Net::Cisco::FMC::v1::Role::FixAccessruleLiterals - Role for Cisco Firepower Management Center (FMC) API version 1 method generation
version 0.004002
    use strict;
    use warnings;
    use Net::Cisco::FMC::v1;
    use Moo::Role ();

    my $fmc = Net::Cisco::FMC::v1->new(
        server      => 'https://fmcrestapisandbox.cisco.com',
        user        => 'admin',
        passwd      => '$password',
        clientattrs => { timeout => 30 },
    );

    Moo::Role->apply_roles_to_object($fmc,
        'Net::Cisco::FMC::v1::Role::FixAccessruleLiterals');
Cisco FMC 6.3.0 introduced support for FQDN objects, which broke literal IPv4 host and network objects via the accessrules REST API. Even worse, not only are the types in the replies incorrect, but updating an existing rule or creating a new one based on a reply silently swallows literal host and network objects which have their type set to FQDN.
This role works around this bug by modifying the replies of "get_accessrule" and "list_accessrules" in Net::Cisco::FMC::v1 and replacing 'FQDN' with 'Network'.
This is what an accessrule API response looks like in 6.2.3.7:
    {
      "links": {
        "self": "https://fmc6237.example.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/005056A6-88ED-0ed3-0000-330712486749/accessrules?offset=0&limit=1&expanded=true"
      },
      "items": [
        {
          "metadata": {
            "ruleIndex": 1,
            "section": "Mandatory",
            "category": "--Undefined--",
            "accessPolicy": {
              "type": "AccessPolicy",
              "name": "test",
              "id": "005056A6-88ED-0ed3-0000-330712486749"
            },
            "timestamp": 1551185188796,
            "domain": {
              "name": "Global",
              "id": "e276abec-e0f2-11e3-8169-6d9ed49b625f",
              "type": "Domain"
            }
          },
          "links": {
            "self": "https://fmc6237.example.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/005056A6-88ED-0ed3-0000-330712486749/accessrules/005056A6-88ED-0ed3-0000-000268435459"
          },
          "enabled": true,
          "name": "test",
          "type": "AccessRule",
          "action": "ALLOW",
          "id": "005056A6-88ED-0ed3-0000-000268435459",
          "sourceNetworks": {
            "literals": [
              { "type": "Network", "value": "10.0.0.0/24" }
            ]
          },
          "destinationNetworks": {
            "literals": [
              { "type": "Host", "value": "10.1.0.1" }
            ]
          },
          "logBegin": false,
          "logEnd": false,
          "variableSet": {
            "name": "Default-Set",
            "id": "76fa83ea-c972-11e2-8be8-8e45bb1343c0",
            "type": "VariableSet"
          },
          "logFiles": false,
          "vlanTags": {},
          "sendEventsToFMC": false
        }
      ],
      "paging": {
        "offset": 0,
        "limit": 1,
        "count": 1,
        "pages": 1
      }
    }
And on FMC 6.3.0.1:
    {
      "links": {
        "self": "https://fmc6301.example.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/00505688-74E1-0ed3-0000-193273532969/accessrules?offset=0&limit=1&expanded=true"
      },
      "items": [
        {
          "metadata": {
            "ruleIndex": 1,
            "section": "Mandatory",
            "category": "--Undefined--",
            "accessPolicy": {
              "type": "AccessPolicy",
              "name": "test",
              "id": "00505688-74E1-0ed3-0000-193273532969"
            },
            "timestamp": 1551185492316,
            "domain": {
              "name": "Global",
              "id": "e276abec-e0f2-11e3-8169-6d9ed49b625f",
              "type": "Domain"
            }
          },
          "links": {
            "self": "https://fmc.6301.example.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/00505688-74E1-0ed3-0000-193273532969/accessrules/00505688-74E1-0ed3-0000-000268447785"
          },
          "id": "00505688-74E1-0ed3-0000-000268447785",
          "sourceNetworks": {
            "literals": [
              { "type": "Network", "value": "10.0.0.0/24" }
            ]
          },
          "destinationNetworks": {
            "literals": [
              { "type": "FQDN", "value": "1.1.0.1" }
            ]
          },
          "logFiles": false,
          "logBegin": false,
          "logEnd": false,
          "variableSet": {
            "name": "Default-Set",
            "id": "76fa83ea-c972-11e2-8be8-8e45bb1343c0",
            "type": "VariableSet"
          },
          "enableSyslog": false,
          "vlanTags": {},
          "sendEventsToFMC": false,
          "type": "AccessRule",
          "action": "ALLOW",
          "name": "test",
          "enabled": true
        }
      ],
      "paging": {
        "offset": 0,
        "limit": 1,
        "count": 1,
        "pages": 1
      }
    }
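
An added example, not code from the module: one way to detect and correct the mistyped literals in a decoded accessrules reply and keep a record of each change before the rule is written back. The helper name fix_accessrule_literals, the IPv4 pattern and the trimmed sample reply are assumptions made for this illustration.

```perl
use strict;
use warnings;
use JSON::PP ();

# Constructed sample: one rule trimmed from the 6.3.0.1 reply shown above.
my $reply = JSON::PP->new->decode(<<'JSON');
{ "items": [ {
    "name": "test",
    "sourceNetworks":      { "literals": [ { "type": "Network", "value": "10.0.0.0/24" } ] },
    "destinationNetworks": { "literals": [ { "type": "FQDN",    "value": "1.1.0.1" } ] }
} ] }
JSON

# Assumption: a loose syntactic test for a dotted-quad IPv4 address with an
# optional /prefix, so only IPv4 literals are retyped.
my $ipv4_re = qr{\A(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\z};

# Hypothetical helper: rewrites mistyped literals in place and returns one
# finding per change, so the caller can log what a write-back would have dropped.
sub fix_accessrule_literals {
    my ($rule) = @_;
    my @findings;
    for my $field (qw( sourceNetworks destinationNetworks )) {
        my $networks = $rule->{$field}       or next;   # field absent on this rule
        my $literals = $networks->{literals} or next;   # objects only, no literals
        for my $literal (@$literals) {
            next unless $literal->{type} eq 'FQDN'
                && $literal->{value} =~ $ipv4_re;
            $literal->{type} = 'Network';   # the replacement described on this page
            push @findings,
                "$rule->{name}: $field literal $literal->{value} retyped FQDN -> Network";
        }
    }
    return @findings;
}

my @findings = map { fix_accessrule_literals($_) } @{ $reply->{items} };
print "$_\n" for @findings;
```

A non-empty findings list on a rule means the reply carried the 6.3.0 mistyping, and that rule should not be sent back unmodified.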
Alexander Hartmaier <abraxxa@cpan.org>
This software is copyright (c) 2018 - 2020 by Alexander Hartmaier.
This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.