def main():
"""
The FTD device already has 100.127.100.15 on its management interface and the command 'configure network manager
100.64.0.155 cisco123' has already been manually typed on the FTD's CLI.
"""
with fmcapi.FMC(host='100.64.0.166',
username='******',
password='******',
autodeploy=True) as fmc1:
# Create Security Zones
sz1 = fmcapi.SecurityZones(fmc=fmc1)
sz1.name = 'Restricted'
sz1.post()
sz2 = fmcapi.SecurityZones(fmc=fmc1)
sz2.name = 'Outside'
sz2.post()
# Create Objects
border1 = fmcapi.NetworkAddresses(fmc=fmc1,
name='Border-1',
value='100.126.1.13')
border1.post()
finance = fmcapi.NetworkAddresses(fmc=fmc1,
name='finance.dcloud.cisco.com',
value='100.64.0.134')
finance.post()
pci = fmcapi.NetworkAddresses(fmc=fmc1,
name='pci.dcloud.cisco.com',
value='100.64.0.133')
pci.post()
ftd_border1_net = fmcapi.Networks(fmc=fmc1,
name='FTD-Border1-net',
value='100.126.1.12/30')
ftd_border1_net.post()
restricted_vn_net = fmcapi.Networks(fmc=fmc1,
name='Restricted-VN-net',
value='100.110.0.0/16')
restricted_vn_net.post()
# Create ACPs
acp1 = fmcapi.AccessPolicies(
fmc=fmc1,
name='Restricted-VN-Initial-Policy',
defaultAction='NETWORK_DISCOVERY',
)
acp1.post()
acp2 = fmcapi.AccessPolicies(
fmc=fmc1,
name='Restricted-VN-RTC-Policy',
defaultAction='NETWORK_DISCOVERY',
)
acp2.post()
# Create ACP Rules for the ACPs
initial_rule1 = fmcapi.AccessRules(fmc=fmc1,
acp_name=acp1.name,
name='Permit-ANY')
initial_rule1.logBegin = True
initial_rule1.logEnd = True
initial_rule1.action = 'ALLOW'
initial_rule1.post()
rapid_threat_rule1 = fmcapi.AccessRules(fmc=fmc1,
acp_name=acp2.name,
name='PCIUsers-to-sources')
rapid_threat_rule1.source_network(action='add',
name=restricted_vn_net.name)
rapid_threat_rule1.destination_port(action='add', name='HTTP')
# rapid_threat_rule1.isesgt(name='PCI_user')
rapid_threat_rule1.logBegin = True
rapid_threat_rule1.logEnd = True
rapid_threat_rule1.intrusion_policy(action='add',
name='Restricted-VN-IPS-Policy')
rapid_threat_rule1.action = 'ALLOW'
rapid_threat_rule1.enabled = True
rapid_threat_rule1.post()
rapid_threat_rule2 = fmcapi.AccessRules(
fmc=fmc1, acp_name=acp2.name, name='FinanceUsers2PCIResource')
rapid_threat_rule2.source_network(action='add',
name=restricted_vn_net.name)
rapid_threat_rule2.destination_network(action='add', name=finance.name)
rapid_threat_rule2.destination_port(action='add', name='HTTP')
# rapid_threat_rule2.isesgt(name='PCI_user')
# rapid_threat_rule2.isesgt(name='finance_user')
rapid_threat_rule2.logBegin = True
rapid_threat_rule2.logEnd = True
rapid_threat_rule2.intrusion_policy(action='add',
name='Restricted-VN-IPS-Policy')
rapid_threat_rule2.action = 'ALLOW'
rapid_threat_rule2.enabled = True
rapid_threat_rule2.post()
rapid_threat_rule3 = fmcapi.AccessRules(
fmc=fmc1, acp_name=acp2.name, name='DenyUnauthenticatedUsers')
rapid_threat_rule3.source_network(action='add',
name=restricted_vn_net.name)
rapid_threat_rule3.destination_network(action='add', name=finance.name)
rapid_threat_rule3.destination_network(action='add', name=pci.name)
rapid_threat_rule3.destination_port(action='add', name='HTTP')
rapid_threat_rule3.logBegin = True
rapid_threat_rule3.action = 'BLOCK'
rapid_threat_rule3.enabled = True
rapid_threat_rule3.post()
rapid_threat_rule4 = fmcapi.AccessRules(fmc=fmc1,
acp_name=acp2.name,
name='Permit-ANY')
rapid_threat_rule4.source_network(action='add', name='ipv4-any')
rapid_threat_rule4.destination_network(action='add', name='ipv4-any')
rapid_threat_rule4.action = 'ALLOW'
rapid_threat_rule4.enabled = True
rapid_threat_rule4.post()
# Add FTD device to FMC
ftd1 = fmcapi.DeviceRecords(fmc=fmc1)
ftd1.hostName = '100.127.100.15'
ftd1.regKey = 'C1sco12345'
ftd1.acp(name='Restricted-VN-Initial-Policy')
ftd1.name = 'FTD'
ftd1.licensing(action='add', name='MALWARE')
ftd1.licensing(action='add', name='VPN')
ftd1.licensing(action='add', name='BASE')
ftd1.licensing(action='add', name='THREAT')
ftd1.licensing(action='add', name='URL')
