Connecting Postman to Firepower Management Center API

A few months back, I wrote an article about my Initial Observation on the Firepower FMC API. Today’s article takes this one step further with a step-by-step guide to connecting Postman to the FMC API. It is worth noting that this is not a directly useful process, but a process that should be expanded upon to achieve any objective that is better served by an API. Use cases might include bulk changes or integration with other security applications.

The Official REST API Guide can be found at the following URL.

Firepower REST API Quick Start Guide

It is also worth mentioning that the online API documentation can be found at https://<FMC-IP>/api-explorer on the FMC installation.

The general flow of the process we will be following is:

  • Connect to FMC using basic authentication
  • View the response to obtain the X-auth-access-token and DOMAIN_UUID
  • Leverage the X-auth-access-token and DOMAIN_UUID in a request for access control policies
  • Leverage the token, domain and policy ID to obtain a list of rules in that policy
  • Leverage the token, domain, policy ID and rule ID to obtain rule details

Throughout this process, we will not store any variables and the process will be completely manual for comprehensive understanding. We will leverage Postman as a REST client.

The first step is to connect Postman to FMC to obtain an auth token and domain uuid.

Postman FMC Connection

As shown above, I use Basic Auth, the POST method and set my credentials. Send executes the request. If the request was properly handled, we should see a status 204 No Content.  The information that we need for the rest of the post is in the response headers (middle of the screen by default). The two parameters that we need are as follows:

DOMAIN_UUID e276abec-e0f2-11e3-8169-6d9ed49b625f
X-auth-access-token a8a00dd0-3ca3-47dd-b3a8-f76fcf3d1c33

The domain uuid is used in formulating URLs and the access token needs to be included in the request headers.

The next step is to leverage these two values to obtain a list of access control policies. The URL format can always be found in the api-explorer and should be as shown below.

It is necessary to use the X-auth-access-token in the request header for the remainder of the examples below.

FMC Request Header

Obtain a list of Access Control Policies

URL Format to obtain Access Control Policy
https://{{fmc_hostname}}/api/fmc_config/v1/domain/{{fmc_domain}}/policy/accesspolicies

For our example, I created a GET request as follows:
https://192.168.1.252/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies

This produces a JSON representation of the Access Control Policies. In my example, I only have a single policy called MyACP with an ID of 000C29E3-FE5F-0ed3-0000-008589936146.

Access Control Policies in JSON Format

//Output
{
    "links": {
        "self": "https://192.168.1.252/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies?offset=0&limit=1"
    },
    "items": [
        {
            "type": "AccessPolicy",
            "links": {
                "self": "https://192.168.1.252/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/000C29E3-FE5F-0ed3-0000-008589936146"
            },
            "name": "MyACP",
            "id": "000C29E3-FE5F-0ed3-0000-008589936146"
        }
    ],
    "paging": {
        "offset": 0,
        "limit": 1,
        "count": 1,
        "pages": 1
    }
}

The next step is to obtain a list of rules for MyACP (id 000C29E3-FE5F-0ed3-0000-008589936146). For this, I create another request with the same X-auth-access-token and leverage a URL similar to the following.

Obtain a list of rules in MyACP (an access control policy)

URL Format to obtain rules in a given Access Control Policy
https://{{fmc_hostname}}/api/fmc_config/v1/domain/{{fmc_domain}}/policy/accesspolicies/{{fmc_policy}}/accessrules

For our example, I created a GET request as follows:
https://192.168.1.252/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/000C29E3-FE5F-0ed3-0000-008589936146/accessrules

This produces a JSON representation of the rules contained in the access control policy with the ID specified in the URL.

List of ACP Rules in JSON Format

{
    "links": {
        "self": "https://192.168.1.252/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/000C29E3-FE5F-0ed3-0000-008589936146/accessrules?offset=0&limit=15"
    },
    "items": [
        {
            "links": {
                "self": "https://192.168.1.252/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/000C29E3-FE5F-0ed3-0000-008589936146/accessrules/000C29E3-FE5F-0ed3-0000-000268434434"
            },
            "name": "Monitor",
            "type": "AccessRule",
            "id": "000C29E3-FE5F-0ed3-0000-000268434434"
        },
        {
            "links": {
                "self": "https://192.168.1.252/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/000C29E3-FE5F-0ed3-0000-008589936146/accessrules/000C29E3-FE5F-0ed3-0000-000268434435"
            },
            "name": "Permit",
            "type": "AccessRule",
            "id": "000C29E3-FE5F-0ed3-0000-000268434435"
        },
        {
            "links": {
                "self": "https://192.168.1.252/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/000C29E3-FE5F-0ed3-0000-008589936146/accessrules/000C29E3-FE5F-0ed3-0000-000268435466"
            },
            "name": "Paul7",
            "type": "AccessRule",
            "id": "000C29E3-FE5F-0ed3-0000-000268435466"
        },
        {
            "links": {
                "self": "https://192.168.1.252/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/000C29E3-FE5F-0ed3-0000-008589936146/accessrules/000C29E3-FE5F-0ed3-0000-000268435467"
            },
            "name": "Paul8",
            "type": "AccessRule",
            "id": "000C29E3-FE5F-0ed3-0000-000268435467"
        },
        {
            "links": {
                "self": "https://192.168.1.252/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/000C29E3-FE5F-0ed3-0000-008589936146/accessrules/000C29E3-FE5F-0ed3-0000-000268435468"
            },
            "name": "Paul9",
            "type": "AccessRule",
            "id": "000C29E3-FE5F-0ed3-0000-000268435468"
        }
    ],
    "paging": {
        "offset": 0,
        "limit": 15,
        "count": 15,
        "pages": 1
    }
}

The final step is to get additional information for one of the rules. In this case, I will select the last one and construct a URL for that.

Obtain the rule detail of Paul9 (an access control policy rule)

URL Format to obtain details about a specific rule
https://{{fmc_hostname}}/api/fmc_config/v1/domain/{{fmc_domain}}/policy/accesspolicies/{{fmc_policy}}/accessrules/{{fmc_rule}}

For our example, I created a GET request as follows:
https://192.168.1.252/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/000C29E3-FE5F-0ed3-0000-008589936146/accessrules/000C29E3-FE5F-0ed3-0000-000268435468

This produces all of the detail about the “Paul9” rule.

ACP Rule “Paul9” in JSON format

{
    "metadata": {
        "section": "Mandatory",
        "category": "--Undefined--",
        "accessPolicy": {
            "type": "AccessPolicy",
            "name": "MyACP",
            "id": "000C29E3-FE5F-0ed3-0000-008589936146"
        },
        "timestamp": 1530759245976,
        "domain": {
            "name": "Global",
            "id": "e276abec-e0f2-11e3-8169-6d9ed49b625f",
            "type": "Domain"
        }
    },
    "links": {
        "self": "https://192.168.1.252/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/000C29E3-FE5F-0ed3-0000-008589936146/accessrules/000C29E3-FE5F-0ed3-0000-000268435468"
    },
    "enabled": true,
    "action": "ALLOW",
    "name": "Paul9",
    "type": "AccessRule",
    "id": "000C29E3-FE5F-0ed3-0000-000268435468",
    "vlanTags": {},
    "sourceNetworks": {
        "literals": [
            {
                "type": "Network",
                "value": "192.168.1.0/24"
            }
        ]
    },
    "destinationNetworks": {
        "literals": [
            {
                "type": "Network",
                "value": "1.1.1.0/24"
            }
        ]
    },
    "logBegin": false,
    "logEnd": false,
    "logFiles": false,
    "sendEventsToFMC": false
}

At this point, we have fulfilled the process of connecting to FMC and drilling into the detail of a single rule.
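
The same four requests chained in a script, as an added example that is not code from the original article; it also checks the returned rule details for enabled ALLOW rules that log nothing, like "Paul9" above. Assumptions: the token path /api/fmc_platform/v1/auth/generatetoken is not spelled out in the text above, ca_file is a CA bundle that validates the FMC certificate, and the names FmcClient, https_transport and unlogged_allows are hypothetical.

```python
import base64, json, ssl, urllib.request

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"  # assumption: not given in the article text
POLICIES = "/api/fmc_config/v1/domain/{domain}/policy/accesspolicies"

def https_transport(ca_file):
    """send(method, url, headers) over TLS, verifying the FMC certificate against ca_file."""
    ctx = ssl.create_default_context(cafile=ca_file)  # keep verification on, trust the FMC's CA
    def send(method, url, headers):
        req = urllib.request.Request(url, method=method, headers=headers)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, dict(resp.headers), resp.read()
    return send

class FmcClient:  # hypothetical helper, not part of any Cisco SDK
    def __init__(self, host, send):
        self.base, self.send = f"https://{host}", send
        self.token = self.domain = None

    def login(self, user, password):
        """Step 1: Basic auth POST; token and domain UUID arrive in the response headers."""
        basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        status, headers, _ = self.send("POST", self.base + TOKEN_PATH,
                                       {"Authorization": "Basic " + basic})
        hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        if status != 204 or "x-auth-access-token" not in hdrs or "domain_uuid" not in hdrs:
            raise RuntimeError(f"token request failed (HTTP {status})")
        self.token, self.domain = hdrs["x-auth-access-token"], hdrs["domain_uuid"]

    def get(self, *parts):
        """Steps 2-4: GET below .../policy/accesspolicies with the token header set."""
        url = "/".join([self.base + POLICIES.format(domain=self.domain), *parts])
        status, _, body = self.send("GET", url, {"X-auth-access-token": self.token})
        if status != 200:
            raise RuntimeError(f"GET {url} failed (HTTP {status})")
        return json.loads(body)

    def rule_details(self, policy_name):
        """Policy name -> policy id -> rule ids -> detail of each rule (paging not followed)."""
        policy = next(p for p in self.get()["items"] if p["name"] == policy_name)
        rules = self.get(policy["id"], "accessrules")["items"]
        return [self.get(policy["id"], "accessrules", r["id"]) for r in rules]

def unlogged_allows(rules):
    """Names of enabled ALLOW rules that log neither connection start nor end."""
    return [r["name"] for r in rules if r.get("enabled") and r.get("action") == "ALLOW"
            and not (r.get("logBegin") or r.get("logEnd"))]
```

Against a live FMC this would be used as FmcClient(host, https_transport(ca_file)), with the credentials read from a prompt or secret store rather than written into the script.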

Conclusion

This is a process that has limited usefulness without a process or ecosystem. This method can and should be built upon when API usage might be beneficial. In an upcoming article, we will share additional detail about streamlining this process and leveraging the Postman environment to store variables. I can envision many use cases for API interaction with the Firepower Management Console. One example of a use case would be leveraging these processes for bulk import of Access Control Policy rules.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.

 

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.