A Python package designed to help users of Cisco's FMC interface with its API.

Overview

FMCAPI was originally developed by Dax Mickelson ([email protected]). Dax has moved on to other projects but has kindly transferred the ownership of this repo so that we can keep it current!

fmcapi

Provide an "easier to use" way of interacting with the Cisco FMC's API. There is a LOT that has yet to be done in order to make this project have "feature parity" with all that can be done with the FMC's API. That said, what is here works!

The fmcapi is published to PyPI. This means you can install it via pip (pip3 install fmcapi)

Features

  • Creation and maintenance of the connection with the FMC. This basically is care and feeding of the token.
  • Register devices with FMC.
  • Deploy changes to FMC managed devices.
  • Can access API REST methods for:
    • Host Objects
    • Network Objects
    • Range Objects
    • Port Objects
    • ICMPv4/ICMPv6 Objects
    • Security Zones Objects
    • Interface Group Objects
    • URL Objects
    • FQDNS Objects
    • IKEv1/IKEv1 IPsec Proposal and Policy Objects
    • DNS Server Groups
    • Access Control Policy (ACP)
    • ACP Rules
    • VLAN Tags
    • Devices/Device Groups/Device HA
    • FTD Device Interfaces
    • IPv4/IPv6 Static Routes
    • NAT Policy
    • and many more! (74 total by my last count.)
  • There is a "dry_run" feature where you can issue a get(), put(), post(), or delete() method call and, where supported you'll get output of what "would" have been sent to the FMC instead of actually issuing that method call. This is good for troubleshooting your scripts.
  • There is a 'show_json' method available to all fmcapi Classes that will just output the formatted data that is know in that instantiated class.

This is now an installable Python package via pip! I'm heavily developing this code so you might want to issue the command pip3 install -U fmcapi to update your installed version.

Quickstart on how to use this package

First install it with: pip3 install fmcapi Then to use the code best start a "with" statement that creates an instance of the FMC class like this: with fmcapi.FMC(host='192.168.11.15', username='admin', password='Admin123', autodeploy=False) as fmc:
Then either code away referencing the fmc variable to get to the internal methods of the FMC class or utilize the various class objects to ease your coding needs.

Building out an example network is in the "example" directory. This isn't fully completed but it should help you get an idea of what is possible.

I recorded a quick "howto" video which can be accessed via: (This is outdated and I need to make new videos.) https://www.youtube.com/watch?v=4NIe3T-HjDw

Using in the Docker container

There is a Docker image stored on DockerHub (dmickels/fmcapi) you can use to create Docker containers with. The syntax is as follows: docker run -i --name fmcapi --rm --name fmcapi -v 'local directory with scripts':/usr/src/app dmickels/fmcapi:latest

Notes

  • 1: Check out the example directory's scripts for ideas on how to use fmcapi.
  • 2: A lot of work has gone into making fmcapi easier to use and to develop on. Doing this has forced us to issue a deprecation notice on some of the original fmcapi Classes (so that our Class names align with Cisco's API call names). Take note of any deprecation warnings and move to the correct Class name in your scripts.
  • 3: You can directly send requests to the FMC via the send_to_api() method in the FMC class. This allows you to access any of the API features of the FMC.

ToDos

  • Write better how-to instructions. (Anyone willing to help?)
  • Finish adding all the FMC API calls as fmcapi Classes.
Comments
  • Adding accessrule based on application instead of destination port

    Adding accessrule based on application instead of destination port

    Hello

    I am trying to post/put the access rule to add the application ( eg. Facebook) instead of ports based rule.

    I checked the unit test script and don't see the option for the application.

    Would it be possible to add the access rule to reference the application instead of the destination port?

    Thanks for your help

    opened by MSD101 19
  • Update MissionStatement and Goals

    Update MissionStatement and Goals

    Looking for help in updating the Mission Statement and Goals for this project. I haven't updated them for a long time but I don't want to "push" any agenda on anyone helping with this project. So, I'd like to use this "issue" ticket to generate discussion on what we should do going forward. https://github.com/daxm/fmcapi/blob/master/docs/MissionStatement%20and%20Goals.md

    help wanted 
    opened by daxm 14
  • Factorial Duplication - Access Rules via post

    Factorial Duplication - Access Rules via post

    Describe the bug While using the same fmc object in a loop and posting a set new access rule, it will post every rule before it.

    If I am looping 6 new rules, it will post 1 - 12 -123 -1234 -12345 - 123456 for a total of 21 rules created.