# Push to FMC to start device registration.
ftd1.post(post_wait_time=300)
# Once registration is complete configure the interfaces of ftd.
int101 = fmcapi.PhysicalInterfaces(fmc=fmc1, device_name=ftd1.name)
int101.get(name='GigabitEthernet0/0')
int101.enabled = True
int101.ifname = 'FTD-to-Fusion'
int101.sz(name=sz2.name)
int101.static(ipv4addr='100.127.101.254', ipv4mask=24)
int101.put()
int3004 = fmcapi.PhysicalInterfaces(fmc=fmc1, device_name=ftd1.name)
int3004.get(name='GigabitEthernet0/1')
int3004.enabled = True
int3004.ifname = 'FTD-to-Border1'
int3004.sz(name=sz1.name)
int3004.static(ipv4addr='100.126.1.14', ipv4mask=30)
int3004.put()
def test__ftddevicehapairs(fmc):
logging.info(
'Test FTDDeviceHAPairs. After an HA Pair is created, all API calls to "devicerecords" objects should '
"be directed at the currently active device not the ha pair"
)
failover1 = fmcapi.PhysicalInterfaces(fmc=fmc)
failover1.get(device_name="PrimaryName", name="GigabitEthernet0/6")
stateful1 = fmcapi.PhysicalInterfaces(fmc=fmc)
stateful1.get(device_name="PrimaryName", name="GigabitEthernet0/7")
obj0 = fmcapi.DeviceHAPairs(fmc=fmc)
obj1 = fmcapi.FTDDeviceHAPairs(fmc=fmc)
obj1.primary(name="PrimaryName")
obj1.secondary(name="SecondaryName")
obj1.name = "HaName"
# failover interface subnetMask must be in x.x.x.x format"
obj1.ftdHABootstrap = {
"isEncryptionEnabled": "true",
"encKeyGenerationScheme": "CUSTOM",
"sharedKey": "cisco123",
"useSameLinkForFailovers": False,
"lanFailover": {
"useIPv6Address": False,
"subnetMask": "255.255.255.252",
"interfaceObject": {
"type": "PhysicalInterface",
"name": failover1.name,
"id": failover1.id,
},
"standbyIP": "192.168.1.2",
"logicalName": "HA-FAILOVER",
"activeIP": "192.168.1.1",
},
"statefulFailover": {
"useIPv6Address": False,
"subnetMask": "255.255.255.252",
"interfaceObject": {
"type": "PhysicalInterface",
"name": stateful1.name,
"id": stateful1.id,
},
"standbyIP": "192.168.1.6",
"logicalName": "HA-STATEFUL",
"activeIP": "192.168.1.5",
},
}
# response = ha_pair.post()
# wait_for_task(response["metadata"]["task"], 30)
logging.info("Device HA-->")
logging.info(obj1.format_data())
logging.info("\n")
obj1.post()
time.sleep(300)
del obj1
obj1 = fmcapi.FTDDeviceHAPairs(fmc=fmc, name="HaName")
obj1.switch_ha()
logging.info("Device HA Switch-->")
logging.info(obj1.format_data())
logging.info("\n")
response = obj1.put()
logging.info(response)
time.sleep(20)
del obj1
obj1 = fmcapi.FTDDeviceHAPairs(fmc=fmc, name="HaName")
obj1.break_ha()
logging.info("Device HA Break-->")
logging.info(obj1.format_data())
logging.info("\n")
response = obj1.put()
logging.info(response)
time.sleep(300)
del obj1
obj1 = fmcapi.FTDDeviceHAPairs(fmc=fmc)
obj1.get(name="FTDv-HA2")
# Deleting the HAPair object will delete the HA configuration AND remove the devices from the FMC
obj1.delete()
def create_device_records(fmc, device_list):
"""DeviceRecords (Registration and Interfaces)"""
for dr in device_list:
# Register this device with the FMC. Assume the device is pre-programmed to listen for the FTD registration.
ftd = fmcapi.DeviceRecords(fmc=fmc)
if "hostname" in dr:
ftd.hostName = dr["hostname"]
if "registration_key" in dr:
ftd.regKey = dr["registration_key"]
if "access_policy" in dr:
ftd.acp(name=dr["access_policy"])
if "name" in dr:
ftd.name = dr["name"]
if "licenses" in dr:
for lice in dr["licenses"]:
ftd.licensing(action="add", name=lice["name"])
# Push to FMC to start device registration.
ftd.post(post_wait_time=dr["wait_for_post"])
# Time to configure interfaces.
if "interfaces" in dr:
if "physical" in dr["interfaces"]:
for interface in dr["interfaces"]["physical"]:
int1 = fmcapi.PhysicalInterfaces(fmc=fmc,
device_name=dr["name"])
if "name" in interface:
int1.get(name=interface["name"])
if "enabled" in interface:
int1.enabled = interface["enabled"]
if "interface_name" in interface:
int1.ifname = interface["interface_name"]
if "security_zone" in interface:
int1.sz(name=interface["security_zone"])
if "addresses" in interface:
if "ipv4" in interface["addresses"]:
if "static" in interface["addresses"]["ipv4"]:
int1.static(
ipv4addr=interface["addresses"]["ipv4"]
["static"]["ip"],
ipv4mask=interface["addresses"]["ipv4"]
["static"]["bitmask"],
)
elif "dhcp" in interface["addresses"]["ipv4"]:
int1.dhcp(
enableDefault=interface["addresses"]
["ipv4"]["dhcp"]["enable_default"],
routeMetric=interface["addresses"]["ipv4"]
["dhcp"]["route_metric"],
)
if "ipv6" in interface["addresses"]:
pass
int1.put()
# Any routing related to this device.
if "routing" in dr:
if "static" in dr["routing"]:
if "ipv4" in dr["routing"]["static"]:
for route in dr["routing"]["static"]["ipv4"]:
rt = fmcapi.IPv4StaticRoutes(fmc=fmc,
device_name=dr["name"])
if "name" in route:
rt.name = route["name"]
if "networks" in route:
for network in route["networks"]:
if "name" in network:
rt.networks(action="add",
networks=[network["name"]])
if "gateway" in route:
rt.gw(name=route["gateway"])
if "interface_name" in route:
rt.interfaceName = route["interface_name"]
if "metric" in route:
rt.metricValue = route["metric"]
rt.post()
if "ipv6" in dr["routing"]["static"]:
pass
# Any NAT Policy assigned to this device.
if "nat_policy" in dr:
natp = fmcapi.PolicyAssignments(fmc=fmc)
natp.ftd_natpolicy(
name=dr["nat_policy"],
devices=[{
"name": dr["name"],
"type": dr["type"]
}],
)
natp.post()
def main():
"""
The hq-ftd device already has 10.0.0.254 on its manage interface and the command 'configure network manager
10.0.0.10 cisco123' has already been manually typed on the FTD's CLI.
