def create_nat_policies(fmc, nat_list):
"""Create Nat Policies and their rules"""
for natp in nat_list:
policy = fmcapi.FTDNatPolicies(fmc=fmc, name=natp["name"])
policy.post()
# Build nat_rules associated with this nat policy.
if "rules" in natp:
if "auto" in natp["rules"]:
for this_rule in natp["rules"]["auto"]:
autonat = fmcapi.AutoNatRules(fmc=fmc)
if "nat_type" in this_rule:
autonat.natType = this_rule["nat_type"]
if "interface_in_translated_network" in this_rule:
autonat.interfaceInTranslatedNetwork = this_rule[
"interface_in_translated_network"
]
if "original_network" in this_rule:
autonat.original_network(this_rule["original_network"])
if "source_interface" in this_rule:
autonat.source_intf(name=this_rule["source_interface"])
if "destination_interface" in this_rule:
autonat.destination_intf(
name=this_rule["destination_interface"]
)
autonat.nat_policy(name=natp["name"])
autonat.post()
if "manual" in natp["rules"]:
for this_rule in natp["rules"]["manual"]:
manualnat = fmcapi.ManualNatRules(fmc=fmc)
if "nat_type" in this_rule:
manualnat.natType = this_rule["nat_type"]
if "original_source" in this_rule:
manualnat.original_source(this_rule["original_source"])
if "translated_source" in this_rule:
manualnat.translated_source(this_rule["translated_source"])
if "source_interface" in this_rule:
manualnat.source_intf(name=this_rule["source_interface"])
if "destination_interface" in this_rule:
manualnat.destination_intf(
name=this_rule["destination_interface"]
)
if "enabled" in this_rule:
manualnat.enabled = this_rule["enabled"]
manualnat.nat_policy(name=natp["name"])
manualnat.post()
def main():
"""
The hq-ftd device already has 10.0.0.254 on its manage interface and the command 'configure network manager
10.0.0.10 cisco123' has already been manually typed on the FTD's CLI.
"""
# ### Set these variables to match your environment. ### #
host = "10.0.0.10"
username = "******"
password = "******"
with fmcapi.FMC(
host=host,
username=username,
password=password,
autodeploy=True,
file_logging="hq-ftd.log",
) as fmc1:
# Create an ACP
acp = fmcapi.AccessPolicies(fmc=fmc1, name="ACP Policy")
acp.defaultAction = "BLOCK"
# I intentionally put a "space" in the ACP name to show that fmcapi will "fix" that for you.
acp.post()
# Create Security Zones
sz_inside = fmcapi.SecurityZones(fmc=fmc1,
name="inside",
interfaceMode="ROUTED")
sz_inside.post()
sz_outside = fmcapi.SecurityZones(fmc=fmc1,
name="outside",
interfaceMode="ROUTED")
sz_outside.post()
sz_dmz = fmcapi.SecurityZones(fmc=fmc1,
name="dmz",
interfaceMode="ROUTED")
sz_dmz.post()
# Create Network Objects
hq_dfgw_gateway = fmcapi.Hosts(fmc=fmc1,
name="hq-default-gateway",
value="100.64.0.1")
hq_dfgw_gateway.post()
hq_lan = fmcapi.Networks(fmc=fmc1, name="hq-lan", value="10.0.0.0/24")
hq_lan.post()
all_lans = fmcapi.Networks(fmc=fmc1,
name="all-lans",
value="10.0.0.0/8")
all_lans.post()
hq_fmc = fmcapi.Hosts(fmc=fmc1, name="hq_fmc", value="10.0.0.10")
hq_fmc.post()
fmc_public = fmcapi.Hosts(fmc=fmc1,
name="fmc_public_ip",
value="100.64.0.10")
fmc_public.post()