    To Reproduce Loop creation of access rules while using a with statement of a fmc object.

    Expected behavior Only posting 6 rules when supplied 6 rules.

    import fmcapi
    
    class Connection(fmcapi.FMC):
        def __init__(
            self,
            host="fmc01",
            username="admin",
            password="Admin123",
            domain='test',
            autodeploy=False,
            file_logging=None,
            logging_level="INFO",
            debug=False,
            limit=1000,
            timeout=15):
            super().__init__(
                host, username, password,
                domain, autodeploy,
                file_logging, logging_level,
                debug, limit, timeout)
    
        def rule_add(self, rule_list):
            '''
            '''
            if not isinstance(rule_list, list):
                rule_list = [rule_list]
    
            rule_results = []
            for rule in rule_list:
                rule_details = fmcapi.AccessRules(
                    fmc=self, acp_name=rule.access_policy)
    
              # prep rules
    
                rule_results.append(rule_details.post())
                print('---')
    
            return rule_results
    

    Python environment

    asttokens==2.0.5
    autopep8==1.6.0
    backcall==0.2.0
    bcrypt==3.2.2
    Brotli==1.0.9
    certifi==2022.6.15
    cffi==1.15.0
    charset-normalizer==2.1.0
    click==8.1.3
    colorama==0.4.5
    cryptography==37.0.2
    dash==2.5.1
    dash-core-components==2.0.0
    dash-cytoscape==0.3.0
    dash-html-components==2.0.0
    dash-table==5.0.0
    DateTime==4.4
    decorator==5.1.1
    diffios==0.0.9
    executing==0.8.3
    flake8==4.0.1
    Flask==2.1.2
    Flask-Compress==1.12
    fmcapi==20220914.0
    future==0.18.2
    idna==3.3
    ipaddress==1.0.23
    ipython==8.4.0
    itsdangerous==2.1.2
    jedi==0.18.1
    Jinja2==3.1.2
    MarkupSafe==2.1.1
    matplotlib-inline==0.1.3
    mccabe==0.6.1
    netmiko==4.1.0
    networkx==2.8.4
    ntc-templates==3.0.0
    paramiko==2.11.0
    parso==0.8.3
    passlib==1.7.4
    pickleshare==0.7.5
    plotly==5.9.0
    prompt-toolkit==3.0.30
    pure-eval==0.2.2
    pycodestyle==2.8.0
    pycparser==2.21
    pycryptodome==3.15.0
    pyflakes==2.4.0
    Pygments==2.12.0
    PyNaCl==1.5.0
    pyserial==3.5
    pytz==2022.1
    PyYAML==6.0
    requests==2.28.1
    scp==0.14.4
    six==1.16.0
    stack-data==0.3.0
    tenacity==8.0.1
    textfsm==1.1.2
    toml==0.10.2
    traitlets==5.3.0
    urllib3==1.26.9
    wcwidth==0.2.5
    Werkzeug==2.1.2
    zope.interface==5.4.0
    

    Additional context Add any other context about the problem here.

    opened by Niltak 12
  • endless loop when 2 requests happens

    endless loop when 2 requests happens

    Is your feature request related to a problem? Please describe. I have a script to add hosts to the group. The script login, get the group, search in the response if the object is already in the group, if not add, if yes skip, finally verify. This involves several get/post/get operations. While executing the script, if another user tries to execute the script again, it will invalidate the first user token, and the first script will lock in an endless loop until the refresh timer.

    Describe the solution you'd like If there was a successful first login, then wait a few seconds and try to log in again.

    opened by aegiacometti 9
  • Add categories in access policy

    Add categories in access policy

    [**Is](url categories.zip )

    I made a script for the creation of category in the access policy, however being beginning in python, could check if everything is good (and publish if you want)

    Check with FMC 6.6 and 6.5

    Best regards

    opened by rnuyttens 9
  • Docmentation: List All NAT Rules

    Docmentation: List All NAT Rules

    Is your feature request related to a problem? Please describe. A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

    I'm trying to create a script to export all the NAT rules into a CSV, but I can't quite get it working the way I want so wondering if you had a working example that you could share?

    Describe the solution you'd like A clear and concise description of what you want to happen.

    Working Example would be great, or a few pointers?

    Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered.

    I've looked around and at the module, but can only get a list of the NAT Policies so far not the actual NAT rules. I may be missing something obvious.

