02-08-2018 07:15 PM - edited 02-21-2020 07:19 AM
Hello,
I just upgraded my FMCs to v.6.2.2.1 and I'm trying to make our block-IP automation a little cleaner. My initial plan was to put them in a security intel feed and have it update on a 5 min interval, but unfortunately custom feeds can only update on a 30 min interval.
Therefore my plan was to use the network groups PUT API to add a host to the "Malicious IPs" group and then have a second API call push policy. I got the PUT API code working fine, but it always overwrites my previous objects instead of just adding to them. Has anyone else run into this, or do you have a better way of implementing it? Below is a portion of my PUT code.
{
  "id": "035F881Z-991S-0ed3-0000-038238327",
  "name": "Malicious_IPs",
  "type": "NetworkGroup",
  "literals": [
    { "type": "Network", "value": "1.2.3.4/30" },
    { "type": "Host", "value": "1.2.3.4" }
  ]
}
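The overwrite described above is the normal behaviour of PUT on the FMC object API: the request body replaces the whole NetworkGroup, so any literal not sent back is dropped. The usual fix is to GET the group, merge the new host into the literals it already has, and PUT the combined body. This is an added example, not the poster's code; the FMC host, domain UUID and the auth token (obtained separately from the FMC generatetoken endpoint) are placeholders.

```python
import json
import ssl
import urllib.request
from typing import Any, Dict, List

# Placeholder lab values (assumed, not from the thread).
FMC_HOST = "fmc.example.internal"
DOMAIN_UUID = "<domain-uuid>"


def merge_literals(group: Dict[str, Any], new_literals: List[Dict[str, str]]) -> Dict[str, Any]:
    """Return a PUT body for `group` with `new_literals` appended.

    Because PUT replaces the object, the literals already present must be
    resent. Duplicates (same type and value) are skipped, and read-only
    fields returned by GET ("links", "metadata") are stripped before the PUT.
    """
    existing = list(group.get("literals", []))
    seen = {(lit["type"], lit["value"]) for lit in existing}
    for lit in new_literals:
        key = (lit["type"], lit["value"])
        if key not in seen:
            existing.append({"type": lit["type"], "value": lit["value"]})
            seen.add(key)
    body = {k: v for k, v in group.items() if k not in ("links", "metadata")}
    body["literals"] = existing  # "objects" (referenced objects) are kept as-is
    return body


def fmc_request(token: str, method: str, path: str, body: Any = None) -> Dict[str, Any]:
    """Send one authenticated FMC REST call and return the decoded JSON reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{FMC_HOST}{path}", data=data, method=method)
    req.add_header("X-auth-access-token", token)
    req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context()  # keep TLS verification; trust the FMC CA rather than disabling it
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def add_hosts_to_group(token: str, group_id: str, hosts: List[str]) -> Dict[str, Any]:
    """GET the current group, merge the new hosts in, PUT the result back."""
    path = f"/api/fmc_config/v1/domain/{DOMAIN_UUID}/object/networkgroups/{group_id}"
    current = fmc_request(token, "GET", path)
    body = merge_literals(current, [{"type": "Host", "value": h} for h in hosts])
    return fmc_request(token, "PUT", path, body)
```

A policy deploy is still a separate call afterwards; the merge only keeps the group's existing entries from being lost.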
02-11-2018 12:42 PM
You could use Security Intelligence feeds using external feeds/lists, or AMP intelligence if your FMC has additional memory. Have not tried the API method.
Vaibhav
02-12-2018 06:02 AM
I would use the security intel feeds but custom feeds will only update on a 30 min basis and that's too long in these attack scenarios.
02-15-2018 08:40 AM