# Create ACP Rule to permit hq_lan traffic inside to outside.
hq_acprule = fmcapi.AccessRules(
fmc=fmc1,
acp_name=acp.name,
name="Permit HQ LAN",
action="ALLOW",
enabled=True,
)
hq_acprule.source_zone(action="add", name=sz_inside.name)
hq_acprule.destination_zone(action="add", name=sz_outside.name)
hq_acprule.source_network(action="add", name=hq_lan.name)
hq_acprule.destination_network(action="add", name="any-ipv4")
# hq_acprule.logBegin = True
# hq_acprule.logEnd = True
hq_acprule.post()
# Build NAT Policy
nat = fmcapi.FTDNatPolicies(fmc=fmc1, name="NAT Policy")
nat.post()
# Build NAT Rule to NAT all_lans to interface outside
autonat = fmcapi.AutoNatRules(fmc=fmc1)
autonat.natType = "DYNAMIC"
autonat.interfaceInTranslatedNetwork = True
autonat.original_network(all_lans.name)
autonat.source_intf(name=sz_inside.name)
autonat.destination_intf(name=sz_outside.name)
autonat.nat_policy(name=nat.name)
autonat.post()
# Build NAT Rule to allow inbound traffic to FMC (Branches need to register to FMC.)
fmc_nat = fmcapi.ManualNatRules(fmc=fmc1)
fmc_nat.natType = "STATIC"
fmc_nat.original_source(hq_fmc.name)
fmc_nat.translated_source(fmc_public.name)
fmc_nat.source_intf(name=sz_inside.name)
fmc_nat.destination_intf(name=sz_outside.name)
fmc_nat.nat_policy(name=nat.name)
fmc_nat.enabled = True
fmc_nat.post()
# Add hq-ftd device to FMC
hq_ftd = fmcapi.DeviceRecords(fmc=fmc1)
# Minimum things set.
hq_ftd.hostName = "10.0.0.254"
hq_ftd.regKey = "cisco123"
hq_ftd.acp(name=acp.name)
# Other stuff I want set.
hq_ftd.name = "hq-ftd"
hq_ftd.licensing(action="add", name="MALWARE")
hq_ftd.licensing(action="add", name="VPN")
hq_ftd.licensing(action="add", name="BASE")
hq_ftd.licensing(action="add", name="THREAT")
hq_ftd.licensing(action="add", name="URLFilter")
# Push to FMC to start device registration.
hq_ftd.post(post_wait_time=300)
# Once registration is complete configure the interfaces of hq-ftd.
hq_ftd_g00 = fmcapi.PhysicalInterfaces(fmc=fmc1,
device_name=hq_ftd.name)
hq_ftd_g00.get(name="GigabitEthernet0/0")
hq_ftd_g00.enabled = True
hq_ftd_g00.ifname = "IN"
hq_ftd_g00.static(ipv4addr="10.0.0.1", ipv4mask=24)
hq_ftd_g00.sz(name="inside")
hq_ftd_g00.put()
hq_ftd_g01 = fmcapi.PhysicalInterfaces(fmc=fmc1,
device_name=hq_ftd.name)
hq_ftd_g01.get(name="GigabitEthernet0/1")
hq_ftd_g01.enabled = True
hq_ftd_g01.ifname = "OUT"
hq_ftd_g01.static(ipv4addr="100.64.0.200", ipv4mask=24)
hq_ftd_g01.sz(name="outside")
hq_ftd_g01.put()
# Build static default route for HQ FTD
hq_default_route = fmcapi.IPv4StaticRoutes(fmc=fmc1,
name="hq_default_route")
hq_default_route.device(device_name=hq_ftd.name)
hq_default_route.networks(action="add", networks=["any-ipv4"])
hq_default_route.gw(name=hq_dfgw_gateway.name)
hq_default_route.interfaceName = hq_ftd_g01.ifname
hq_default_route.metricValue = 1
hq_default_route.post()
# Associate NAT policy with HQ FTD device.
devices = [{"name": hq_ftd.name, "type": "device"}]
assign_nat_policy = fmcapi.PolicyAssignments(fmc=fmc1)
assign_nat_policy.ftd_natpolicy(name=nat.name, devices=devices)
assign_nat_policy.post()
def main():
"""
The hq-ftd device already has 10.0.0.254 on its manage interface and the command 'configure network manager
10.0.0.10 cisco123' has already been manually typed on the FTD's CLI.
