def main(): """ The hq-ftd device already has 10.0.0.254 on its manage interface and the command 'configure network manager 10.0.0.10 cisco123' has already been manually typed on the FTD's CLI. """ with fmcapi.FMC(host=host, username=username, password=password, autodeploy=autodeploy) as fmc1: # Create an ACP acp = fmcapi.AccessControlPolicy(fmc=fmc1, name='ACP Policy') # I intentially put a "space" in the ACP name to show that fmcapi will "fix" that for you. acp.post() # Create Security Zones sz_inside = fmcapi.SecurityZone(fmc=fmc1, name='inside', interfaceMode='ROUTED') sz_inside.post() # sz_inside.get() sz_outside = fmcapi.SecurityZone(fmc=fmc1, name='outside', interfaceMode='ROUTED') sz_outside.post() # sz_outside.get() sz_dmz = fmcapi.SecurityZone(fmc=fmc1, name='dmz', interfaceMode='ROUTED') sz_dmz.post() # sz_dmz.get() # Create Network Objects hq_dfgw_gateway = fmcapi.IPHost(fmc=fmc1, name='hq-default-gateway', value='100.64.0.1') hq_dfgw_gateway.post() hq_lan = fmcapi.IPNetwork(fmc=fmc1, name='hq-lan', value='10.0.0.0/24') hq_lan.post() all_lans = fmcapi.IPNetwork(fmc=fmc1, name='all-lans', value='10.0.0.0/8') all_lans.post() hq_fmc = fmcapi.IPHost(fmc=fmc1, name='hq_fmc', value='10.0.0.10') hq_fmc.post() fmc_public = fmcapi.IPHost(fmc=fmc1, name='fmc_public_ip', value='100.64.0.10') fmc_public.post() # Create ACP Rule to permit hq_lan traffic inside to outside. hq_acprule = fmcapi.ACPRule( fmc=fmc1, acp_name=acp.name, name='Permit HQ LAN', action='ALLOW', enabled=True, ) hq_acprule.source_zone(action='add', name=sz_inside.name) hq_acprule.destination_zone(action='add', name=sz_outside.name) hq_acprule.source_network(action='add', name=hq_lan.name) hq_acprule.destination_network(action='add', name='any-ipv4') hq_acprule.post() # Build NAT Policy nat = fmcapi.FTDNatPolicy(fmc=fmc1, name='NAT Policy') nat.post() # Build NAT Rule to NAT all_lans to interface outside autonat = fmcapi.AutoNatRules(fmc=fmc1) autonat.natType = "DYNAMIC" autonat.interfaceInTranslatedNetwork = True autonat.original_network(all_lans.name) autonat.source_intf(name=sz_inside.name) autonat.destination_intf(name=sz_outside.name) autonat.nat_policy(name=nat.name) autonat.post() # Build NAT Rule to allow inbound traffic to FMC (Branches need to register to FMC.) fmc_nat = fmcapi.ManualNatRules(fmc=fmc1) fmc_nat.natType = "STATIC" fmc_nat.original_source(hq_fmc.name) fmc_nat.translated_source(fmc_public.name) fmc_nat.source_intf(name=sz_inside.name) fmc_nat.destination_intf(name=sz_outside.name) fmc_nat.nat_policy(name=nat.name) fmc_nat.post() # Add hq-ftd device to FMC hq_ftd = fmcapi.Device(fmc=fmc1) # Minimum things set. hq_ftd.hostName = '10.0.0.254' hq_ftd.regKey = DEVICE_REGISTRATION_PSK hq_ftd.acp(name=acp.name) # Other stuff I want set. hq_ftd.name = 'hq-ftd' hq_ftd.licensing(action='add', name='MALWARE') hq_ftd.licensing(action='add', name='VPN') hq_ftd.licensing(action='add', name='BASE') # Push to FMC to start device registration. hq_ftd.post(post_wait_time=300) # Once registration is complete configure the interfaces of hq-ftd. hq_ftd_g00 = fmcapi.PhysicalInterface(fmc=fmc1, device_name=hq_ftd.name) hq_ftd_g00.get(name="GigabitEthernet0/0") hq_ftd_g00.enabled = True # This doesn't work yet for some reason. hq_ftd_g00.ifname = "IN" hq_ftd_g00.static(ipv4addr="10.0.0.1", ipv4mask=24) hq_ftd_g00.sz(name="inside") hq_ftd_g00.put() hq_ftd_g01 = fmcapi.PhysicalInterface(fmc=fmc1, device_name=hq_ftd.name) hq_ftd_g01.get(name="GigabitEthernet0/1") hq_ftd_g01.enabled = False # This doesn't work yet for some reason. hq_ftd_g01.ifname = "OUT" hq_ftd_g01.static(ipv4addr="100.64.0.200", ipv4mask=24) hq_ftd_g01.sz(name="outside") hq_ftd_g01.put() # Build static default route for HQ FTD hq_default_route = fmcapi.IPv4StaticRoute(fmc=fmc1, name='hq_default_route') hq_default_route.device(device_name=hq_ftd.name) hq_default_route.networks(action='add', networks=['any-ipv4']) hq_default_route.gw(name=hq_dfgw_gateway.name) hq_default_route.interfaceName = hq_ftd_g01.ifname hq_default_route.metricValue = 1 hq_default_route.post() # Associate NAT policy with HQ FTD device. devices = [{'name': hq_ftd.name, 'type': 'device'}] assign_nat_policy = fmcapi.PolicyAssignments(fmc=fmc1) assign_nat_policy.ftd_natpolicy(name=nat.name, devices=devices) assign_nat_policy.post()
