def test__etherchannel_interfaces(fmc):
logging.info(
"Test EtherchannelInterfaces. get, post, put, delete EtherchannelInterfaces Objects. "
"Requires registered physical device")
starttime = str(int(time.time()))
namer = f"_fmcapi_test_{starttime}"
sz1 = fmcapi.SecurityZones(fmc=fmc)
sz1.name = "_sz1" + namer
sz1.post()
time.sleep(1)
sz2 = fmcapi.SecurityZones(fmc=fmc)
sz2.name = "_sz2" + namer
sz2.post()
time.sleep(1)
eth1 = fmcapi.EtherchannelInterfaces(fmc=fmc, device_name="device_name")
eth1.p_interfaces(
p_interfaces=["GigabitEthernet0/3", "GigabitEthernet0/5"],
device_name="device_name",
)
eth1.enabled = True
eth1.ifname = "_eth1" + namer
eth1.etherChannelId = "1"
eth1.static(ipv4addr="192.0.2.1", ipv4mask=24)
eth1.sz(name=sz1.name)
eth1.mode = "NONE"
eth1.MTU = "1500"
eth1.lacpMode = "ACTIVE"
eth1.loadBalancing = "SRC_DST_IP_PORT"
eth1.post()
time.sleep(2)
eth1.get()
eth1.enabled = False
eth1.sz(name=sz2.name)
eth1.put()
time.sleep(1)
eth1.get()
eth1.delete()
sz1.delete()
sz2.delete()
logging.info("Testing EtherchannelInterfaces class done.\n")
def test__slamonitor(fmc):
logging.info(
"Test SLAMonitor. Post, get, put, delete SLAMonitor Objects.")
starttime = str(int(time.time()))
namer = f"_fmcapi_test_{starttime}"
sz1 = fmcapi.SecurityZones(fmc=fmc)
sz1.name = "SZ-OUTSIDE1"
sz1.interfaceMode = "ROUTED"
sz1.post()
time.sleep(1)
sz2 = fmcapi.SecurityZones(fmc=fmc)
sz2.name = "SZ-OUTSIDE2"
sz2.interfaceMode = "ROUTED"
sz2.post()
time.sleep(1)
obj1 = fmcapi.SLAMonitors(fmc=fmc)
obj1.name = namer
obj1.frequency = 30
obj1.slaId = 1
obj1.monitorAddress = "8.8.8.7"
obj1.timeout = 5000
obj1.threshold = 2
obj1.noOfPackets = 1
obj1.dataSize = 28
obj1.tos = 1
obj1.interfaces(names=["SZ-OUTSIDE1", "SZ-OUTSIDE2"])
obj1.post()
logging.info("SLAMonitor Post -->")
logging.info(obj1.format_data())
logging.info("\n")
obj1.get(name=namer)
obj1.monitorAddress = "8.8.8.8"
obj1.put()
logging.info("SLAMonitor Put -->")
logging.info(obj1.format_data())
logging.info("\n")
time.sleep(1)
obj1.delete()
sz1.delete()
sz2.delete()
def test__bridge_group_interfaces(fmc):
logging.info(
"Test BridgeGroupInterfaces. get, post, put, delete BridgeGroupInterfaces Objects. "
"Requires registered device")
starttime = str(int(time.time()))
namer = f"_fmcapi_test_{starttime}"
sz1 = fmcapi.SecurityZones(fmc=fmc)
sz1.name = "_sz1" + namer
sz1.post()
time.sleep(1)
sz2 = fmcapi.SecurityZones(fmc=fmc)
sz2.name = "_sz2" + namer
sz2.post()
time.sleep(1)
br1 = fmcapi.BridgeGroupInterfaces(fmc=fmc, device_name="device_name")
br1.p_interfaces(
p_interfaces=["GigabitEthernet0/3", "GigabitEthernet0/5"],
device_name="device_name",
)
br1.enabled = True
br1.ifname = "_br1" + namer
br1.bridgeGroupId = "1"
br1.static(ipv4addr="192.0.2.1", ipv4mask=24)
br1.sz(name=sz1.name)
br1.post()
time.sleep(2)
br1.get()
br1.enabled = False
br1.sz(name=sz2.name)
br1.put()
time.sleep(1)
br1.get()
br1.delete()
sz1.delete()
sz2.delete()
logging.info("Testing BridgeGroupInterfaces class done.\n")
def test__redundant_interfaces(fmc):
logging.info(
"Test RedundantInterfaces. get, post, put, delete RedundantInterfaces Objects. Requires registered device"
)
starttime = str(int(time.time()))
namer = f"_fmcapi_test_{starttime}"
sz1 = fmcapi.SecurityZones(fmc=fmc)
sz1.name = "_sz1" + namer
sz1.post()
time.sleep(1)
sz2 = fmcapi.SecurityZones(fmc=fmc)
sz2.name = "_sz2" + namer
sz2.post()
time.sleep(1)
