Leveraging the FMC API and TextFSM to import objects from ASA.

Automation and programmability are not new topics for me. Having studied Information Technology in high school, I’ve always coded in some way, never making it my primary focus but always using it as a tool to make my life easier.

I remember a script I wrote in Pascal to create a menu for loading custom maps for Doom II instead of using the CLI. It would be great to find it again, but it’s very unlikely because I’ve trashed so many PCs and hard drives since then; well, at least I didn’t have bitcoins stored there!

Digressions aside, what I’ll discuss here is a script I wrote to convert objects from Cisco ASA to Cisco Firepower NGFW using the FMC API; it is now shared in my GitHub repository.

Part of the code is inspired by the labs I saw at Cisco EMEAR PVT SECURITY in Lisbon last December.

API documentation

The whole project actually started as a personal exercise to read and understand API documentation.

The API documentation is hosted on the Firepower Management Center itself; open yours at the URL

https://FMC-IP/api/api-explorer/

The output looks like this, listing the objects and the actions available for each via the API

Consume API

What I actually did was read through the API documentation and pick and choose what I found most useful at the time.

The low-hanging fruit are the functions to read/find/create/delete (a.k.a. CRUD) an object, where an object can be a host, a network or a service on FMC.

GITHUB repository with code and docs available here

Import objects from ASA

Once the code to use the API was ready the next challenge was to read a full Cisco ASA configuration and retrieve the objects from there.

This is where TextFSM helps.

TextFSM is a Python module which implements a template-based state machine for parsing semi-formatted text. It was originally developed to allow programmatic access to information returned from the command line interface (CLI) of networking devices.

This post from Jason Edelman and this one from Henry help to clarify how to use TextFSM.

After some tinkering and trial and error I got this

# One Value per column of the output row; none is Filldown, so each Record clears them all.
Value type (\w+)
Value name (.*$)
Value host (.*$)
Value subnet (.*$)
Value service (.*$)
Value description (.*$)

Start
  # "object <type> <name>" opens a definition; the host/subnet/service line that follows records it.
  ^object\s${type}\s${name}
  ^\sdescription ${description}
  ^\shost ${host} -> Record
  ^\ssubnet ${subnet} -> Record
  ^\sservice ${service} -> Record

The output format is

['type', 'name', 'host', 'subnet', 'service', 'description']

TextFSM is an executable module, so it’s possible to test the template against an actual ASA configuration; just launch

textfsm.py asa_object_textfsm_template sh_run_object.txt

where asa_object_textfsm_template is the template shown above and sh_run_object.txt is the output of the ASA command

show run object

The output is a list usable by a Python script:

['network', 'NET_OFFICE', '', '192.168.0.0 255.255.255.0', '', '']
['network', 'NET_TVCC', '', '192.168.10.0 255.255.255.0', '', '']
['service', 'tcp_3000', '', '', 'tcp destination eq 3000 ', '']
['service', 'tcp_9999', '', '', 'tcp destination eq 9999 ', '']
['network', 'SRV_TVCC', '192.168.10.150', '', '', '']
['network', 'SRV_OFFICE', '192.168.0.150', '', '', '']
['service', 'RDP_33396', '', '', 'tcp source eq 3389 destination eq 33396 ', '']

The import script

The actual import script runs the TextFSM template to list all the objects present in the ASA config and uses this information to create the objects on FMC via the API.

It is an exercise left to the reader to customize the import script to read configuration from other vendors ;-)

The import script can be found in the same GitHub repository.
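As an added example (not code from the post or from its GitHub repository), the following script covers both steps above end to end: it re-implements the five rules of the TextFSM template as plain `re` patterns so it runs without textfsm installed, parses a constructed `show run object` sample into the same six-column rows, and then maps each row to an FMC REST API request body. The endpoint suffixes (`object/hosts`, `object/networks`, `object/protocolportobjects`) and the body fields are my assumptions about the FMC object API; confirm them against your own FMC’s api-explorer before posting anything. Rows the mapping cannot translate safely (a service with a source port, a subnet whose mask does not cover the host bits) are reported rather than silently turned into a wrong object.

```python
"""Added example: ASA `show run object` rows -> FMC object API request bodies."""
import ipaddress
import re

# Constructed sample of `show run object` output; not taken from a real device.
SAMPLE_SHOW_RUN_OBJECT = """\
object network NET_OFFICE
 subnet 192.168.0.0 255.255.255.0
object network SRV_TVCC
 description TVCC server
 host 192.168.10.150
object service tcp_3000
 service tcp destination eq 3000
object service RDP_33396
 service tcp source eq 3389 destination eq 33396
object network BAD_MASK
 subnet 192.168.1.0 255.255.0.0
"""

COLUMNS = ['type', 'name', 'host', 'subnet', 'service', 'description']

# The template's five rules with the same regexes; True marks the `-> Record` ones.
RULES = [
    (re.compile(r'^object\s(?P<type>\w+)\s(?P<name>.*$)'), False),
    (re.compile(r'^\sdescription (?P<description>.*$)'), False),
    (re.compile(r'^\shost (?P<host>.*$)'), True),
    (re.compile(r'^\ssubnet (?P<subnet>.*$)'), True),
    (re.compile(r'^\sservice (?P<service>.*$)'), True),
]


def parse_asa_objects(text):
    """Return rows in the template's column order; first matching rule wins per line."""
    rows, current = [], dict.fromkeys(COLUMNS, '')
    for line in text.splitlines():
        for regex, record in RULES:
            match = regex.match(line)
            if match is None:
                continue
            current.update(match.groupdict())
            if record:                       # emulate `-> Record`: emit the row, clear values
                rows.append([current[c] for c in COLUMNS])
                current = dict.fromkeys(COLUMNS, '')
            break
    return rows


# ASA service syntax this example understands: "<proto> [source eq N] [destination eq M]".
SERVICE_RE = re.compile(
    r'^(?P<proto>tcp|udp)(?:\s+source\s+eq\s+(?P<src>\S+))?'
    r'(?:\s+destination\s+eq\s+(?P<dst>\S+))?\s*$')


def to_fmc_request(row):
    """Map one row to (assumed FMC endpoint suffix, body); ValueError if it cannot be mapped."""
    obj = dict(zip(COLUMNS, row))
    body = {'name': obj['name']}
    if obj['description']:
        body['description'] = obj['description']
    if obj['host']:
        ipaddress.ip_address(obj['host'])             # rejects malformed addresses
        return 'object/hosts', {**body, 'type': 'Host', 'value': obj['host']}
    if obj['subnet']:
        addr, mask = obj['subnet'].split()
        net = ipaddress.ip_network(f'{addr}/{mask}')  # strict: host bits set -> ValueError
        return 'object/networks', {**body, 'type': 'Network', 'value': str(net)}
    if obj['service']:
        match = SERVICE_RE.match(obj['service'])
        if match is None or match.group('src') or not match.group('dst'):
            raise ValueError('needs a plain destination port: ' + obj['service'].strip())
        return 'object/protocolportobjects', {**body, 'type': 'ProtocolPortObject',
                                              'protocol': match.group('proto').upper(),
                                              'port': match.group('dst')}
    raise ValueError('row has no host, subnet or service')


def build_fmc_requests(rows):
    """Split rows into (endpoint, body) pairs to POST and (name, reason) pairs to report."""
    to_post, skipped = [], []
    for row in rows:
        try:
            to_post.append(to_fmc_request(row))
        except ValueError as err:
            skipped.append((row[1], str(err)))
    return to_post, skipped


if __name__ == '__main__':
    todo, bad = build_fmc_requests(parse_asa_objects(SAMPLE_SHOW_RUN_OBJECT))
    for endpoint, body in todo:
        print(f'POST https://FMC-IP/api/fmc_config/v1/domain/<domainUUID>/{endpoint} {body}')
    for name, reason in bad:
        print(f'SKIP {name}: {reason}')
```

Feeding the output of the real textfsm.py run into `build_fmc_requests` works unchanged, since the rows have the same column order; the skipped list is what you would review by hand before a bulk import, which is the part of a migration where a silently mistranslated network or port object does the most damage.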

Wrap up

I remember doing something similar a few years ago to import thousands of lines of objects and security policies from an IPCop firewall to a Fortigate. I wasn’t familiar with Python at the time, so I used sed, awk, cut and the other powerful tools provided by GNU/Linux. Python and TextFSM make it easier, and the code is reusable.

Feel free to read, comment on and fix my code on GitHub; use it and share it under the CC BY-SA 4.0 license.

GitHub repository with code and docs

Cisco FMC Programming Guides

FMC REST API videos on Youtube

TextFSM

Cisco DevNet Learning Labs: Programming with Firepower

Other similar projects:

ASA to Firepower FMC Migration Tool by Matt Cross