    Additional context Add any other context or screenshots about the feature request here.

    opened by salsop 9
  • ACPRule.put() action not passing through well

    ACPRule.put() action not passing through well

    I'm trying to edit existing rules through the API. More specifically all I want to change is switching source and destination zone. I obtain them in following lines:

    `acprule = ACPRule(fmc=fmc1, acp_name=acpname) acprule.name = rule['name'] #rule has been obtained from a send_to_api function obtaining all policies in the ACP acprule.id = rule['id'] acprule.get()

                        acprule.sendEventsToFMC = True
                        acprule.logBegin = True
                        acprule.intrusion_policy(action='set', name='IPS-Balanced')
                        acprule.source_zone(action='clear')
                        acprule.destination_zone(action='add', name=src_zone)
    
                        print(acprule.format_data())
    
                        acprule.put()`
    

    The rule gets obtained just fine with all metadata in the get function. Printing the format_data also lists that all information from the obtained rule is still there, plus the changes made to the rule. However, when I then try to put the changes to the API, the format_data function called in the API changes "ALLOW" to "BLOCK". Even if I manually set the action to allow before calling the put function.

    Do you have any idea how the action-attribute gets lost the moment I call the put function? I'm still quite new to python, but have some experience in programming ... so I'm not sure if it's actually the fmcapi-module or not causing this.

    The output of formate_data looks like this:

    Before put:
    {'id': 'acp_id', 'name': 'ACL_1', 'action': 'ALLOW', 'enabled': True, 'sendEventsToFMC': True, 'logFiles': False, 'logBegin': True, 'logEnd': False, 'variableSet': {'name': 'Default-Set', 'id': 'set_id', 'type': 'VariableSet'}, 'type': 'AccessRule', 'vlanTags': {}, 'sourceNetworks': {'objects': [{'type': 'NetworkGroup', 'name': 'my_group', 'id': 'group_id'}]}, 'destinationNetworks': {'objects': [{'type': 'NetworkGroup', 'name': 'any', 'id': 'group_id'}]}, 'destinationPorts': {'objects': [{'type': 'ProtocolPortObject', 'protocol': 'UDP', 'name': 'my_port', 'id': 'port_id'}, {'type': 'ProtocolPortObject', 'protocol': 'TCP', 'name': 'my_port2', 'id': 'port_id2'}]}, 'ipsPolicy': {'name': 'IPS-Balanced', 'id': 'ips_id', 'type': 'intrusionpolicy'}, 'destinationZones': {'objects': [{'name': 'INTERNET', 'id': 'zone_id', 'type': 'SecurityZone'}]}}
    
    After put:
    {'id': 'acp_id', 'name': 'ACL_1', 'action': 'BLOCK', 'enabled': True, 'sendEventsToFMC': True, 'logFiles': False, 'logBegin': False, 'logEnd': False, 'variableSet': {'name': 'Default-Set', 'id': 'set_id', 'type': 'VariableSet'}, 'type': 'AccessRule', 'vlanTags': {}, 'sourceNetworks': {'objects': [{'type': 'NetworkGroup', 'name': 'my_group', 'id': 'group_id'}]}, 'destinationNetworks': {'objects': [{'type': 'NetworkGroup', 'name': 'any', 'id': 'group_id'}]}, 'destinationPorts': {'objects': [{'type': 'ProtocolPortObject', 'protocol': 'UDP', 'name': 'my_port', 'id': 'port_id'}, {'type': 'ProtocolPortObject', 'protocol': 'TCP', 'name': 'my_port2', 'id': 'port_id2'}]}, 'ipsPolicy': {'name': 'IPS-Balanced', 'id': 'ips_id', 'type': 'intrusionpolicy'}, 'destinationZones': {'objects': [{'name': 'INTERNET', 'id': 'zone_id', 'type': 'SecurityZone'}]}}
    
    bug 
    opened by brammeskens 8
  • Access Rule Comments

    Access Rule Comments

    I would like the ability to easily add/append "comments" to the access rules for each rule change. If this functionality is available, I'm not sure how to use it at the moment.

    https://github.com/daxm/fmcapi/blob/master/fmcapi/api_objects/policy_services/accessrules.py

    image

    image

    opened by Td3v 7
  • Documentation To Modify Existing objects

    Documentation To Modify Existing objects

    Is your feature request related to a problem? Please describe. I can't fine any documentation about using fmcapi to modify existing objects. I am trying to modify a network group object to add more ip addresses to it. I would also like to modify existing rules to add destination ports or destination addresses

    Describe the solution you'd like I would like update documentation with some examples of modifying objects.

    opened by rlc9090gmail 6
  • literals in portobjectgroups

    literals in portobjectgroups

    I successfully created literals in the networkobjectgroups but that option is missing in portobjectgroups. I see a comment "Technically you can have objects OR literals" but there is no "unnamed" section. I'm just not sure if you can have literals in the portobjectgroup or you just haven't got around to coding it yet. Thanks

    opened by jmattatall 5
  • Bulk Posts?