red1 = fmcapi.RedundantInterfaces(fmc=fmc, device_name="device_name")
red1.primary(p_interface="GigabitEthernet0/3", device_name="device_name")
red1.secondary(p_interface="GigabitEthernet0/5", device_name="device_name")
red1.enabled = "True"
red1.ifname = "_red1" + namer
red1.redundantId = "1"
red1.static(ipv4addr="192.0.2.1", ipv4mask=24)
red1.sz(name=sz1.name)
red1.post()
time.sleep(2)
red1.get()
logging.info(red1.format_data())
red1.enabled = False
red1.sz(name=sz2.name)
red1.put()
time.sleep(1)
red1.get()
logging.info(red1.format_data())
red1.delete()
sz1.delete()
sz2.delete()
logging.info("Testing RedundantInterfaces class done.\n")
def test__subinterfaces(fmc):
logging.info(
"Test SubInterfaces. get, post, put, delete SubInterfaces Objects. Requires registered device"
)
starttime = str(int(time.time()))
namer = f"_fmcapi_test_{starttime}"
sz1 = fmcapi.SecurityZones(fmc=fmc)
sz1.name = "_sz1" + namer
sz1.post()
time.sleep(1)
sz2 = fmcapi.SecurityZones(fmc=fmc)
sz2.name = "_sz2" + namer
sz2.post()
time.sleep(1)
sub1 = fmcapi.SubInterfaces(fmc=fmc, device_name="device_name")
sub1.p_interface(p_interface="GigabitEthernet0/3",
device_name="device_name")
sub1.enabled = True
sub1.ifname = "_sub1" + namer
sub1.subIntfId = "300"
sub1.vlanId = "300"
sub1.static(ipv4addr="192.0.2.1", ipv4mask=24)
sub1.sz(name=sz1.name)
sub1.post()
logging.info(sub1.format_data())
time.sleep(2)
sub1.get()
sub1.enabled = False
sub1.sz(name=sz2.name)
sub1.put()
time.sleep(1)
sub1.get()
sub1.delete()
sz1.delete()
sz2.delete()
logging.info("Testing SubInterfaces class done.\n")
def test__security_zone(fmc):
logging.info(
"Test SecurityZone. Post, get, put, delete Security Zone Objects.")
starttime = str(int(time.time()))
namer = f"_fmcapi_test_{starttime}"
obj1 = fmcapi.SecurityZones(fmc=fmc)
obj1.name = namer
obj1.interfaceMode = "ROUTED"
obj1.post()
time.sleep(1)
del obj1
obj1 = fmcapi.SecurityZones(fmc=fmc, name=namer)
obj1.get()
obj1.name = "DEMO"
obj1.put()
time.sleep(1)
obj1.delete()
logging.info("Test SecurityZone done.\n")
def main():
"""
The FTD device already has 100.127.100.15 on its management interface and the command 'configure network manager
100.64.0.155 cisco123' has already been manually typed on the FTD's CLI.
"""
with fmcapi.FMC(host='100.64.0.166',
username='******',
password='******',
autodeploy=True) as fmc1:
# Create Security Zones
sz1 = fmcapi.SecurityZones(fmc=fmc1)
sz1.name = 'Restricted'
sz1.post()
sz2 = fmcapi.SecurityZones(fmc=fmc1)
sz2.name = 'Outside'
sz2.post()
# Create Objects
border1 = fmcapi.NetworkAddresses(fmc=fmc1,
name='Border-1',
value='100.126.1.13')
border1.post()
finance = fmcapi.NetworkAddresses(fmc=fmc1,
name='finance.dcloud.cisco.com',
value='100.64.0.134')
finance.post()
pci = fmcapi.NetworkAddresses(fmc=fmc1,
name='pci.dcloud.cisco.com',
value='100.64.0.133')
pci.post()
ftd_border1_net = fmcapi.Networks(fmc=fmc1,
name='FTD-Border1-net',
value='100.126.1.12/30')
ftd_border1_net.post()
restricted_vn_net = fmcapi.Networks(fmc=fmc1,
name='Restricted-VN-net',
value='100.110.0.0/16')
restricted_vn_net.post()
# Create ACPs
acp1 = fmcapi.AccessPolicies(
fmc=fmc1,
name='Restricted-VN-Initial-Policy',
defaultAction='NETWORK_DISCOVERY',
)
acp1.post()
acp2 = fmcapi.AccessPolicies(
fmc=fmc1,
name='Restricted-VN-RTC-Policy',
defaultAction='NETWORK_DISCOVERY',
)
acp2.post()
# Create ACP Rules for the ACPs
initial_rule1 = fmcapi.AccessRules(fmc=fmc1,
