def test__devicerecords(fmc): logging.info( 'Test Device. Though you can "Post" devices I do not have one handy. So ' "add/remove licenses on Device Objects." ) starttime = str(int(time.time())) namer = f"_fmcapi_test_{starttime}" acp1 = fmcapi.AccessPolicies(fmc=fmc, name=namer) acp1.post() obj1 = fmcapi.DeviceRecords(fmc=fmc) obj1.name = namer obj1.acp(name=acp1.name) obj1.licensing(action="add", name="MALWARE") obj1.licensing(action="add", name="VPN") obj1.licensing(action="remove", name="VPN") obj1.licensing(action="clear") obj1.licensing(action="add", name="BASE") logging.info("Device -->") logging.info(obj1.format_data()) acp1.delete() logging.info("Test Device done.\n")
def make_policy(self, fmc: fmcapi.FMC, policy_name: str): acp = fmcapi.AccessPolicies(fmc=fmc) acp.name = policy_name p = acp.get() if "paging" in p: if p["paging"]["count"] == 0: p = acp.post() self.logger.info(p) return p
def test__access_control_policy(fmc): logging.info( "Test AccessControlPolicy. Post, get, put, delete ACP Objects.") starttime = str(int(time.time())) namer = f"_fmcapi_test_{starttime}" obj1 = fmcapi.AccessPolicies(fmc=fmc) obj1.name = namer obj1.post() time.sleep(1) del obj1 obj1 = fmcapi.AccessPolicies(fmc=fmc, name=namer) obj1.get() obj1.name = "asdfasdf" obj1.put() time.sleep(1) obj1.delete() logging.info("Test AccessControlPolicy done.\n")
def create_access_policies(fmc, acp_list): """Create Access Policies and their associated AccessRules""" for acp in acp_list: policy = fmcapi.AccessPolicies(fmc=fmc, name=acp["name"], defaultAction=acp["default_action"]) policy.post() time.sleep(1) policy.get() # Build access_rules associated with this acp. if "rules" in acp: for rule in acp["rules"]: acp_rule = fmcapi.AccessRules(fmc=fmc, acp_id=policy.id, name=rule["name"]) if "log_begin" in rule: acp_rule.logBegin = rule["log_begin"] if "log_end" in rule: acp_rule.logEnd = rule["log_end"] if "send_events_to_fmc" in rule: acp_rule.sendEventsToFMC = rule["send_events_to_fmc"] if "enabled" in rule: acp_rule.enabled = rule["enabled"] if "action" in rule: acp_rule.action = rule["action"] if "source_networks" in rule: for sn in rule["source_networks"]: acp_rule.source_network(action="add", name=sn["name"]) if "destination_networks" in rule: for dn in rule["destination_networks"]: acp_rule.destination_network(action="add", name=dn["name"]) if "source_ports" in rule: for sp in rule["source_ports"]: acp_rule.source_port(action="add", name=sp["name"]) if "destination_ports" in rule: for dp in rule["destination_ports"]: acp_rule.destination_port(action="add", name=dp["name"]) if "intrusion_policy" in rule: acp_rule.intrusion_policy(action="add", name=rule["intrusion_policy"]) """ Using SGTs isn't implemented in fmcapi yet. if 'source_ise_sgts' in rule: for sgt in rule['source_ise_sgts']: acp_rule.source_ise_sgt(action='add', name=sgt['name']) if 'destination_ise_sgts' in rule: for sgt in rule['destination_ise_sgts']: acp_rule.destination_ise_sgt(action='add', name=sgt['name']) """ acp_rule.post()
def test(self): # TODO: Get log contents to pass to ConnectionTestException with fmcapi.FMC(host=self.host, username=self.username, password=self.password, autodeploy=True, limit=10) as fmc1: acp = fmcapi.AccessPolicies(fmc=fmc1) policy = acp.get() if policy: return else: raise ConnectionTestException( cause= 'Unable to connect to Cisco Firepower Management Center.', assistance='Please check the log for more information.')
