Introduction
Cisco’s FirePower line of NGFWs and DPI-equipped firewalls integrates easily with a centralized system for monitoring and policy deployment known as SFMC (Secure Firewall Management Center). This appliance is similar in nature to ISE or Catalyst Center, in that it serves primarily as a single access point for managing FTD/FTDv and NGIPS/NGIPSv devices. Much like those appliances, it exposes a convenient REST API that administrators can use to automate common tasks and integrate with other systems. This is most commonly used to automate the deployment of intrusion policies, tunnels, and other implementation steps. However, the nature of the system and its API also makes it very useful for enumerating details about the network environment.
The API in particular provides two tangible benefits for me:
- As a network engineer, I can easily find detailed information about the FirePower devices in my network and their associated policies in order to better secure them
- As a pentester or a hypothetical threat actor, I can enumerate and figure out a lot about the devices and security features in the network in order to evade them
Firewall Management Center stores just about every relevant detail about the devices it manages: license information, networks and tunnels, network security policies, and even full device configs (containing passwords and PSKs!). As an added bonus, most user accounts that can log in to the management center are able to read all of the information listed above.
My script
To better understand the workings of the SFMC REST API, I wrote a very short Python script which enumerates and outputs some summary information about the devices and networks that the SFMC appliance manages. It can also export full device configs. You can always take a finer view of things by looking at the source (the WebUI is actually quite powerful); this script mainly serves to provide a short summary of an SFMC device’s catalog of information.
Usage
usage: sfmc_cli.py [-h] [-d] -u URL --username USERNAME --password PASSWORD [-e ENUMERATE]
Cisco Secure Firepower Management Center Multi-tool
options:
-h, --help show this help message and exit
-d, --debug
-u, --url URL
--username USERNAME
--password PASSWORD
-e, --enumerate ENUMERATE
Available options: license, devices, network, policy, config
The modular enumeration system (the -e flag) means you can focus on specific aspects of the system without unnecessary API calls. This can be useful when you’re working with slow lab environments or when you only need specific information.
Examples:
One of the most useful features is the ability to quickly inventory all managed devices and their interface status:
$ ./sfmc_cli.py -e devices --username benhays --password REDACTED -u https://fmcrestapisandbox.cisco.com
[+] Successful login: fmcrestao (https://fmcrestapisandbox.cisco.com) v7.2.5 (build 208)
[+] Device list:
[+] usdc4-a0r-vpnnomad-1 (10.10.20.80): Cisco Firepower Threat Defense for VMware v7.0.6 in ROUTED mode
[+] GigabitEthernet0/0: enabled
[+] GigabitEthernet0/1: enabled
[+] GigabitEthernet0/2: enabled
[+] GigabitEthernet0/3: disabled
[+] GigabitEthernet0/4: disabled
[+] GigabitEthernet0/5: disabled
[+] GigabitEthernet0/6: disabled
[+] GigabitEthernet0/7: disabled
[+] Diagnostic0/0: enabled
[+] Script finished, have a nice day!
Next, we can export each device’s config to a file:
$ ./sfmc_cli.py -e config --username benhays --password REDACTED -u https://fmcrestapisandbox.cisco.com
[+] Successful login: fmcrestao (https://fmcrestapisandbox.cisco.com) v7.2.5 (build 208)
[+] Device list:
[+] usdc4-a0r-vpnnomad-1 (10.10.20.80): Cisco Firepower Threat Defense for VMware v7.0.6 in ROUTED mode
[+] GigabitEthernet0/0: enabled
[+] GigabitEthernet0/1: enabled
[+] GigabitEthernet0/2: enabled
[+] GigabitEthernet0/3: disabled
[+] GigabitEthernet0/4: disabled
[+] GigabitEthernet0/5: disabled
[+] GigabitEthernet0/6: disabled
[+] GigabitEthernet0/7: disabled
[+] Diagnostic0/0: enabled
[+] Exported configs:
[+] Successfully exported device config to usdc4-a0r-vpnnomad-1_config.txt
[+] Script finished, have a nice day!
usdc4-a0r-vpnnomad-1_config.txt:
: Serial Number: 9A1L3SL2JXD
: Hardware: NGFWv, 8192 MB RAM, CPU Xeon E5 series 2200 MHz, 1 CPU (4 cores)
:
NGFW Version 7.0.6
!
command-alias exec h help
command-alias exec lo logout
command-alias exec p ping
command-alias exec s show
terminal width 80
hostname ftd01
enable password ***** encrypted
no asp load-balance per-packet
no asp rule-engine transactional-commit access-group
no asp rule-engine transactional-commit nat
no asp inspect-dp snapshot enable
asp inspect-dp snapshot max 1
asp inspect-dp snapshot interval 5
asp inspect-dp egress-optimization
asp inspect-dp ack-passthrough
asp packet-profile
asp cksum-offload tx
asp noproxy-inline-optimize
no fips enable
[REDACTED FOR BREVITY]
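To show what sits behind the device listing above, here is an added example of the two API steps involved (not the author’s script): a POST to the generatetoken endpoint, whose response headers carry the session token and domain UUID, followed by GETs under that domain for device records and their physical interfaces. The sample responses are constructed, and the field names used (`hostName`, `model`, `sw_version`, `ftdMode`, `enabled`) are assumed to match what the expanded devicerecords and physicalinterfaces endpoints return.

```python
import base64
import json
import urllib.request

# Constructed sample responses shaped like the FMC replies to
# GET .../devices/devicerecords?expanded=true and .../devicerecords/{id}/physicalinterfaces
DEVICES_RESPONSE = {"items": [{
    "id": "dev-1", "name": "usdc4-a0r-vpnnomad-1", "hostName": "10.10.20.80",
    "model": "Cisco Firepower Threat Defense for VMware",
    "sw_version": "7.0.6", "ftdMode": "ROUTED"}]}
IFACES_BY_DEVICE = {"dev-1": {"items": [
    {"name": "GigabitEthernet0/0", "enabled": True},
    {"name": "GigabitEthernet0/3", "enabled": False},
    {"name": "Diagnostic0/0", "enabled": True}]}}

def token_request(base_url, username, password):
    """Build the login call: POST generatetoken with HTTP Basic credentials.
    FMC returns an empty body; the session token and domain are response headers."""
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/fmc_platform/v1/auth/generatetoken",
        method="POST", headers={"Authorization": f"Basic {cred}"})

def auth_context(headers):
    """Extract the access token and default domain UUID from the login response headers."""
    token, domain = headers.get("X-auth-access-token"), headers.get("DOMAIN_UUID")
    if not token or not domain:
        raise RuntimeError("login answered 2xx but token/domain headers are missing")
    return {"token": token, "domain": domain}

def get_json(base_url, ctx, path):
    """GET a config-API path under the authenticated domain and decode the JSON body."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/fmc_config/v1/domain/{ctx['domain']}{path}",
        headers={"X-auth-access-token": ctx["token"]})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def summarize_devices(devices, ifaces_by_device):
    """Render the '[+]' device and interface summary from decoded API responses."""
    lines = ["[+] Device list:"]
    for dev in devices.get("items", []):
        lines.append(f"[+] {dev['name']} ({dev.get('hostName', '?')}): {dev.get('model', '?')} "
                     f"v{dev.get('sw_version', '?')} in {dev.get('ftdMode', 'UNKNOWN')} mode")
        for iface in ifaces_by_device.get(dev["id"], {}).get("items", []):
            state = "enabled" if iface.get("enabled") else "disabled"
            lines.append(f"[+]     {iface['name']}: {state}")
    return lines
```

Against a live FMC, `get_json(url, ctx, "/devices/devicerecords?expanded=true")` and `get_json(url, ctx, f"/devices/devicerecords/{dev_id}/physicalinterfaces")` feed `summarize_devices`; the token is only valid for a limited time and must be refreshed or regenerated for longer runs.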
Looking Forward
There’s definitely room for improvement in the script. Error handling is mostly ignored and the script is sparsely documented. I’d like to support write/update operations in the future (the API easily accommodates this), but I didn’t have any immediate use for developing such options.
Conclusion
The full code is currently available on my Gitea server, along with other CCNP-related materials.
Thanks for reading as always!