Esempio n. 1
0
def main():
    """
    The FTD device already has 100.127.100.15 on its management interface and the command 'configure network manager
    100.64.0.155 cisco123' has already been manually typed on the FTD's CLI.
    """
    with fmcapi.FMC(host='100.64.0.166',
                    username='******',
                    password='******',
                    autodeploy=True) as fmc1:
        # Create Security Zones
        sz1 = fmcapi.SecurityZones(fmc=fmc1)
        sz1.name = 'Restricted'
        sz1.post()

        sz2 = fmcapi.SecurityZones(fmc=fmc1)
        sz2.name = 'Outside'
        sz2.post()

        # Create Objects
        border1 = fmcapi.NetworkAddresses(fmc=fmc1,
                                          name='Border-1',
                                          value='100.126.1.13')
        border1.post()

        finance = fmcapi.NetworkAddresses(fmc=fmc1,
                                          name='finance.dcloud.cisco.com',
                                          value='100.64.0.134')
        finance.post()

        pci = fmcapi.NetworkAddresses(fmc=fmc1,
                                      name='pci.dcloud.cisco.com',
                                      value='100.64.0.133')
        pci.post()

        ftd_border1_net = fmcapi.Networks(fmc=fmc1,
                                          name='FTD-Border1-net',
                                          value='100.126.1.12/30')
        ftd_border1_net.post()

        restricted_vn_net = fmcapi.Networks(fmc=fmc1,
                                            name='Restricted-VN-net',
                                            value='100.110.0.0/16')
        restricted_vn_net.post()

        # Create ACPs
        acp1 = fmcapi.AccessPolicies(
            fmc=fmc1,
            name='Restricted-VN-Initial-Policy',
            defaultAction='NETWORK_DISCOVERY',
        )
        acp1.post()

        acp2 = fmcapi.AccessPolicies(
            fmc=fmc1,
            name='Restricted-VN-RTC-Policy',
            defaultAction='NETWORK_DISCOVERY',
        )
        acp2.post()

        # Create ACP Rules for the ACPs
        initial_rule1 = fmcapi.AccessRules(fmc=fmc1,
                                           acp_name=acp1.name,
                                           name='Permit-ANY')
        initial_rule1.logBegin = True
        initial_rule1.logEnd = True
        initial_rule1.action = 'ALLOW'
        initial_rule1.post()

        rapid_threat_rule1 = fmcapi.AccessRules(fmc=fmc1,
                                                acp_name=acp2.name,
                                                name='PCIUsers-to-sources')
        rapid_threat_rule1.source_network(action='add',
                                          name=restricted_vn_net.name)
        rapid_threat_rule1.destination_port(action='add', name='HTTP')
        # rapid_threat_rule1.isesgt(name='PCI_user')
        rapid_threat_rule1.logBegin = True
        rapid_threat_rule1.logEnd = True
        rapid_threat_rule1.intrusion_policy(action='add',
                                            name='Restricted-VN-IPS-Policy')
        rapid_threat_rule1.action = 'ALLOW'
        rapid_threat_rule1.enabled = True
        rapid_threat_rule1.post()

        rapid_threat_rule2 = fmcapi.AccessRules(
            fmc=fmc1, acp_name=acp2.name, name='FinanceUsers2PCIResource')
        rapid_threat_rule2.source_network(action='add',
                                          name=restricted_vn_net.name)
        rapid_threat_rule2.destination_network(action='add', name=finance.name)
        rapid_threat_rule2.destination_port(action='add', name='HTTP')
        # rapid_threat_rule2.isesgt(name='PCI_user')
        # rapid_threat_rule2.isesgt(name='finance_user')
        rapid_threat_rule2.logBegin = True
        rapid_threat_rule2.logEnd = True
        rapid_threat_rule2.intrusion_policy(action='add',
                                            name='Restricted-VN-IPS-Policy')
        rapid_threat_rule2.action = 'ALLOW'
        rapid_threat_rule2.enabled = True
        rapid_threat_rule2.post()

        rapid_threat_rule3 = fmcapi.AccessRules(
            fmc=fmc1, acp_name=acp2.name, name='DenyUnauthenticatedUsers')
        rapid_threat_rule3.source_network(action='add',
                                          name=restricted_vn_net.name)
        rapid_threat_rule3.destination_network(action='add', name=finance.name)
        rapid_threat_rule3.destination_network(action='add', name=pci.name)
        rapid_threat_rule3.destination_port(action='add', name='HTTP')
        rapid_threat_rule3.logBegin = True
        rapid_threat_rule3.action = 'BLOCK'
        rapid_threat_rule3.enabled = True
        rapid_threat_rule3.post()

