def test__devicerecords(fmc):
logging.info(
'Test Device. Though you can "Post" devices I do not have one handy. So '
"add/remove licenses on Device Objects."
)
starttime = str(int(time.time()))
namer = f"_fmcapi_test_{starttime}"
acp1 = fmcapi.AccessPolicies(fmc=fmc, name=namer)
acp1.post()
obj1 = fmcapi.DeviceRecords(fmc=fmc)
obj1.name = namer
obj1.acp(name=acp1.name)
obj1.licensing(action="add", name="MALWARE")
obj1.licensing(action="add", name="VPN")
obj1.licensing(action="remove", name="VPN")
obj1.licensing(action="clear")
obj1.licensing(action="add", name="BASE")
logging.info("Device -->")
logging.info(obj1.format_data())
acp1.delete()
logging.info("Test Device done.\n")
def test__hitcounts(fmc, device_name="", prefilter_id=""):
if not device_name and not prefilter_id:
return f"Name of an actual device or prefilter ID is required for the HitCounts test to work... skipping test."
logging.info(
"In preparation for testing HitCounts method, set up some known objects in the FMC."
)
starttime = str(int(time.time()))
namer = f"test__hitcounts_{starttime}"
# Get the device
device1 = fmcapi.DeviceRecords(fmc=fmc, name=device_name)
device1.get()
# In case there is no ACP Rule build a temp one.
acprule1 = fmcapi.AccessRules(fmc=fmc, acp_id=device1.accessPolicy["id"])
# acprule1 = fmcapi.AccessRules(fmc=fmc, acp_name=device1.accessPolicy['name'])
acprule1.name = namer
acprule1.action = "ALLOW"
acprule1.post()
time.sleep(1)
acprule1.get()
hitcounter1 = None
if prefilter_id:
hitcounter1 = fmcapi.HitCounts(fmc=fmc,
prefilter_id=prefilter_id,
device_name=device_name)
else:
hitcounter1 = fmcapi.HitCounts(fmc=fmc,
acp_id=device1.accessPolicy["id"],
device_name=device_name)
"""
Searching for AccessRule by name returns the "correct" ID for the rule but HitCount shows a completely
different ID so it doesn't match.
# hitcounter1.acp_rules(action="add", name="Permit HQ LAN")
If you know the ID that HitCount is looking for a specific rule:
# hitcounter1.acp_rules(action="add", acp_rule_id="005056B5-44E6-0ed3-0000-000268434433")
"""
for result in hitcounter1.get():
print(result)
logging.info("Test HitCount done.")
logging.info("Cleanup of testing HitCount methods.")
acprule1.delete()
time.sleep(1)
logging.info("Cleanup of objects for HitCount test done.\n\n")
def main():
"""
The FTD device already has 100.127.100.15 on its management interface and the command 'configure network manager
100.64.0.155 cisco123' has already been manually typed on the FTD's CLI.
"""
with fmcapi.FMC(host='100.64.0.166',
username='******',
password='******',
autodeploy=True) as fmc1:
# Create Security Zones
sz1 = fmcapi.SecurityZones(fmc=fmc1)
sz1.name = 'Restricted'
sz1.post()
sz2 = fmcapi.SecurityZones(fmc=fmc1)
sz2.name = 'Outside'
sz2.post()
# Create Objects
border1 = fmcapi.NetworkAddresses(fmc=fmc1,
name='Border-1',
value='100.126.1.13')
border1.post()
finance = fmcapi.NetworkAddresses(fmc=fmc1,
name='finance.dcloud.cisco.com',
value='100.64.0.134')
finance.post()
pci = fmcapi.NetworkAddresses(fmc=fmc1,
name='pci.dcloud.cisco.com',
value='100.64.0.133')
pci.post()
ftd_border1_net = fmcapi.Networks(fmc=fmc1,
name='FTD-Border1-net',
value='100.126.1.12/30')
ftd_border1_net.post()
restricted_vn_net = fmcapi.Networks(fmc=fmc1,
name='Restricted-VN-net',
value='100.110.0.0/16')
restricted_vn_net.post()
# Create ACPs
acp1 = fmcapi.AccessPolicies(
fmc=fmc1,
name='Restricted-VN-Initial-Policy',
defaultAction='NETWORK_DISCOVERY',
)
acp1.post()
acp2 = fmcapi.AccessPolicies(
fmc=fmc1,
name='Restricted-VN-RTC-Policy',