"""
# ### Set these variables to match your environment. ### #
host = "10.0.0.10"
username = "******"
password = "******"
with fmcapi.FMC(
host=host,
username=username,
password=password,
autodeploy=True,
file_logging="hq-ftd.log",
) as fmc1:
# Create an ACP
acp = fmcapi.AccessPolicies(fmc=fmc1, name="ACP Policy")
acp.defaultAction = "BLOCK"
# I intentionally put a "space" in the ACP name to show that fmcapi will "fix" that for you.
acp.post()
# Create Security Zones
sz_inside = fmcapi.SecurityZones(fmc=fmc1,
name="inside",
interfaceMode="ROUTED")
sz_inside.post()
sz_outside = fmcapi.SecurityZones(fmc=fmc1,
name="outside",
interfaceMode="ROUTED")
sz_outside.post()
sz_dmz = fmcapi.SecurityZones(fmc=fmc1,
name="dmz",
interfaceMode="ROUTED")
sz_dmz.post()
# Create Network Objects
hq_dfgw_gateway = fmcapi.Hosts(fmc=fmc1,
name="hq-default-gateway",
value="100.64.0.1")
hq_dfgw_gateway.post()
hq_lan = fmcapi.Networks(fmc=fmc1, name="hq-lan", value="10.0.0.0/24")
hq_lan.post()
all_lans = fmcapi.Networks(fmc=fmc1,
name="all-lans",
value="10.0.0.0/8")
all_lans.post()
hq_fmc = fmcapi.Hosts(fmc=fmc1, name="hq_fmc", value="10.0.0.10")
hq_fmc.post()
fmc_public = fmcapi.Hosts(fmc=fmc1,
name="fmc_public_ip",
value="100.64.0.10")
fmc_public.post()
# Create ACP Rule to permit hq_lan traffic inside to outside.
hq_acprule = fmcapi.AccessRules(
fmc=fmc1,
acp_name=acp.name,
name="Permit HQ LAN",
action="ALLOW",
enabled=True,
)
hq_acprule.source_zone(action="add", name=sz_inside.name)
hq_acprule.destination_zone(action="add", name=sz_outside.name)
hq_acprule.source_network(action="add", name=hq_lan.name)
hq_acprule.destination_network(action="add", name="any-ipv4")
# hq_acprule.logBegin = True
# hq_acprule.logEnd = True
hq_acprule.post()
# Build NAT Policy
nat = fmcapi.FTDNatPolicies(fmc=fmc1, name="NAT Policy")
nat.post()
# Build NAT Rule to NAT all_lans to interface outside
autonat = fmcapi.AutoNatRules(fmc=fmc1)
autonat.natType = "DYNAMIC"
autonat.interfaceInTranslatedNetwork = True
autonat.original_network(all_lans.name)
autonat.source_intf(name=sz_inside.name)
autonat.destination_intf(name=sz_outside.name)
autonat.nat_policy(name=nat.name)
autonat.post()
# Build NAT Rule to allow inbound traffic to FMC (Branches need to register to FMC.)
fmc_nat = fmcapi.ManualNatRules(fmc=fmc1)
fmc_nat.natType = "STATIC"
fmc_nat.original_source(hq_fmc.name)
fmc_nat.translated_source(fmc_public.name)
fmc_nat.source_intf(name=sz_inside.name)
fmc_nat.destination_intf(name=sz_outside.name)
fmc_nat.nat_policy(name=nat.name)
fmc_nat.enabled = True
fmc_nat.post()
# Add hq-ftd device to FMC
hq_ftd = fmcapi.DeviceRecords(fmc=fmc1)
# Minimum things set.
hq_ftd.hostName = "10.0.0.254"
hq_ftd.regKey = "cisco123"
hq_ftd.acp(name=acp.name)
# Other stuff I want set.
hq_ftd.name = "hq-ftd"
hq_ftd.licensing(action="add", name="MALWARE")
hq_ftd.licensing(action="add", name="VPN")
hq_ftd.licensing(action="add", name="BASE")
hq_ftd.licensing(action="add", name="THREAT")
hq_ftd.licensing(action="add", name="URLFilter")
