- Introduction and Ansible playbook download
- Script flow charts
- Introduction of REST API and Cisco FMC API Explorer
- Script prerequisites
- Request Access Token
- Get policy content, modify content and "PUT" in FMC - Part 1
- Get policy content, modify content and "PUT" in FMC - Part 2
- Get deployable devices and deploy policy
If you are not familiar with REST APIs, you can go through my post "REST API 101" to get a general idea of what a REST API can do and what the format of a REST request and response looks like.
Cisco Firepower Management Center provides its own API Explorer. You will need an "admin" account to connect to the API interface. The REST API is enabled by default; if it has been disabled, log in to the FMC console, go to "System -> Configuration -> REST API Preferences" and tick "Enable REST API". The API Explorer is then reachable at:
https://{{FMC IP}}/api/api-explorer/
As we know, in FMC a device can be registered in the Global domain or in one of its sub-domains. In our example we want to check the devices registered in the "Global/Sydney" domain, so we select "Global/Sydney" as the domain in the API Explorer.
Once we select the domain, the domain ID appears in the URL of the API Explorer. In the later posts of this API series we will use this domain ID quite often, so keep in mind how to get it here. The request URL the explorer builds for the device list is:
{"url":"/api/fmc_config/v1/domain/dd731f3e-8297-5b05-7ac3-000000000001/devices/devicerecords?expanded=true"}
In the "Response Text" field we can see the response body, which contains the existing device info of the FMC under the "Global/Sydney" domain. The devices are in the "items[]" array, and each device's JSON carries keys such as "id", "links", "name", "description", "model" and "accessPolicy". The following is an example of the response text: the first item in the array is device "FTD-2", the second item is device "FTD-1".
{
  "links": {
    "self": "https://192.168.1.205/api/fmc_config/v1/domain/dd731f3e-8297-5b05-7ac3-000000000001/devices/devicerecords?offset=0&limit=2&expanded=true"
  },
  "items": [
    {
      "id": "11a13c5e-7b9d-11e8-8701-be7fcc61faec",
      "type": "Device",
      "links": {
        "self": "https://192.168.1.205/api/fmc_config/v1/domain/dd731f3e-8297-5b05-7ac3-000000000001/devices/devicerecords/11a13c5e-7b9d-11e8-8701-be7fcc61faec"
      },
      "name": "FTD-2",
      "description": "NOT SUPPORTED",
      "model": "Cisco Firepower Threat Defense for VMWare",
      "modelId": "A",
      "modelNumber": "75",
      "modelType": "Sensor",
      "healthStatus": "green",
      "sw_version": "6.2.3",
      "healthPolicy": {
        "id": "e13c7d40-7083-11e8-97ce-02c515297e64",
        "type": "HealthPolicy",
        "name": "Initial_Health_Policy 2018-06-15 10:07:15"
      },
      "accessPolicy": {
        "name": "syd-test-access-policy",
        "id": "000c2911-ed30-0ed3-0000-030064771115",
        "type": "AccessPolicy"
      },
      "hostName": "192.168.1.207",
      "license_caps": [
        "THREAT",
        "MALWARE",
        "URLFilter"
      ],
      "keepLocalEvents": false,
      "prohibitPacketTransfer": false,
      "metadata": {
        "readOnly": {
          "state": false
        },
        "domain": {
          "name": "Sydney",
          "id": "dd731f3e-8297-5b05-7ac3-000000000001",
          "type": "domain"
        }
      }
    },
    {
      "id": "1b8e0ef8-7081-11e8-ab14-9aaa7606d632",
      "type": "Device",
      "links": {
        "self": "https://192.168.1.205/api/fmc_config/v1/domain/dd731f3e-8297-5b05-7ac3-000000000001/devices/devicerecords/1b8e0ef8-7081-11e8-ab14-9aaa7606d632"
      },
      "name": "FTD-1",
      "description": "NOT SUPPORTED",
      "model": "Cisco Firepower Threat Defense for VMWare",
      "modelId": "A",
      "modelNumber": "75",
      "modelType": "Sensor",
      "healthStatus": "red",
      "sw_version": "6.2.3",
      "healthPolicy": {
        "id": "e13c7d40-7083-11e8-97ce-02c515297e64",
        "type": "HealthPolicy",
        "name": "Initial_Health_Policy 2018-06-15 10:07:15"
      },
      "accessPolicy": {
        "name": "FTD-1-Access-Policy-SYD",
        "id": "000c2911-ed30-0ed3-0000-008589936316",
        "type": "AccessPolicy"
      },
      "hostName": "192.168.1.206",
      "license_caps": [
        "THREAT",
        "MALWARE",
        "URLFilter"
      ],
      "keepLocalEvents": false,
      "prohibitPacketTransfer": false,
      "metadata": {
        "readOnly": {
          "state": false
        },
        "domain": {
          "name": "Sydney",
          "id": "dd731f3e-8297-5b05-7ac3-000000000001",
          "type": "domain"
        }
      }
    }
  ],
  "paging": {
    "offset": 0,
    "limit": 2,
    "count": 2,
    "pages": 1
  }
}
In FMC every object has its own ID, so getting the correct object ID is essential for any REST API operation. From the above example we can read the domain ID, the device IDs and the access policy IDs, which the later "PUT" and deploy calls will need.
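As an added example (not code from the original post), here is a small Python helper that does by script what the explorer walkthrough does by hand: it pulls the domain ID out of an API Explorer or "fmc_config" URL like the one above, indexes the "devicerecords" response by device name so the device and access policy IDs can be looked up, checks that every returned device really sits in the expected domain, and computes the next page offset from the "paging" block. The sample response is a trimmed copy of the one shown above, embedded as a constant so the script runs offline; the FMC host name and the page size default are assumptions for illustration.

```python
import json
import re

# Constructed sample: a trimmed copy of the devicerecords response shown in
# this post (two FTDs in the Global/Sydney domain). It is not a live FMC reply.
SAMPLE_RESPONSE = json.loads("""
{
  "links": {"self": "https://192.168.1.205/api/fmc_config/v1/domain/dd731f3e-8297-5b05-7ac3-000000000001/devices/devicerecords?offset=0&limit=2&expanded=true"},
  "items": [
    {"id": "11a13c5e-7b9d-11e8-8701-be7fcc61faec", "type": "Device", "name": "FTD-2",
     "healthStatus": "green", "sw_version": "6.2.3", "hostName": "192.168.1.207",
     "accessPolicy": {"name": "syd-test-access-policy", "id": "000c2911-ed30-0ed3-0000-030064771115", "type": "AccessPolicy"},
     "metadata": {"domain": {"name": "Sydney", "id": "dd731f3e-8297-5b05-7ac3-000000000001", "type": "domain"}}},
    {"id": "1b8e0ef8-7081-11e8-ab14-9aaa7606d632", "type": "Device", "name": "FTD-1",
     "healthStatus": "red", "sw_version": "6.2.3", "hostName": "192.168.1.206",
     "accessPolicy": {"name": "FTD-1-Access-Policy-SYD", "id": "000c2911-ed30-0ed3-0000-008589936316", "type": "AccessPolicy"},
     "metadata": {"domain": {"name": "Sydney", "id": "dd731f3e-8297-5b05-7ac3-000000000001", "type": "domain"}}}
  ],
  "paging": {"offset": 0, "limit": 2, "count": 2, "pages": 1}
}
""")

UUID_RE = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
DOMAIN_RE = re.compile(r"/api/fmc_config/v1/domain/(" + UUID_RE + r")(?=/|\?|$)")


def domain_id_from_url(url):
    """Return the domain UUID embedded in an API Explorer / fmc_config URL."""
    m = DOMAIN_RE.search(url)
    if not m:
        raise ValueError("no FMC domain id found in URL: %s" % url)
    return m.group(1)


def devicerecords_url(fmc_host, domain_id, offset=0, limit=25):
    """Build the expanded device list URL for one page (limit default is an assumption)."""
    return ("https://%s/api/fmc_config/v1/domain/%s/devices/devicerecords"
            "?offset=%d&limit=%d&expanded=true" % (fmc_host, domain_id, offset, limit))


def index_devices(response):
    """Map device name -> the IDs the later PUT / deploy calls need."""
    devices = {}
    for item in response.get("items", []):
        if item.get("type") != "Device":
            continue
        name = item["name"]
        if name in devices:
            raise ValueError("duplicate device name in response: %s" % name)
        devices[name] = {
            "device_id": item["id"],
            "domain_id": item["metadata"]["domain"]["id"],
            "access_policy_name": item["accessPolicy"]["name"],
            "access_policy_id": item["accessPolicy"]["id"],
            "health": item.get("healthStatus"),
        }
    return devices


def devices_outside_domain(response, expected_domain_id):
    """Names of returned devices whose metadata.domain.id is not the domain we asked for.

    A non-empty list means the URL you pasted and the domain you think you are
    working in disagree; stop before PUTting a policy anywhere."""
    return sorted(
        item["name"] for item in response.get("items", [])
        if item["metadata"]["domain"]["id"] != expected_domain_id
    )


def next_offset(response):
    """Offset of the next page, or None when paging.count has been exhausted."""
    paging = response["paging"]
    nxt = paging["offset"] + paging["limit"]
    return nxt if nxt < paging["count"] else None


if __name__ == "__main__":
    domain = domain_id_from_url(SAMPLE_RESPONSE["links"]["self"])
    print("domain id:", domain)
    print("next page url:", devicerecords_url("192.168.1.205", domain, 0, 2))
    for name, info in sorted(index_devices(SAMPLE_RESPONSE).items()):
        print(name, info["device_id"], info["access_policy_name"], info["access_policy_id"])
    print("devices outside domain:", devices_outside_domain(SAMPLE_RESPONSE, domain))
    print("next offset:", next_offset(SAMPLE_RESPONSE))
```

The domain check is the part worth keeping even when the rest is replaced by an Ansible "uri" task: the explorer shows one domain at a time, but a copied URL carries whatever domain ID was selected when it was copied, and the only authoritative statement of where a device lives is the "metadata.domain.id" in its own record.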
Although our goal is to use Ansible to interact with the FMC, it's very important to understand how to use the FMC API Explorer. As I mentioned before, different vendors have different API data structures. The API Explorer is the reference for the Cisco FMC REST API: from it we can learn the request and response format of each call and write our Ansible scripts based on those instructions.
In the following post I will talk about the prerequisites of this Ansible playbook.