acp_name=acp1.name,
name='Permit-ANY')
initial_rule1.logBegin = True
initial_rule1.logEnd = True
initial_rule1.action = 'ALLOW'
initial_rule1.post()
rapid_threat_rule1 = fmcapi.AccessRules(fmc=fmc1,
acp_name=acp2.name,
name='PCIUsers-to-sources')
rapid_threat_rule1.source_network(action='add',
name=restricted_vn_net.name)
rapid_threat_rule1.destination_port(action='add', name='HTTP')
# rapid_threat_rule1.isesgt(name='PCI_user')
rapid_threat_rule1.logBegin = True
rapid_threat_rule1.logEnd = True
rapid_threat_rule1.intrusion_policy(action='add',
name='Restricted-VN-IPS-Policy')
rapid_threat_rule1.action = 'ALLOW'
rapid_threat_rule1.enabled = True
rapid_threat_rule1.post()
rapid_threat_rule2 = fmcapi.AccessRules(
fmc=fmc1, acp_name=acp2.name, name='FinanceUsers2PCIResource')
rapid_threat_rule2.source_network(action='add',
name=restricted_vn_net.name)
rapid_threat_rule2.destination_network(action='add', name=finance.name)
rapid_threat_rule2.destination_port(action='add', name='HTTP')
# rapid_threat_rule2.isesgt(name='PCI_user')
# rapid_threat_rule2.isesgt(name='finance_user')
rapid_threat_rule2.logBegin = True
rapid_threat_rule2.logEnd = True
rapid_threat_rule2.intrusion_policy(action='add',
name='Restricted-VN-IPS-Policy')
rapid_threat_rule2.action = 'ALLOW'
rapid_threat_rule2.enabled = True
rapid_threat_rule2.post()
rapid_threat_rule3 = fmcapi.AccessRules(
fmc=fmc1, acp_name=acp2.name, name='DenyUnauthenticatedUsers')
rapid_threat_rule3.source_network(action='add',
name=restricted_vn_net.name)
rapid_threat_rule3.destination_network(action='add', name=finance.name)
rapid_threat_rule3.destination_network(action='add', name=pci.name)
rapid_threat_rule3.destination_port(action='add', name='HTTP')
rapid_threat_rule3.logBegin = True
rapid_threat_rule3.action = 'BLOCK'
rapid_threat_rule3.enabled = True
rapid_threat_rule3.post()
rapid_threat_rule4 = fmcapi.AccessRules(fmc=fmc1,
acp_name=acp2.name,
name='Permit-ANY')
rapid_threat_rule4.source_network(action='add', name='ipv4-any')
rapid_threat_rule4.destination_network(action='add', name='ipv4-any')
rapid_threat_rule4.action = 'ALLOW'
rapid_threat_rule4.enabled = True
rapid_threat_rule4.post()
# Add FTD device to FMC
ftd1 = fmcapi.DeviceRecords(fmc=fmc1)
ftd1.hostName = '100.127.100.15'
ftd1.regKey = 'C1sco12345'
ftd1.acp(name='Restricted-VN-Initial-Policy')
ftd1.name = 'FTD'
ftd1.licensing(action='add', name='MALWARE')
ftd1.licensing(action='add', name='VPN')
ftd1.licensing(action='add', name='BASE')
ftd1.licensing(action='add', name='THREAT')
ftd1.licensing(action='add', name='URL')
# Push to FMC to start device registration.
ftd1.post(post_wait_time=300)
# Once registration is complete configure the interfaces of ftd.
int101 = fmcapi.PhysicalInterfaces(fmc=fmc1, device_name=ftd1.name)
int101.get(name='GigabitEthernet0/0')
int101.enabled = True
int101.ifname = 'FTD-to-Fusion'
int101.sz(name=sz2.name)
int101.static(ipv4addr='100.127.101.254', ipv4mask=24)
int101.put()
int3004 = fmcapi.PhysicalInterfaces(fmc=fmc1, device_name=ftd1.name)
int3004.get(name='GigabitEthernet0/1')
int3004.enabled = True
int3004.ifname = 'FTD-to-Border1'
int3004.sz(name=sz1.name)
int3004.static(ipv4addr='100.126.1.14', ipv4mask=30)
int3004.put()
def main():
"""
The hq-ftd device already has 10.0.0.254 on its manage interface and the command 'configure network manager
10.0.0.10 cisco123' has already been manually typed on the FTD's CLI.
