FMC (API based tool): Merge Two Access Control Policy's Rules Into One

Dinesh Verma · ‎06-25-2020

Problem

Firepower management center has multiple policies and right now there is no facility to merge rules of two access control policies into one. Although on newer codes FMC does provide option to create nested access control policy where the child policy inherit the rules/setting from parent or base policy.

Use Case:

Many customers use Firepower Migration Tool to put existing device config into FMC. Once migration is successful, FMC creates separate Access Control Policy. There was ask from customers to merge the existing ACP rule into the new one or vice versa for simpler management.

Solution

@Anupam Pavithran and I created a script which merges the 2nd Access Control Policy's rules into 1st Access Control Policy.

Script is attached here in the document.

Here's an example from lab that explains prerequisite, how to use it and output of rules.

Goal: FMC has two access control policies Major_Policy & Minor_Policy. Task here is to copy Minor_Policy's rule into Major_Policy

1) Preparation:

Step 1: Download the script on PC

Step 2: Make sure python is installed on PC and have reachability to FMC on 443)

Step 3: Make sure API is enabled on FMC (System -> Configuration -> Rest API Preference -> Enable REST API )

Step 4: Create a separate user on FMC to use during script execution

Step 5: Make sure proper permission is given to script to execute (This applies specifically if you're executing script from linux machine)

2) Execution:

$ python merge_acp.py


###########################################################
# ACCESS CONTROL POLICY MERGING SCRIPT #
###########################################################
Enter the device IP address: 10.197.212.213
Enter the username of the FMC( recommended to have a seperate API User):api
Enter the password of the FMC:
###########################################################
# ACCESS CONTROL POLICY LIST #
###########################################################
1 aaa
2 ACP_URL
3 Demo_Policy
4 FTDv_ACP
5 Major_Policy
6 Minor_Policy
7 Repro_ACP
###########################################################
Choose the First ACP Number (integer value):5
Choose the Second ACP Number (integer value):6
###########################################################
Rules of ACP Minor_Policy will be added to Major_Policy
###########################################################
Enter Section (mandatory | default) or category name : mandatory
###########################################################
Retriving all rules from ACP-1,
Please Wait...!
Retrived all rules from ACP-1
Number of rules in ACP-1: 11
###########################################################
Retriving all rules,
Please Wait...!
Retrived all rules from ACP-2
Numer of duplicate rule name: 1
Number of rules in ACP-2: 1
###########################################################
auth token--> 6e32b66b-8a41-492a-9db7-377bf9c95349
refresh token--> 7ee68250-1f00-4ba5-8c12-2b98615b02d9
Successfully refreshed authorization token
###########################################################
Posting rule, please wait!
Post was successful!
###########################################################
$

Script execution is successful and Minor_Policy's rule are merged with Major_Policy's Default Section.

Please take a look at screenshot of "ACPs before script execution" & "ACP after script execution".

Note: To be on safer side, create copy of existing policies you want to merge and run the script on them.

Please use the script and let us know if you run into any issues. Let us know for any other improvement on this as well.

Build 1.5 - Updated 4th May 2021

-> Fixed issue with posting rule with user object.

- @Anupam Pavithran

- @Dinesh Verma

Konstantinos Gerakaris · ‎10-15-2020

Hi Dv.

This script is really useful, but i'm having an issue when trying to run it.

I get the following error, when i try to input the FMC details.

###########################################################
# ACCESS CONTROL POLICY MERGING SCRIPT #
###########################################################
Enter the device IP address: 10.255.0.99
Traceback (most recent call last):
File "FMC_Merge_ACPs.py", line 89, in <module>
device = input("Enter the device IP address: ")
File "<string>", line 1
10.255.0.99
^
SyntaxError: invalid syntax

Can you please advise?

Kind regards

Kostas

Dinesh Verma · ‎10-15-2020

@Konstantinos Gerakaris : Script works fine on Python3. As per our discussion over message, you used python3.x and script worked fine. Glad, we worked that out.
-Dv

Konstantinos Gerakaris · ‎10-15-2020

@Dinesh Verma , thank you once more for contacting me to resolve the issue i had.

This script will be extremely useful to me since i have to migrate 10 different contexts from an ASA cluster to a single FTD cluster!

msameerkn · ‎01-28-2021

Hi Dev .

Thanks Dv and Anupam ,

Script is working fine , is it possible to merge pre filter rules ?

