12-08-2020 03:12 AM - edited 12-08-2020 03:13 AM
Hello Experts,
I would like to know if it is possible to create access policy rules using NSO (CLI preferably) and the respective FMC NED.
Should, as with the FMC REST API, all objects used in the access rules be referenced via their object IDs, or can you use object names (and leave the name-to-object-ID translation to NSO)?
Any config examples are welcomed.
Thanks a lot
12-08-2020 05:49 AM
You reference all objects using their names and the NED handles the translation of object names to FMC object IDs for you. Below is an example of an FMC access rule from an NSO show run:
devices device lab-fmc
 config
  cisco-fmc:policy accesspolicies Lab_Policy
   categories "Internet Access"
    accessrules "General Internet Access"
     category        "Internet Access"
     action          ALLOW
     sendEventsToFMC false
     logFiles        false
     logBegin        false
     logEnd          false
     variableSet name Default-Set
     sourceZones objects Lab
     !
     destinationPorts objects DNS
      type PortObjectGroup
     !
     destinationPorts objects HTTP
      protocol TCP
      type     ProtocolPortObject
     !
     destinationPorts objects HTTPS
      protocol TCP
      type     ProtocolPortObject
     !
     destinationPorts objects NTP-TCP
      protocol TCP
      type     ProtocolPortObject
     !
     destinationPorts objects NTP-UDP
      protocol UDP
      type     ProtocolPortObject
     !
     destinationPorts objects icmp-any
      type ICMPV4Object
     !
     destinationZones objects UNTRUST
     !
     sourceNetworks objects Lab
      type Network
     !
     destinationNetworks objects any-ipv4
      type Network
     !
     enabled
    !
   !
  !
 !
!
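The show run above is the stored result; the following is an added example (not part of the reply) of entering an equivalent, reduced rule from the NSO C-style CLI in config mode. It assumes the same device name lab-fmc and reuses the cisco-fmc NED paths exactly as they appear in the show run; the object names (Lab, UNTRUST, any-ipv4, HTTPS, DNS) are assumed to already exist on the FMC, since the NED resolves names to FMC object IDs at commit time. The rule is deliberately cut down to HTTPS and DNS as a constructed subset; prompts are omitted so the lines can be pasted as-is.

```text
config
devices device lab-fmc config
cisco-fmc:policy accesspolicies Lab_Policy categories "Internet Access" accessrules "General Internet Access"
category "Internet Access"
action ALLOW
enabled
variableSet name Default-Set
sourceZones objects Lab
exit
destinationZones objects UNTRUST
exit
sourceNetworks objects Lab
 type Network
exit
destinationNetworks objects any-ipv4
 type Network
exit
destinationPorts objects HTTPS
 protocol TCP
 type ProtocolPortObject
exit
destinationPorts objects DNS
 type PortObjectGroup
exit
top
commit dry-run outformat native
commit
```

`commit dry-run outformat native` is the check worth running every time: it prints what the NED would send to the FMC for this transaction without touching the device, so you can confirm the rule lands in the intended policy and category and references the intended objects (the `type` leaves matter here, because the NED looks the name up as that object type) before the real `commit`.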