Solved: FTD 2130 (FDM Managed) - API for Start Before Login

vineshchauhan · ‎11-11-2022

Hi,

I am in the process of setting up a pair of FTD 2130 (HA). These are replacing our ASA's.

FTD2130 purely used for Cisco AnyConnect.

All my profiles are in place and remote AC connection works well. I am stuck on loading SBL Modules.

I've followed a guide to use API to modify AnyConnectClientProfile but this errors with "Invalid module type in AnyConnect Client profile"

Output:

### GET

{
"version": "n7we6hajbewrl",
"name": "AnyConnect",
"md5Checksum": "#########################",
"description": "AnyConnectProfile",
"diskFileName": "22aecefa-619b-11ed-bf32-e537ba40aa5f.xml",
"anyConnectModuleType": "ANY_CONNECT_CLIENT_PROFILE",
"id": "ec5508f7-6110-11ed-bf32-a5d6e1269696",
"type": "anyconnectclientprofile",
"links": {
"self": "https://FTD-FDM-IP/api/fdm/v6/object/anyconnectclientprofiles/ec5508f7-6110-11ed-bf32-a5d6e1269696"
}

### PUT

{
"version": "n7we6hajbewrl",
"name": "AnyConnect",
"md5Checksum": "#########################",
"description": "AnyConnectProfile",
"diskFileName": "22aecefa-619b-11ed-bf32-e537ba40aa5f.xml",
"anyConnectModuleType": START_BEFORE_LOGIN,
"id": "ec5508f7-6110-11ed-bf32-a5d6e1269696",
"type": "anyconnectclientprofile"
}

Any ideas?

Thanks

Vinny

Marvin Rhoads · ‎11-14-2022

FDM is quite limited. I always strongly discourage its use for anything but the most basic setup

Using FMC is much preferred as it provides all features and never requires resorting to manually setting up anything using the API directly.

Back to your issue, you first upload an AnyConnect profile via the GUI. Then use the API Explorer to GET it and ascertain the file definition that you just uploaded. Finally, change it to an SBL type with an API PUT operation

View solution in original post

Marvin Rhoads · ‎11-14-2022

Did you upload the SBL profile first by creating it under the main GUI? As I understand it, you need to do that first and then retrieve the object with a GET to ascertain the diskFileName. You then use PUT to reassign the anyConnectModuleType value.

vineshchauhan · ‎11-14-2022

Hi Marvin,

Thanks for your reply.

I am using FDM to manage and configure AnyConnect. I can't see an option for SBL Profile.

I've seen documentation on SBL for appliances managed by FMC.

FDM seems a bit limited with functionality and very different to ASA's.

Marvin Rhoads · ‎11-14-2022

FDM is quite limited. I always strongly discourage its use for anything but the most basic setup

Using FMC is much preferred as it provides all features and never requires resorting to manually setting up anything using the API directly.

Back to your issue, you first upload an AnyConnect profile via the GUI. Then use the API Explorer to GET it and ascertain the file definition that you just uploaded. Finally, change it to an SBL type with an API PUT operation

vineshchauhan · ‎11-15-2022

Agree with the limitation with FDM

We do have FMC so looking to migrate the 2130's. It will mean I will need to wipe them and re-start.

Also the 2130's are running a later code than our FMC's so might be an issue.

SBL update.....

I've been doing some testing yesterday.

Test machines - installed SBL Gina via SCCM.

On the 2130's, I uploaded a newer AnyConnect.PKG file.

When the test machines connected to VPN, clients downloaded the update for AnyConnect and also updated the SBL module.

I've not added any additional API's.

So going forward, I just need to ensure all our machines have SBL Gina pre-installed and we should be good to go.

Marvin Rhoads · ‎11-15-2022

Yes, the headend deployment pkg file contains all the modules. If you use 7-Zip and "unzip" it you will see the same bits that are in the pre-deployment package zip file.

vineshchauhan · ‎11-17-2022

Hi

I have now moved away from FDM and migrated the appliances to FMCv.

So much better!