def main(): """ The FTD device already has 100.127.100.15 on its management interface and the command 'configure network manager 100.64.0.155 cisco123' has already been manually typed on the FTD's CLI. """ with fmcapi.FMC(host='100.64.0.166', username='******', password='******', autodeploy=True) as fmc1: # Create Security Zones sz1 = fmcapi.SecurityZones(fmc=fmc1) sz1.name = 'Restricted' sz1.post() sz2 = fmcapi.SecurityZones(fmc=fmc1) sz2.name = 'Outside' sz2.post() # Create Objects border1 = fmcapi.NetworkAddresses(fmc=fmc1, name='Border-1', value='100.126.1.13') border1.post() finance = fmcapi.NetworkAddresses(fmc=fmc1, name='finance.dcloud.cisco.com', value='100.64.0.134') finance.post() pci = fmcapi.NetworkAddresses(fmc=fmc1, name='pci.dcloud.cisco.com', value='100.64.0.133') pci.post() ftd_border1_net = fmcapi.Networks(fmc=fmc1, name='FTD-Border1-net', value='100.126.1.12/30') ftd_border1_net.post() restricted_vn_net = fmcapi.Networks(fmc=fmc1, name='Restricted-VN-net', value='100.110.0.0/16') restricted_vn_net.post() # Create ACPs acp1 = fmcapi.AccessPolicies( fmc=fmc1, name='Restricted-VN-Initial-Policy', defaultAction='NETWORK_DISCOVERY', ) acp1.post() acp2 = fmcapi.AccessPolicies( fmc=fmc1, name='Restricted-VN-RTC-Policy', defaultAction='NETWORK_DISCOVERY', ) acp2.post() # Create ACP Rules for the ACPs initial_rule1 = fmcapi.AccessRules(fmc=fmc1, acp_name=acp1.name, name='Permit-ANY') initial_rule1.logBegin = True initial_rule1.logEnd = True initial_rule1.action = 'ALLOW' initial_rule1.post() rapid_threat_rule1 = fmcapi.AccessRules(fmc=fmc1, acp_name=acp2.name, name='PCIUsers-to-sources') rapid_threat_rule1.source_network(action='add', name=restricted_vn_net.name) rapid_threat_rule1.destination_port(action='add', name='HTTP') # rapid_threat_rule1.isesgt(name='PCI_user') rapid_threat_rule1.logBegin = True rapid_threat_rule1.logEnd = True rapid_threat_rule1.intrusion_policy(action='add', name='Restricted-VN-IPS-Policy') rapid_threat_rule1.action = 'ALLOW' rapid_threat_rule1.enabled = True rapid_threat_rule1.post() rapid_threat_rule2 = fmcapi.AccessRules( fmc=fmc1, acp_name=acp2.name, name='FinanceUsers2PCIResource') rapid_threat_rule2.source_network(action='add', name=restricted_vn_net.name) rapid_threat_rule2.destination_network(action='add', name=finance.name) rapid_threat_rule2.destination_port(action='add', name='HTTP') # rapid_threat_rule2.isesgt(name='PCI_user') # rapid_threat_rule2.isesgt(name='finance_user') rapid_threat_rule2.logBegin = True rapid_threat_rule2.logEnd = True rapid_threat_rule2.intrusion_policy(action='add', name='Restricted-VN-IPS-Policy') rapid_threat_rule2.action = 'ALLOW' rapid_threat_rule2.enabled = True rapid_threat_rule2.post() rapid_threat_rule3 = fmcapi.AccessRules( fmc=fmc1, acp_name=acp2.name, name='DenyUnauthenticatedUsers') rapid_threat_rule3.source_network(action='add', name=restricted_vn_net.name) rapid_threat_rule3.destination_network(action='add', name=finance.name) rapid_threat_rule3.destination_network(action='add', name=pci.name) rapid_threat_rule3.destination_port(action='add', name='HTTP') rapid_threat_rule3.logBegin = True rapid_threat_rule3.action = 'BLOCK' rapid_threat_rule3.enabled = True rapid_threat_rule3.post() rapid_threat_rule4 = fmcapi.AccessRules(fmc=fmc1, acp_name=acp2.name, name='Permit-ANY') rapid_threat_rule4.source_network(action='add', name='ipv4-any') rapid_threat_rule4.destination_network(action='add', name='ipv4-any') rapid_threat_rule4.action = 'ALLOW' rapid_threat_rule4.enabled = True rapid_threat_rule4.post() # Add FTD device to FMC ftd1 = fmcapi.DeviceRecords(fmc=fmc1) ftd1.hostName = '100.127.100.15' ftd1.regKey = 'C1sco12345' ftd1.acp(name='Restricted-VN-Initial-Policy') ftd1.name = 'FTD' ftd1.licensing(action='add', name='MALWARE') ftd1.licensing(action='add', name='VPN') ftd1.licensing(action='add', name='BASE') ftd1.licensing(action='add', name='THREAT') ftd1.licensing(action='add', name='URL') # Push to FMC to start device registration. ftd1.post(post_wait_time=300) # Once registration is complete configure the interfaces of ftd. int101 = fmcapi.PhysicalInterfaces(fmc=fmc1, device_name=ftd1.name) int101.get(name='GigabitEthernet0/0') int101.enabled = True int101.ifname = 'FTD-to-Fusion' int101.sz(name=sz2.name) int101.static(ipv4addr='100.127.101.254', ipv4mask=24) int101.put() int3004 = fmcapi.PhysicalInterfaces(fmc=fmc1, device_name=ftd1.name) int3004.get(name='GigabitEthernet0/1') int3004.enabled = True int3004.ifname = 'FTD-to-Border1' int3004.sz(name=sz1.name) int3004.static(ipv4addr='100.126.1.14', ipv4mask=30) int3004.put()
def test__device_with_task(fmc): logging.info( 'Test Device1 with Task. This requires having an actual device with the "configure manager add" ' "statement enabled." ) starttime = str(int(time.time())) namer = f"_fmcapi_test_{starttime}" acp1 = fmcapi.AccessPolicies(fmc=fmc, name=namer) acp1.post() starttime = str(int(time.time())) obj1_namer = f"_fmcapi_test_{starttime}" obj1 = fmcapi.Device(fmc=fmc) obj1.hostName = "10.255.0.43" obj1.name = obj1_namer obj1.regKey = "cisco123" obj1.natID = "cisco123" obj1.acp(name=acp1.name) obj1.licensing(action="add", name="BASE") obj1.licensing(action="add", name="THREAT") obj1.licensing(action="add", name="MALWARE") logging.info("Device -->") logging.info(obj1.format_data()) response = obj1.post() wait_for_task(response["metadata"]["task"], 30) logging.info( 'Test Device2 with Task. This requires having an actual device with the "configure manager add" ' "statement enabled." ) starttime = str(int(time.time())) obj2_namer = f"_fmcapi_test_{starttime}" obj2 = fmcapi.Device(fmc=fmc) obj2.hostName = "10.255.0.44" obj2.name = obj2_namer obj2.regKey = "cisco123" obj2.natID = "cisco123" obj2.acp(name=acp1.name) obj2.licensing(action="add", name="BASE") obj2.licensing(action="add", name="THREAT") obj2.licensing(action="add", name="MALWARE") logging.info("Device -->") logging.info(obj2.format_data()) logging.info("\n") obj2.post() # wait_for_task(response["metadata"]["task"], 30) # Wait some additional time to complete device registration before deletion time.sleep(180) obj1 = fmcapi.Device(fmc=fmc) obj2 = fmcapi.Device(fmc=fmc) obj1.get(name=obj1_namer) obj2.get(name=obj2_namer) obj1.delete() time.sleep(30) obj2.delete() time.sleep(30) acp1.delete()
def main(): """ The hq-ftd device already has 10.0.0.254 on its manage interface and the command 'configure network manager 10.0.0.10 cisco123' has already been manually typed on the FTD's CLI. """ # ### Set these variables to match your environment. ### # host = "10.0.0.10" username = "******" password = "******" with fmcapi.FMC( host=host, username=username, password=password, autodeploy=True, file_logging="hq-ftd.log", ) as fmc1: # Create an ACP acp = fmcapi.AccessPolicies(fmc=fmc1, name="ACP Policy") acp.defaultAction = "BLOCK" # I intentionally put a "space" in the ACP name to show that fmcapi will "fix" that for you. acp.post() # Create Security Zones sz_inside = fmcapi.SecurityZones(fmc=fmc1, name="inside", interfaceMode="ROUTED") sz_inside.post() sz_outside = fmcapi.SecurityZones(fmc=fmc1, name="outside", interfaceMode="ROUTED") sz_outside.post() sz_dmz = fmcapi.SecurityZones(fmc=fmc1, name="dmz", interfaceMode="ROUTED") sz_dmz.post() # Create Network Objects hq_dfgw_gateway = fmcapi.Hosts(fmc=fmc1, name="hq-default-gateway", value="100.64.0.1") hq_dfgw_gateway.post() hq_lan = fmcapi.Networks(fmc=fmc1, name="hq-lan", value="10.0.0.0/24") hq_lan.post() all_lans = fmcapi.Networks(fmc=fmc1, name="all-lans", value="10.0.0.0/8") all_lans.post() hq_fmc = fmcapi.Hosts(fmc=fmc1, name="hq_fmc", value="10.0.0.10") hq_fmc.post() fmc_public = fmcapi.Hosts(fmc=fmc1, name="fmc_public_ip", value="100.64.0.10") fmc_public.post() # Create ACP Rule to permit hq_lan traffic inside to outside. hq_acprule = fmcapi.AccessRules( fmc=fmc1, acp_name=acp.name, name="Permit HQ LAN", action="ALLOW", enabled=True, ) hq_acprule.source_zone(action="add", name=sz_inside.name) hq_acprule.destination_zone(action="add", name=sz_outside.name) hq_acprule.source_network(action="add", name=hq_lan.name) hq_acprule.destination_network(action="add", name="any-ipv4") # hq_acprule.logBegin = True # hq_acprule.logEnd = True hq_acprule.post() # Build NAT Policy nat = fmcapi.FTDNatPolicies(fmc=fmc1, name="NAT Policy") nat.post() # Build NAT Rule to NAT all_lans to interface outside autonat = fmcapi.AutoNatRules(fmc=fmc1) autonat.natType = "DYNAMIC" autonat.interfaceInTranslatedNetwork = True autonat.original_network(all_lans.name) autonat.source_intf(name=sz_inside.name) autonat.destination_intf(name=sz_outside.name) autonat.nat_policy(name=nat.name) autonat.post() # Build NAT Rule to allow inbound traffic to FMC (Branches need to register to FMC.) fmc_nat = fmcapi.ManualNatRules(fmc=fmc1) fmc_nat.natType = "STATIC" fmc_nat.original_source(hq_fmc.name) fmc_nat.translated_source(fmc_public.name) fmc_nat.source_intf(name=sz_inside.name) fmc_nat.destination_intf(name=sz_outside.name) fmc_nat.nat_policy(name=nat.name) fmc_nat.enabled = True fmc_nat.post() # Add hq-ftd device to FMC hq_ftd = fmcapi.DeviceRecords(fmc=fmc1) # Minimum things set. hq_ftd.hostName = "10.0.0.254" hq_ftd.regKey = "cisco123" hq_ftd.acp(name=acp.name) # Other stuff I want set. hq_ftd.name = "hq-ftd" hq_ftd.licensing(action="add", name="MALWARE") hq_ftd.licensing(action="add", name="VPN") hq_ftd.licensing(action="add", name="BASE") hq_ftd.licensing(action="add", name="THREAT") hq_ftd.licensing(action="add", name="URLFilter") # Push to FMC to start device registration. hq_ftd.post(post_wait_time=300) # Once registration is complete configure the interfaces of hq-ftd. hq_ftd_g00 = fmcapi.PhysicalInterfaces(fmc=fmc1, device_name=hq_ftd.name) hq_ftd_g00.get(name="GigabitEthernet0/0") hq_ftd_g00.enabled = True hq_ftd_g00.ifname = "IN" hq_ftd_g00.static(ipv4addr="10.0.0.1", ipv4mask=24) hq_ftd_g00.sz(name="inside") hq_ftd_g00.put() hq_ftd_g01 = fmcapi.PhysicalInterfaces(fmc=fmc1, device_name=hq_ftd.name) hq_ftd_g01.get(name="GigabitEthernet0/1") hq_ftd_g01.enabled = True hq_ftd_g01.ifname = "OUT" hq_ftd_g01.static(ipv4addr="100.64.0.200", ipv4mask=24) hq_ftd_g01.sz(name="outside") hq_ftd_g01.put() # Build static default route for HQ FTD hq_default_route = fmcapi.IPv4StaticRoutes(fmc=fmc1, name="hq_default_route") hq_default_route.device(device_name=hq_ftd.name) hq_default_route.networks(action="add", networks=["any-ipv4"]) hq_default_route.gw(name=hq_dfgw_gateway.name) hq_default_route.interfaceName = hq_ftd_g01.ifname hq_default_route.metricValue = 1 hq_default_route.post() # Associate NAT policy with HQ FTD device. devices = [{"name": hq_ftd.name, "type": "device"}] assign_nat_policy = fmcapi.PolicyAssignments(fmc=fmc1) assign_nat_policy.ftd_natpolicy(name=nat.name, devices=devices) assign_nat_policy.post()