defaultAction='NETWORK_DISCOVERY',
)
acp2.post()
# Create ACP Rules for the ACPs
initial_rule1 = fmcapi.AccessRules(fmc=fmc1,
acp_name=acp1.name,
name='Permit-ANY')
initial_rule1.logBegin = True
initial_rule1.logEnd = True
initial_rule1.action = 'ALLOW'
initial_rule1.post()
rapid_threat_rule1 = fmcapi.AccessRules(fmc=fmc1,
acp_name=acp2.name,
name='PCIUsers-to-sources')
rapid_threat_rule1.source_network(action='add',
name=restricted_vn_net.name)
rapid_threat_rule1.destination_port(action='add', name='HTTP')
# rapid_threat_rule1.isesgt(name='PCI_user')
rapid_threat_rule1.logBegin = True
rapid_threat_rule1.logEnd = True
rapid_threat_rule1.intrusion_policy(action='add',
name='Restricted-VN-IPS-Policy')
rapid_threat_rule1.action = 'ALLOW'
rapid_threat_rule1.enabled = True
rapid_threat_rule1.post()
rapid_threat_rule2 = fmcapi.AccessRules(
fmc=fmc1, acp_name=acp2.name, name='FinanceUsers2PCIResource')
rapid_threat_rule2.source_network(action='add',
name=restricted_vn_net.name)
rapid_threat_rule2.destination_network(action='add', name=finance.name)
rapid_threat_rule2.destination_port(action='add', name='HTTP')
# rapid_threat_rule2.isesgt(name='PCI_user')
# rapid_threat_rule2.isesgt(name='finance_user')
rapid_threat_rule2.logBegin = True
rapid_threat_rule2.logEnd = True
rapid_threat_rule2.intrusion_policy(action='add',
name='Restricted-VN-IPS-Policy')
rapid_threat_rule2.action = 'ALLOW'
rapid_threat_rule2.enabled = True
rapid_threat_rule2.post()
rapid_threat_rule3 = fmcapi.AccessRules(
fmc=fmc1, acp_name=acp2.name, name='DenyUnauthenticatedUsers')
rapid_threat_rule3.source_network(action='add',
name=restricted_vn_net.name)
rapid_threat_rule3.destination_network(action='add', name=finance.name)
rapid_threat_rule3.destination_network(action='add', name=pci.name)
rapid_threat_rule3.destination_port(action='add', name='HTTP')
rapid_threat_rule3.logBegin = True
rapid_threat_rule3.action = 'BLOCK'
rapid_threat_rule3.enabled = True
rapid_threat_rule3.post()
rapid_threat_rule4 = fmcapi.AccessRules(fmc=fmc1,
acp_name=acp2.name,
name='Permit-ANY')
rapid_threat_rule4.source_network(action='add', name='ipv4-any')
rapid_threat_rule4.destination_network(action='add', name='ipv4-any')
rapid_threat_rule4.action = 'ALLOW'
rapid_threat_rule4.enabled = True
rapid_threat_rule4.post()
# Add FTD device to FMC
ftd1 = fmcapi.DeviceRecords(fmc=fmc1)
ftd1.hostName = '100.127.100.15'
ftd1.regKey = 'C1sco12345'
ftd1.acp(name='Restricted-VN-Initial-Policy')
ftd1.name = 'FTD'
ftd1.licensing(action='add', name='MALWARE')
ftd1.licensing(action='add', name='VPN')
ftd1.licensing(action='add', name='BASE')
ftd1.licensing(action='add', name='THREAT')
ftd1.licensing(action='add', name='URL')
# Push to FMC to start device registration.
ftd1.post(post_wait_time=300)
# Once registration is complete configure the interfaces of ftd.
int101 = fmcapi.PhysicalInterfaces(fmc=fmc1, device_name=ftd1.name)
int101.get(name='GigabitEthernet0/0')
int101.enabled = True
int101.ifname = 'FTD-to-Fusion'
int101.sz(name=sz2.name)
int101.static(ipv4addr='100.127.101.254', ipv4mask=24)
int101.put()
int3004 = fmcapi.PhysicalInterfaces(fmc=fmc1, device_name=ftd1.name)
int3004.get(name='GigabitEthernet0/1')
int3004.enabled = True
int3004.ifname = 'FTD-to-Border1'
int3004.sz(name=sz1.name)
int3004.static(ipv4addr='100.126.1.14', ipv4mask=30)
int3004.put()
def main():
"""
The hq-ftd device already has 10.0.0.254 on its manage interface and the command 'configure network manager
10.0.0.10 cisco123' has already been manually typed on the FTD's CLI.
