FMC API 6.2 - API access to Prefilter policies and rules

nosc
Level 1

Greetings -

I was wondering if there was a way to programmatically access the prefilter policies/rules via the REST API. I don't necessarily need to write to the database - a simple GET to the prefilter table and rules will suffice.

The REST documentation is good for the ACP, but I couldn't find anything regarding the prefilter rules.

 

Thanks in advance!

Accepted Solutions

Marvin Rhoads
Hall of Fame

I don't believe that's exposed via the API at this stage (i.e. as of FMC 6.2.2).

The best you can do is screen scrape it using one of the ssh tools like Netmiko. The policy is stored in the file structure on the sensor in a place like:

 

./ngfw/var/sf/detection_engines/ea54a18a-92d2-11e7-8daf-2668033706e7/code/SF/Prefilter/PrefilterPolicy.pm

 

The long alphanumeric string in there is a GUID for your policy version. The parent directory contains all of the various policies as you can see here:

 

root@vftd-new:/# ls -al ./ngfw/Volume/6.2.2/sf/detection_engines/ea54a18a-92d2-11e7-8daf-2668033706e7/code/SF
total 144
drwxr-xr-x 17 root root 4096 Sep 18 12:50 .
drwxr-xr-x 4 root root 4096 Sep 18 12:50 ..
drwxr-xr-x 3 root root 4096 Sep 18 12:50 DNS
drwxr-xr-x 4 root root 4096 Sep 18 12:50 Files
drwxr-xr-x 2 root root 4096 Sep 18 12:50 GeoBlocking
drwxr-xr-x 3 root root 4096 Sep 18 12:50 IPReputation
drwxr-xr-x 5 root root 4096 Sep 18 12:50 Intrusion
drwxr-xr-x 2 root root 4096 Sep 18 12:50 ND
drwxr-xr-x 4 root root 4096 Sep 18 12:50 NGFW
drwxr-xr-x 4 root root 4096 Sep 18 12:50 NetworkAnalysis
-r--r--r-- 1 root root 76944 Sep 18 12:50 NetworkDiscovery.pm
drwxr-xr-x 2 root root 4096 Sep 18 12:50 Prefilter
drwxr-xr-x 2 root root 4096 Sep 18 12:50 QoS
drwxr-xr-x 6 root root 4096 Sep 18 12:50 RNA
drwxr-xr-x 6 root root 4096 Sep 18 12:50 SSL
drwxr-xr-x 2 root root 4096 Sep 18 12:50 System
drwxr-xr-x 2 root root 4096 Sep 18 12:50 Transaction
drwxr-xr-x 3 root root 4096 Sep 18 12:50 UMPD
root@vftd-new:/#

 

@Oliver Kaiser may be able to shed some light as his blog has some tips for working with the API.

 

http://dependencyhell.net/2017/07/09/Dumping-Firepower-ACP/
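One way to script the file-based approach from the answer above, as an added example that is not part of the original post or any Cisco tooling: it finds each deployed `PrefilterPolicy.pm`, reads it only if the path matches the layout shown in the answer, and hashes it so changes can be tracked between runs. The `run` hook, `fake_run` and the sample file body are assumptions made here; with Netmiko, `run` would be the `send_command` method of a session that already sits in a root shell.

```python
import hashlib
import re

# Base directory and file name are the ones given in the answer above.
BASE = "/ngfw/var/sf/detection_engines"
GUID_RE = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
POLICY_RE = re.compile(
    "^" + re.escape(BASE) + "/(" + GUID_RE + ")"
    r"/code/SF/Prefilter/PrefilterPolicy\.pm$"
)

def collect_prefilter_policies(run):
    """Return {guid: {"path", "sha256", "text"}} for each policy copy found.

    `run` (hypothetical hook) executes one shell command on the sensor and
    returns its output as a string.
    """
    policies = {}
    for line in run(f"find {BASE} -type f -name PrefilterPolicy.pm").splitlines():
        path = line.strip()
        match = POLICY_RE.match(path)
        if not match:
            continue  # error text, prompt echo or a path of unexpected shape
        # Only a path that matched the strict pattern reaches the shell.
        text = run(f"cat {path}")
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        policies[match.group(1)] = {"path": path, "sha256": digest, "text": text}
    return policies

def changed_guids(policies, baseline):
    """GUIDs that are new or whose hash differs from a saved {guid: sha256}."""
    return sorted(g for g, p in policies.items() if baseline.get(g) != p["sha256"])

# Constructed stand-in for the sensor so the example runs offline. The file
# body is a placeholder, not the real PrefilterPolicy.pm content.
GUID = "ea54a18a-92d2-11e7-8daf-2668033706e7"
SAMPLE_PATH = f"{BASE}/{GUID}/code/SF/Prefilter/PrefilterPolicy.pm"
SAMPLE_BODY = "# placeholder policy body (constructed)\n"

def fake_run(command):
    if command.startswith("find "):
        return SAMPLE_PATH + "\nfind: '" + BASE + "/lost': Permission denied\n"
    if command == "cat " + SAMPLE_PATH:
        return SAMPLE_BODY
    raise ValueError("unexpected command: " + command)

if __name__ == "__main__":
    found = collect_prefilter_policies(fake_run)
    print(changed_guids(found, baseline={}))
```

Saving the `{guid: sha256}` map after each run gives a baseline, so an unexpected change to the prefilter policy shows up as a changed or new GUID on the next run.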

Thanks Marvin! That's actually really helpful and may get me where I need to go. Hopefully Cisco decides to expose it via REST in the future, but I can definitely work with this.

 

Appreciate the help!

Glad it helped. Please mark the reply as helpful if you found it to be so.

As Marvin pointed out, there is currently no way to get prefilter policy rules from the FMC REST API as of now. I checked the roadmap from mid 2017 and didn't find any information on when it will be added to the API... I think it will probably take one year since routing and NAT will be implemented in the near future.

 

regards

Oliver

FWIW it looks like the prefilter REST APIs are now exposed in 6.4. I don't see any way to write prefilter policies yet...

You will need to upgrade to 6.5.0 - CRUD operations for prefilter rules have been added. See release notes for details: https://www.cisco.com/c/en/us/td/docs/security/firepower/650/relnotes/firepower-release-notes-650/features.html