def main(): """ The hq-ftd device already has 10.0.0.254 on its manage interface and the command 'configure network manager 10.0.0.10 cisco123' has already been manually typed on the FTD's CLI. """ # ### Set these variables to match your environment. ### # host = "10.0.0.10" username = "******" password = "******" with fmcapi.FMC( host=host, username=username, password=password, autodeploy=True, file_logging="hq-ftd.log", ) as fmc1: # Create an ACP acp = fmcapi.AccessPolicies(fmc=fmc1, name="ACP Policy") acp.defaultAction = "BLOCK" # I intentionally put a "space" in the ACP name to show that fmcapi will "fix" that for you. acp.post() # Create Security Zones sz_inside = fmcapi.SecurityZones(fmc=fmc1, name="inside", interfaceMode="ROUTED") sz_inside.post() sz_outside = fmcapi.SecurityZones(fmc=fmc1, name="outside", interfaceMode="ROUTED") sz_outside.post() sz_dmz = fmcapi.SecurityZones(fmc=fmc1, name="dmz", interfaceMode="ROUTED") sz_dmz.post() # Create Network Objects hq_dfgw_gateway = fmcapi.Hosts(fmc=fmc1, name="hq-default-gateway", value="100.64.0.1") hq_dfgw_gateway.post() hq_lan = fmcapi.Networks(fmc=fmc1, name="hq-lan", value="10.0.0.0/24") hq_lan.post() all_lans = fmcapi.Networks(fmc=fmc1, name="all-lans", value="10.0.0.0/8") all_lans.post() hq_fmc = fmcapi.Hosts(fmc=fmc1, name="hq_fmc", value="10.0.0.10") hq_fmc.post() fmc_public = fmcapi.Hosts(fmc=fmc1, name="fmc_public_ip", value="100.64.0.10") fmc_public.post() # Create ACP Rule to permit hq_lan traffic inside to outside. hq_acprule = fmcapi.AccessRules( fmc=fmc1, acp_name=acp.name, name="Permit HQ LAN", action="ALLOW", enabled=True, ) hq_acprule.source_zone(action="add", name=sz_inside.name) hq_acprule.destination_zone(action="add", name=sz_outside.name) hq_acprule.source_network(action="add", name=hq_lan.name) hq_acprule.destination_network(action="add", name="any-ipv4") # hq_acprule.logBegin = True # hq_acprule.logEnd = True hq_acprule.post() # Build NAT Policy nat = fmcapi.FTDNatPolicies(fmc=fmc1, name="NAT Policy") nat.post() # Build NAT Rule to NAT all_lans to interface outside autonat = fmcapi.AutoNatRules(fmc=fmc1) autonat.natType = "DYNAMIC" autonat.interfaceInTranslatedNetwork = True autonat.original_network(all_lans.name) autonat.source_intf(name=sz_inside.name) autonat.destination_intf(name=sz_outside.name) autonat.nat_policy(name=nat.name) autonat.post() # Build NAT Rule to allow inbound traffic to FMC (Branches need to register to FMC.) fmc_nat = fmcapi.ManualNatRules(fmc=fmc1) fmc_nat.natType = "STATIC" fmc_nat.original_source(hq_fmc.name) fmc_nat.translated_source(fmc_public.name) fmc_nat.source_intf(name=sz_inside.name) fmc_nat.destination_intf(name=sz_outside.name) fmc_nat.nat_policy(name=nat.name) fmc_nat.enabled = True fmc_nat.post() # Add hq-ftd device to FMC hq_ftd = fmcapi.DeviceRecords(fmc=fmc1) # Minimum things set. hq_ftd.hostName = "10.0.0.254" hq_ftd.regKey = "cisco123" hq_ftd.acp(name=acp.name) # Other stuff I want set. hq_ftd.name = "hq-ftd" hq_ftd.licensing(action="add", name="MALWARE") hq_ftd.licensing(action="add", name="VPN") hq_ftd.licensing(action="add", name="BASE") hq_ftd.licensing(action="add", name="THREAT") hq_ftd.licensing(action="add", name="URLFilter") # Push to FMC to start device