Sunday, July 15, 2018

Ansible REST API - Interacting with Cisco FirePower Management Center (FMC) - 04 - Script prerequisites

This post belongs to my "Ansible REST API - Interacting with Cisco FMC" series. The following is the table of content of this series:
  1. Introduction and Ansible playbook download
  2. Script flow charts
  3. Introduction of REST API and Cisco FMC API Explorer
  4. Script prerequisites
  5. Request Access Token
  6. Get policy content, modify content and "PUT' in FMC - Part 1
  7. Get policy content, modify content and "PUT' in FMC - Part 2 
  8. Get deployable devices and deploy policy

Before writing the main task script, we have to prepare couple of things:

1. Define the Ansible hosts file

We know that the Hosts file is the inventory file of Ansible. Here we define the Cisco FMC IP and it's hostname "Cisco_FMC".

location: /etc/ansible/hosts

Cisco_FMC ansible_host=

2. Build the login detail files

In order to login to the FMC, we need to give the login details to the system. This is sensitive information. So we need to encrypted by the Ansible Vault.

First, we build the vault file under "/etc/ansible/group_vars/all/" by issue command "ansible-vault create vault" and the following is the file content:

location: /etc/ansible/group_vars/all/vault

  FMC_username: admin
  FMC_pass: cisco123

Please be noted that the above "vault" file is NOT only for this FMC script. It will be used for all of your Ansible scripts in this Linux host. In the next step, we will write a login detail file dedicated for our FMC playbook and reference the details from the "vault" file:

location: /etc/ansible/group_vars/FMC

  username: "{{FMC_username}}"
  password: "{{FMC_pass}}"

The file name "FMC" will be matching the "FMC" group in the hosts file. The values of {{FMC_username}} & {{FMC_pass}} will be obtained from the "vault" file. 

3. Build site yaml file

Here is the site YML file. It links the hosts "FMC" and the ansible role "FMC-enable-policyrule" together. 

location: /etc/ansible/FMC-enable-policyrule.yml

  - hosts: FMC
    gather_facts: no
    connection: local
      - FMC-enable-policyrule

4. Initial the ansible role

Issue the command "ansible-galaxy init FMC-enable-policyrule" under "/etc/ansible/role" folder.

5. build the var file

location: /etc/ansible/roles/FMC-enable-policyrule/vars/main.yml

  FMC_IP: ""  # define the FMC IP address

# here is the domain ID obtained from FMC's api explorer
  domain: "dd731f3e-8297-5b05-7ac3-000000000001"  

# here is the access policy name
  policy_name: "FTD-1-Access-Policy-SYD"

# here is the access policy rule name which needs to be enabled. 
  policy_rule_name: "URL Filter"

# here we define a variable which indicates whether the config has been modified
  config_has_been_changed: false

After finishing all the above steps, we are ready to start writing our main task playbook. In the next post, I will introduce the way to obtain the access token from FMC.

No comments:

Post a Comment

NSX Load Balancer "Application Rules" Examples:

Load Balancing is one of the features provided by the NSX Edge Services Gateway (ESG). It can provide L7 Load Balancing by utilizing the HA...