Regds ,

Sameer .

timothyjohnson40 · ‎04-05-2021

EDIT: Never mind just discovered you have to install the request module after the initial Python installation. Thanks!

When running this in Windows I get the following error. Any thoughts?

C:\Users\jmarkt2\Desktop>py merge_acp.py
Traceback (most recent call last):
File "C:\Users\jmarkt2\Desktop\merge_acp.py", line 14, in <module>
import requests
ModuleNotFoundError: No module named 'requests'

michaelpassalacqua · ‎04-27-2021

Hi.

This script is fantastic and extremely useful!

I am running into an issue when it attempts to process a rule that has a realm configuration. ie. URL rule with a condition of an AD group.

If I remove the User group configurations, it runs fine. I can manually add the AD groups back in after converging the ACP but would like to get this working.

###########################################################
Retriving all rules from ACP-1,
Please Wait...!
Retrived all rules from ACP-1
Number of rules in ACP-1: 317
###########################################################
Retriving all rules,
Please Wait...!
Retrived all rules from ACP-2
Number of rules in ACP-2: 22
###########################################################
auth token--> 8a129a01-41d1-4c6d-866c-7b21294b5884
refresh token--> 734a5a00-a58c-40a0-9936-2560cdd6c439
Successfully refreshed authorization token
###########################################################
Posting rule, please wait!
Status code : Reason --> 422 : {"error":{"category":"OTHER","messages":[{"bulkPayloadIndex":"9","description":"Unprocessable Entity - Unrecognized Field 'realm' in request payload"}],"severity":"ERROR"}}

Dinesh Verma · ‎04-27-2021

msameerkn : No, this script is for ACP only. We haven't seen much request for Pre-filter merge. We might consider creating another script for pre-filter in future. Thank you.

Dinesh Verma · ‎04-27-2021

timothyjohnson40: Module request is not installed. Use "pip3 install requests" to install the same.

Thank you.

Dinesh Verma · ‎04-27-2021

michaelpassalacqua: Thank you for trying the script. Can you please share SFO of both the ACP along with version of FMC at dinverma@cisco.com. We'd import locally and try to fix it.

How to export ACP: https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/configuration_import_and_export.pdf

Thank you.

-Dv

Anupam Pavithran · ‎05-03-2021

@michaelpassalacqua

We have fixed the issue with posting rules with user object in Build 1.5

-/|nupam

kosta.hatzis · ‎07-30-2021

Hello @Dinesh Verma and all.

Awesome script, I found the perfect use case for it. When using the script I came across an interesting issue, was looking to see if use case was creating this error.

As originally designed I used the script to merge multiple access policies imported into the FMC via the ASA FTD conversion tool When attempting to add the largest of the access policies, I received the following error.

comment = obj['comment']
KeyError: 'comment'

It appeared the issue was during the parsing of the key value comment. To get around the error for the time being I commented out line 47 in rule_writer.py. This appears to have allowed the script to finish and I have imported the remaining rules. Any idea what may have caused this error? The list I imported contained over 800 rules, however I did not see a mention of any rule limit.

Thank you,

timothyjohnson40 · ‎01-18-2022

Just wanted to drop a note of thanks for this script. Has saved me countless hours and still works on 7.0.1. Thanks!

sajjadazamkhan-sirius · ‎01-21-2022

Your script is wonderful and thanks for putting the handwork into getting this done. I am running into an issue not sure if its a script limitation or FMC, any feedback would be helpful

Size of data being posted 3704 Bytes

Number of rules being posted is 1
Size of data being posted 64 Bytes
Status code : Reason --> 400 : 400

For more details see below

Retriving all rules from ACP-1,
Please Wait...!
Retrived all rules from ACP-1
Number of rules in ACP-1: 7047
###########################################################
Retriving all rules,
Please Wait...!
Retrived all rules from ACP-2
Numer of duplicate rule name: 4112
Number of rules in ACP-2: 4112
###########################################################
auth token--> 3715ffb9-0de4-40ff-8d6a
refresh token--> b50a0b75-d2a5-4293-9690
Successfully refreshed authorization token
###########################################################
Posting rule, please wait!

Number of rules being posted is 456
Size of data being posted 3704 Bytes

Number of rules being posted is 457
Size of data being posted 3712 Bytes

Number of rules being posted is 456
Size of data being posted 3704 Bytes

Number of rules being posted is 1
Size of data being posted 64 Bytes
Status code : Reason --> 400 : 400