"""
with fmcapi.FMC(host=host,
username=username,
password=password,
autodeploy=autodeploy) as fmc1:
# Create an ACP
acp = fmcapi.AccessControlPolicy(fmc=fmc1, name='ACP Policy')
# I intentially put a "space" in the ACP name to show that fmcapi will "fix" that for you.
acp.post()
# Create Security Zones
sz_inside = fmcapi.SecurityZone(fmc=fmc1,
name='inside',
interfaceMode='ROUTED')
sz_inside.post()
# sz_inside.get()
sz_outside = fmcapi.SecurityZone(fmc=fmc1,
name='outside',
interfaceMode='ROUTED')
sz_outside.post()
# sz_outside.get()
sz_dmz = fmcapi.SecurityZone(fmc=fmc1,
name='dmz',
interfaceMode='ROUTED')
sz_dmz.post()
# sz_dmz.get()
# Create Network Objects
hq_dfgw_gateway = fmcapi.IPHost(fmc=fmc1,
name='hq-default-gateway',
value='100.64.0.1')
hq_dfgw_gateway.post()
hq_lan = fmcapi.IPNetwork(fmc=fmc1, name='hq-lan', value='10.0.0.0/24')
hq_lan.post()
all_lans = fmcapi.IPNetwork(fmc=fmc1,
name='all-lans',
value='10.0.0.0/8')
all_lans.post()
hq_fmc = fmcapi.IPHost(fmc=fmc1, name='hq_fmc', value='10.0.0.10')
hq_fmc.post()
fmc_public = fmcapi.IPHost(fmc=fmc1,
name='fmc_public_ip',
value='100.64.0.10')
fmc_public.post()
# Create ACP Rule to permit hq_lan traffic inside to outside.
hq_acprule = fmcapi.ACPRule(
fmc=fmc1,
acp_name=acp.name,
name='Permit HQ LAN',
action='ALLOW',
enabled=True,
)
hq_acprule.source_zone(action='add', name=sz_inside.name)
hq_acprule.destination_zone(action='add', name=sz_outside.name)
hq_acprule.source_network(action='add', name=hq_lan.name)
hq_acprule.destination_network(action='add', name='any-ipv4')
hq_acprule.post()
# Build NAT Policy
nat = fmcapi.FTDNatPolicy(fmc=fmc1, name='NAT Policy')
nat.post()
# Build NAT Rule to NAT all_lans to interface outside
autonat = fmcapi.AutoNatRules(fmc=fmc1)
autonat.natType = "DYNAMIC"
autonat.interfaceInTranslatedNetwork = True
autonat.original_network(all_lans.name)
autonat.source_intf(name=sz_inside.name)
autonat.destination_intf(name=sz_outside.name)
autonat.nat_policy(name=nat.name)
autonat.post()
# Build NAT Rule to allow inbound traffic to FMC (Branches need to register to FMC.)
fmc_nat = fmcapi.ManualNatRules(fmc=fmc1)
fmc_nat.natType = "STATIC"
fmc_nat.original_source(hq_fmc.name)
fmc_nat.translated_source(fmc_public.name)
fmc_nat.source_intf(name=sz_inside.name)
fmc_nat.destination_intf(name=sz_outside.name)
fmc_nat.nat_policy(name=nat.name)
fmc_nat.post()
# Add hq-ftd device to FMC
hq_ftd = fmcapi.Device(fmc=fmc1)
# Minimum things set.
hq_ftd.hostName = '10.0.0.254'
hq_ftd.regKey = DEVICE_REGISTRATION_PSK
hq_ftd.acp(name=acp.name)
# Other stuff I want set.
hq_ftd.name = 'hq-ftd'
hq_ftd.licensing(action='add', name='MALWARE')
hq_ftd.licensing(action='add', name='VPN')
hq_ftd.licensing(action='add', name='BASE')
# Push to FMC to start device registration.
hq_ftd.post(post_wait_time=300)
# Once registration is complete configure the interfaces of hq-ftd.
hq_ftd_g00 = fmcapi.PhysicalInterface(fmc=fmc1,
device_name=hq_ftd.name)
hq_ftd_g00.get(name="GigabitEthernet0/0")
hq_ftd_g00.enabled = True # This doesn't work yet for some reason.
