I am pleased to share a script that I have created to emulate the Time-Based Access List (ACL) functionality on Cisco Firepower Threat Defense (FTD) using the APIs available in Cisco Firepower Management Center (FMC). This can be used until the feature is available natively in later versions of FTD/FMC.
This script, called tba.py, is a Python script. It is available for download as an attachment at the bottom of this page.
How does it work:
What are the Dependencies / Requirements:
Which FMC / FTD software versions are supported:
This script was created and tested on FMC version 6.2.2.x. The script makes API calls to the FMC only, so FMC 6.2.2 and above should be fine.
The script does not talk to the FTD device, hence its version does not matter.
What are the Inputs required:
The script will require the user to update the following variables inside the script BEFORE executing it for the first time.
fmc_hostname = "x.x.x.x" # REQUIRED - Provide the IP or Hostname of FMC.
fmc_username = "xxxx" # REQUIRED - Create a new user on FMC specifically for executing this script. DO NOT keep it the same as your regular FMC user account.
fmc_password = "xxxx" # REQUIRED -
domain_in_fmc = "Global" # REQUIRED - FMC Management Domain. Leave it as it is if you do not know what this is.
smtp_server = 'smtp.mydomain.com:25' # OPTIONAL - provide this if you want email notifications about policy changes done by this script. Make it blank otherwise.
sender = 'no-reply@mydomain.com' # OPTIONAL - provide this if you want email notifications about policy changes done by this script. Make it blank otherwise.
receivers = ['securityadmin@mydomain.com'] # OPTIONAL - note the [] brackets in this one. Do not delete them.
deploy_policy_changes_automatically = 1 # REQUIRED - 1 = automatic / 0 = manual, policy deployment to devices
The script will further require the user to create a file named tba-db.txt. This file will contain the list of Policy Name, Rule ID and enable/disable timestamps for the rules which the user wants to enable/disable at a particular pre-defined time. If you run the script without creating this file, the script will create a sample file for you with simple documentation inside it on how to proceed further.
Here is how the tba-db.txt file would look in production:
ADD YOUR TIME BASED ACL DETAILS HERE IN THE BELOW SYNTAX:
<ENABLE Date in YYYY-MM-DD HH:MM> #### <DISABLE Date in YYYY-MM-DD HH:MM> #### "<Policy Name>" #### <Rule ID>
FOR EXAMPLE:
2018-03-25 00:00 #### 2018-04-24 23:59 #### "PFW Policy" #### 55
2018-03-25 00:00 #### 2018-04-24 23:59 #### "PFW Policy" #### 88
2018-03-30 00:00 #### 2018-04-31 23:59 #### "PFW Policy" #### 100
NOTE: IT IS ASSUMED THAT YOU HAVE ALREADY CREATED THE POLICIES AND RULES IN FMC BEFORE ADDING THEM HERE.
-----------
THE RULE NAME, POLICY UUID AND RULE UUID WILL BE AUTO-POPULATED WHEN YOU EXECUTE THE TBA.PY SCRIPT. THEN THE SAME FILE WILL LOOK LIKE:
<ENABLE Date in YYYY-MM-DD HH:MM> #### <DISABLE Date in YYYY-MM-DD HH:MM> #### "<Policy Name>" #### <Rule ID> #### "<Rule Name - auto-populated>" #### <Policy UUID - auto-populated> #### <Rule UUID - auto-populated>
FOR EXAMPLE:
2018-03-25 00:00 #### 2018-04-24 23:59 #### "PFW Policy" #### 55 #### "Debug Rule - Ref CHG10861" #### 0050568E-5C8B-0ed3-0000-146028897141 #### 0050568E-5C8B-0ed3-0000-000268437508
-----------
FOR ADDING ANY NEW RULE, JUST FOLLOW THE SIMPLE SYNTAX GIVEN IN THE BEGINNING.
FOR REMOVING ANY NEW RULE, JUST DELETE THE WHOLE RULE LINE.
FOR MAKING ANY EDITS TO AN EXISTING RULE, SIMPLY UPDATE THE START TIME / END TIME. DO NOT CHANGE ANYTHING ELSE.
ADD YOUR CONTENT BELOW THIS HASHED LINE ONLY
###########################################################################################
2018-04-01 00:00 #### 2018-04-10 23:59 #### "DMZ FW Policy" #### 100
2018-04-01 00:00 #### 2018-04-10 23:59 #### "DMZ FW Policy" #### 101
2018-04-01 00:00 #### 2018-04-10 23:59 #### "DMZ FW Policy" #### 102
2018-04-02 00:00 #### 2018-04-11 23:59 #### "Data Center FW Policy" #### 200
2018-04-03 09:00 #### 2018-04-12 17:59 #### "Data Center FW Policy" #### 201
2018-04-03 09:00 #### 2018-04-12 17:59 #### "Data Center FW Policy" #### 202
When you run the script, it pulls up the UUIDs of the above Access Policies and Rules. All updates in FMC are done using these UUIDs. A UUID is an automatically generated unique identifier of any entity inside the FMC, such as an Access Policy, Access Rule or Network Object.
Using UUIDs ensures that a different rule is not accidentally enabled or disabled by this script if the Rule ID changes at any time due to a rule addition / deletion done by the user directly in FMC.
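As an added example (not the tba.py script attached to this post), the Python below parses tba-db.txt in both its user-written 4-column form and its auto-populated 7-column form and works out which rules should be enabled at a given time. It rejects malformed lines (bad dates, wrong column count, disable time before enable time) instead of acting on them, which is the check you want before anything touches policy. The sample file content and the UUIDs in it are constructed placeholders.

```python
from datetime import datetime

SEP, TS_FMT = "####", "%Y-%m-%d %H:%M"

def parse_tba_db(text):
    """Return (entries, errors); only lines below the all-hash marker count."""
    entries, errors, in_body = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not in_body:
            in_body = bool(line) and set(line) == {"#"}  # marker is all '#'
            continue
        if not line:
            continue
        fields = [f.strip() for f in line.split(SEP)]
        if len(fields) not in (4, 7):  # 4 = user-written, 7 = auto-populated
            errors.append((lineno, "expected 4 or 7 fields, got %d" % len(fields)))
            continue
        try:
            enable = datetime.strptime(fields[0], TS_FMT)
            disable = datetime.strptime(fields[1], TS_FMT)
            rule_id = int(fields[3])
        except ValueError as exc:  # e.g. "day is out of range for month"
            errors.append((lineno, str(exc)))
            continue
        if disable <= enable:
            errors.append((lineno, "disable time is not after enable time"))
            continue
        auto = fields[4:] if len(fields) == 7 else [None, None, None]
        entries.append({"enable": enable, "disable": disable,
                        "policy": fields[2].strip('"'), "rule_id": rule_id,
                        # auto-populated columns are absent until tba.py fills them
                        "rule_name": auto[0].strip('"') if auto[0] else None,
                        "policy_uuid": auto[1], "rule_uuid": auto[2]})
    return entries, errors

def rules_enabled_at(entries, ts):
    """(policy, rule_id) pairs whose window contains ts ('YYYY-MM-DD HH:MM')."""
    now = datetime.strptime(ts, TS_FMT)
    return sorted((e["policy"], e["rule_id"]) for e in entries
                  if e["enable"] <= now <= e["disable"])

# Constructed sample (placeholder UUIDs); the last data line has an invalid date.
SAMPLE = """ADD YOUR CONTENT BELOW THIS HASHED LINE ONLY
##############################
2018-04-01 00:00 #### 2018-04-10 23:59 #### "DMZ FW Policy" #### 100
2018-04-03 09:00 #### 2018-04-12 17:59 #### "Data Center FW Policy" #### 201 #### "Vendor access" #### 00000000-0000-0000-0000-000000000001 #### 00000000-0000-0000-0000-000000000002
2018-03-30 00:00 #### 2018-04-31 23:59 #### "PFW Policy" #### 100
"""
```

Anything reported in errors belongs in tba-audit.log rather than being silently skipped, since a skipped line means a rule stays in whatever state it was last left in.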
Where can I track the activities of this script:
The script documents all its activities and errors, if any, in a log file named tba-audit.log. This log file can be found in the same directory where the script is saved. Keep the script and the rules file in the same directory.
How to use this script:
How to add a CronJob for this script:
The CronJob for this script can be added just like you do for any other script or task. No special privileges are required for this. Even a non-admin user can add a CronJob.
Here is an article for reference - How do I set up a Cron job? - Ask Ubuntu
Here is the line that you would need to add for this script:
* * * * * /usr/bin/python3 /absolute_full_path/tba.py > /dev/null
Where can I get Support / Can I make any changes to this script:
This script is available for use by everyone on an 'AS-IS' basis WITHOUT any form of support on the script itself. The user is free to make any modifications to the script code as required. It is strongly advised to test the script in a lab environment before using it in production. It is also strongly advised to take periodic configuration backups before making any changes on the FMC through an external medium like API calls. That will make it easier to restore in case any undesired change happens.
I would like to explicitly call out and thank plakatos and neipatel for their useful inputs and for their attempts to create the initial versions of this. I would also like to thank @hevyapan for providing an update with support added to deploy the same on Firewalls configured as High Availability (HA) pairs.
Hope the script is useful.
PS: 14/Dec/2018 - Updated the script with support added to deploy the same on Firewalls configured as High Availability (HA) pairs.