    Bulk Posts?

    I've been poking around with this module for a couple of days now and one thing I can't determine is if you have the ability to post objects in bulk?

    I.E. I need to post thousands of individual Hosts, and Networks objects and doing this 1 by 1 takes hour(s).

    I skimmed through the few examples but didn't notice any bulk posts, I didn't notice any in the YouTube video either, and VS Code intellisense isn't pointing me to a solution.

    Anyway, I love this module. Thank you for writing and maintaining it.

    opened by MysticRyuujin 5
  • Add Destination/Source Ports literals to Access Rules

    Add Destination/Source Ports literals to Access Rules

    Hello Guys,

    First of all, thanks for this

    It will be really great to have the ability to add port literals for Access Rules just like we can with source and destination networks. Having to create port objects for access rules has left us with a lot of duplicated port objects.

    Thanks.

    opened by dadelowo367 5
Releases(20200330.0)
  • 20200330.0(Mar 30, 2020)

  • 20200213.0(Feb 13, 2020)

  • 20191130.1(Nov 30, 2019)

  • 20191017.0(Oct 17, 2019)

    Bug fixes Improved debug outputs Added ability to add source_sgt into AccessRules but it appears the FMC isn't using it yet. Added access to defaultAction in AccessRules. Added access to IKESettings API Added access to IPsecSettings API Added access to AdvancedSettings API Added access to Endpoints API Expanded the Example to include an example of separation of user data and code. Added extendedACL support to EndPoints. Modified INFO logging. Move some messages into DEBUG/ERROR/WARNING levels instead.

    Source code(tar.gz)
    Source code(zip)
  • 20191002.0(Oct 2, 2019)

    There was a "bug" that caused fmcapi AccessRules to not put/post to FMC. Fixed. Alpha (untested) ability to add source_sgt to AccessRules.

    Source code(tar.gz)
    Source code(zip)
  • 20190923.0(Sep 24, 2019)

  • 20190915.1(Sep 15, 2019)

    This release has a drastic reorganization of the api_objects package into sub-packages that align with the Cisco FMC API Quick Start Guide organization of the API methods. This meant that some of the "old" names of some of the fmcapi classes needed to be changed. The old name will work for a while but you should get a deprecation warning if you use the old name. When the removal of the old names happens has yet to be determined... 2021'ish? Improvements to the token refresh/generation in this release too.

    Source code(tar.gz)
    Source code(zip)
  • 20190911.0(Sep 11, 2019)

    Added a "dry_run" feature. This will allow you to see what would have been sent to the FMC's API. Works for GET, POST, PUT. (I forgot to add it to DELETE. I'll fix that in the next release.)

    Fixed "enabled" always being False in PhysicalInterface Class.

    Adjusted, again, the token refresh logic.

    Source code(tar.gz)
    Source code(zip)
  • 20190910.1(Sep 10, 2019)

  • 20190910.0(Sep 10, 2019)

    The big new feature is the ability to use the bulk POST feature for ACPRules. Misc bug fixes too. Split TestingUserScript tests out into individual files (under unit_tests) directory.

    Source code(tar.gz)
    Source code(zip)
  • 20190908.0(Sep 8, 2019)

  • 20190828.0(Aug 29, 2019)

  • 20190824.0(Aug 24, 2019)

  • 20190819.0(Aug 19, 2019)

Owner
Mark Sullivan
Mark Sullivan
This is a simple program that uses Python and pyTwitchAPI to retrieve the list of users in a streamer's chat and then checks each one of these users to see if they follow the broadcaster or not

This is a simple program that uses Python and pyTwitchAPI to retrieve the list of users in a streamer's chat and then checks each one of these users to see if they follow the broadcaster or not

RwinShow 57 Dec 18, 2022
Discord bot code to stop users that are scamming with fake messages of free discord nitro on servers in order to steal users accounts.

AntiScam Discord bot code to stop users that are scamming with fake messages of free discord nitro on servers in order to steal users accounts. How to

H3cJP 94 Dec 15, 2022
A Bot Telegram Anti Users Channel to automatic ban users who using channel to send message in group.

