":false,"enableRA":false,"dadAttempts":1,"linkLocalAddress":

4 Replies

This is the API GET output for the FTD configuration. Technically you could just change what you need to in these files and then send them via a POST call to the new FTD and you are good to go.

--
Please remember to select a correct answer and rate helpful posts

Marvin Rhoads
Hall of Fame

Assuming they are managed by the same FMC, you could also just onboard the new firewall with a basic config, add the full set of device specific details in FMC and then associate the same Access Control, NAT and platform policies to the new firewall.

acfreema
Level 1

Thanks guys, that helps, but I'm still really confused. The first hurdle is "change what you need". This is my first exposure to a Firepower firewall configuration, and I have no contact with the firewall from which this configuration was pulled, so I don't know what would need to be changed. How do I find what I need to change? How is it arranged? After applying this configuration, would the firewall still be accessible to make changes that I didn't make prior to uploading the configuration? If it matters, these are both using FTD.

The answers to your questions depend on how you intend to configure the firewall: through the GUI or through the API. If you are going to configure via API I suggest looking at the API page and then looking at the POST examples for each area you are going to configure. In FDM there is a link to the API page on the dashboard, and in FMC add /api/api-explorer to the end of the FMC IP.

FDM and FMC APIs have slight differences in naming standards but for the most part they have the same structure.

So, this will not be a plain copy-paste into the CLI; if you intend to use APIs you will need to do a separate API call for each configuration area (interfaces, security zones, objects, NAT, routing, etc.).

If you are not used to using APIs and programming this should not be a big deal, if not it looks more difficult than it actually is. It might take a little time to get used to the structure of the APIs but once that is down it goes like a breeze.

You can also have a look at the developer page for some insight into the firewall APIs.

https://developer.cisco.com/secure-firewall/
--
Please remember to select a correct answer and rate helpful posts
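An added example, not code from this thread or from Cisco, of the first step the replies describe: reading the one-JSON-object-per-line export, grouping the records by their "type" field so each group can be sent to its own endpoint, dropping the fields the exporting device assigned, and flagging the values (addresses, prefixes, references to other objects) that are site-specific and have to be changed before any POST. The sample export is constructed to resemble the snippet in the question; the nested field names beyond those shown there, and the assumption that "id" and "version" are assigned afresh by the target device, are assumptions to confirm against the API Explorer on the new firewall.

```python
"""Sort an FTD configuration export into per-type POST payloads and flag
site-specific values. Added example; assumptions are marked as such."""
import ipaddress
import json
from collections import defaultdict

# Constructed sample export: a metadata line (shape taken from the question)
# followed by three records with invented but plausible field names.
SAMPLE_EXPORT = "\n".join([
    '{"metadata":{"Exported version":"6.6.5-81","Generated on":"08-24-2023","Masked":true}}',
    '{"version":"cllh35qmc4bq2","id":"0a1b2c3d-1111","hardwareName":"Ethernet1/3",'
    '"name":"outside","monitorInterface":true,'
    '"ipv4":{"ipType":"STATIC","dhcp":false,"ipAddress":{"ipAddress":"203.0.113.10",'
    '"netmask":"255.255.255.0","type":"haipv4address"},"type":"interfaceipv4"},'
    '"type":"physicalinterface"}',
    '{"version":"cllh35qmc4bq3","id":"0a1b2c3d-2222","name":"branch-lan",'
    '"subType":"NETWORK","value":"192.0.2.0/24","type":"networkobject"}',
    '{"version":"cllh35qmc4bq4","id":"0a1b2c3d-3333","name":"outside_zone",'
    '"mode":"ROUTED","type":"securityzone"}',
])

# Assumption: these top-level fields belong to the exporting device and the
# target device assigns its own, so they must not be sent in a POST body.
DEVICE_ASSIGNED = {"id", "version"}


def parse_export(text):
    """Return (metadata, records) from a one-JSON-object-per-line export."""
    metadata, records = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if lineno == 1 and "metadata" in obj:
            metadata = obj["metadata"]
        else:
            records.append(obj)
    return metadata, records


def _looks_like_ip(value):
    """True for anything ipaddress accepts as an address or prefix."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def find_site_specific(record, path=""):
    """Yield (json_path, value) for IP-looking strings and for nested "id"
    fields, which (assumption) are references to other objects whose ids
    differ on the new device and must be looked up there by name."""
    if isinstance(record, dict):
        for key, value in record.items():
            sub = f"{path}.{key}" if path else key
            if key == "id" and path:
                yield sub, f"reference:{value}"
            yield from find_site_specific(value, sub)
    elif isinstance(record, list):
        for index, value in enumerate(record):
            yield from find_site_specific(value, f"{path}[{index}]")
    elif isinstance(record, str) and _looks_like_ip(record):
        yield path, record


def build_payloads(text):
    """Group records by API type, strip device-assigned fields from each,
    and collect a per-record review list of site-specific values."""
    metadata, records = parse_export(text)
    payloads = defaultdict(list)
    review = {}
    for rec in records:
        body = {k: v for k, v in rec.items() if k not in DEVICE_ASSIGNED}
        payloads[rec["type"]].append(body)
        flagged = list(find_site_specific(body))
        if flagged:
            review[f'{rec["type"]}:{rec.get("name", "?")}'] = flagged
    return metadata, dict(payloads), review


if __name__ == "__main__":
    meta, payloads, review = build_payloads(SAMPLE_EXPORT)
    if meta.get("Masked"):
        print("Export is masked: secrets must be re-entered on the new device")
    for api_type, bodies in payloads.items():
        print(f"{api_type}: {len(bodies)} record(s) for that type's endpoint")
    for name, fields in review.items():
        print(name)
        for json_path, value in fields:
            print(f"  review {json_path} = {value}")
```

The "Masked" flag in the metadata line of the question means the export does not carry secrets, so anything like pre-shared keys or passwords will have to be entered on the new device regardless of what is POSTed. The review list is deliberately broad (it flags netmasks as well as addresses); the point is that every flagged path is read by a person before the group is sent, and that the order of groups follows the dependencies the last reply lists (objects and zones before the interfaces, NAT and rules that refer to them).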