Manage your Cisco FTDs using REST API
Madhuri D.
Security Automation Consultant @ Fortinet | Ex-Cisco | CKA, Azure | DevNet P | CCNP(S) | NSE-1,2,3,4
With firewalls moving to next-generation capabilities, the new normal is to manage them through the automation capabilities these devices offer. Most Cisco Security products now provide an option to interact with them using REST APIs.
Here is a simple script which I had used to manage 1000+ ACLs within the given ACPs.
Let's jump in to see how automation can make our life easier.
Problem Statement:
The customer has created a new IPS policy which now needs to be applied to all the rules of a given ACP in Cisco FTD. The pain point is that the given ACP has 1000+ rules on which this update needs to be performed.
Solution:
Cisco FTD offers REST APIs which can be leveraged for the use case described above. Rather than dedicating an engineer to updating the ACLs one by one, the REST API can be used to automate the task, and the engineer can then focus on other useful work.
Pre-Requisites for hands-on:
The engineer writing the script should have a basic understanding of:
- Automation workflow
- Python, including the requests, json and csv libraries
- Cisco FTD workflow
Workflow for Automation:
Stage 1:
Get the details from the customer (the ACP and the new IPS policy to apply).
Get an access token to interact with the API.
Perform a GET operation on the FMC for the given ACP UUID.
Note: you also need to handle pagination in order to retrieve all the rules of the given ACP.
Stage 2:
Data manipulation to filter the JSON obtained from the GET response. This section is very critical: you need to understand which parts of the JSON to retain and which to delete.
Stage 3:
After the required data manipulation is complete, perform a PUT operation to update the existing ACLs with the new IPS policy attached.
With the completion of Stage 3, we have successfully completed the task.
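As an added Python example (my own illustration, not the author's GitHub code), here are the three stages wired against the FMC REST API using only the standard library; the endpoint paths, token headers and the ipsPolicy field follow the FMC API as I know it, and the "ALLOW rules only" filter is an assumption to verify in your FMC API Explorer.

```python
import json
import urllib.request
from base64 import b64encode

# Assumptions (not from the article): FMC rejects read-only fields in a PUT body,
# and only ALLOW rules may carry an IPS policy, so other actions are skipped.
READ_ONLY_KEYS = ("metadata", "links")
IPS_ALLOWED_ACTIONS = ("ALLOW",)

def get_token(host, user, password):
    """Stage 1: POST to generatetoken; token and domain UUID are returned as headers."""
    cred = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{host}/api/fmc_platform/v1/auth/generatetoken",
                                 method="POST", headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req) as resp:
        return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]

def get_json(host, token, path):
    """GET one JSON resource; paging.next links are absolute URLs, so accept both forms."""
    url = path if path.startswith("http") else f"{host}{path}"
    req = urllib.request.Request(url, headers={"X-auth-access-token": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def fetch_all_rules(get_page, domain, acp_id, limit=25):
    """Stage 1 (pagination): follow paging.next until the last page has none."""
    path = (f"/api/fmc_config/v1/domain/{domain}/policy/accesspolicies/{acp_id}"
            f"/accessrules?expanded=true&offset=0&limit={limit}")
    rules = []
    while path:
        page = get_page(path)
        rules.extend(page.get("items", []))
        nxt = page.get("paging", {}).get("next")
        path = nxt[0] if isinstance(nxt, list) and nxt else None
    return rules

def prepare_for_put(rule, ips_policy_id):
    """Stage 2: drop read-only fields and attach the new IPS policy; None means skip."""
    if rule.get("action") not in IPS_ALLOWED_ACTIONS:
        return None
    body = {k: v for k, v in rule.items() if k not in READ_ONLY_KEYS}
    body["ipsPolicy"] = {"id": ips_policy_id, "type": "IntrusionPolicy"}
    return body

def put_rule(host, token, domain, acp_id, body):
    """Stage 3: PUT the modified rule back under its own id; returns the HTTP status."""
    url = f"{host}/api/fmc_config/v1/domain/{domain}/policy/accesspolicies/{acp_id}/accessrules/{body['id']}"
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"X-auth-access-token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Wire the stages together as `token, domain = get_token(host, user, pw)`, then `rules = fetch_all_rules(lambda p: get_json(host, token, p), domain, acp_id)`, and call `put_rule(...)` for every non-None `prepare_for_put(rule, ips_id)`. urllib verifies the FMC TLS certificate by default, so trust the FMC CA on the client instead of disabling verification.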
In this article we have not covered the bulk push option which Cisco FTD also supports. That is another area to look at when the requirement is to get the task completed within a limited time period.
We will explore that in the next article!
The detailed code is available at:
https://github.com/Madhuri150791/Cisco_Security_API_Capabilities/tree/master/ManageFTDRules