"""
# ### Set these variables to match your environment. ### #
host = "10.0.0.10"
username = "******"
password = "******"
with fmcapi.FMC(
host=host,
username=username,
password=password,
autodeploy=True,
file_logging="hq-ftd.log",
) as fmc1:
# Create an ACP
acp = fmcapi.AccessPolicies(fmc=fmc1, name="ACP Policy")
acp.defaultAction = "BLOCK"
# I intentionally put a "space" in the ACP name to show that fmcapi will "fix" that for you.
acp.post()
# Create Security Zones
sz_inside = fmcapi.SecurityZones(fmc=fmc1,
name="inside",
interfaceMode="ROUTED")
sz_inside.post()
sz_outside = fmcapi.SecurityZones(fmc=fmc1,
name="outside",
interfaceMode="ROUTED")
sz_outside.post()
sz_dmz = fmcapi.SecurityZones(fmc=fmc1,
name="dmz",
interfaceMode="ROUTED")
sz_dmz.post()
# Create Network Objects
hq_dfgw_gateway = fmcapi.Hosts(fmc=fmc1,
name="hq-default-gateway",
value="100.64.0.1")
hq_dfgw_gateway.post()
hq_lan = fmcapi.Networks(fmc=fmc1, name="hq-lan", value="10.0.0.0/24")
hq_lan.post()
all_lans = fmcapi.Networks(fmc=fmc1,
name="all-lans",
value="10.0.0.0/8")
all_lans.post()
hq_fmc = fmcapi.Hosts(fmc=fmc1, name="hq_fmc", value="10.0.0.10")
hq_fmc.post()
fmc_public = fmcapi.Hosts(fmc=fmc1,
name="fmc_public_ip",
value="100.64.0.10")
fmc_public.post()
# Create ACP Rule to permit hq_lan traffic inside to outside.
hq_acprule = fmcapi.AccessRules(
fmc=fmc1,
acp_name=acp.name,
name="Permit HQ LAN",
action="ALLOW",
enabled=True,
)
hq_acprule.source_zone(action="add", name=sz_inside.name)
hq_acprule.destination_zone(action="add", name=sz_outside.name)
hq_acprule.source_network(action="add", name=hq_lan.name)
hq_acprule.destination_network(action="add", name="any-ipv4")
# hq_acprule.logBegin = True
# hq_acprule.logEnd = True
hq_acprule.post()
# Build NAT Policy
nat = fmcapi.FTDNatPolicies(fmc=fmc1, name="NAT Policy")
nat.post()
# Build NAT Rule to NAT all_lans to interface outside
autonat = fmcapi.AutoNatRules(fmc=fmc1)
autonat.natType = "DYNAMIC"
autonat.interfaceInTranslatedNetwork = True
autonat.original_network(all_lans.name)
autonat.source_intf(name=sz_inside.name)
autonat.destination_intf(name=sz_outside.name)
autonat.nat_policy(name=nat.name)
autonat.post()
# Build NAT Rule to allow inbound traffic to FMC (Branches need to register to FMC.)
fmc_nat = fmcapi.ManualNatRules(fmc=fmc1)
fmc_nat.natType = "STATIC"
fmc_nat.original_source(hq_fmc.name)
fmc_nat.translated_source(fmc_public.name)
fmc_nat.source_intf(name=sz_inside.name)
fmc_nat.destination_intf(name=sz_outside.name)
fmc_nat.nat_policy(name=nat.name)
fmc_nat.enabled = True
fmc_nat.post()
# Add hq-ftd device to FMC
hq_ftd = fmcapi.DeviceRecords(fmc=fmc1)
# Minimum things set.
hq_ftd.hostName = "10.0.0.254"
hq_ftd.regKey = "cisco123"
hq_ftd.acp(name=acp.name)
# Other stuff I want set.
hq_ftd.name = "hq-ftd"
hq_ftd.licensing(action="add", name="MALWARE")
hq_ftd.licensing(action="add", name="VPN")
hq_ftd.licensing(action="add", name="BASE")
hq_ftd.licensing(action="add", name="THREAT")
hq_ftd.licensing(action="add", name="URLFilter")
# Push to FMC to start device registration.
hq_ftd.post(post_wait_time=300)
# Once registration is complete configure the interfaces of hq-ftd.
hq_ftd_g00 = fmcapi.PhysicalInterfaces(fmc=fmc1,
device_name=hq_ftd.name)
hq_ftd_g00.get(name="GigabitEthernet0/0")
hq_ftd_g00.enabled = True
hq_ftd_g00.ifname = "IN"
hq_ftd_g00.static(ipv4addr="10.0.0.1", ipv4mask=24)
hq_ftd_g00.sz(name="inside")
hq_ftd_g00.put()
hq_ftd_g01 = fmcapi.PhysicalInterfaces(fmc=fmc1,
device_name=hq_ftd.name)
hq_ftd_g01.get(name="GigabitEthernet0/1")
hq_ftd_g01.enabled = True
hq_ftd_g01.ifname = "OUT"
hq_ftd_g01.static(ipv4addr="100.64.0.200", ipv4mask=24)
hq_ftd_g01.sz(name="outside")
hq_ftd_g01.put()
# Build static default route for HQ FTD
hq_default_route = fmcapi.IPv4StaticRoutes(fmc=fmc1,
name="hq_default_route")
hq_default_route.device(device_name=hq_ftd.name)
hq_default_route.networks(action="add", networks=["any-ipv4"])
hq_default_route.gw(name=hq_dfgw_gateway.name)
hq_default_route.interfaceName = hq_ftd_g01.ifname
hq_default_route.metricValue = 1
hq_default_route.post()
