I am pleased to share a script that I have created to emulate the Time-Based Access Lists (ACL) functionality on Cisco Firepower Threat Defense (FTD) using the APIs available in Cisco Firepower Management Center (FMC). This can be used until the feature is available natively into the later versions of FTD/FMC.
This script - called as tba.py is a Python Script. It is available for download as an attachment from the bottom of this page.
How does it work:
- The user creates a text file containing the list of Policy Name, Rule ID and enable/disable timestamps.
- This script runs every 1 minute as a cronjob / scheduled task. It reads the file created by the user, checks if a rule is supposed to be enabled or disabled. If yes, then it makes the change on FMC by making the API calls. Then it pushes the Policy Changes onto the affected NGFW devices by triggering a Policy Deployment for those devices.
- Additionally, the script reports all its Activities and Errors to an Audit Log file. There are various error handling and reporting functions built in the script. The script can also send out an email notification after making any Policy updates.
What are the Dependencies / Requirements:
- Run this script on any separate host that has reachability to FMC via HTTPS for Management. Currently, it has been tested on Linux (however any OS should be fine as long as it has Python & the required Python modules installed).
- This script has been tested on Python 3.6, however it should work fine on any recent version of Python 3 or Python 2
- It requires Python 'requests' module. This can be installed by executing the command "python -m pip install requests" on the CLI of the host where you will be running this script after installing Python.
- Create a new user on FMC specifically for executing this script. This user must have the Read-Write Privilege to Modify the required the Access Policies to enable/disable a particular rule, and this user must have the Privilege to Deploy the Policies on the NGFW devices. In case if you want to do manual deployment of the policy updates done by this script, then you will not need the Deploy Privilege for this user.
Which FMC / FTD softwares versions are supported:
This script is created and tested on FMC version 6.2.2.x. The script makes API calls to the FMC only. So anything above FMC 6.2.2 and above should be fine.
The script does not talk to FTD device, hence its version does not matter.
What are the Inputs required:
The script will require the user to update the following variables inside the script BEFORE executing it for the first time.
fmc_hostname = "x.x.x.x" # REQUIRED - Provide the IP or Hostname of FMC.
fmc_username = "xxxx" # REQUIRED - Create a new user on FMC specifically for executing this script. DO NOT keep it same as your regular FMC user account.
fmc_password = "xxxx" # REQUIRED -
domain_in_fmc = "Global" # REQUIRED - FMC Management Domain. Leave it as it is, if you do not know what this is.
smtp_server = 'smtp.mydomain.com:25' # OPTIONAL - provide this if you want email notifications about policy changes done by this script. Make it blank otherwise
sender = 'no-reply@mydomain.com' # OPTIONAL - provide this if you want email notifications about policy changes done by this script. Make it blank otherwise
receivers = ['securityadmin@mydomain.com'] # OPTIONAL - note the [] brackets in this one. do not delete them
deploy_policy_changes_automatically = 1 # REQUIRED - 1 = automatic / 0 = manual, policy deployment to devices
The script will further require the user create a file named - tba-db.txt This file will contain the list of Policy Name, Rule ID and enable/disable timestamps for the Rules which the user wants to enable/disable at a particular pre-defined time. If you run the script without creating this file, then the script will create a sample file for you with simple documentation inside it around how to proceed further.
Here is how the tba-db.txt file would look like in production:
ADD YOUR TIME BASED ACL DETAILS HERE IN THE BELOW SYNTAX:
<ENABLE Date in YYYY-MM-DD HH:MM> #### <DISABLE Date in YYYY-MM-DD HH:MM> #### "<Policy Name>" #### <Rule ID>
FOR EXAMPLE:
2018-03-25 00:00 #### 2018-04-24 23:59 #### "PFW Policy" #### 55
2018-03-25 00:00 #### 2018-04-24 23:59 #### "PFW Policy" #### 88
2018-03-30 00:00 #### 2018-04-31 23:59 #### "PFW Policy" #### 100
NOTE: IT IS ASSUMED THAT YOU HAVE ALREADY CREATED THE POLICIES AND RULES IN FMC BEFORE ADDING THEM HERE.