Tg_Anti_UsersChannel A Bot Telegram Anti Users Channel to automatic ban users who using channel to send message in group. Features: Automatic ban Whit

idzeroid 6 Dec 26, 2021
A Python interface module to the SAS System. It works with Linux, Windows, and mainframe SAS. It supports the sas_kernel project (a Jupyter Notebook kernel for SAS) or can be used on its own.

A Python interface to MVA SAS Overview This module creates a bridge between Python and SAS 9.4. This module enables a Python developer, familiar with

SAS Software 319 Dec 19, 2022
One version package to rule them all, One version package to find them, One version package to bring them all, and in the darkness bind them.

AwesomeVersion One version package to rule them all, One version package to find them, One version package to bring them all, and in the darkness bind

Joakim Sørensen 39 Dec 31, 2022
An async python wrapper to interact with the Steam API and its CMs

steam.py A modern, easy to use, and async ready package to interact with the Steam API. Heavily inspired by discord.py and borrowing functionality fro

James Hilton-Balfe 90 Dec 15, 2022
Python Package For MTN Zambia Momo API. This package can also be used by MTN momo in other countries.

MTN MoMo API Lite Python Client Power your apps with Lite-Python MTN MoMo API Usage Installation Add the latest version of the library to your project

Mathews Musukuma 7 Jan 1, 2023
This Bot Can Upload Video from Link Of Pdisk to Pdisk using its API. @PredatorHackerzZ

?????????? ?????????????????? ?????? Make short link by using ?????????? API key Installation ?????? ???????? ?????? ???????????????? ????????????????

ρяє∂αтσя 25 Dec 2, 2022
AirDrive lets you store unlimited files to cloud for free. Upload & download files from your personal drive at any time using its super-fast API.

AirDrive lets you store unlimited files to cloud for free. Upload & download files from your personal drive at any time using its super-fast API.

Sougata 4 Jul 12, 2022
A Python bot that uses the Reddit API to send users inspiring messages.

AnonBot By Edric Antoine A Python bot that uses the Reddit API to send users inspiring messages. When a message includes 'What would Anon do?', the bo

null 1 Jan 5, 2022
PRAW, an acronym for "Python Reddit API Wrapper", is a python package that allows for simple access to Reddit's API.

PRAW: The Python Reddit API Wrapper PRAW, an acronym for "Python Reddit API Wrapper", is a Python package that allows for simple access to Reddit's AP

Python Reddit API Wrapper Development 3k Dec 29, 2022
PRAW, an acronym for "Python Reddit API Wrapper", is a python package that allows for simple access to Reddit's API.

PRAW: The Python Reddit API Wrapper PRAW, an acronym for "Python Reddit API Wrapper", is a Python package that allows for simple access to Reddit's AP

Python Reddit API Wrapper Development 3k Dec 29, 2022
Using multiple API sources, create an app that allows users to filter through random locations based on their temperature range choices.

World_weather_analysis Overview Using multiple API sources, create an app that allows users to filter through random locations based on their temperat

Jason Boyer 2 Sep 16, 2022
Send song lyrics to iMessage users using the Genius lyrics API

pyMessage Send song lyrics to iMessage users using the Genius lyrics API. Setup 1.) Open the main.py file, and add your API key on line 7. 2.) Install

therealkingnull 1 Jan 23, 2022
Send OpenWeatherMap alerts (One Call API) to telegram users.

OpenWeatherMap Telegram Alert Send OpenWeatherMap alerts (One Call API) to telegram users. Installation Requirements: $ apt install python3-yaml pytho

Michael Hacker 1 Jun 4, 2022
Public API client for GETTR, a "non-bias [sic] social network," designed for data archival and analysis.

GoGettr GoGettr is an API client for GETTR, a "non-bias [sic] social network." (We will not reward their domain with a hyperlink.) GoGettr is built an

Stanford Internet Observatory 72 Dec 14, 2022
The official wrapper for spyse.com API, written in Python, aimed to help developers build their integrations with Spyse.

Python wrapper for Spyse API The official wrapper for spyse.com API, written in Python, aimed to help developers build their integrations with Spyse.

Spyse 15 Nov 22, 2022
A python telegram bot to fetch the details of an ipadress with help of ip-api

ipfetcher A python(Pyrogram) oriented telegram bot to fetch the details of an ipadress developed by @riz4d with the API of https://ip-api.com Deployme

Mohamed Rizad 5 Mar 12, 2022