Firepower FMC API – Initial Observations

As many of you know, I am not a developer but I do occasionally hack stuff together. This article is just some of the initial things I have learned working with the Firepower Management Console API.

A good place to start is the Firepower REST API Quick Start Guide. This can be found at the following URL.

Firepower REST API Quick Start Guide

One thing to note is that there is a recommendation to use a dedicated username for the API. I would go a step beyond that with a recommendation for testing and development. During development, I currently have a username for the FMC UI, a username for the API Explorer and a username for whatever tool I’m working with (Postman or a Python script). The reason for the extra accounts is that logging in to any of the UIs tends to generate a new token (and invalidate the old one). Sharing one account across them causes constant reauthentication to the web interfaces.

Here is a screenshot of Postman doing an initial authentication — Post to retrieve an access token.

Generate Token URL

https://<server-ip>/api/fmc_platform/v1/auth/generatetoken

Sending a POST with basic authentication to this URL returns an “x-auth-access-token” in the response headers. The token is good for 30 minutes and can be used for other operations.

This token is required for most other operations. These services are documented in the API Explorer.

https://<server-ip>/api/api-explorer/

A couple of things I have run into involve the self-signed certificate and Python scripts. A short example might be beneficial as a workaround to the issue.

import sys

import requests
from requests.auth import HTTPBasicAuth
import urllib3

# Workaround for the FMC self-signed certificate: certificate verification
# is skipped (verify=False in the request below) and the resulting warning
# is kept out of sight. Not recommended for production.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

username = "apiuser"
password = "apiuser"

headers = {'Content-Type': 'application/json'}

server = '192.168.1.100'
auth_url = "https://" + server + "/api/fmc_platform/v1/auth/generatetoken"

resp = requests.post(auth_url, auth=HTTPBasicAuth(username, password), verify=False)

# The tokens and the domain UUID are returned as response headers
auth_headers = resp.headers
auth_token = auth_headers.get('X-auth-access-token', default=None)
auth_refresh = auth_headers.get('X-auth-refresh-token', default=None)
auth_uuid = auth_headers.get('domain_uuid', default=None)
resp.close()

# Exit if the response does not contain what we expect
if auth_token is None:
    print("auth_token not found. Exiting...")
    sys.exit(1)
if auth_refresh is None:
    print("refresh_token not found. Exiting...")
    sys.exit(1)
if auth_uuid is None:
    print("domain_uuid not found. Exiting...")
    sys.exit(1)


print("domain_uuid: " + auth_uuid)
print("X-auth-access-token: " + auth_token)
print("X-auth-refresh-token: " + auth_refresh)

####
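
The script above works around the self-signed certificate by turning verification off. As an added example (not from the original article), this version instead validates the connection against the FMC certificate exported to a PEM file and tracks the 30-minute token lifetime. The names `FmcToken`, `login` and `ca_file`, the one-minute renewal margin and the injectable `post`/`clock` parameters are assumptions made for illustration.

```python
import time

TOKEN_LIFETIME = 30 * 60  # seconds; the article states the token is good for 30 minutes
RENEW_MARGIN = 60         # assumption: treat the token as stale one minute early
REQUIRED = ("x-auth-access-token", "x-auth-refresh-token", "domain_uuid")


class FmcToken:
    """Values FMC returns in the generatetoken response headers."""

    def __init__(self, headers, issued_at):
        # Lower-case the names so the lookup is case-insensitive on a plain dict too.
        found = {k.lower(): v for k, v in headers.items()}
        missing = [name for name in REQUIRED if not found.get(name)]
        if missing:
            raise ValueError("missing response headers: " + ", ".join(missing))
        self.access = found["x-auth-access-token"]
        self.refresh = found["x-auth-refresh-token"]
        self.domain_uuid = found["domain_uuid"]
        self.issued_at = issued_at

    def is_stale(self, now):
        """True once the token is within RENEW_MARGIN of its 30-minute lifetime."""
        return now - self.issued_at >= TOKEN_LIFETIME - RENEW_MARGIN

    def request_headers(self):
        """Headers to send on later API calls."""
        return {"X-auth-access-token": self.access,
                "Content-Type": "application/json"}


def login(server, username, password, ca_file, post=None, clock=time.time):
    """Request a token, validating the FMC certificate against ca_file.

    ca_file is a hypothetical path to the FMC certificate exported as PEM;
    post and clock are injectable so the logic can be exercised offline.
    """
    if post is None:
        import requests  # imported lazily; only needed for a real connection
        post = requests.post
    url = "https://" + server + "/api/fmc_platform/v1/auth/generatetoken"
    resp = post(url, auth=(username, password), verify=ca_file, timeout=10)
    resp.raise_for_status()
    return FmcToken(resp.headers, clock())
```

The FMC has to be addressed by a name or IP address that its certificate covers, otherwise hostname verification fails even though the certificate itself is trusted.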

I’m starting to work on some more advanced scripts to do things like importing and exporting full Access Control Policies. As I work through these examples, I will try to share them on this site.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.

 

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.