"""
# ### Set these variables to match your environment. ### #
host = "10.0.0.10"
username = "******"
password = "******"
with fmcapi.FMC(
host=host,
username=username,
password=password,
autodeploy=True,
file_logging="hq-ftd.log",
) as fmc1:
# Create an ACP
acp = fmcapi.AccessPolicies(fmc=fmc1, name="ACP Policy")
acp.defaultAction = "BLOCK"
# I intentionally put a "space" in the ACP name to show that fmcapi will "fix" that for you.
acp.post()
# Create Security Zones
sz_inside = fmcapi.SecurityZones(fmc=fmc1,
name="inside",
interfaceMode="ROUTED")
sz_inside.post()
sz_outside = fmcapi.SecurityZones(fmc=fmc1,
name="outside",
interfaceMode="ROUTED")
sz_outside.post()
sz_dmz = fmcapi.SecurityZones(fmc=fmc1,
name="dmz",
interfaceMode="ROUTED")
sz_dmz.post()
# Create Network Objects
hq_dfgw_gateway = fmcapi.Hosts(fmc=fmc1,
name="hq-default-gateway",
value="100.64.0.1")
hq_dfgw_gateway.post()
hq_lan = fmcapi.Networks(fmc=fmc1, name="hq-lan", value="10.0.0.0/24")
hq_lan.post()
all_lans = fmcapi.Networks(fmc=fmc1,
name="all-lans",
value="10.0.0.0/8")
all_lans.post()
hq_fmc = fmcapi.Hosts(fmc=fmc1, name="hq_fmc", value="10.0.0.10")
hq_fmc.post()
fmc_public = fmcapi.Hosts(fmc=fmc1,
name="fmc_public_ip",
value="100.64.0.10")
fmc_public.post()
# Create ACP Rule to permit hq_lan traffic inside to outside.
hq_acprule = fmcapi.AccessRules(
fmc=fmc1,
acp_name=acp.name,
name="Permit HQ LAN",
action="ALLOW",
enabled=True,
)
hq_acprule.source_zone(action="add", name=sz_inside.name)
hq_acprule.destination_zone(action="add", name=sz_outside.name)
hq_acprule.source_network(action="add", name=hq_lan.name)
hq_acprule.destination_network(action="add", name="any-ipv4")
# hq_acprule.logBegin = True
# hq_acprule.logEnd = True
hq_acprule.post()
# Build NAT Policy
nat = fmcapi.FTDNatPolicies(fmc=fmc1, name="NAT Policy")
nat.post()
# Build NAT Rule to NAT all_lans to interface outside
autonat = fmcapi.AutoNatRules(fmc=fmc1)
autonat.natType = "DYNAMIC"
autonat.interfaceInTranslatedNetwork = True
autonat.original_network(all_lans.name)
autonat.source_intf(name=sz_inside.name)
autonat.destination_intf(name=sz_outside.name)
autonat.nat_policy(name=nat.name)
autonat.post()
# Build NAT Rule to allow inbound traffic to FMC (Branches need to register to FMC.)
fmc_nat = fmcapi.ManualNatRules(fmc=fmc1)
fmc_nat.natType = "STATIC"
fmc_nat.original_source(hq_fmc.name)
fmc_nat.translated_source(fmc_public.name)
fmc_nat.source_intf(name=sz_inside.name)
fmc_nat.destination_intf(name=sz_outside.name)
fmc_nat.nat_policy(name=nat.name)
fmc_nat.enabled = True
fmc_nat.post()
# Add hq-ftd device to FMC
hq_ftd = fmcapi.DeviceRecords(fmc=fmc1)
# Minimum things set.
hq_ftd.hostName = "10.0.0.254"
hq_ftd.regKey = "cisco123"
hq_ftd.acp(name=acp.name)
# Other stuff I want set.
hq_ftd.name = "hq-ftd"
hq_ftd.licensing(action="add", name="MALWARE")
hq_ftd.licensing(action="add", name="VPN")
hq_ftd.licensing(action="add", name="BASE")
hq_ftd.licensing(action="add", name="THREAT")
hq_ftd.licensing(action="add", name="URLFilter")
# Push to FMC to start device registration.
hq_ftd.post(post_wait_time=300)