# Push to FMC to start device registration.
hq_ftd.post(post_wait_time=300)
# Once registration is complete configure the interfaces of hq-ftd.
hq_ftd_g00 = fmcapi.PhysicalInterfaces(fmc=fmc1,
device_name=hq_ftd.name)
hq_ftd_g00.get(name="GigabitEthernet0/0")
hq_ftd_g00.enabled = True
hq_ftd_g00.ifname = "IN"
hq_ftd_g00.static(ipv4addr="10.0.0.1", ipv4mask=24)
hq_ftd_g00.sz(name="inside")
hq_ftd_g00.put()
hq_ftd_g01 = fmcapi.PhysicalInterfaces(fmc=fmc1,
device_name=hq_ftd.name)
hq_ftd_g01.get(name="GigabitEthernet0/1")
hq_ftd_g01.enabled = True
hq_ftd_g01.ifname = "OUT"
hq_ftd_g01.static(ipv4addr="100.64.0.200", ipv4mask=24)
hq_ftd_g01.sz(name="outside")
hq_ftd_g01.put()
# Build static default route for HQ FTD
hq_default_route = fmcapi.IPv4StaticRoutes(fmc=fmc1,
name="hq_default_route")
hq_default_route.device(device_name=hq_ftd.name)
hq_default_route.networks(action="add", networks=["any-ipv4"])
hq_default_route.gw(name=hq_dfgw_gateway.name)
hq_default_route.interfaceName = hq_ftd_g01.ifname
hq_default_route.metricValue = 1
hq_default_route.post()
# Associate NAT policy with HQ FTD device.
devices = [{"name": hq_ftd.name, "type": "device"}]
assign_nat_policy = fmcapi.PolicyAssignments(fmc=fmc1)
assign_nat_policy.ftd_natpolicy(name=nat.name, devices=devices)
assign_nat_policy.post()
def test__phys_interfaces(fmc):
logging.info(
"Test PhysicalInterface. get, put PhysicalInterface Objects. Requires registered device"
)
sz1 = fmcapi.SecurityZones(fmc=fmc)
sz1.name = "SZ-OUTSIDE1"
sz1.post()
time.sleep(1)
sz2 = fmcapi.SecurityZones(fmc=fmc)
sz2.name = "SZ-OUTSIDE2"
sz2.post()
time.sleep(1)
intf1 = fmcapi.PhysicalInterfaces(fmc=fmc, device_name="device_name")
intf1.get(name="GigabitEthernet0/0")
intf1.enabled = True
intf1.ifname = "OUTSIDE1"
intf1.activeMACAddress = "0050.5686.718f"
intf1.standbyMACAddress = "0050.5686.0c2e"
intf1.static(ipv4addr="10.254.0.3", ipv4mask=24)
intf1.sz(name=sz1.name)
intf2 = fmcapi.PhysicalInterfaces(fmc=fmc, device_name="device_name")
intf2.get(name="GigabitEthernet0/1")
intf2.enabled = True
intf2.ifname = "OUTSIDE2"
intf2.activeMACAddress = "0050.5686.821d"
intf2.standbyMACAddress = "0050.5686.11cb"
intf2.dhcp()
intf2.sz(name=sz2.name)
intf1.put()
time.sleep(1)
intf2.put()
time.sleep(1)
intf1.get()
intf2.get()
intf1.enabled = False
intf1.activeMACAddress = ""
intf1.standbyMACAddress = ""
intf1.static(ipv4addr="", ipv4mask="")
intf1.securityZone = {}
intf1.activeMACAddress = ""
intf1.standbyMACAddress = ""
intf2.enabled = False
intf2.activeMACAddress = ""
intf2.standbyMACAddress = ""
intf2.static(ipv4addr="", ipv4mask="")
intf2.securityZone = {}
intf2.activeMACAddress = ""
intf2.standbyMACAddress = ""
intf1.put()
time.sleep(1)
intf2.put()
time.sleep(1)
intf1.get()
intf2.get()
intf1.ifname = ""
intf2.ifname = ""
intf1.put()
sz1.delete()
intf2.put()
sz2.delete()