# Associate NAT policy with HQ FTD device.
devices = [{"name": hq_ftd.name, "type": "device"}]
assign_nat_policy = fmcapi.PolicyAssignments(fmc=fmc1)
assign_nat_policy.ftd_natpolicy(name=nat.name, devices=devices)
assign_nat_policy.post()
def test__acp_rule(fmc):
logging.info(
"In preparation for testing ACPRule methods, set up some known objects in the FMC."
)
starttime = str(int(time.time()))
namer = f"_fmcapi_test_{starttime}"
# Build an IP host object
iphost1 = fmcapi.Hosts(fmc=fmc, name="_iphost1", value="7.7.7.7")
iphost1.post()
# Build an IP Network object
ipnet1 = fmcapi.Networks(fmc=fmc, name="_ipnet1", value="1.2.3.0/24")
ipnet1.post()
# Build an IP range object
iprange1 = fmcapi.Ranges(fmc=fmc,
name="_iprange1",
value="6.6.6.6-7.7.7.7")
iprange1.post()
# Build a Network Group object
ipnet2 = fmcapi.Networks(fmc=fmc, name="_ipnet2", value="5.5.5.0/24")
ipnet2.post()
time.sleep(1)
# Build an FQDNS object
fqdns1 = fmcapi.FQDNS(fmc=fmc, name="_fqdns1", value="www.cisco.com")
fqdns1.post()
obj1 = fmcapi.NetworkGroups(fmc=fmc, name="_fmcapi_test_networkgroup")
obj1.named_networks(action="add", name=ipnet2.name)
obj1.unnamed_networks(action="add", value="4.4.4.4/32")
obj1.post()
# Build a URL object
url1 = fmcapi.URLs(fmc=fmc, name="_url1", url="asdf.org")
url1.post()
url1.get()
# lists = [{"type": url1.type, "id": url1.id, "name": url1.name}]
# Build a VLAN Tag object
vlantag1 = fmcapi.VlanTags(fmc=fmc,
name="_vlantag1",
data={
"startTag": "888",
"endTag": "999"
})
vlantag1.post()
# Build a Port object
pport1 = fmcapi.ProtocolPortObjects(fmc=fmc,
name="_pport1",
port="9090",
protocol="UDP")
pport1.post()
# Build a Port Group Object
obj10 = fmcapi.ProtocolPortObjects(fmc=fmc,
name="_porttcp1",
port="8443",
protocol="TCP")
obj10.post()
obj11 = fmcapi.ProtocolPortObjects(fmc=fmc,
name="_portudp1",
port="161",
protocol="UDP")
obj11.post()
obj12 = fmcapi.ProtocolPortObjects(fmc=fmc,
name="_portrangetcp1",
port="0-1023",
protocol="TCP")
obj12.post()
obj2 = fmcapi.PortObjectGroups(fmc=fmc,
name="_fmcapi_test_portobjectgroup")
obj2.named_ports(action="add", name=obj10.name)
obj2.named_ports(action="add", name=obj11.name)
obj2.named_ports(action="add", name=obj12.name)
obj2.post()
# Build a Security Zone object
sz1 = fmcapi.SecurityZones(fmc=fmc, name="_sz1", interfaceMode="ROUTED")
sz1.post()
# Build an ACP Object
acp1 = fmcapi.AccessPolicies(fmc=fmc, name=namer)
acp1.post()
# Get a file_policy
# fp = fmcapi.FilePolicies(fmc=fmc1, name='daxm_test')
time.sleep(1)
logging.info("Setup of objects for ACPRule test done.\n")
logging.info(
"Test ACPRule. Try to test all features of all methods of the ACPRule class."
)
acprule1 = fmcapi.AccessRules(fmc=fmc, acp_name=acp1.name)
acprule1.name = namer
acprule1.action = "ALLOW"
acprule1.enabled = False
acprule1.sendEventsToFMC = True
acprule1.logFiles = False
acprule1.logBegin = True
acprule1.logEnd = True
acprule1.variable_set(action="set", name="Default-Set")
acprule1.source_zone(action="add", name=sz1.name)
acprule1.destination_zone(action="add", name=sz1.name)
acprule1.intrusion_policy(action="set", name="Security Over Connectivity")
acprule1.vlan_tags(action="add", name=vlantag1.name)
acprule1.source_port(action="add", name=pport1.name)
acprule1.destination_port(action="add", name=pport1.name)
acprule1.destination_port(action="add", name=obj2.name)
acprule1.source_network(action="add", name=iphost1.name)
acprule1.source_network(action="add", name=obj1.name)
acprule1.source_network(action="add", name=iprange1.name)
acprule1.destination_network(action="add", name=ipnet1.name)
acprule1.destination_network(action="add", name=iprange1.name)
acprule1.destination_network(action="add", name=fqdns1.name)
# acprule1.urls(name=url1.name)
# acprule1.file_policy(action='set', name=fp.name)
acprule1.post()
logging.info("Test ACPRule done.\n")
logging.info("Cleanup of testing ACPRule methods.")