        rapid_threat_rule4 = fmcapi.AccessRules(fmc=fmc1,
                                                acp_name=acp2.name,
                                                name='Permit-ANY')
        rapid_threat_rule4.source_network(action='add', name='ipv4-any')
        rapid_threat_rule4.destination_network(action='add', name='ipv4-any')
        rapid_threat_rule4.action = 'ALLOW'
        rapid_threat_rule4.enabled = True
        rapid_threat_rule4.post()

        # Add FTD device to FMC
        ftd1 = fmcapi.DeviceRecords(fmc=fmc1)
        ftd1.hostName = '100.127.100.15'
        ftd1.regKey = 'C1sco12345'
        ftd1.acp(name='Restricted-VN-Initial-Policy')
        ftd1.name = 'FTD'
        ftd1.licensing(action='add', name='MALWARE')
        ftd1.licensing(action='add', name='VPN')
        ftd1.licensing(action='add', name='BASE')
        ftd1.licensing(action='add', name='THREAT')
        ftd1.licensing(action='add', name='URL')
        # Push to FMC to start device registration.
        ftd1.post(post_wait_time=300)

        # Once registration is complete configure the interfaces of ftd.
        int101 = fmcapi.PhysicalInterfaces(fmc=fmc1, device_name=ftd1.name)
        int101.get(name='GigabitEthernet0/0')
        int101.enabled = True
        int101.ifname = 'FTD-to-Fusion'
        int101.sz(name=sz2.name)
        int101.static(ipv4addr='100.127.101.254', ipv4mask=24)
        int101.put()

        int3004 = fmcapi.PhysicalInterfaces(fmc=fmc1, device_name=ftd1.name)
        int3004.get(name='GigabitEthernet0/1')
        int3004.enabled = True
        int3004.ifname = 'FTD-to-Border1'
        int3004.sz(name=sz1.name)
        int3004.static(ipv4addr='100.126.1.14', ipv4mask=30)
        int3004.put()
Esempio n. 2
0
def test__ftddevicehapairs(fmc):
    logging.info(
        'Test FTDDeviceHAPairs. After an HA Pair is created, all API calls to "devicerecords" objects should '
        "be directed at the currently active device not the ha pair"
    )
    failover1 = fmcapi.PhysicalInterfaces(fmc=fmc)
    failover1.get(device_name="PrimaryName", name="GigabitEthernet0/6")
    stateful1 = fmcapi.PhysicalInterfaces(fmc=fmc)
    stateful1.get(device_name="PrimaryName", name="GigabitEthernet0/7")
    obj0 = fmcapi.DeviceHAPairs(fmc=fmc)
    obj1 = fmcapi.FTDDeviceHAPairs(fmc=fmc)
    obj1.primary(name="PrimaryName")
    obj1.secondary(name="SecondaryName")
    obj1.name = "HaName"
    # failover interface subnetMask must be in x.x.x.x format"
    obj1.ftdHABootstrap = {
        "isEncryptionEnabled": "true",
        "encKeyGenerationScheme": "CUSTOM",
        "sharedKey": "cisco123",
        "useSameLinkForFailovers": False,
        "lanFailover": {
            "useIPv6Address": False,
            "subnetMask": "255.255.255.252",
            "interfaceObject": {
                "type": "PhysicalInterface",
                "name": failover1.name,
                "id": failover1.id,
            },
            "standbyIP": "192.168.1.2",
            "logicalName": "HA-FAILOVER",
            "activeIP": "192.168.1.1",
        },
        "statefulFailover": {
            "useIPv6Address": False,
            "subnetMask": "255.255.255.252",
            "interfaceObject": {
                "type": "PhysicalInterface",
                "name": stateful1.name,
                "id": stateful1.id,
            },
            "standbyIP": "192.168.1.6",
            "logicalName": "HA-STATEFUL",
            "activeIP": "192.168.1.5",
        },
    }
    # response = ha_pair.post()
    # wait_for_task(response["metadata"]["task"], 30)
    logging.info("Device HA-->")
    logging.info(obj1.format_data())
    logging.info("\n")
    obj1.post()
    time.sleep(300)
    del obj1

