def create_nat_policies(fmc, nat_list):
"""Create Nat Policies and their rules"""
for natp in nat_list:
policy = fmcapi.FTDNatPolicies(fmc=fmc, name=natp["name"])
policy.post()
# Build nat_rules associated with this nat policy.
if "rules" in natp:
if "auto" in natp["rules"]:
for this_rule in natp["rules"]["auto"]:
autonat = fmcapi.AutoNatRules(fmc=fmc)
if "nat_type" in this_rule:
autonat.natType = this_rule["nat_type"]
if "interface_in_translated_network" in this_rule:
autonat.interfaceInTranslatedNetwork = this_rule[
"interface_in_translated_network"
]
if "original_network" in this_rule:
autonat.original_network(this_rule["original_network"])
if "source_interface" in this_rule:
autonat.source_intf(name=this_rule["source_interface"])
if "destination_interface" in this_rule:
autonat.destination_intf(
name=this_rule["destination_interface"]
)
autonat.nat_policy(name=natp["name"])
autonat.post()
if "manual" in natp["rules"]:
for this_rule in natp["rules"]["manual"]:
manualnat = fmcapi.ManualNatRules(fmc=fmc)
if "nat_type" in this_rule:
manualnat.natType = this_rule["nat_type"]
if "original_source" in this_rule:
manualnat.original_source(this_rule["original_source"])
if "translated_source" in this_rule:
manualnat.translated_source(this_rule["translated_source"])
if "source_interface" in this_rule:
manualnat.source_intf(name=this_rule["source_interface"])
if "destination_interface" in this_rule:
manualnat.destination_intf(
name=this_rule["destination_interface"]
)
if "enabled" in this_rule:
manualnat.enabled = this_rule["enabled"]
manualnat.nat_policy(name=natp["name"])
manualnat.post()
def main():
"""
The hq-ftd device already has 10.0.0.254 on its manage interface and the command 'configure network manager
10.0.0.10 cisco123' has already been manually typed on the FTD's CLI.
"""
# ### Set these variables to match your environment. ### #
host = "10.0.0.10"
username = "******"
password = "******"
with fmcapi.FMC(
host=host,
username=username,
password=password,
autodeploy=True,
file_logging="hq-ftd.log",
) as fmc1:
# Create an ACP
acp = fmcapi.AccessPolicies(fmc=fmc1, name="ACP Policy")
acp.defaultAction = "BLOCK"
# I intentionally put a "space" in the ACP name to show that fmcapi will "fix" that for you.
acp.post()
# Create Security Zones
sz_inside = fmcapi.SecurityZones(fmc=fmc1,
name="inside",
interfaceMode="ROUTED")
sz_inside.post()
sz_outside = fmcapi.SecurityZones(fmc=fmc1,
name="outside",
interfaceMode="ROUTED")
sz_outside.post()
sz_dmz = fmcapi.SecurityZones(fmc=fmc1,
name="dmz",
interfaceMode="ROUTED")
sz_dmz.post()
# Create Network Objects
hq_dfgw_gateway = fmcapi.Hosts(fmc=fmc1,
name="hq-default-gateway",
value="100.64.0.1")
hq_dfgw_gateway.post()
hq_lan = fmcapi.Networks(fmc=fmc1, name="hq-lan", value="10.0.0.0/24")
hq_lan.post()
all_lans = fmcapi.Networks(fmc=fmc1,
name="all-lans",
value="10.0.0.0/8")
all_lans.post()
hq_fmc = fmcapi.Hosts(fmc=fmc1, name="hq_fmc", value="10.0.0.10")
hq_fmc.post()
fmc_public = fmcapi.Hosts(fmc=fmc1,
name="fmc_public_ip",
value="100.64.0.10")
fmc_public.post()
# Create ACP Rule to permit hq_lan traffic inside to outside.
hq_acprule = fmcapi.AccessRules(
fmc=fmc1,
acp_name=acp.name,
name="Permit HQ LAN",
action="ALLOW",
enabled=True,
)
hq_acprule.source_zone(action="add", name=sz_inside.name)
hq_acprule.destination_zone(action="add", name=sz_outside.name)
hq_acprule.source_network(action="add", name=hq_lan.name)
hq_acprule.destination_network(action="add", name="any-ipv4")
# hq_acprule.logBegin = True
# hq_acprule.logEnd = True
hq_acprule.post()
# Build NAT Policy
nat = fmcapi.FTDNatPolicies(fmc=fmc1, name="NAT Policy")
nat.post()
# Build NAT Rule to NAT all_lans to interface outside
autonat = fmcapi.AutoNatRules(fmc=fmc1)
autonat.natType = "DYNAMIC"
autonat.interfaceInTranslatedNetwork = True
autonat.original_network(all_lans.name)
autonat.source_intf(name=sz_inside.name)
autonat.destination_intf(name=sz_outside.name)
autonat.nat_policy(name=nat.name)
autonat.post()