acprule1.delete()
time.sleep(1)
acp1.delete()
iphost1.delete()
ipnet1.delete()
iprange1.delete()
fqdns1.delete()
obj1.delete()
ipnet2.delete()
url1.delete()
vlantag1.delete()
pport1.delete()
sz1.delete()
obj2.delete()
obj10.delete()
obj11.delete()
obj12.delete()
logging.info("Cleanup of objects for ACPRule test done.\n")
def create_security_zones(fmc, sz_list):
"""Create Security Zones"""
for sz in sz_list:
if "name" in sz:
sz1 = fmcapi.SecurityZones(fmc=fmc, name=sz["name"])
sz1.post()
def test__autonat(fmc):
logging.info("Testing AutoNatPolicy class.")
starttime = str(int(time.time()))
namer = f"_fmcapi_test_{starttime}"
# Create a container policy for FTD NAT rules
natpol1 = fmcapi.FTDNatPolicies(fmc=fmc, name=namer)
natpol1.post()
natpol1.get()
# Create original and translate objects
obj1 = fmcapi.Networks(fmc=fmc)
obj1.name = "_net_original"
obj1.value = "10.0.0.0/8"
obj1.post()
time.sleep(1)
obj2 = fmcapi.Hosts(fmc=fmc)
obj2.name = "_net_xlate"
obj2.value = "192.0.2.1"
obj2.post()
time.sleep(1)
# Create identity nat object
obj3 = fmcapi.Networks(fmc=fmc)
obj3.name = "_net_identity"
obj3.value = "192.168.0.0/24"
obj3.post()
time.sleep(1)
# Create nat pool objects
obj4 = fmcapi.Networks(fmc=fmc)
obj4.name = "_net_original_pool"
obj4.value = "172.16.0.0/24"
obj4.post()
time.sleep(1)
# PAT Pool must be a range, not a subnet
obj5 = fmcapi.Ranges(fmc=fmc)
obj5.name = "_net_xlate_pool"
obj5.value = "192.0.2.128-192.0.2.254"
obj5.post()
time.sleep(1)
# Create interface PAT object
obj6 = fmcapi.Networks(fmc=fmc)
obj6.name = "_net_original_intf"
obj6.value = "192.168.1.0/24"
obj6.post()
time.sleep(1)
# Create Security Zones
sz1 = fmcapi.SecurityZones(fmc=fmc, name="IG-INSIDE")
sz1.post()
sz2 = fmcapi.SecurityZones(fmc=fmc, name="SZ-OUTSIDE1")
sz2.post()
# Autonat a network object to a host
autonat1 = fmcapi.AutoNatRules(fmc=fmc)
autonat1.original_network(name="_net_original")
autonat1.translated_network(name="_net_xlate")
autonat1.natType = "STATIC"
# Source and destination interface can be either an interface group or security zone
autonat1.source_intf(name="IG-INSIDE")
autonat1.destination_intf(name="SZ-OUTSIDE1")
autonat1.nat_policy(name=namer)
# Autonat identity nat
autonat2 = fmcapi.AutoNatRules(fmc=fmc)
autonat2.identity_nat(name="_net_identity")
autonat2.source_intf(name="IG-INSIDE")
autonat2.destination_intf(name="SZ-OUTSIDE1")
autonat2.nat_policy(name=namer)
# Autonat nat pool
autonat3 = fmcapi.AutoNatRules(fmc=fmc)
autonat3.original_network(name="_net_original_pool")
autonat3.patPool(name="_net_xlate_pool")
autonat3.source_intf(name="IG-INSIDE")
autonat3.destination_intf(name="SZ-OUTSIDE1")
autonat3.nat_policy(name=namer)
# Autonat interface PAT
autonat4 = fmcapi.AutoNatRules(fmc=fmc)
autonat4.original_network(name="_net_original_intf")
autonat4.natType = "DYNAMIC"
autonat4.source_intf(name="IG-INSIDE")
autonat4.destination_intf(name="SZ-OUTSIDE1")
autonat4.nat_policy(name=namer)
autonat4.interfaceInTranslatedNetwork = True
autonat1.post()
autonat2.post()
autonat3.post()
autonat4.post()
"""
# Associate a nat policy to a device
# Do not uncomment if you do not have a device registered to FMC
# Use name of device or deviceHAPair as applicable
pol_devices = [{"name": "deviceHAName", "type": "deviceHAPair"}]
assign1 = fmcapi.PolicyAssignments(fmc=fmc)
assign1.ftd_natpolicy(name=namer, devices=pol_devices)
assign1.post()
assign1.ftd_natpolicy(name=namer, devices=[])
assign1.put()
"""
natpol1.delete()
obj1.delete()
obj2.delete()
obj3.delete()
obj4.delete()
obj5.delete()
obj6.delete()
sz1.delete()
sz2.delete()
def test__manualnat(fmc):
logging.info("Testing ManualNatRules class.")