    obj1 = fmcapi.FTDDeviceHAPairs(fmc=fmc, name="HaName")
    obj1.switch_ha()
    logging.info("Device HA Switch-->")
    logging.info(obj1.format_data())
    logging.info("\n")
    response = obj1.put()
    logging.info(response)
    time.sleep(20)
    del obj1

    obj1 = fmcapi.FTDDeviceHAPairs(fmc=fmc, name="HaName")
    obj1.break_ha()
    logging.info("Device HA Break-->")
    logging.info(obj1.format_data())
    logging.info("\n")
    response = obj1.put()
    logging.info(response)

    time.sleep(300)
    del obj1
    obj1 = fmcapi.FTDDeviceHAPairs(fmc=fmc)
    obj1.get(name="FTDv-HA2")

    #  Deleting the HAPair object will delete the HA configuration AND remove the devices from the FMC
    obj1.delete()
Esempio n. 3
0
def create_device_records(fmc, device_list):
    """DeviceRecords (Registration and Interfaces)"""
    for dr in device_list:
        # Register this device with the FMC.  Assume the device is pre-programmed to listen for the FTD registration.
        ftd = fmcapi.DeviceRecords(fmc=fmc)
        if "hostname" in dr:
            ftd.hostName = dr["hostname"]
        if "registration_key" in dr:
            ftd.regKey = dr["registration_key"]
        if "access_policy" in dr:
            ftd.acp(name=dr["access_policy"])
        if "name" in dr:
            ftd.name = dr["name"]
        if "licenses" in dr:
            for lice in dr["licenses"]:
                ftd.licensing(action="add", name=lice["name"])
        # Push to FMC to start device registration.
        ftd.post(post_wait_time=dr["wait_for_post"])

        # Time to configure interfaces.
        if "interfaces" in dr:
            if "physical" in dr["interfaces"]:
                for interface in dr["interfaces"]["physical"]:
                    int1 = fmcapi.PhysicalInterfaces(fmc=fmc,
                                                     device_name=dr["name"])
                    if "name" in interface:
                        int1.get(name=interface["name"])
                    if "enabled" in interface:
                        int1.enabled = interface["enabled"]
                    if "interface_name" in interface:
                        int1.ifname = interface["interface_name"]
                    if "security_zone" in interface:
                        int1.sz(name=interface["security_zone"])
                    if "addresses" in interface:
                        if "ipv4" in interface["addresses"]:
                            if "static" in interface["addresses"]["ipv4"]:
                                int1.static(
                                    ipv4addr=interface["addresses"]["ipv4"]
                                    ["static"]["ip"],
                                    ipv4mask=interface["addresses"]["ipv4"]
                                    ["static"]["bitmask"],
                                )
                            elif "dhcp" in interface["addresses"]["ipv4"]:
                                int1.dhcp(
                                    enableDefault=interface["addresses"]
                                    ["ipv4"]["dhcp"]["enable_default"],
                                    routeMetric=interface["addresses"]["ipv4"]
                                    ["dhcp"]["route_metric"],
                                )
                        if "ipv6" in interface["addresses"]:
                            pass
                    int1.put()

        # Any routing related to this device.
        if "routing" in dr:
            if "static" in dr["routing"]:
                if "ipv4" in dr["routing"]["static"]:
                    for route in dr["routing"]["static"]["ipv4"]:
                        rt = fmcapi.IPv4StaticRoutes(fmc=fmc,
                                                     device_name=dr["name"])
                        if "name" in route:
                            rt.name = route["name"]
                        if "networks" in route:
                            for network in route["networks"]:
                                if "name" in network:
                                    rt.networks(action="add",
                                                networks=[network["name"]])
                        if "gateway" in route:
                            rt.gw(name=route["gateway"])
                        if "interface_name" in route:
                            rt.interfaceName = route["interface_name"]
                        if "metric" in route:
                            rt.metricValue = route["metric"]
                        rt.post()
                if "ipv6" in dr["routing"]["static"]:
                    pass

        # Any NAT Policy assigned to this device.
        if "nat_policy" in dr:
            natp = fmcapi.PolicyAssignments(fmc=fmc)
            natp.ftd_natpolicy(
                name=dr["nat_policy"],
                devices=[{
                    "name": dr["name"],
                    "type": dr["type"]
                }],
            )
            natp.post()
Esempio n. 4
0
def main():
    """
    The hq-ftd device already has 10.0.0.254 on its manage interface and the command 'configure network manager
    10.0.0.10 cisco123' has already been manually typed on the FTD's CLI.
    """
    # ### Set these variables to match your environment. ### #
    host = "10.0.0.10"
    username = "******"
    password = "******"

    with fmcapi.FMC(
            host=host,
            username=username,
            password=password,
            autodeploy=True,
            file_logging="hq-ftd.log",
    ) as fmc1:

        # Create an ACP
        acp = fmcapi.AccessPolicies(fmc=fmc1, name="ACP Policy")
        acp.defaultAction = "BLOCK"
        # I intentionally put a "space" in the ACP name to show that fmcapi will "fix" that for you.
        acp.post()

        # Create Security Zones
        sz_inside = fmcapi.SecurityZones(fmc=fmc1,
                                         name="inside",
                                         interfaceMode="ROUTED")
        sz_inside.post()
        sz_outside = fmcapi.SecurityZones(fmc=fmc1,
                                          name="outside",
                                          interfaceMode="ROUTED")
        sz_outside.post()
        sz_dmz = fmcapi.SecurityZones(fmc=fmc1,
                                      name="dmz",
                                      interfaceMode="ROUTED")
        sz_dmz.post()

        # Create Network Objects
        hq_dfgw_gateway = fmcapi.Hosts(fmc=fmc1,
                                       name="hq-default-gateway",
                                       value="100.64.0.1")
        hq_dfgw_gateway.post()
        hq_lan = fmcapi.Networks(fmc=fmc1, name="hq-lan", value="10.0.0.0/24")
        hq_lan.post()
        all_lans = fmcapi.Networks(fmc=fmc1,
                                   name="all-lans",
                                   value="10.0.0.0/8")
        all_lans.post()
        hq_fmc = fmcapi.Hosts(fmc=fmc1, name="hq_fmc", value="10.0.0.10")
        hq_fmc.post()
        fmc_public = fmcapi.Hosts(fmc=fmc1,
                                  name="fmc_public_ip",
                                  value="100.64.0.10")
        fmc_public.post()

        # Create ACP Rule to permit hq_lan traffic inside to outside.
        hq_acprule = fmcapi.AccessRules(
            fmc=fmc1,
            acp_name=acp.name,
            name="Permit HQ LAN",
            action="ALLOW",
            enabled=True,
        )
        hq_acprule.source_zone(action="add", name=sz_inside.name)
        hq_acprule.destination_zone(action="add", name=sz_outside.name)
        hq_acprule.source_network(action="add", name=hq_lan.name)
        hq_acprule.destination_network(action="add", name="any-ipv4")
        # hq_acprule.logBegin = True
        # hq_acprule.logEnd = True
        hq_acprule.post()

        # Build NAT Policy
        nat = fmcapi.FTDNatPolicies(fmc=fmc1, name="NAT Policy")
        nat.post()

        # Build NAT Rule to NAT all_lans to interface outside
        autonat = fmcapi.AutoNatRules(fmc=fmc1)
        autonat.natType = "DYNAMIC"
        autonat.interfaceInTranslatedNetwork = True
        autonat.original_network(all_lans.name)
        autonat.source_intf(name=sz_inside.name)
        autonat.destination_intf(name=sz_outside.name)
        autonat.nat_policy(name=nat.name)
        autonat.post()

        # Build NAT Rule to allow inbound traffic to FMC (Branches need to register to FMC.)
        fmc_nat = fmcapi.ManualNatRules(fmc=fmc1)
        fmc_nat.natType = "STATIC"
        fmc_nat.original_source(hq_fmc.name)
        fmc_nat.translated_source(fmc_public.name)
        fmc_nat.source_intf(name=sz_inside.name)
        fmc_nat.destination_intf(name=sz_outside.name)
        fmc_nat.nat_policy(name=nat.name)
        fmc_nat.enabled = True
        fmc_nat.post()

        # Add hq-ftd device to FMC
        hq_ftd = fmcapi.DeviceRecords(fmc=fmc1)
        # Minimum things set.
        hq_ftd.hostName = "10.0.0.254"
        hq_ftd.regKey = "cisco123"
        hq_ftd.acp(name=acp.name)
        # Other stuff I want set.
        hq_ftd.name = "hq-ftd"
        hq_ftd.licensing(action="add", name="MALWARE")
        hq_ftd.licensing(action="add", name="VPN")
        hq_ftd.licensing(action="add", name="BASE")
        hq_ftd.licensing(action="add", name="THREAT")
        hq_ftd.licensing(action="add", name="URLFilter")
        # Push to FMC to start device registration.
        hq_ftd.post(post_wait_time=300)