# Build NAT Rule to allow inbound traffic to FMC (Branches need to register to FMC.)
fmc_nat = fmcapi.ManualNatRules(fmc=fmc1)
fmc_nat.natType = "STATIC"
fmc_nat.original_source(hq_fmc.name)
fmc_nat.translated_source(fmc_public.name)
fmc_nat.source_intf(name=sz_inside.name)
fmc_nat.destination_intf(name=sz_outside.name)
fmc_nat.nat_policy(name=nat.name)
fmc_nat.enabled = True
fmc_nat.post()
# Add hq-ftd device to FMC
hq_ftd = fmcapi.DeviceRecords(fmc=fmc1)
# Minimum things set.
hq_ftd.hostName = "10.0.0.254"
hq_ftd.regKey = "cisco123"
hq_ftd.acp(name=acp.name)
# Other stuff I want set.
hq_ftd.name = "hq-ftd"
hq_ftd.licensing(action="add", name="MALWARE")
hq_ftd.licensing(action="add", name="VPN")
hq_ftd.licensing(action="add", name="BASE")
hq_ftd.licensing(action="add", name="THREAT")
hq_ftd.licensing(action="add", name="URLFilter")
# Push to FMC to start device registration.
hq_ftd.post(post_wait_time=300)
# Once registration is complete configure the interfaces of hq-ftd.
hq_ftd_g00 = fmcapi.PhysicalInterfaces(fmc=fmc1,
device_name=hq_ftd.name)
hq_ftd_g00.get(name="GigabitEthernet0/0")
hq_ftd_g00.enabled = True
hq_ftd_g00.ifname = "IN"
hq_ftd_g00.static(ipv4addr="10.0.0.1", ipv4mask=24)
hq_ftd_g00.sz(name="inside")
hq_ftd_g00.put()
hq_ftd_g01 = fmcapi.PhysicalInterfaces(fmc=fmc1,
device_name=hq_ftd.name)
hq_ftd_g01.get(name="GigabitEthernet0/1")
hq_ftd_g01.enabled = True
hq_ftd_g01.ifname = "OUT"
hq_ftd_g01.static(ipv4addr="100.64.0.200", ipv4mask=24)
hq_ftd_g01.sz(name="outside")
hq_ftd_g01.put()
# Build static default route for HQ FTD
hq_default_route = fmcapi.IPv4StaticRoutes(fmc=fmc1,
name="hq_default_route")
hq_default_route.device(device_name=hq_ftd.name)
hq_default_route.networks(action="add", networks=["any-ipv4"])
hq_default_route.gw(name=hq_dfgw_gateway.name)
hq_default_route.interfaceName = hq_ftd_g01.ifname
hq_default_route.metricValue = 1
hq_default_route.post()
# Associate NAT policy with HQ FTD device.
devices = [{"name": hq_ftd.name, "type": "device"}]
assign_nat_policy = fmcapi.PolicyAssignments(fmc=fmc1)
assign_nat_policy.ftd_natpolicy(name=nat.name, devices=devices)
assign_nat_policy.post()
def main():
"""
The hq-ftd device already has 10.0.0.254 on its manage interface and the command 'configure network manager
10.0.0.10 cisco123' has already been manually typed on the FTD's CLI.
"""
with fmcapi.FMC(host=host,
username=username,
password=password,
autodeploy=autodeploy) as fmc1:
# Create an ACP
acp = fmcapi.AccessControlPolicy(fmc=fmc1, name='ACP Policy')