starttime = str(int(time.time()))
namer = f"_fmcapi_test_{starttime}"
# Create a container policy for FTD NAT rules
natpol1 = fmcapi.FTDNatPolicies(fmc=fmc, name=namer)
natpol1.post()
natpol1.get()
# Create original and translate objects
obj1 = fmcapi.Networks(fmc=fmc)
obj1.name = "_net_original"
obj1.value = "10.0.0.0/8"
obj1.post()
time.sleep(1)
obj2 = fmcapi.Hosts(fmc=fmc)
obj2.name = "_net_xlate"
obj2.value = "192.0.2.1"
obj2.post()
time.sleep(1)
# Create identity nat object
obj3 = fmcapi.Networks(fmc=fmc)
obj3.name = "_net_identity"
obj3.value = "192.168.0.0/24"
obj3.post()
time.sleep(1)
# Create nat pool objects
obj4 = fmcapi.Networks(fmc=fmc)
obj4.name = "_net_original_pool"
obj4.value = "172.16.0.0/24"
obj4.post()
time.sleep(1)
# PAT Pool must be a range, not a subnet
obj5 = fmcapi.Ranges(fmc=fmc)
obj5.name = "_net_xlate_pool"
obj5.value = "192.0.2.128-192.0.2.254"
obj5.post()
time.sleep(1)
# Create interface PAT object
obj6 = fmcapi.Networks(fmc=fmc)
obj6.name = "_net_original_intf"
obj6.value = "192.168.1.0/24"
obj6.post()
# Create NAT divert objects
obj7 = fmcapi.Hosts(fmc=fmc)
obj7.name = "_net_source_divert"
obj7.value = "172.30.1.1"
obj7.post()
time.sleep(1)
obj8 = fmcapi.Hosts(fmc=fmc)
obj8.name = "_net_destination_divert"
obj8.value = "4.2.2.2"
obj8.post()
time.sleep(1)
# Create port-based NAT objects
obj9 = fmcapi.Hosts(fmc=fmc)
obj9.name = "_net_source_portbased"
obj9.value = "172.30.1.2"
obj9.post()
time.sleep(1)
obj10 = fmcapi.Hosts(fmc=fmc)
obj10.name = "_net_xlate_portbased"
obj10.value = "192.0.2.254"
obj10.post()
time.sleep(1)
obj11 = fmcapi.ProtocolPortObjects(fmc=fmc)
obj11.name = "_port_original"
obj11.protocol = "TCP"
obj11.port = "443"
obj11.post()
time.sleep(1)
obj12 = fmcapi.ProtocolPortObjects(fmc=fmc)
obj12.name = "_port_xlate"
obj12.protocol = "TCP"
obj12.port = "8443"
obj12.post()
time.sleep(1)
# Create Security Zones
sz1 = fmcapi.SecurityZones(fmc=fmc, name="IG-INSIDE")
sz1.post()
sz2 = fmcapi.SecurityZones(fmc=fmc, name="SZ-OUTSIDE1")
sz2.post()
# Manualnat a network object to a host
manualnat1 = fmcapi.ManualNatRules(fmc=fmc)
manualnat1.original_source(name="_net_original")
manualnat1.translated_source(name="_net_xlate")
manualnat1.natType = "STATIC"
# Source and destination interface can be either an interface group or security zone
manualnat1.source_intf(name="IG-INSIDE")
manualnat1.destination_intf(name="SZ-OUTSIDE1")
manualnat1.enabled = True
manualnat1.nat_policy(name=namer)
# Manualnat identity nat
manualnat2 = fmcapi.ManualNatRules(fmc=fmc)
manualnat2.identity_nat(name="_net_identity")
manualnat2.source_intf(name="IG-INSIDE")
manualnat2.destination_intf(name="SZ-OUTSIDE1")
manualnat2.enabled = True
manualnat2.nat_policy(name=namer)
# Manualnat nat pool
manualnat3 = fmcapi.ManualNatRules(fmc=fmc)
manualnat3.original_source(name="_net_original_pool")
manualnat3.patPool(name="_net_xlate_pool")
manualnat3.source_intf(name="IG-INSIDE")
manualnat3.destination_intf(name="SZ-OUTSIDE1")
manualnat3.enabled = True
manualnat3.nat_policy(name=namer)
# Manualnat interface PAT
manualnat4 = fmcapi.ManualNatRules(fmc=fmc)
manualnat4.original_source(name="_net_original_intf")
manualnat4.natType = "DYNAMIC"
manualnat4.unidirectional = True
manualnat4.source_intf(name="IG-INSIDE")
