Retrieve version info when performing an FMC backup

Tyson Joachims

When attempting to restore an FMC from a backup, 3 things must match from when the backup occurred:

1. Snort Version
2. FMC version
3. Vulnerability Database Version

When performing scheduled backups, this information is not retrieved and I'm looking for either a way to run a report or a script to pull the info on the same night that the FMC is backed up. What has everyone else done to fix this problem?

Accepted Solution

I finally found what I was looking for! You can run a report daily that is sent to an email that lists all the necessary information about the FMC. The settings to turn this on are located under System > Configuration > Change Reconciliation.

[Image: Setting.png]

You do have to have System > Configuration > Email Notification configured first before you can start generating this report. The report runs every 24 hours (you can only configure which hour of the day it runs). I'd suggest enabling this feature and just setting a rule in Outlook or whatever email you use to divert those reports to a folder so you aren't burdened with them every day in your main inbox.

Here is a pic of the first page of that report:
[Image: Reconciliation Report.png]


Hope this helps someone out there



Tyson Joachims

I've been working on a Python script that will log into the firewall and perform a "show version". If anyone else has a more elegant way of doing this, I would love to get your input.


To create the script yourself, you will need to download and install Python (https://www.python.org/downloads/) and netmiko using the pip command within Python:

$ pip install netmiko

Here is the script I wrote. It will SSH to the firewall's IP address, perform a "show version", then push that output to a file named Firewall_Info.txt with the current date. Each time it is run, it will append the output and date to the existing file so you don't have a million files after running it several times. Just make sure to run this script in scheduled tasks at the same interval and time as the regular backups of your Firepower system; otherwise you won't have accurate data, which defeats the entire point.

#!/usr/bin/env python
from netmiko import Netmiko
from datetime import datetime
import time

# Date stamp written above each captured "show version"
timenow = datetime.now()
timestamp = timenow.strftime('%Y/%m/%d')

cisco = {
    "host": "10.1.1.1",
    "username": "admin",
    "password": "MyP@$$w0rdIStheB3st2020!!",
    "device_type": "cisco_ios",   # see the note below about editing cisco_ios.py
}

# Netmiko SSH connection to the firewall
connection = Netmiko(**cisco)
time.sleep(1)

# Execute command
output = connection.send_command("show version")

# Print output to console screen
print(timestamp)
print(output)

# Append the dated output to the file (opened in append mode so runs accumulate), then close it
with open('Firewall_Info.txt', 'a+') as file:
    file.write(timestamp + "\n")
    file.write(output + "\n")

# Gracefully disconnect
connection.disconnect()

One thing I had to do was modify a file located at C:\Users\admin\AppData\Local\Programs\Python\Python38\Lib\site-packages\netmiko\cisco\cisco_ios.py using notepad or notepad++

Comment out the following by placing a hashtag in front of:

#self.disable_paging()
#self.set_terminal_width(command="terminal width 511")
#Clear the read buffer

If you are doing this for customers, you can also try to convert the Python script to an .exe file so that the customer doesn't have to download and install Python and Netmiko.


Hope this helps someone

Have you thought about using the Firepower API?

"GET domain" or "GET serverversion" would seem to be a good place to check.

Reference:

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/api/REST/Firepower_Management_Center_REST_API_Quick_Start_Guide_650/objects_in_the_rest_api.html#id_118487

That would have been so much more helpful than working with netmiko, lol. Thank you very much for that suggestion. I had never tried messing with the API until now. I was able to generate a Python script from the GET serverversion, modified it so the output from the query was stored in a text file, converted it to an .exe (so the customer wouldn't have to install Python and all the extensions), and it worked well!

#
# Generated FMC REST API sample script
#

import json
import sys
import requests
from datetime import datetime

# Date stamp written above each captured serverversion response
timenow = datetime.now()
timestamp = timenow.strftime('%Y/%m/%d')

server = "https://10.1.1.51"

username = "admin"
if len(sys.argv) > 1:
    username = sys.argv[1]
password = "thisISmyPassword(notreally)"
if len(sys.argv) > 2:
    password = sys.argv[2]

r = None
headers = {'Content-Type': 'application/json'}
api_auth_path = "/api/fmc_platform/v1/auth/generatetoken"
auth_url = server + api_auth_path
try:
    # 2 ways of making a REST call are provided:
    # One with "SSL verification turned off" and the other with "SSL verification turned on".
    # The one with "SSL verification turned on" is commented out. To use it, comment out
    # the line with verify=False and uncomment the line with verify='/path/to/ssl_certificate'.
    # REST call with SSL verification turned off:
    r = requests.post(auth_url, headers=headers, auth=requests.auth.HTTPBasicAuth(username, password), verify=False)
    # REST call with SSL verification turned on: Download SSL certificates from your FMC first and provide its path for verification.
    # r = requests.post(auth_url, headers=headers, auth=requests.auth.HTTPBasicAuth(username, password), verify='/path/to/ssl_certificate')
    auth_headers = r.headers
    auth_token = auth_headers.get('X-auth-access-token')
    if auth_token is None:
        print("auth_token not found. Exiting...")
        sys.exit()
except Exception as err:
    print("Error in generating auth token --> " + str(err))
    sys.exit()

headers['X-auth-access-token'] = auth_token

api_path = "/api/fmc_platform/v1/info/serverversion"    # param
url = server + api_path
if url[-1] == '/':
    url = url[:-1]

# GET OPERATION

try:
    # REST call with SSL verification turned off:
    r = requests.get(url, headers=headers, verify=False)
    # REST call with SSL verification turned on:
    # r = requests.get(url, headers=headers, verify='/path/to/ssl_certificate')
    status_code = r.status_code
    resp = r.text
    if status_code == 200:
        print(timestamp)
        json_resp = json.loads(resp)
        pretty = json.dumps(json_resp, sort_keys=True, indent=4, separators=(',', ': '))
        print(pretty)
        # Append the dated output to the file so one file accumulates every run
        with open('FMC_Info.txt', 'a+') as file:
            file.write(timestamp + "\n")
            file.write(pretty + "\n")
    else:
        print("Error occurred in GET --> " + resp)
        r.raise_for_status()
except requests.exceptions.HTTPError as err:
    print("Error in connection --> " + str(err))
finally:
    if r:
        r.close()
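One way to tie the API reply back to the original question, as an added example that is not code from this thread or from Cisco's generated script: it fetches serverversion with TLS verification on, reduces the response to the fields that must match at restore time, appends one dated JSON line per backup run, and reports any mismatch between a stored record and the target FMC before a restore is attempted. The field names serverVersion, vdbVersion and sruVersion are assumed from the FMC platform API, the sample response is constructed, and the server, account and CA-bundle values are placeholders.

```python
import json
from datetime import date

# Field names assumed from the FMC platform API's serverversion object (not from the thread).
VERSION_KEYS = ("serverVersion", "vdbVersion", "sruVersion")


def fetch_serverversion(server, username, password, ca_bundle):
    """Get a token from generatetoken, then GET serverversion, verifying TLS against ca_bundle."""
    import requests  # imported here so the rest of the module runs without network access
    auth = requests.post(server + "/api/fmc_platform/v1/auth/generatetoken",
                         auth=(username, password), verify=ca_bundle, timeout=30)
    auth.raise_for_status()
    token = auth.headers["X-auth-access-token"]
    resp = requests.get(server + "/api/fmc_platform/v1/info/serverversion",
                        headers={"X-auth-access-token": token}, verify=ca_bundle, timeout=30)
    resp.raise_for_status()
    return resp.json()


def version_record(serverversion_json, taken_on):
    """Reduce the API response to the fields that must match at restore time, dated by backup run."""
    item = serverversion_json["items"][0]
    record = {key: item.get(key) for key in VERSION_KEYS}
    record["taken_on"] = taken_on  # e.g. "2020-03-03", the night the backup job ran
    return record


def append_record(path, record):
    """Append one JSON line per run so a single file accumulates the history."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")


def restore_mismatches(backup_record, target_record):
    """Return {field: (backup value, target value)} for every version that differs."""
    return {key: (backup_record.get(key), target_record.get(key))
            for key in VERSION_KEYS if backup_record.get(key) != target_record.get(key)}


# Constructed sample response (not real FMC output) so the functions can be exercised offline.
SAMPLE_RESPONSE = {"items": [{"type": "ServerVersion", "serverVersion": "6.5.0 (build 115)",
                              "vdbVersion": "build 329", "sruVersion": "2020-03-01-001-vrt",
                              "geoVersion": "2020-03-02-001"}]}

if __name__ == "__main__":
    # Placeholders: replace with the FMC address, an API account and the FMC's CA certificate path.
    live = fetch_serverversion("https://FMC_ADDRESS", "api_user", "api_password", "/path/to/fmc_ca.pem")
    append_record("FMC_Info.jsonl", version_record(live, date.today().isoformat()))
```

Schedule the script at the same hour as the backup job; before a restore, run restore_mismatches on the backup's line and a fresh record from the target and stop if the result is not empty.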

