01-22-2024 12:42 AM
We have many different firewalls; all the types I have worked on have two options for configuration, GUI or CLI.
But in Cisco FTD there is no CLI option, which makes it very hard to add a long object or a dynamic template, for example.
Is there any solution for this weak point?
Thanks
01-22-2024 01:21 AM
@Sudqi, no, you cannot push configuration from the CLI. You do have the option to use dynamic objects, which can be uploaded via the REST API and do not require a policy to be pushed.
https://integratingit.wordpress.com/2021/06/19/ftd-dynamic-objects/
https://www.youtube.com/watch?v=Azvc7HR_cmo
01-22-2024 01:33 AM
Thanks Rob,
I mean the long object-group and the dynamic template, and these are just examples. I need to know the value of denying CLI configuration in the FTD?
01-22-2024 05:50 AM
It is possible to configure the FTD from the CLI; however, this is only useful for small configuration changes, for example adding a static route in the instance where an incorrect static route is deployed from the FMC and access between the FMC and FTD has been lost. In these cases you would also be required to make the same changes in the FMC GUI, as this configuration will be overwritten during the next deployment push.
You can use the API to add these objects to the FTD (https://<FMC IP>/api/api-explorer), or you can use the import Network Objects option in the GUI under Objects > Network and click on Add Network.
01-22-2024 10:32 PM
Unfortunately, Marius, this import method imports objects, not an object group, so if we have 10,000 lines there will be 10,000 objects.
01-23-2024 03:41 AM
Then your only option would be to use API to do this.
Here is a script you can use as a starting point for adding an object group to the FMC. You will need to add some logic to it to parse through your object group and add it to the _object dictionary as needed. You will also need to update the DOMAIN_UUID value to the FMC domain UUID.
As always, before using the script in your production environment be sure to test it in a lab to make sure it does what you are expecting it to do.
#!/usr/bin/env python3
import json
import sys
import requests
from requests.auth import HTTPBasicAuth
import urllib3

# FMC connection details. Placeholders: replace with your FMC address and an
# API-capable account (ideally a dedicated, least-privilege FMC user).
address = "10.10.10.10"
username = "user"
password = "password"
# Domain the object group is created in. This is the default Global domain
# UUID; update it if your FMC uses sub-domains.
DOMAIN_UUID = "e276abec-e0f2-11e3-8169-6d9ed49b625f"
headers = {'Content-Type': 'application/json'}

# verify=False accepts the FMC's self-signed certificate but disables TLS
# certificate verification. Outside a lab, set verify to the path of the FMC
# CA bundle instead so an on-path attacker cannot capture the API credentials.
verify = False
if not verify:
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def get_auth_token(address, username, password):
    """Exchange username/password for the X-auth tokens the FMC API expects."""
    try:
        _api_uri = "/api/fmc_platform/v1/auth/generatetoken"
        _url = "https://" + address + _api_uri
        _response = requests.request("POST", _url, verify=verify, auth=HTTPBasicAuth(username, password))
        accesstoken = _response.headers["X-auth-access-token"]
        refreshtoken = _response.headers["X-auth-refresh-token"]
        domain_uuid = _response.headers["DOMAIN_UUID"]
        return {"X-auth-access-token": accesstoken, "X-auth-refresh-token": refreshtoken, "DOMAIN_UUID": domain_uuid}
    except Exception as err:
        # A 401 (bad credentials) shows up here as a missing header (KeyError).
        print("Error in generating auth token --> " + str(err))
        sys.exit(1)


def send_data(action, api_uri, rule_data):
    """Send rule_data as JSON with the given HTTP method and print the FMC reply."""
    try:
        _url = api_uri
        _response = requests.request(f"{action}", _url, data=json.dumps(rule_data), verify=verify, headers=headers)
        _status_code = _response.status_code
        _resp = _response.text
        json_rest = json.loads(_resp)
        print(json.dumps(json_rest, sort_keys=True, indent=4, separators=(",", ": ")))
        print()
        if _status_code == 201 or _status_code == 202:
            print(f"### {action} successful #### ")
            print()
        else:
            _response.raise_for_status()
            print(f"Error occurred in {action} --> " + _resp)
            print()
    # RequestException covers HTTP errors and connection failures; ValueError
    # covers a non-JSON error body (e.g. an HTML 401 page).
    except (requests.exceptions.RequestException, ValueError) as _err:
        print("Error in connection --> " + str(_err))
        print()


def objectGroup():
    """Build the NetworkGroup body. 'literals' are inline addresses; 'objects'
    reference existing FMC objects by id (the ids below are placeholders)."""
    _object = {
        "name": "NewObjectGroup",
        "type": "NetworkGroup",
        "literals": [
            {"type": "Network",
             "value": "1.2.3.0/24"
             },
            {
                "type": "Host",
                "value": "1.2.3.4"
            }
        ],
        "objects": [
            {
                "type": "Network",
                "id": "1dcefdd8-07f7-438a-9221-97d63710614e"
            },
            {
                "type": "Host",
                "id": "04ea3f1f-f5a9-4eca-b051-487ebeb4c97f"
            }
        ]
    }
    return _object


#############
# MAIN CODE #
#############
response = get_auth_token(address, username, password)
headers["X-auth-access-token"] = response["X-auth-access-token"]
headers["X-auth-refresh-token"] = response["X-auth-refresh-token"]
netObjGrp_url = f"https://{address}/api/fmc_config/v1/domain/{DOMAIN_UUID}/object/networkgroups"
send_data("POST", netObjGrp_url, objectGroup())
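The missing piece in the script above is the "logic to parse through your object group": turning a long object-group from another firewall into the single `literals`/`objects` body the FMC networkgroups endpoint expects, so 10,000 entries become one NetworkGroup instead of 10,000 individual objects. The following is an added example for this thread, not Marius's code and not Cisco code. It assumes the source is ASA/FTD `object-group network` CLI syntax (hosts, dotted-mask networks, CIDR/IPv6 prefixes, `network-object object` and `group-object` references); the sample group, the `KNOWN_OBJECTS` name-to-id map and its placeholder UUID are constructed for the example, and in practice that map would be built from GET calls to the FMC object endpoints. The returned dict can be passed to `send_data("POST", netObjGrp_url, ...)` in place of `objectGroup()`.

```python
#!/usr/bin/env python3
"""Build one FMC NetworkGroup request body from an ASA-style object-group.

Added example (not from the thread, not Cisco code). Input is assumed to be
'object-group network' CLI syntax; output is the body layout the FMC
networkgroups endpoint accepts: address literals (Host / Network) plus
references to existing objects by type and id.
"""
import ipaddress
import json

# Constructed sample input using documentation address ranges.
SAMPLE_OBJECT_GROUP = """\
object-group network WEB_SERVERS
 description Front-end web servers
 network-object host 192.0.2.10
 network-object host 192.0.2.11
 network-object 198.51.100.0 255.255.255.0
 network-object 2001:db8::/48
 network-object object SHARED_DMZ
"""

# Hypothetical name -> {type, id} map for 'network-object object X' and
# 'group-object X' lines. On a real FMC, build it from GET /object/networks,
# /object/hosts and /object/networkgroups; the id here is a placeholder.
KNOWN_OBJECTS = {
    "SHARED_DMZ": {"type": "Network", "id": "00000000-0000-0000-0000-000000000001"},
}


def _network_literal(address, mask=None):
    """Return an FMC Network literal in CIDR form.

    strict=False tolerates host bits set in the address, which ASA accepts.
    """
    spec = address if mask is None else f"{address}/{mask}"
    return {"type": "Network", "value": str(ipaddress.ip_network(spec, strict=False))}


def parse_asa_object_group(text, known_objects):
    """Parse one 'object-group network' block into an FMC NetworkGroup dict.

    Raises ValueError (with the line number) on syntax it does not understand
    and on referenced objects missing from known_objects, so a bad line in a
    10,000-entry group fails before anything is POSTed to the FMC.
    """
    group, literals, objects, unresolved = None, [], [], []

    def add_reference(name):
        ref = known_objects.get(name)
        # Known names go to 'objects' as {type, id}; unknown names are collected.
        (objects if ref else unresolved).append(ref or name)

    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens:
            continue
        try:
            if tokens[:2] == ["object-group", "network"] and len(tokens) == 3:
                if group is not None:
                    raise ValueError("second object-group header; feed one group at a time")
                group = {"name": tokens[2], "type": "NetworkGroup"}
            elif group is None:
                raise ValueError("entry before the 'object-group network' header")
            elif tokens[0] == "description":
                group["description"] = " ".join(tokens[1:])
            elif tokens[0] == "network-object" and len(tokens) == 3 and tokens[1] == "host":
                literals.append({"type": "Host", "value": str(ipaddress.ip_address(tokens[2]))})
            elif tokens[0] == "network-object" and len(tokens) == 3 and tokens[1] == "object":
                add_reference(tokens[2])
            elif tokens[0] == "network-object" and len(tokens) == 2:   # CIDR or IPv6 prefix
                literals.append(_network_literal(tokens[1]))
            elif tokens[0] == "network-object" and len(tokens) == 3:   # address + dotted mask
                literals.append(_network_literal(tokens[1], tokens[2]))
            elif tokens[0] == "group-object" and len(tokens) == 2:     # nested group
                add_reference(tokens[1])
            else:
                raise ValueError(f"unsupported line: {raw.strip()!r}")
        except ValueError as err:
            raise ValueError(f"line {lineno}: {err}") from None

    if group is None:
        raise ValueError("no 'object-group network' header found")
    if unresolved:
        raise ValueError(f"unresolved object references: {sorted(set(unresolved))}")
    group["literals"] = literals
    group["objects"] = objects
    return group


if __name__ == "__main__":
    body = parse_asa_object_group(SAMPLE_OBJECT_GROUP, KNOWN_OBJECTS)
    # This dict is what the script above would pass to send_data("POST", ...).
    print(json.dumps(body, indent=4))
```

Resolving `network-object object` references before the POST matters because the FMC rejects the whole group if one referenced id is wrong, and with thousands of entries you want to learn that from a line number locally rather than from a 4xx response.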
01-22-2024 05:56 AM
01-22-2024 06:55 AM
You may also find CSDAC useful, depending on your use case.
https://secure.cisco.com/secure-firewall/docs/cisco-secure-dynamic-attribute-connector