manualnat4.destination_intf(name="SZ-OUTSIDE1")
manualnat4.nat_policy(name=namer)
manualnat4.enabled = True
manualnat4.interfaceInTranslatedSource = True
# Manualnat divert
manualnat5 = fmcapi.ManualNatRules(fmc=fmc)
manualnat5.identity_nat(name="_net_source_divert")
manualnat5.original_destination(name="_net_destination_divert")
manualnat5.source_intf(name="IG-INSIDE")
manualnat5.destination_intf(name="SZ-OUTSIDE1")
manualnat5.enabled = True
manualnat5.nat_policy(name=namer)
# Manualnat port-based
manualnat6 = fmcapi.ManualNatRules(fmc=fmc)
manualnat6.original_source(name="_net_source_portbased")
manualnat6.original_source_port(name="_port_original")
manualnat6.translated_source(name="_net_xlate_portbased")
manualnat6.translated_source_port(name="_port_xlate")
manualnat6.natType = "STATIC"
manualnat6.source_intf(name="IG-INSIDE")
manualnat6.destination_intf(name="SZ-OUTSIDE1")
manualnat6.enabled = True
manualnat6.nat_policy(name=namer)
manualnat1.post()
manualnat2.post()
manualnat3.post()
manualnat4.post()
manualnat5.post()
manualnat6.post()
"""
# Associate a nat policy to a device
# Do not uncomment if you do not have a device registered to FPMC
# Use name of device or deviceHAPair as applicable
pol_devices = [{"name": "ftdv-HA", "type": "deviceHAPair"}]
assign1 = PolicyAssignments(fmc=fmc)
assign1.ftd_natpolicy(name=namer, devices=pol_devices)
assign1.post()
assign1.ftd_natpolicy(name=namer, devices=[])
assign1.put()
"""
logging.info("Cleanup of testing ManualNatRule methods.")
natpol1.delete()
obj1.delete()
obj2.delete()
obj3.delete()
obj4.delete()
obj5.delete()
obj6.delete()
obj7.delete()
obj8.delete()
obj9.delete()
obj10.delete()
obj11.delete()
obj12.delete()
sz1.delete()
sz2.delete()
def test__phys_interfaces(fmc):
logging.info(
"Test PhysicalInterface. get, put PhysicalInterface Objects. Requires registered device"
)
sz1 = fmcapi.SecurityZones(fmc=fmc)
sz1.name = "SZ-OUTSIDE1"
sz1.post()
time.sleep(1)
sz2 = fmcapi.SecurityZones(fmc=fmc)
sz2.name = "SZ-OUTSIDE2"
sz2.post()
time.sleep(1)
intf1 = fmcapi.PhysicalInterfaces(fmc=fmc, device_name="device_name")
intf1.get(name="GigabitEthernet0/0")
intf1.enabled = True
intf1.ifname = "OUTSIDE1"
intf1.activeMACAddress = "0050.5686.718f"
intf1.standbyMACAddress = "0050.5686.0c2e"
intf1.static(ipv4addr="10.254.0.3", ipv4mask=24)
intf1.sz(name=sz1.name)
intf2 = fmcapi.PhysicalInterfaces(fmc=fmc, device_name="device_name")
intf2.get(name="GigabitEthernet0/1")
intf2.enabled = True
intf2.ifname = "OUTSIDE2"
intf2.activeMACAddress = "0050.5686.821d"
intf2.standbyMACAddress = "0050.5686.11cb"
intf2.dhcp()
intf2.sz(name=sz2.name)
intf1.put()
time.sleep(1)
intf2.put()
time.sleep(1)
intf1.get()
intf2.get()
intf1.enabled = False
intf1.activeMACAddress = ""
intf1.standbyMACAddress = ""
intf1.static(ipv4addr="", ipv4mask="")
intf1.securityZone = {}
intf1.activeMACAddress = ""
intf1.standbyMACAddress = ""
intf2.enabled = False
intf2.activeMACAddress = ""
intf2.standbyMACAddress = ""
intf2.static(ipv4addr="", ipv4mask="")
intf2.securityZone = {}
intf2.activeMACAddress = ""
intf2.standbyMACAddress = ""
intf1.put()
time.sleep(1)
intf2.put()
time.sleep(1)
intf1.get()
intf2.get()
intf1.ifname = ""
intf2.ifname = ""
intf1.put()
sz1.delete()
intf2.put()
sz2.delete()