# Once registration is complete configure the interfaces of hq-ftd.
hq_ftd_g00 = fmcapi.PhysicalInterfaces(fmc=fmc1,
device_name=hq_ftd.name)
hq_ftd_g00.get(name="GigabitEthernet0/0")
hq_ftd_g00.enabled = True
hq_ftd_g00.ifname = "IN"
hq_ftd_g00.static(ipv4addr="10.0.0.1", ipv4mask=24)
hq_ftd_g00.sz(name="inside")
hq_ftd_g00.put()
hq_ftd_g01 = fmcapi.PhysicalInterfaces(fmc=fmc1,
device_name=hq_ftd.name)
hq_ftd_g01.get(name="GigabitEthernet0/1")
hq_ftd_g01.enabled = True
hq_ftd_g01.ifname = "OUT"
hq_ftd_g01.static(ipv4addr="100.64.0.200", ipv4mask=24)
hq_ftd_g01.sz(name="outside")
hq_ftd_g01.put()
# Build static default route for HQ FTD
hq_default_route = fmcapi.IPv4StaticRoutes(fmc=fmc1,
name="hq_default_route")
hq_default_route.device(device_name=hq_ftd.name)
hq_default_route.networks(action="add", networks=["any-ipv4"])
hq_default_route.gw(name=hq_dfgw_gateway.name)
hq_default_route.interfaceName = hq_ftd_g01.ifname
hq_default_route.metricValue = 1
hq_default_route.post()
# Associate NAT policy with HQ FTD device.
devices = [{"name": hq_ftd.name, "type": "device"}]
assign_nat_policy = fmcapi.PolicyAssignments(fmc=fmc1)
assign_nat_policy.ftd_natpolicy(name=nat.name, devices=devices)
assign_nat_policy.post()
def create_device_records(fmc, device_list):
"""DeviceRecords (Registration and Interfaces)"""
for dr in device_list:
# Register this device with the FMC. Assume the device is pre-programmed to listen for the FTD registration.
ftd = fmcapi.DeviceRecords(fmc=fmc)
if "hostname" in dr:
ftd.hostName = dr["hostname"]
if "registration_key" in dr:
ftd.regKey = dr["registration_key"]
if "access_policy" in dr:
ftd.acp(name=dr["access_policy"])
if "name" in dr:
ftd.name = dr["name"]
if "licenses" in dr:
for lice in dr["licenses"]:
ftd.licensing(action="add", name=lice["name"])
# Push to FMC to start device registration.
ftd.post(post_wait_time=dr["wait_for_post"])
# Time to configure interfaces.
if "interfaces" in dr:
if "physical" in dr["interfaces"]:
for interface in dr["interfaces"]["physical"]:
int1 = fmcapi.PhysicalInterfaces(fmc=fmc,
device_name=dr["name"])
if "name" in interface:
int1.get(name=interface["name"])
if "enabled" in interface:
int1.enabled = interface["enabled"]
if "interface_name" in interface:
int1.ifname = interface["interface_name"]
if "security_zone" in interface:
int1.sz(name=interface["security_zone"])
if "addresses" in interface:
if "ipv4" in interface["addresses"]:
if "static" in interface["addresses"]["ipv4"]:
int1.static(
ipv4addr=interface["addresses"]["ipv4"]
["static"]["ip"],
ipv4mask=interface["addresses"]["ipv4"]
["static"]["bitmask"],
)
elif "dhcp" in interface["addresses"]["ipv4"]:
int1.dhcp(
enableDefault=interface["addresses"]
["ipv4"]["dhcp"]["enable_default"],
routeMetric=interface["addresses"]["ipv4"]
["dhcp"]["route_metric"],
)
if "ipv6" in interface["addresses"]:
pass
int1.put()
# Any routing related to this device.
if "routing" in dr:
if "static" in dr["routing"]:
if "ipv4" in dr["routing"]["static"]:
for route in dr["routing"]["static"]["ipv4"]:
rt = fmcapi.IPv4StaticRoutes(fmc=fmc,
device_name=dr["name"])
if "name" in route:
rt.name = route["name"]
if "networks" in route:
for network in route["networks"]:
if "name" in network:
rt.networks(action="add",
networks=[network["name"]])
if "gateway" in route:
rt.gw(name=route["gateway"])
if "interface_name" in route:
rt.interfaceName = route["interface_name"]
if "metric" in route:
rt.metricValue = route["metric"]
rt.post()
if "ipv6" in dr["routing"]["static"]:
pass
# Any NAT Policy assigned to this device.
if "nat_policy" in dr:
natp = fmcapi.PolicyAssignments(fmc=fmc)
natp.ftd_natpolicy(
name=dr["nat_policy"],
devices=[{
"name": dr["name"],
"type": dr["type"]
}],
)
natp.post()