hq_ftd_g00.ifname = "IN"
hq_ftd_g00.static(ipv4addr="10.0.0.1", ipv4mask=24)
hq_ftd_g00.sz(name="inside")
hq_ftd_g00.put()
hq_ftd_g01 = fmcapi.PhysicalInterface(fmc=fmc1,
device_name=hq_ftd.name)
hq_ftd_g01.get(name="GigabitEthernet0/1")
hq_ftd_g01.enabled = False # This doesn't work yet for some reason.
hq_ftd_g01.ifname = "OUT"
hq_ftd_g01.static(ipv4addr="100.64.0.200", ipv4mask=24)
hq_ftd_g01.sz(name="outside")
hq_ftd_g01.put()
# Build static default route for HQ FTD
hq_default_route = fmcapi.IPv4StaticRoute(fmc=fmc1,
name='hq_default_route')
hq_default_route.device(device_name=hq_ftd.name)
hq_default_route.networks(action='add', networks=['any-ipv4'])
hq_default_route.gw(name=hq_dfgw_gateway.name)
hq_default_route.interfaceName = hq_ftd_g01.ifname
hq_default_route.metricValue = 1
hq_default_route.post()
# Associate NAT policy with HQ FTD device.
devices = [{'name': hq_ftd.name, 'type': 'device'}]
assign_nat_policy = fmcapi.PolicyAssignments(fmc=fmc1)
assign_nat_policy.ftd_natpolicy(name=nat.name, devices=devices)
assign_nat_policy.post()
def test__manualnat(fmc):
logging.info("Testing ManualNatRules class.")
starttime = str(int(time.time()))
namer = f"_fmcapi_test_{starttime}"
# Create a container policy for FTD NAT rules
natpol1 = fmcapi.FTDNatPolicies(fmc=fmc, name=namer)
natpol1.post()
natpol1.get()
# Create original and translate objects
obj1 = fmcapi.Networks(fmc=fmc)
obj1.name = "_net_original"
obj1.value = "10.0.0.0/8"
obj1.post()
time.sleep(1)
obj2 = fmcapi.Hosts(fmc=fmc)
obj2.name = "_net_xlate"
obj2.value = "192.0.2.1"
obj2.post()
time.sleep(1)
# Create identity nat object
obj3 = fmcapi.Networks(fmc=fmc)
obj3.name = "_net_identity"
obj3.value = "192.168.0.0/24"
obj3.post()
time.sleep(1)
# Create nat pool objects
obj4 = fmcapi.Networks(fmc=fmc)
obj4.name = "_net_original_pool"
obj4.value = "172.16.0.0/24"
obj4.post()
time.sleep(1)
# PAT Pool must be a range, not a subnet
obj5 = fmcapi.Ranges(fmc=fmc)
obj5.name = "_net_xlate_pool"
obj5.value = "192.0.2.128-192.0.2.254"
obj5.post()
time.sleep(1)
# Create interface PAT object
obj6 = fmcapi.Networks(fmc=fmc)
obj6.name = "_net_original_intf"
obj6.value = "192.168.1.0/24"
obj6.post()
# Create NAT divert objects
obj7 = fmcapi.Hosts(fmc=fmc)
obj7.name = "_net_source_divert"
obj7.value = "172.30.1.1"
obj7.post()
time.sleep(1)
obj8 = fmcapi.Hosts(fmc=fmc)
obj8.name = "_net_destination_divert"
obj8.value = "4.2.2.2"
obj8.post()
time.sleep(1)
# Create port-based NAT objects
obj9 = fmcapi.Hosts(fmc=fmc)
obj9.name = "_net_source_portbased"
obj9.value = "172.30.1.2"
obj9.post()
time.sleep(1)
obj10 = fmcapi.Hosts(fmc=fmc)
obj10.name = "_net_xlate_portbased"
obj10.value = "192.0.2.254"
obj10.post()
time.sleep(1)
obj11 = fmcapi.ProtocolPortObjects(fmc=fmc)
obj11.name = "_port_original"
obj11.protocol = "TCP"
obj11.port = "443"
obj11.post()
time.sleep(1)
obj12 = fmcapi.ProtocolPortObjects(fmc=fmc)
obj12.name = "_port_xlate"
obj12.protocol = "TCP"
obj12.port = "8443"
obj12.post()
time.sleep(1)
# Create Security Zones
sz1 = fmcapi.SecurityZones(fmc=fmc, name="IG-INSIDE")
