If you have been following industry news or this blog, you will have heard and read about application programming interfaces (APIs) repeatedly. I am not going to talk about what APIs are in this post, but if you want to learn more, a good place to start is Wikipedia or Cisco’s own DevNet. What I do want to cover is the recent addition of the REST API to Cisco’s Firepower Management Center and its importance when migrating to Cisco’s Firepower Threat Defense (FTD) platforms.

Starting in Firepower version 6.1, Cisco introduced the ability to create and manage many of the objects and policies on the Firepower Management Center (FMC) through REST API calls. These APIs will play an important role moving forward when it comes to monitoring, managing and automating configurations on your firewalls, especially on the FTD platforms, because FTD appliances do not have command line configuration options or any way to make bulk changes outside of the REST API. This is going to be a big change for the typical ASA CLI junkie, as well as for most management tools.

I encourage you to read through the Cisco Firepower API documentation to get started. But as soon as you begin to apply the knowledge, I think you will find it thin on how to create and update objects. So I want to walk through an example of how to add a network object through the API calls.

Note: The example below assumes that you have enabled REST API access on the FMC and that you are familiar with the POSTMAN REST client. If you are not familiar with it and you have a Cisco Connection Online (CCO) ID, check out Cisco’s learning labs. I suggest Coding 101: REST API Basics to get started.

Authentication and Access Token Creation

Step 1. Set the client to make a POST

Step 2. Use the URL of https://<FMC_IP_or_name>/api/fmc_platform/v1/auth/generatetoken

Note: Depending on your FMC certificate, you may have to accept the certificate in your browser or you will receive an error when you send the command. The FMC ships with a self-signed certificate; for anything beyond a one-off test, install a certificate from your own PKI on the FMC or import the FMC’s certificate into the client’s trust store rather than disabling certificate verification in your tooling.

Steps 3-5. Include the username and password as a basic authentication header. The body section should be left blank.

Note: The access token carries exactly the permissions of the user that requested it, so create a dedicated API user with the narrowest role that covers the objects and policies you intend to manage instead of reusing an administrator account. Treat the token like a password: it is a bearer credential, and anyone holding it can act as that user until it expires.

Step 6. Update the request to save changes

Step 7. Send the API call to the FMC

[Screenshot: POST to /api/fmc_platform/v1/auth/generatetoken in POSTMAN with basic authentication set]

Step 8. Capture the X-auth-access-token and DOMAIN_UUID values from the headers section of the response. Both are needed for every configuration call that follows: the token goes in a request header and the DOMAIN_UUID goes in the URL path.

[Screenshot: response headers showing X-auth-access-token and DOMAIN_UUID]

Querying Network Objects

Steps 1-3. Open a new tab on the POSTMAN client and enter the following URL with a GET request, substituting the DOMAIN_UUID from the previous step for the {domain_UUID} section:

https://<FMC_IP_or_name>/api/fmc_config/v1/domain/{domain_UUID}/object/networks/

Steps 4-6. In the headers section of the request, add the key X-auth-access-token with the generated token as the value.

Step 7. Select send to push the API call to the FMC.

[Screenshot: GET request for /object/networks with the X-auth-access-token header]

You should now have the output of the Network Objects in the body field.

[Screenshot: response body listing the network objects]

The list view returns a summary of each object. To get the full detail of a single object, append its id to the GET URL, as documented in the API object guide here.

Creating a Network Object

Steps 1-3. Open a new tab on the POSTMAN client and enter the following URL with a POST request, again substituting your DOMAIN_UUID for the {domain_UUID} section:

https://<FMC_IP_or_name>/api/fmc_config/v1/domain/{domain_UUID}/object/networks

Step 4. In the headers section of the request, add the key X-auth-access-token with the generated token as the value.

Steps 5-7. In the body section, change the type to raw and the text type to JSON (application/json).

Step 8. Add the network information for the object you wish to create in the following format:

{
  "name": "<Object-Name>",
  "type": "Network",
  "description": "<Network-Description>",
  "value": "<IPv4 or IPv6 network in CIDR notation, e.g. 10.0.0.0/8>"
}

Step 9. Select Send.

[Screenshot: POST request with the JSON body for the new network object]

The output should be similar to the following screenshot: the FMC echoes the object back with its newly assigned id, links and metadata. If so, congratulations, you have just created a network object utilizing the Firepower REST API.

[Screenshot: response body for the created network object]

This is just touching the surface of what you can do with REST APIs. Utilizing Python, you could automate this and create more of a programmable solution to fit your needs.
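Here is the whole walkthrough (token request, listing the network objects, creating one) as a small Python script. This is an added example and not code from the original post or from Cisco; it uses only the standard library. The HTTPS transport is injectable so that the logic can be exercised offline against a constructed stub FMC: the host name, user name, token value and object ids below are all made up, and the only value taken from the post is the domain UUID quoted later in it.

```python
# Added example, not Cisco's code: the FMC 6.1 token -> list -> create flow from
# this post using only the standard library. The HTTPS transport is injectable so
# the logic runs offline against a constructed stub; host, user and stub values
# are assumptions.
import base64
import ipaddress
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# transport(method, url, headers, body) -> (status, response_headers, response_body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, Dict[str, str], bytes]]


def urllib_transport(cafile: str) -> Transport:
    """Real transport. FMC ships a self-signed certificate: export it (or your PKI's
    CA) and pass it here; do not disable verification in automation."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.status, dict(resp.headers.items()), resp.read()
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers.items()), err.read()
    return send


class FmcClient:
    def __init__(self, host: str, transport: Transport):
        self.base, self.transport = f"https://{host}", transport
        self.token: Optional[str] = None
        self.domain_uuid: Optional[str] = None

    def login(self, username: str, password: str) -> Tuple[str, str]:
        """POST generatetoken with Basic auth and an empty body; the token and
        DOMAIN_UUID come back in response headers, not in the body."""
        cred = base64.b64encode(f"{username}:{password}".encode()).decode()
        status, hdrs, _ = self.transport(
            "POST", f"{self.base}/api/fmc_platform/v1/auth/generatetoken",
            {"Authorization": f"Basic {cred}"}, None)
        if not 200 <= status < 300:
            raise RuntimeError(f"generatetoken failed: HTTP {status}")
        lower = {k.lower(): v for k, v in hdrs.items()}  # header names are case-insensitive
        self.token, self.domain_uuid = lower["x-auth-access-token"], lower["domain_uuid"]
        return self.token, self.domain_uuid

    def _headers(self) -> Dict[str, str]:
        if self.token is None:
            raise RuntimeError("call login() first")
        return {"X-auth-access-token": self.token, "Content-Type": "application/json"}

    def _networks_url(self) -> str:
        return f"{self.base}/api/fmc_config/v1/domain/{self.domain_uuid}/object/networks"

    def list_networks(self, expanded: bool = False) -> List[dict]:
        """GET /object/networks; ?expanded=true returns whole objects instead of links."""
        url = self._networks_url() + ("?expanded=true" if expanded else "")
        status, _, body = self.transport("GET", url, self._headers(), None)
        if status != 200:
            raise RuntimeError(f"list networks failed: HTTP {status}")
        return json.loads(body).get("items", [])

    def create_network(self, name: str, cidr: str, description: str = "") -> dict:
        """POST a Network object: only name/type/value/description in the body;
        id, links and metadata are assigned by the FMC and must be left out."""
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 10.10.0.1/16
        payload = {"name": name, "type": "Network", "value": str(net), "description": description}
        status, _, body = self.transport(
            "POST", self._networks_url(), self._headers(), json.dumps(payload).encode())
        if status not in (200, 201):
            raise RuntimeError(f"create network failed: HTTP {status} {body[:200]!r}")
        return json.loads(body)


def fake_fmc_transport() -> Transport:
    """Constructed stand-in for an FMC so the flow runs offline. Token and ids are
    made up; the domain UUID is the one quoted later in this post."""
    store: List[dict] = []

    def send(method, url, headers, body):
        if method == "POST" and url.endswith("/auth/generatetoken"):
            if not headers.get("Authorization", "").startswith("Basic "):
                return 401, {}, b""
            return 204, {"X-auth-access-token": "tok-123",
                         "DOMAIN_UUID": "e276abec-e0f2-11e3-8169-6d9ed49b625f"}, b""
        if headers.get("X-auth-access-token") != "tok-123":
            return 401, {}, b'{"error": "invalid token"}'
        if method == "GET" and "/object/networks" in url:
            return 200, {}, json.dumps({"items": store}).encode()
        if method == "POST" and url.endswith("/object/networks"):
            obj = dict(json.loads(body), id=f"fake-{len(store) + 1}")
            store.append(obj)
            return 201, {}, json.dumps(obj).encode()
        return 404, {}, b""
    return send


if __name__ == "__main__":
    fmc = FmcClient("fmc.example.internal", fake_fmc_transport())
    print(fmc.login("apiuser", "not-a-real-password"))
    print(fmc.create_network("Corp-LAN", "10.10.0.0/16", "added via REST API"))
    print(fmc.list_networks(expanded=True))
```

Against a real FMC you would swap the stub for urllib_transport("fmc-ca.pem") and keep everything else. Two details are worth noting: the token and DOMAIN_UUID are read from response headers with case-insensitive matching, because the header names the FMC returns do not match the casing you type into POSTMAN, and the CIDR value is validated with ipaddress before the request is sent, so a typo such as 10.10.0.1/16 fails locally instead of producing a 400 from the FMC.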

Bonus Insight

Here is some information that is missing from the Cisco REST API Quick Start Guide for version 6.1.

Adding ?expanded=true to the end of a top-level collection query (for example /object/networks?expanded=true) returns the full detail of every item, without having to GET each object or policy individually.

The bodies for object creation and updates follow the same format as the GET output for an object. The difference is what you strip out: for an update (PUT) you drop the "links" and "metadata" sections but keep the "id", which must match the id in the URL; for creation (POST) you drop "links", "metadata" and "id", since the FMC assigns the id.

Here’s an example:

GET request for existing network object details

GET https://fmc/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/object/networks/005056A7-B86C-0ed3-0000-141733921066

[Screenshot: GET response body for the network object, including links, metadata and id]

POST body fields needed for new object.

[Screenshot: POST body for a new object, without links, metadata or id]

PUT body needed for update.

[Screenshot: PUT body for an update, without links or metadata but with id]
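The same GET-to-POST and GET-to-PUT transformation in code, as an added example that is not part of the original post or of Cisco’s tooling. SAMPLE_GET is constructed to follow the 6.1 network-object field layout and was not captured from an FMC; the object id and domain UUID are the ones quoted above, and the base URL https://fmc is a placeholder.

```python
# Added example, not Cisco's code: turning the GET output of an existing network
# object into the POST and PUT bodies the "Bonus Insight" describes. SAMPLE_GET is
# constructed to follow the 6.1 field layout; it was not captured from an FMC.
import copy
import json

DOMAIN_UUID = "e276abec-e0f2-11e3-8169-6d9ed49b625f"
OBJECT_ID = "005056A7-B86C-0ed3-0000-141733921066"

SAMPLE_GET = {  # constructed sample
    "links": {"self": f"https://fmc/api/fmc_config/v1/domain/{DOMAIN_UUID}/object/networks/{OBJECT_ID}"},
    "type": "Network",
    "value": "10.10.0.0/16",
    "overridable": False,
    "description": "Corporate LAN",
    "id": OBJECT_ID,
    "name": "Corp-LAN",
    "metadata": {"timestamp": 1480000000000, "lastUser": {"name": "admin"},
                 "domain": {"name": "Global", "id": DOMAIN_UUID}},
}

SERVER_MANAGED = ("links", "metadata")  # owned by the FMC; never sent back
REQUIRED = ("id", "name", "type", "value")


def body_for_update(obj: dict) -> dict:
    """PUT body: the GET output minus links and metadata. id stays, and the PUT URL
    must end in the same id."""
    body = {k: copy.deepcopy(v) for k, v in obj.items() if k not in SERVER_MANAGED}
    missing = [k for k in REQUIRED if k not in body]
    if missing:
        raise ValueError(f"update body missing {missing}")
    return body


def body_for_create(obj: dict, new_name: str = None) -> dict:
    """POST body: the update body without id (the FMC assigns one). new_name lets
    you clone an existing object under a different name."""
    body = body_for_update(obj)
    del body["id"]
    if new_name:
        body["name"] = new_name
    return body


def update_request(base: str, domain_uuid: str, obj: dict, **changes) -> tuple:
    """Return (method, url, body) for a PUT that applies `changes` to obj.
    Refuses changes to id, links or metadata, which are not client-settable."""
    bad = [k for k in changes if k == "id" or k in SERVER_MANAGED]
    if bad:
        raise ValueError(f"cannot change {bad} through PUT")
    body = body_for_update(obj)
    body.update(changes)
    url = f"{base}/api/fmc_config/v1/domain/{domain_uuid}/object/networks/{body['id']}"
    return "PUT", url, body


if __name__ == "__main__":
    print(json.dumps(body_for_create(SAMPLE_GET, "Corp-LAN-copy"), indent=2))
    method, url, body = update_request("https://fmc", DOMAIN_UUID, SAMPLE_GET, value="10.20.0.0/16")
    print(method, url, json.dumps(body))
```

The functions copy the object rather than mutating it, so the original GET result stays usable for comparison after the update, and update_request builds the PUT URL from the id inside the body so the two cannot drift apart.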

I hope you find these tips for using the REST API with Cisco Firepower helpful. Feel free to share any additional insights or questions in the comment box below.

Read Ziyad Roumaya’s recent blog post on updating firewalls with Cisco Defense Orchestrator.

2 thoughts on “Programming Cisco’s Firepower 6.1 with the REST API”
