A Python script that reports the disabled rules under an Access Control Policy (ACP) on Cisco FMC and, optionally, deletes those rules in bulk.
Preparation
Step 1 Download the script to your PC.
Step 2 Make sure python3 is installed on the PC and that the PC can reach the FMC on TCP port 443.
Step 3 Make sure the REST API is enabled on the FMC (System -> Configuration -> REST API Preferences -> Enable REST API).
Step 4 Create a separate user on the FMC for the script, with a role that is allowed to modify access control policies (deleting rules is a write operation). A dedicated account keeps the script's changes attributable to it in the FMC audit log instead of mixing them with administrator logins.
Step 5 Make sure the script has execute permission (chmod +x) if you run it from a Linux machine.
Both Python files, "delete_disabled_rule.py" and "rule_writer.py", are needed; keep them in the same directory.
Execution
1. Enter the IP address of the FMC.
2. Enter the username and password (use the separate user created for running API based scripts on the FMC).
3. Select the ACP from which you want to delete disabled rules.
4. Choose operation 1 to only generate the report of disabled rules, or operation 2 to generate the report and also delete the disabled rules and save the changes.
Sample run (the tokens shown were valid only for that session):
PS C:\Users\anupam> python delete_disabled_rule.py
###########################################################
# ACCESS CONTROL POLICY #
###########################################################
# anpavith Cisco Systems India #
###########################################################
Enter the device IP address : 10.106.55.55
Enter the username of the FMC: api
Enter the password of the FMC:
###########################################################
# ACCESS CONTROL POLICY LIST #
###########################################################
1 5585-SFR
2 before_optima_copy
3 Blank Policy
4 Copy of Delhi Shared
5 FTD-Mig-ACP-1613142830
6 FTD-Mig-ACP-1615773808
7 HELIUM
8 Helium_COPY
9 SERVER-FW-ZoneFree
10 SERVER-FW-ZoneFree-Before-Optima
11 BERLIN MASTERFIREWALL-Updated
###########################################################
Choose the ACP Number (integer value):10
###########################################################
Available operations on ACP
###########################################################
1. Report of rules which are disabled
2. Delete disabled rules
###########################################################
Enter your selection (integer value) : 2
###########################################################
Processing, Please Wait
>>>>>>>>
Retrived all rules from SERVER-FW-ZoneFree-Before-Optima
###########################################################
Total number of rules in Access Control Policy : 7965
Number of rules which are disabled : 154
###########################################################
auth token--> d5f01051-08d3-4776-8d84-ab9f2e38bfc0
refresh token--> 6f9991ce-b739-4f71-ac9d-10d7e5f5b040
Successfully refreshed authorization token
###########################################################
Processing, Please Wait!
Delete was successful!
Delete was successful!
Delete was successful!
Delete was successful!
Delete was successful!
Delete was successful!
Delete was successful!
Delete was successful!
###########################################################
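The flow the sample run above goes through (log in for a token, page through every rule of the chosen ACP, pick out the ones with "enabled": false, report them, and only then issue one DELETE per rule) is shown below as an added example. It is not the delete_disabled_rule.py / rule_writer.py from this page; it uses the documented FMC REST API paths (fmc_platform/v1 auth, fmc_config/v1 accessrules), and the FakeFmc client, its Global domain UUID, the policy ID and the rule data in the test are constructed so the logic can be exercised offline. The real client also refreshes the token once on a 401, which is what a long run over thousands of rules needs.

```python
"""Report and bulk-delete disabled rules in one FMC Access Control Policy.
Added illustration, not the delete_disabled_rule.py / rule_writer.py from this page;
host, policy ID and the rule data served by the offline test double are constructed.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request

PAGE_LIMIT = 1000  # FMC serves at most 1000 access rules per GET; bigger policies are paged

class FmcClient:
    """Minimal token-based FMC client over urllib (no third-party dependencies)."""
    def __init__(self, host, username, password, verify_tls=True):
        self.base = f"https://{host}"
        self.basic = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # lab only: FMC ships with a self-signed certificate
            self.ctx.check_hostname, self.ctx.verify_mode = False, ssl.CERT_NONE
        self.token = self.refresh_token = self.domain = None
    def _call(self, method, path, headers):
        req = urllib.request.Request(self.base + path, method=method, headers=headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return resp.headers, resp.read()
    def login(self):
        # The access token lives 30 minutes and can be refreshed up to three times.
        hdrs, _ = self._call("POST", "/api/fmc_platform/v1/auth/generatetoken",
                             {"Authorization": "Basic " + self.basic})
        self.token, self.refresh_token = hdrs["X-auth-access-token"], hdrs["X-auth-refresh-token"]
        self.domain = hdrs["DOMAIN_UUID"]
    def refresh(self):
        hdrs, _ = self._call("POST", "/api/fmc_platform/v1/auth/refreshtoken",
                             {"X-auth-access-token": self.token, "X-auth-refresh-token": self.refresh_token})
        self.token, self.refresh_token = hdrs["X-auth-access-token"], hdrs["X-auth-refresh-token"]
    def _authed(self, method, path):
        try:
            return self._call(method, path, {"X-auth-access-token": self.token})
        except urllib.error.HTTPError as err:
            if err.code != 401:  # a 401 mid-run means the token expired: refresh once and retry
                raise
            self.refresh()
            return self._call(method, path, {"X-auth-access-token": self.token})
    def get(self, path):
        return json.loads(self._authed("GET", path)[1])
    def delete(self, path):
        self._authed("DELETE", path)

def rules_path(client, policy_id):
    return f"/api/fmc_config/v1/domain/{client.domain}/policy/accesspolicies/{policy_id}/accessrules"

def iter_rules(client, policy_id):
    """Walk every page of the policy's rules via the offset/limit/count paging fields."""
    offset = 0
    while True:
        page = client.get(f"{rules_path(client, policy_id)}?expanded=true&limit={PAGE_LIMIT}&offset={offset}")
        items = page.get("items", [])
        yield from items
        offset += len(items)
        if not items or offset >= page.get("paging", {}).get("count", 0):
            return

def disabled_rules(client, policy_id):
    """The report: every rule whose 'enabled' flag is false."""
    return [r for r in iter_rules(client, policy_id) if not r.get("enabled", True)]

def delete_rules(client, policy_id, rules, dry_run=True):
    """One DELETE per rule ID; with dry_run (the default) only list what would be removed."""
    deleted = []
    for rule in rules:
        if not dry_run:
            client.delete(f"{rules_path(client, policy_id)}/{rule['id']}")
        deleted.append(rule["id"])
    return deleted

class FakeFmc:
    """Offline stand-in with constructed data; same get/delete surface as FmcClient."""
    domain = "e276abec-e0f2-11e3-8169-6d9ed49b625f"  # constructed: FMC's Global domain UUID
    def __init__(self, rules):
        self.rules, self.deleted, self.calls = list(rules), [], 0
    def get(self, path):
        self.calls += 1
        query = dict(kv.split("=") for kv in path.split("?", 1)[1].split("&"))
        off, lim = int(query["offset"]), int(query["limit"])
        return {"items": self.rules[off:off + lim],
                "paging": {"offset": off, "limit": lim, "count": len(self.rules)}}
    def delete(self, path):
        rule_id = path.rsplit("/", 1)[1]
        self.rules = [r for r in self.rules if r["id"] != rule_id]
        self.deleted.append(rule_id)

def sample_rules(count, disabled_every):
    """Constructed rule objects: every `disabled_every`-th rule (starting at 0) is disabled."""
    return [{"id": f"rule-{i:05d}", "name": f"Rule {i}", "enabled": i % disabled_every != 0}
            for i in range(count)]
```

Against a real FMC the sequence is `c = FmcClient("10.106.55.55", "api", password)`, `c.login()`, `report = disabled_rules(c, policy_id)`, review the report, then `delete_rules(c, policy_id, report, dry_run=False)`; the policy ID comes from a GET on `/api/fmc_config/v1/domain/{domain}/policy/accesspolicies`. The default `dry_run=True` mirrors operation 1 of the script (report only) so nothing is removed until you opt in, and, as with any FMC policy change, deletions made through the API are saved on the FMC but still have to be deployed to the managed devices.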
Note: To be on the safer side, create a copy of each policy you want to run the script against, and run operation 1 (report only) first to review what would be deleted. The auth and refresh tokens the script prints are bearer credentials for the session (an FMC access token stays valid for 30 minutes), so do not paste console output into tickets or chat until they have expired.
Please use the script and let us know if you run into any issues, or if you have suggestions for improving it.
-/|nupam