# I intentially put a "space" in the ACP name to show that fmcapi will "fix" that for you.
acp.post()
# Create Security Zones
sz_inside = fmcapi.SecurityZone(fmc=fmc1,
name='inside',
interfaceMode='ROUTED')
sz_inside.post()
# sz_inside.get()
sz_outside = fmcapi.SecurityZone(fmc=fmc1,
name='outside',
interfaceMode='ROUTED')
sz_outside.post()
# sz_outside.get()
sz_dmz = fmcapi.SecurityZone(fmc=fmc1,
name='dmz',
interfaceMode='ROUTED')
sz_dmz.post()
# sz_dmz.get()
# Create Network Objects
hq_dfgw_gateway = fmcapi.IPHost(fmc=fmc1,
name='hq-default-gateway',
value='100.64.0.1')
hq_dfgw_gateway.post()
hq_lan = fmcapi.IPNetwork(fmc=fmc1, name='hq-lan', value='10.0.0.0/24')
hq_lan.post()
all_lans = fmcapi.IPNetwork(fmc=fmc1,
name='all-lans',
value='10.0.0.0/8')
all_lans.post()
hq_fmc = fmcapi.IPHost(fmc=fmc1, name='hq_fmc', value='10.0.0.10')
hq_fmc.post()
fmc_public = fmcapi.IPHost(fmc=fmc1,
name='fmc_public_ip',
value='100.64.0.10')
fmc_public.post()
# Create ACP Rule to permit hq_lan traffic inside to outside.
hq_acprule = fmcapi.ACPRule(
fmc=fmc1,
acp_name=acp.name,
name='Permit HQ LAN',
action='ALLOW',
enabled=True,
)
hq_acprule.source_zone(action='add', name=sz_inside.name)
hq_acprule.destination_zone(action='add', name=sz_outside.name)
hq_acprule.source_network(action='add', name=hq_lan.name)
hq_acprule.destination_network(action='add', name='any-ipv4')
hq_acprule.post()
# Build NAT Policy
nat = fmcapi.FTDNatPolicy(fmc=fmc1, name='NAT Policy')
nat.post()
# Build NAT Rule to NAT all_lans to interface outside
autonat = fmcapi.AutoNatRules(fmc=fmc1)
autonat.natType = "DYNAMIC"
autonat.interfaceInTranslatedNetwork = True
autonat.original_network(all_lans.name)
autonat.source_intf(name=sz_inside.name)
autonat.destination_intf(name=sz_outside.name)
autonat.nat_policy(name=nat.name)
autonat.post()
# Build NAT Rule to allow inbound traffic to FMC (Branches need to register to FMC.)
fmc_nat = fmcapi.ManualNatRules(fmc=fmc1)
fmc_nat.natType = "STATIC"
fmc_nat.original_source(hq_fmc.name)
fmc_nat.translated_source(fmc_public.name)
fmc_nat.source_intf(name=sz_inside.name)
fmc_nat.destination_intf(name=sz_outside.name)
fmc_nat.nat_policy(name=nat.name)
fmc_nat.post()
# Add hq-ftd device to FMC
hq_ftd = fmcapi.Device(fmc=fmc1)
# Minimum things set.
hq_ftd.hostName = '10.0.0.254'
hq_ftd.regKey = DEVICE_REGISTRATION_PSK
hq_ftd.acp(name=acp.name)
# Other stuff I want set.
hq_ftd.name = 'hq-ftd'
hq_ftd.licensing(action='add', name='MALWARE')
hq_ftd.licensing(action='add', name='VPN')
hq_ftd.licensing(action='add', name='BASE')
# Push to FMC to start device registration.
hq_ftd.post(post_wait_time=300)
# Once registration is complete configure the interfaces of hq-ftd.
hq_ftd_g00 = fmcapi.PhysicalInterface(fmc=fmc1,
device_name=hq_ftd.name)
hq_ftd_g00.get(name="GigabitEthernet0/0")
hq_ftd_g00.enabled = True # This doesn't work yet for some reason.
hq_ftd_g00.ifname = "IN"
hq_ftd_g00.static(ipv4addr="10.0.0.1", ipv4mask=24)
hq_ftd_g00.sz(name="inside")
hq_ftd_g00.put()
hq_ftd_g01 = fmcapi.PhysicalInterface(fmc=fmc1,
device_name=hq_ftd.name)
hq_ftd_g01.get(name="GigabitEthernet0/1")
hq_ftd_g01.enabled = False # This doesn't work yet for some reason.
hq_ftd_g01.ifname = "OUT"
hq_ftd_g01.static(ipv4addr="100.64.0.200", ipv4mask=24)
hq_ftd_g01.sz(name="outside")
hq_ftd_g01.put()
# Build static default route for HQ FTD
hq_default_route = fmcapi.IPv4StaticRoute(fmc=fmc1,
name='hq_default_route')
hq_default_route.device(device_name=hq_ftd.name)
hq_default_route.networks(action='add', networks=['any-ipv4'])
hq_default_route.gw(name=hq_dfgw_gateway.name)
hq_default_route.interfaceName = hq_ftd_g01.ifname
hq_default_route.metricValue = 1
hq_default_route.post()
# Associate NAT policy with HQ FTD device.
devices = [{'name': hq_ftd.name, 'type': 'device'}]
assign_nat_policy = fmcapi.PolicyAssignments(fmc=fmc1)
assign_nat_policy.ftd_natpolicy(name=nat.name, devices=devices)
assign_nat_policy.post()
def test__autonat(fmc):
logging.info('Testing AutoNatPolicy class.')
