
FMC (API based tool): Merge Two Access Control Policy's Rules Into One


Problem

Firepower Management Center can hold multiple access control policies, and there is currently no built-in facility to merge the rules of two access control policies into one. Newer FMC releases do offer nested access control policies, where a child policy inherits rules and settings from a parent (base) policy, but that is inheritance, not a merge.

Use Case:

Many customers use the Firepower Migration Tool to bring an existing device configuration into FMC. Once the migration succeeds, FMC creates a separate Access Control Policy. Customers asked for a way to merge the existing ACP's rules into the new one (or vice versa) for simpler management.

[Image: fmc.png]

Solution

Anupam and I created a script which merges the 2nd Access Control Policy's rules into 1st Access Control Policy.

The script is attached to this document.


Here's an example from the lab that explains the prerequisites, how to use the script, and the resulting rules.

Goal: FMC has two access control policies, Major_Policy and Minor_Policy. The task is to copy Minor_Policy's rules into Major_Policy.


1) Preparation:


Step 1: Download the script to your PC

Step 2: Make sure Python is installed on the PC and that it can reach the FMC on TCP port 443

Step 3: Make sure the REST API is enabled on FMC (System -> Configuration -> REST API Preferences -> Enable REST API)

Step 4: Create a separate FMC user for the script to use during execution

Step 5: Make sure the script has execute permission (this applies specifically if you're running it from a Linux machine)


2) Execution:

$ python merge_acp.py


###########################################################
# ACCESS CONTROL POLICY MERGING SCRIPT #
###########################################################
Enter the device IP address: 10.197.212.213
Enter the username of the FMC( recommended to have a seperate API User):api
Enter the password of the FMC:
###########################################################
# ACCESS CONTROL POLICY LIST #
###########################################################
1 aaa
2 ACP_URL
3 Demo_Policy
4 FTDv_ACP
5 Major_Policy
6 Minor_Policy
7 Repro_ACP
###########################################################
Choose the First ACP Number (integer value):5
Choose the Second ACP Number (integer value):6
###########################################################
Rules of ACP Minor_Policy will be added to Major_Policy
###########################################################
Enter Section (mandatory | default) or category name : mandatory
###########################################################
Retriving all rules from ACP-1,
Please Wait...!
Retrived all rules from ACP-1
Number of rules in ACP-1: 11
###########################################################
Retriving all rules,
Please Wait...!
Retrived all rules from ACP-2
Numer of duplicate rule name: 1
Number of rules in ACP-2: 1
###########################################################
auth token--> 6e32b66b-8a41-492a-9db7-377bf9c95349
refresh token--> 7ee68250-1f00-4ba5-8c12-2b98615b02d9
Successfully refreshed authorization token
###########################################################
Posting rule, please wait!
Post was successful!
###########################################################
$


Script execution was successful and Minor_Policy's rules are merged into Major_Policy's Default Section.
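To make the workflow above concrete, here is an added example that walks through the same steps against the FMC REST API using only the Python standard library. It is not the script attached to this post. The endpoints (generatetoken, refreshtoken, accesspolicies, accessrules with the section query parameter) are the documented FMC ones; the list of read-only keys stripped from a copied rule, the handling of duplicate rule names (the copied rule gets a "_merged" suffix, because rule names must be unique within a policy and the attached script only reports the count), and the policy names Major_Policy and Minor_Policy in the main block are this example's assumptions. Unlike the sample run above, the tokens are never echoed to the terminal.

```python
import base64
import json
import ssl
import urllib.request

# Documented FMC REST API paths.
TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
REFRESH_PATH = "/api/fmc_platform/v1/auth/refreshtoken"
ACP_PATH = "/api/fmc_config/v1/domain/{domain}/policy/accesspolicies"
RULES_PATH = ACP_PATH + "/{policy_id}/accessrules"

# Assumption: server-managed fields that must not be sent when a rule is POSTed
# into another policy.
READ_ONLY_KEYS = ("id", "metadata", "links")


def get_token(host, user, password, ctx=None):
    """POST to generatetoken with HTTP basic auth; FMC returns the tokens and the
    domain UUID as response headers. Returns (access, refresh, domain_uuid)."""
    # A lab FMC with a self-signed certificate needs its CA added to ctx rather
    # than verification switched off.
    ctx = ctx or ssl.create_default_context()
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{host}{TOKEN_PATH}", method="POST",
                                 headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        h = resp.headers
        return h["X-auth-access-token"], h["X-auth-refresh-token"], h["DOMAIN_UUID"]


def refresh_token(host, access, refresh, ctx=None):
    """Access tokens expire after 30 minutes; present both tokens to refreshtoken
    and FMC answers with a fresh pair in the same headers."""
    req = urllib.request.Request(f"https://{host}{REFRESH_PATH}", method="POST",
                                 headers={"X-auth-access-token": access,
                                          "X-auth-refresh-token": refresh})
    with urllib.request.urlopen(req, context=ctx or ssl.create_default_context()) as resp:
        return resp.headers["X-auth-access-token"], resp.headers["X-auth-refresh-token"]


def api_get_all(host, token, path, ctx=None):
    """GET with expanded=true and follow FMC's paging.next links until exhausted."""
    ctx = ctx or ssl.create_default_context()
    url, items = f"https://{host}{path}?expanded=true&limit=100", []
    while url:
        req = urllib.request.Request(url, headers={"X-auth-access-token": token})
        with urllib.request.urlopen(req, context=ctx) as resp:
            body = json.load(resp)
        items.extend(body.get("items", []))
        nxt = body.get("paging", {}).get("next")
        url = nxt[0] if isinstance(nxt, list) and nxt else nxt
    return items


def sanitize_rule(rule):
    """Drop server-managed keys so the rule body is acceptable for a POST."""
    return {k: v for k, v in rule.items() if k not in READ_ONLY_KEYS}


def plan_merge(src_rules, dst_rules):
    """Build the POST bodies that copy src_rules into the policy holding dst_rules.
    Returns (payloads, duplicate_count); a name clash is resolved with a suffix."""
    taken = {r["name"] for r in dst_rules}
    payloads, duplicates = [], 0
    for rule in src_rules:
        body = sanitize_rule(rule)
        if body["name"] in taken:
            duplicates += 1
            body["name"] = f"{body['name']}_merged"  # assumption, see lead-in
        taken.add(body["name"])
        payloads.append(body)
    return payloads, duplicates


def rules_url(domain, policy_id, section="mandatory"):
    """Target URL; the section query parameter places the rule (mandatory/default)."""
    return RULES_PATH.format(domain=domain, policy_id=policy_id) + f"?section={section}"


def post_rule(host, token, url, body, ctx=None):
    """POST one rule body and return the HTTP status (201 on success)."""
    req = urllib.request.Request(f"https://{host}{url}", data=json.dumps(body).encode(),
                                 method="POST",
                                 headers={"X-auth-access-token": token,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx or ssl.create_default_context()) as resp:
        return resp.status


if __name__ == "__main__":
    import getpass
    host = input("FMC address: ")
    user = input("API user (a dedicated API account is recommended): ")
    access, refresh, domain = get_token(host, user, getpass.getpass("Password: "))
    by_name = {p["name"]: p["id"] for p in api_get_all(host, access, ACP_PATH.format(domain=domain))}
    src = api_get_all(host, access, RULES_PATH.format(domain=domain, policy_id=by_name["Minor_Policy"]))
    dst = api_get_all(host, access, RULES_PATH.format(domain=domain, policy_id=by_name["Major_Policy"]))
    payloads, dup = plan_merge(src, dst)
    print(f"Copying {len(payloads)} rules; {dup} renamed because the name already existed")
    for body in payloads:
        post_rule(host, access, rules_url(domain, by_name["Major_Policy"]), body)
```

The merge planning is kept separate from the HTTP calls so it can be checked offline against rule JSON exported from FMC before anything is written, which is the same "run it on copies first" caution the note below gives. Posting one rule per request is slower than a bulk POST but makes it obvious which rule FMC rejected when a copied body carries an object reference the target policy cannot resolve.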

Please take a look at the screenshots "ACPs before script execution" and "ACP after script execution".

Note: To be on the safe side, create copies of the policies you want to merge and run the script on the copies.

Please use the script and let us know if you run into any issues, or if you have any other improvements in mind.


Thanks @Anupam Pavithran for the great contribution.

Comments

Hi Dv.


This script is really useful, but I'm having an issue when trying to run it.

I get the following error when I try to input the FMC details.


###########################################################
# ACCESS CONTROL POLICY MERGING SCRIPT #
###########################################################
Enter the device IP address: 10.255.0.99
Traceback (most recent call last):
File "FMC_Merge_ACPs.py", line 89, in <module>
device = input("Enter the device IP address: ")
File "<string>", line 1
10.255.0.99
^
SyntaxError: invalid syntax


Can you please advise?


Kind regards

Kostas

Cisco Employee

@Konstantinos Gerakaris: The script works fine on Python 3. As per our discussion over message, you used Python 3.x and the script worked fine. Glad we worked that out.
-Dv

@Dv, thank you once more for contacting me to resolve the issue I had.

This script will be extremely useful to me since I have to migrate 10 different contexts from an ASA cluster to a single FTD cluster!