sz1.post()
sz2 = fmcapi.SecurityZones(fmc=fmc, name="SZ-OUTSIDE1")
sz2.post()
# Manualnat a network object to a host
manualnat1 = fmcapi.ManualNatRules(fmc=fmc)
manualnat1.original_source(name="_net_original")
manualnat1.translated_source(name="_net_xlate")
manualnat1.natType = "STATIC"
# Source and destination interface can be either an interface group or security zone
manualnat1.source_intf(name="IG-INSIDE")
manualnat1.destination_intf(name="SZ-OUTSIDE1")
manualnat1.enabled = True
manualnat1.nat_policy(name=namer)
# Manualnat identity nat
manualnat2 = fmcapi.ManualNatRules(fmc=fmc)
manualnat2.identity_nat(name="_net_identity")
manualnat2.source_intf(name="IG-INSIDE")
manualnat2.destination_intf(name="SZ-OUTSIDE1")
manualnat2.enabled = True
manualnat2.nat_policy(name=namer)
# Manualnat nat pool
manualnat3 = fmcapi.ManualNatRules(fmc=fmc)
manualnat3.original_source(name="_net_original_pool")
manualnat3.patPool(name="_net_xlate_pool")
manualnat3.source_intf(name="IG-INSIDE")
manualnat3.destination_intf(name="SZ-OUTSIDE1")
manualnat3.enabled = True
manualnat3.nat_policy(name=namer)
# Manualnat interface PAT
manualnat4 = fmcapi.ManualNatRules(fmc=fmc)
manualnat4.original_source(name="_net_original_intf")
manualnat4.natType = "DYNAMIC"
manualnat4.unidirectional = True
manualnat4.source_intf(name="IG-INSIDE")
manualnat4.destination_intf(name="SZ-OUTSIDE1")
manualnat4.nat_policy(name=namer)
manualnat4.enabled = True
manualnat4.interfaceInTranslatedSource = True
# Manualnat divert
manualnat5 = fmcapi.ManualNatRules(fmc=fmc)
manualnat5.identity_nat(name="_net_source_divert")
manualnat5.original_destination(name="_net_destination_divert")
manualnat5.source_intf(name="IG-INSIDE")
manualnat5.destination_intf(name="SZ-OUTSIDE1")
manualnat5.enabled = True
manualnat5.nat_policy(name=namer)
# Manualnat port-based
manualnat6 = fmcapi.ManualNatRules(fmc=fmc)
manualnat6.original_source(name="_net_source_portbased")
manualnat6.original_source_port(name="_port_original")
manualnat6.translated_source(name="_net_xlate_portbased")
manualnat6.translated_source_port(name="_port_xlate")
manualnat6.natType = "STATIC"
manualnat6.source_intf(name="IG-INSIDE")
manualnat6.destination_intf(name="SZ-OUTSIDE1")
manualnat6.enabled = True
manualnat6.nat_policy(name=namer)
manualnat1.post()
manualnat2.post()
manualnat3.post()
manualnat4.post()
manualnat5.post()
manualnat6.post()
"""
# Associate a nat policy to a device
# Do not uncomment if you do not have a device registered to FPMC
# Use name of device or deviceHAPair as applicable
pol_devices = [{"name": "ftdv-HA", "type": "deviceHAPair"}]
assign1 = PolicyAssignments(fmc=fmc)
assign1.ftd_natpolicy(name=namer, devices=pol_devices)
assign1.post()
assign1.ftd_natpolicy(name=namer, devices=[])
assign1.put()
"""
logging.info("Cleanup of testing ManualNatRule methods.")
natpol1.delete()
obj1.delete()
obj2.delete()
obj3.delete()
obj4.delete()
obj5.delete()
obj6.delete()
obj7.delete()
obj8.delete()
obj9.delete()
obj10.delete()
obj11.delete()
obj12.delete()
sz1.delete()
sz2.delete()