starttime = str(int(time.time()))
namer = f'_fmcapi_test_{starttime}'
# Create a container policy for FTD NAT rules
natpol1 = fmcapi.FTDNatPolicy(fmc=fmc, name=namer)
natpol1.post()
natpol1.get()
# Create original and translate objects
obj1 = fmcapi.IPNetwork(fmc=fmc)
obj1.name = '_net_original'
obj1.value = '10.0.0.0/8'
obj1.post()
time.sleep(1)
obj2 = fmcapi.IPHost(fmc=fmc)
obj2.name = '_net_xlate'
obj2.value = '192.0.2.1'
obj2.post()
time.sleep(1)
# Create identity nat object
obj3 = fmcapi.IPNetwork(fmc=fmc)
obj3.name = '_net_identity'
obj3.value = '192.168.0.0/24'
obj3.post()
time.sleep(1)
# Create nat pool objects
obj4 = fmcapi.IPNetwork(fmc=fmc)
obj4.name = '_net_original_pool'
obj4.value = '172.16.0.0/24'
obj4.post()
time.sleep(1)
# PAT Pool must be a range, not a subnet
obj5 = fmcapi.IPRange(fmc=fmc)
obj5.name = '_net_xlate_pool'
obj5.value = '192.0.2.128-192.0.2.254'
obj5.post()
time.sleep(1)
# Create interface PAT object
obj6 = fmcapi.IPNetwork(fmc=fmc)
obj6.name = '_net_original_intf'
obj6.value = '192.168.1.0/24'
obj6.post()
time.sleep(1)
# Create Security Zones
sz1 = fmcapi.SecurityZone(fmc=fmc, name='IG-INSIDE')
sz1.post()
sz2 = fmcapi.SecurityZone(fmc=fmc, name='SZ-OUTSIDE1')
sz2.post()
# Autonat a network object to a host
autonat1 = fmcapi.AutoNatRules(fmc=fmc)
autonat1.original_network(name="_net_original")
autonat1.translated_network(name="_net_xlate")
autonat1.natType = "STATIC"
# Source and destination interface can be either an interface group or security zone
autonat1.source_intf(name="IG-INSIDE")
autonat1.destination_intf(name="SZ-OUTSIDE1")
autonat1.nat_policy(name=namer)
# Autonat identity nat
autonat2 = fmcapi.AutoNatRules(fmc=fmc)
autonat2.identity_nat(name="_net_identity")
autonat2.source_intf(name="IG-INSIDE")
autonat2.destination_intf(name="SZ-OUTSIDE1")
autonat2.nat_policy(name=namer)
# Autonat nat pool
autonat3 = fmcapi.AutoNatRules(fmc=fmc)
autonat3.original_network(name="_net_original_pool")
autonat3.patPool(name="_net_xlate_pool")
autonat3.source_intf(name="IG-INSIDE")
autonat3.destination_intf(name="SZ-OUTSIDE1")
autonat3.nat_policy(name=namer)
# Autonat interface PAT
autonat4 = fmcapi.AutoNatRules(fmc=fmc)
autonat4.original_network(name="_net_original_intf")
autonat4.natType = "DYNAMIC"
autonat4.source_intf(name="IG-INSIDE")
autonat4.destination_intf(name="SZ-OUTSIDE1")
autonat4.nat_policy(name=namer)
autonat4.interfaceInTranslatedNetwork = True
autonat1.post()
autonat2.post()
autonat3.post()
autonat4.post()
'''
# Associate a nat policy to a device
# Do not uncomment if you do not have a device registered to FMC
# Use name of device or deviceHAPair as applicable
pol_devices = [{"name": "deviceHAName", "type": "deviceHAPair"}]
assign1 = fmcapi.PolicyAssignments(fmc=fmc)
assign1.ftd_natpolicy(name=namer, devices=pol_devices)
assign1.post()
assign1.ftd_natpolicy(name=namer, devices=[])
assign1.put()
'''
natpol1.delete()
obj1.delete()
obj2.delete()
obj3.delete()
obj4.delete()
obj5.delete()
obj6.delete()
sz1.delete()
sz2.delete()