registration. hq_ftd.post(post_wait_time=300) # Once registration is complete configure the interfaces of hq-ftd. hq_ftd_g00 = fmcapi.PhysicalInterfaces(fmc=fmc1, device_name=hq_ftd.name) hq_ftd_g00.get(name="GigabitEthernet0/0") hq_ftd_g00.enabled = True hq_ftd_g00.ifname = "IN" hq_ftd_g00.static(ipv4addr="10.0.0.1", ipv4mask=24) hq_ftd_g00.sz(name="inside") hq_ftd_g00.put() hq_ftd_g01 = fmcapi.PhysicalInterfaces(fmc=fmc1, device_name=hq_ftd.name) hq_ftd_g01.get(name="GigabitEthernet0/1") hq_ftd_g01.enabled = True hq_ftd_g01.ifname = "OUT" hq_ftd_g01.static(ipv4addr="100.64.0.200", ipv4mask=24) hq_ftd_g01.sz(name="outside") hq_ftd_g01.put() # Build static default route for HQ FTD hq_default_route = fmcapi.IPv4StaticRoutes(fmc=fmc1, name="hq_default_route") hq_default_route.device(device_name=hq_ftd.name) hq_default_route.networks(action="add", networks=["any-ipv4"]) hq_default_route.gw(name=hq_dfgw_gateway.name) hq_default_route.interfaceName = hq_ftd_g01.ifname hq_default_route.metricValue = 1 hq_default_route.post() # Associate NAT policy with HQ FTD device. devices = [{"name": hq_ftd.name, "type": "device"}] assign_nat_policy = fmcapi.PolicyAssignments(fmc=fmc1) assign_nat_policy.ftd_natpolicy(name=nat.name, devices=devices) assign_nat_policy.post()
def create_device_records(fmc, device_list): """DeviceRecords (Registration and Interfaces)""" for dr in device_list: # Register this device with the FMC. Assume the device is pre-programmed to listen for the FTD registration. ftd = fmcapi.DeviceRecords(fmc=fmc) if "hostname" in dr: ftd.hostName = dr["hostname"] if "registration_key" in dr: ftd.regKey = dr["registration_key"] if "access_policy" in dr: ftd.acp(name=dr["access_policy"]) if "name" in dr: ftd.name = dr["name"] if "licenses" in dr: for lice in dr["licenses"]: ftd.licensing(action="add", name=lice["name"]) # Push to FMC to start device registration. ftd.post(post_wait_time=dr["wait_for_post"]) # Time to configure interfaces. if "interfaces" in dr: if "physical" in dr["interfaces"]: for interface in dr["interfaces"]["physical"]: int1 = fmcapi.PhysicalInterfaces(fmc=fmc, device_name=dr["name"]) if "name" in interface: int1.get(name=interface["name"]) if "enabled" in interface: int1.enabled = interface["enabled"] if "interface_name" in interface: int1.ifname = interface["interface_name"] if "security_zone" in interface: int1.sz(name=interface["security_zone"]) if "addresses" in interface: if "ipv4" in interface["addresses"]: if "static" in interface["addresses"]["ipv4"]: int1.static( ipv4addr=interface["addresses"]["ipv4"] ["static"]["ip"], ipv4mask=interface["addresses"]["ipv4"] ["static"]["bitmask"], ) elif "dhcp" in interface["addresses"]["ipv4"]: int1.dhcp( enableDefault=interface["addresses"] ["ipv4"]["dhcp"]["enable_default"], routeMetric=interface["addresses"]["ipv4"] ["dhcp"]["route_metric"], ) if "ipv6" in interface["addresses"]: pass int1.put() # Any routing related to this device. if "routing" in dr: if "static" in dr["routing"]: if "ipv4" in dr["routing"]["static"]: for route in dr["routing"]["static"]["ipv4"]: rt = fmcapi.IPv4StaticRoutes(fmc=fmc, device_name=dr["name"]) if "name" in route: rt.name = route["name"] if "networks" in route: for network in route["networks"]: if "name" in network: rt.networks(action="add", networks=[network["name"]]) if "gateway" in route: rt.gw(name=route["gateway"]) if "interface_name" in route: rt.interfaceName = route["interface_name"] if "metric" in route: rt.metricValue = route["metric"] rt.post() if "ipv6" in dr["routing"]["static"]: pass # Any NAT Policy assigned to this device. if "nat_policy" in dr: natp = fmcapi.PolicyAssignments(fmc=fmc) natp.ftd_natpolicy( name=dr["nat_policy"], devices=[{ "name": dr["name"], "type": dr["type"] }], ) natp.post()