        # Once registration is complete configure the interfaces of hq-ftd.
        hq_ftd_g00 = fmcapi.PhysicalInterfaces(fmc=fmc1,
                                               device_name=hq_ftd.name)
        hq_ftd_g00.get(name="GigabitEthernet0/0")
        hq_ftd_g00.enabled = True
        hq_ftd_g00.ifname = "IN"
        hq_ftd_g00.static(ipv4addr="10.0.0.1", ipv4mask=24)
        hq_ftd_g00.sz(name="inside")
        hq_ftd_g00.put()

        hq_ftd_g01 = fmcapi.PhysicalInterfaces(fmc=fmc1,
                                               device_name=hq_ftd.name)
        hq_ftd_g01.get(name="GigabitEthernet0/1")
        hq_ftd_g01.enabled = True
        hq_ftd_g01.ifname = "OUT"
        hq_ftd_g01.static(ipv4addr="100.64.0.200", ipv4mask=24)
        hq_ftd_g01.sz(name="outside")
        hq_ftd_g01.put()

        # Build static default route for HQ FTD
        hq_default_route = fmcapi.IPv4StaticRoutes(fmc=fmc1,
                                                   name="hq_default_route")
        hq_default_route.device(device_name=hq_ftd.name)
        hq_default_route.networks(action="add", networks=["any-ipv4"])
        hq_default_route.gw(name=hq_dfgw_gateway.name)
        hq_default_route.interfaceName = hq_ftd_g01.ifname
        hq_default_route.metricValue = 1
        hq_default_route.post()

        # Associate NAT policy with HQ FTD device.
        devices = [{"name": hq_ftd.name, "type": "device"}]
        assign_nat_policy = fmcapi.PolicyAssignments(fmc=fmc1)
        assign_nat_policy.ftd_natpolicy(name=nat.name, devices=devices)
        assign_nat_policy.post()
Esempio n. 5
0
def test__phys_interfaces(fmc):
    logging.info(
        "Test PhysicalInterface.  get, put PhysicalInterface Objects. Requires registered device"
    )

    sz1 = fmcapi.SecurityZones(fmc=fmc)
    sz1.name = "SZ-OUTSIDE1"
    sz1.post()
    time.sleep(1)
    sz2 = fmcapi.SecurityZones(fmc=fmc)
    sz2.name = "SZ-OUTSIDE2"
    sz2.post()
    time.sleep(1)

    intf1 = fmcapi.PhysicalInterfaces(fmc=fmc, device_name="device_name")
    intf1.get(name="GigabitEthernet0/0")
    intf1.enabled = True
    intf1.ifname = "OUTSIDE1"
    intf1.activeMACAddress = "0050.5686.718f"
    intf1.standbyMACAddress = "0050.5686.0c2e"
    intf1.static(ipv4addr="10.254.0.3", ipv4mask=24)
    intf1.sz(name=sz1.name)
    intf2 = fmcapi.PhysicalInterfaces(fmc=fmc, device_name="device_name")
    intf2.get(name="GigabitEthernet0/1")
    intf2.enabled = True
    intf2.ifname = "OUTSIDE2"
    intf2.activeMACAddress = "0050.5686.821d"
    intf2.standbyMACAddress = "0050.5686.11cb"
    intf2.dhcp()
    intf2.sz(name=sz2.name)
    intf1.put()
    time.sleep(1)
    intf2.put()
    time.sleep(1)
    intf1.get()
    intf2.get()

    intf1.enabled = False
    intf1.activeMACAddress = ""
    intf1.standbyMACAddress = ""
    intf1.static(ipv4addr="", ipv4mask="")
    intf1.securityZone = {}
    intf1.activeMACAddress = ""
    intf1.standbyMACAddress = ""
    intf2.enabled = False
    intf2.activeMACAddress = ""
    intf2.standbyMACAddress = ""
    intf2.static(ipv4addr="", ipv4mask="")
    intf2.securityZone = {}
    intf2.activeMACAddress = ""
    intf2.standbyMACAddress = ""
    intf1.put()
    time.sleep(1)
    intf2.put()
    time.sleep(1)
    intf1.get()
    intf2.get()
    intf1.ifname = ""
    intf2.ifname = ""
    intf1.put()
    sz1.delete()
    intf2.put()
    sz2.delete()