-----------
THE RULE NAME, POLICY UUID AND RULE UUID WILL BE AUTO-POPULATED WHEN YOU EXECUTE THE TBA.PY SCRIPT. THEN THE SAME FILE WILL LOOK LIKE:
<ENABLE Date in YYYY-MM-DD HH:MM> #### <DISABLE Date in YYYY-MM-DD HH:MM> #### "<Policy Name>" #### <Rule ID> #### "<Rule Name - auto-populated>" #### <Policy UUID - auto-populated> #### <Rule UUID - auto-populated>
FOR EXAMPLE:
2018-03-25 00:00 #### 2018-04-24 23:59 #### "PFW Policy" #### 55 #### "Debug Rule - Ref CHG10861" #### 0050568E-5C8B-0ed3-0000-146028897141 #### 0050568E-5C8B-0ed3-0000-000268437508
-----------
FOR ADDING ANY NEW RULE, JUST FOLLOW THE SIMPLE SYNTAX GIVEN IN THE BEGINNING.
FOR REMOVING ANY NEW RULE, JUST DELETE THE WHOLE RULE LINE.
FOR MAKING ANY EDITS TO AN EXISTING RULE, SIMPLY UPDATE THE START TIME / END TIME. DO NOT CHANGE ANYTHING ELSE.
ADD YOUR CONTENT BELOW THIS HASHED LINE ONLY
###########################################################################################
2018-04-01 00:00 #### 2018-04-10 23:59 #### "DMZ FW Policy" #### 100
2018-04-01 00:00 #### 2018-04-10 23:59 #### "DMZ FW Policy" #### 101
2018-04-01 00:00 #### 2018-04-10 23:59 #### "DMZ FW Policy" #### 102
2018-04-02 00:00 #### 2018-04-11 23:59 #### "Data Center FW Policy" #### 200
2018-04-03 09:00 #### 2018-04-12 17:59 #### "Data Center FW Policy" #### 201
2018-04-03 09:00 #### 2018-04-12 17:59 #### "Data Center FW Policy" #### 202
When you run the script, it pulls up the UUIDs of the above Access Policies and Rules. All the updates in FMC are done using these UUIDs. UUID is an automatically generated unique identifier of any entity like Access Policy, Access Rule, Network Object and more inside the FMC.
Using UUIDs ensure that a different Rule is not accidentally enabled or disabled by this script in case if the Rule ID changes anytime due to any Rule Addition / Deletion done by the user directly in FMC.
Where can I track the activities of this script:
The script documents all its Activities and Errors, if any, in a log file named - tba-audit.log file. This log file can be found in the same directory where the script is saved. Keep the script and the rules file in the same directory.
How to use this script:
- Install the pre-requisites as mentioned in the above section.
- Save the Script (tba.py) and the Rules File (tba-db.txt) in the directory of your choice.
- Modify the script and add the variables FMC hostname, username, password, etc as mentioned in the above section
- Update the Rules File and add the details in the syntax as mentioned in the above section
- Execute the script once manually to test that it is working fine
- Add the script as a CronJob in case of Linux / Mac or Scheduled Task in case of Windows. The script should be invoked EVERY 1 MINUTE. All the activities of the script can be viewed in the tba-audit.log file. The user may receive email notifications if email details are configured in the script.
- The Rules File (tba-db.txt) can be updated at any point of time. Any entries due to syntax error or due to the deletion of the Rule from FMC will be automatically commented out in the Rules File and reported in the Log file.
How to add a CronJob for this script:
The CronJob for this script can be added just like you do for any other script or task. No special privileges are required for this. Even a non-admin user can add a CronJob.
Here is an article for reference - How do I set up a Cron job? - Ask Ubuntu
Here is the line that he would need to add for this script:
* * * * * /usr/bin/python3 /absolute_full_path/tba.py > /dev/null
Where can I get Support / Can I make any changes to this script:
This script is available for use to everyone in 'AS-IS' basis WITHOUT any form of support on the script itself. The user is free to make any modifications to the script code as required. It is strongly advised to test the script in a lab environment before using it in production. Also it is strongly advised to take periodic configuration backups before making any changes on the FMC through external medium like API calls. That will make it easier to restore in case if any undesired change happens.
I would like to explicitly call out and thank plakatos and neipatel for their useful inputs and for their attempts to create the initial versions of this. Also I would like to thank @hevyapan for providing an update with support added to deploy the same on Firewalls configured as High Availability (HA) pairs.
Hope the script is useful.
PS: 14/Dec/2018 - Updated the script with support added to deploy the same on Firewalls configured as High Availability (HA) pairs.