def test__acp_rule(fmc): logging.info( "In preparation for testing ACPRule methods, set up some known objects in the FMC." ) starttime = str(int(time.time())) namer = f"_fmcapi_test_{starttime}" # Build an IP host object iphost1 = fmcapi.Hosts(fmc=fmc, name="_iphost1", value="7.7.7.7") iphost1.post() # Build an IP Network object ipnet1 = fmcapi.Networks(fmc=fmc, name="_ipnet1", value="1.2.3.0/24") ipnet1.post() # Build an IP range object iprange1 = fmcapi.Ranges(fmc=fmc, name="_iprange1", value="6.6.6.6-7.7.7.7") iprange1.post() # Build a Network Group object ipnet2 = fmcapi.Networks(fmc=fmc, name="_ipnet2", value="5.5.5.0/24") ipnet2.post() time.sleep(1) # Build an FQDNS object fqdns1 = fmcapi.FQDNS(fmc=fmc, name="_fqdns1", value="www.cisco.com") fqdns1.post() obj1 = fmcapi.NetworkGroups(fmc=fmc, name="_fmcapi_test_networkgroup") obj1.named_networks(action="add", name=ipnet2.name) obj1.unnamed_networks(action="add", value="4.4.4.4/32") obj1.post() # Build a URL object url1 = fmcapi.URLs(fmc=fmc, name="_url1", url="asdf.org") url1.post() url1.get() # lists = [{"type": url1.type, "id": url1.id, "name": url1.name}] # Build a VLAN Tag object vlantag1 = fmcapi.VlanTags(fmc=fmc, name="_vlantag1", data={ "startTag": "888", "endTag": "999" }) vlantag1.post() # Build a Port object pport1 = fmcapi.ProtocolPortObjects(fmc=fmc, name="_pport1", port="9090", protocol="UDP") pport1.post() # Build a Port Group Object obj10 = fmcapi.ProtocolPortObjects(fmc=fmc, name="_porttcp1", port="8443", protocol="TCP") obj10.post() obj11 = fmcapi.ProtocolPortObjects(fmc=fmc, name="_portudp1", port="161", protocol="UDP") obj11.post() obj12 = fmcapi.ProtocolPortObjects(fmc=fmc, name="_portrangetcp1", port="0-1023", protocol="TCP") obj12.post() obj2 = fmcapi.PortObjectGroups(fmc=fmc, name="_fmcapi_test_portobjectgroup") obj2.named_ports(action="add", name=obj10.name) obj2.named_ports(action="add", name=obj11.name) obj2.named_ports(action="add", name=obj12.name) obj2.post() # Build a Security Zone object sz1 = fmcapi.SecurityZones(fmc=fmc, name="_sz1", interfaceMode="ROUTED") sz1.post() # Build an ACP Object acp1 = fmcapi.AccessPolicies(fmc=fmc, name=namer) acp1.post() # Get a file_policy # fp = fmcapi.FilePolicies(fmc=fmc1, name='daxm_test') time.sleep(1) logging.info("Setup of objects for ACPRule test done.\n") logging.info( "Test ACPRule. Try to test all features of all methods of the ACPRule class." ) acprule1 = fmcapi.AccessRules(fmc=fmc, acp_name=acp1.name) acprule1.name = namer acprule1.action = "ALLOW" acprule1.enabled = False acprule1.sendEventsToFMC = True acprule1.logFiles = False acprule1.logBegin = True acprule1.logEnd = True acprule1.variable_set(action="set", name="Default-Set") acprule1.source_zone(action="add", name=sz1.name) acprule1.destination_zone(action="add", name=sz1.name) acprule1.intrusion_policy(action="set", name="Security Over Connectivity") acprule1.vlan_tags(action="add", name=vlantag1.name) acprule1.source_port(action="add", name=pport1.name) acprule1.destination_port(action="add", name=pport1.name) acprule1.destination_port(action="add", name=obj2.name) acprule1.source_network(action="add", name=iphost1.name) acprule1.source_network(action="add", name=obj1.name) acprule1.source_network(action="add", name=iprange1.name) acprule1.destination_network(action="add", name=ipnet1.name) acprule1.destination_network(action="add", name=iprange1.name) acprule1.destination_network(action="add", name=fqdns1.name) # acprule1.urls(name=url1.name) # acprule1.file_policy(action='set', name=fp.name) acprule1.post() logging.info("Test ACPRule done.\n") logging.info("Cleanup of testing ACPRule methods.") acprule1.delete() time.sleep(1) acp1.delete() iphost1.delete() ipnet1.delete() iprange1.delete() fqdns1.delete() obj1.delete() ipnet2.delete() url1.delete() vlantag1.delete() pport1.delete() sz1.delete() obj2.delete() obj10.delete() obj11.delete() obj12.delete() logging.info("Cleanup of objects for ACPRule test done.\n")