├── .gitignore ├── Makefile ├── README.md ├── contributing.md └── labs ├── firepower-estreamer-splunk ├── 1.md ├── 2.md ├── 3.md ├── 4.md ├── 5.md ├── assets │ └── images │ │ ├── eStreamereNcoreOperationsGuidev1.0.pdf │ │ ├── pic1.png │ │ ├── pic10.png │ │ ├── pic11.png │ │ ├── pic12.png │ │ ├── pic13.png │ │ ├── pic14.png │ │ ├── pic15.png │ │ ├── pic16.png │ │ ├── pic17.png │ │ ├── pic18.png │ │ ├── pic2-2.png │ │ ├── pic2.png │ │ ├── pic3-3.png │ │ ├── pic3.png │ │ ├── pic4.png │ │ ├── pic5.png │ │ ├── pic6.png │ │ ├── pic7.png │ │ ├── pic8.png │ │ └── pic9.png ├── byod.html └── firepower-estreamer-splunk.json ├── firepower-restapi-101 ├── 0.md ├── 1.md ├── 2.md ├── assets │ └── images │ │ ├── FMC1.png │ │ ├── FMCCallFlow.jpg │ │ ├── SAM!.PNG │ │ ├── fmcapiexp.PNG │ │ ├── fmcexpcode.png │ │ ├── fmcexpobj.png │ │ ├── fmcui.png │ │ ├── sam2.PNG │ │ └── sam3.PNG ├── byod.html └── firepower-restapi-101.json ├── firepower-restapi-102 ├── 0.md ├── 1.md ├── 2.md ├── 3.md ├── assets │ └── images │ │ └── FMCCallFlow.jpg ├── byod.html └── firepower-restapi-102.json ├── firepower-restapi-103 ├── 0.md ├── 1.md ├── 2.md ├── 3.md ├── 4.md ├── assets │ └── images │ │ ├── FMC1.png │ │ ├── firesight-04.png │ │ └── uiimage1.PNG ├── byod.html └── firepower-restapi-103.json ├── firepower-restapi-104 ├── 1.md ├── 2.md ├── byod.html └── firepower-restapi-104.json ├── firepower-restapi-105 ├── 1.md ├── 2.md ├── byod.html └── firepower-restapi-105.json ├── firepower-restapi-106 ├── 0.md ├── 1.md ├── 2.md ├── 3.md ├── 4.md ├── byod.html └── firepower-restapi-106.json ├── firepower-restapi-107 ├── 0.md ├── 1.md ├── 2.md ├── 3.md ├── 4.md ├── assets │ └── images │ │ ├── image1.jpg │ │ ├── image2.jpg │ │ └── image3.jpg ├── byod.html └── firepower-restapi-107.json ├── firepower-restapi-109 ├── 0.md ├── 1.md ├── 2.md ├── 3.md ├── 4.md ├── assets │ └── images │ │ ├── expl-01.png │ │ ├── expl-02.png │ │ ├── expl-03.png │ │ └── expl-04.png ├── byod.html └── firepower-restapi-109.json ├── 
firepower-restapi-110 ├── 1.md ├── 2.md ├── assets │ └── images │ │ ├── exp01.png │ │ └── exp02.png ├── byod.html └── firepower-restapi-110.json ├── firepower-restapi-111 ├── 1.md ├── 2.md ├── 3.md ├── assets │ └── images │ │ ├── Picture1.png │ │ ├── Picture2.png │ │ ├── Picture3.png │ │ ├── Picture4.png │ │ ├── Picture5.png │ │ ├── Picture6.png │ │ └── Picture7.png ├── byod.html └── firepower-restapi-111.json └── firepower-restapi-112 ├── 1.md ├── 2.md ├── assets └── images │ ├── pic1.PNG │ ├── pic2.PNG │ ├── pic3.PNG │ ├── pic4.PNG │ ├── pic5.PNG │ ├── pic6.PNG │ └── pic7.PNG ├── byod.html └── firepower-restapi-112.json /.gitignore: -------------------------------------------------------------------------------- 1 | # Compiled source # 2 | ################### 3 | *.com 4 | *.class 5 | *.dll 6 | *.exe 7 | *.o 8 | *.so 9 | 10 | # Packages # 11 | ############ 12 | # it's better to unpack these files and commit the raw source 13 | # git has its own built in compression methods 14 | *.7z 15 | *.dmg 16 | *.gz 17 | *.iso 18 | *.jar 19 | *.rar 20 | *.tar 21 | *.zip 22 | 23 | # Logs and databases # 24 | ###################### 25 | *.log 26 | *.sql 27 | *.sqlite 28 | 29 | # OS generated files # 30 | ###################### 31 | .DS_Store 32 | .DS_Store? 
33 | ._* 34 | .Spotlight-V100 35 | .Trashes 36 | ehthumbs.db 37 | Thumbs.db 38 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | preview: 2 | docker run -p "9000:9000" -p "35729:35729" \ 3 | -v $(CURDIR)/labs:/opt/labs \ 4 | containers.cisco.com/asroach/learning-labs-previewer:latest 5 | open http://localhost:9000 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Cisco DevNet Learning Labs: Firepower Management Center 2 | 3 | These self-paced interactive tutorials provide instructions to visualize threat data provided by the Firepower Management Center (FMC). 4 | 5 | Labs are written to be displayed within the [Cisco DevNet Learning Labs system](https://developer.cisco.com/learning). 6 | 7 | Contributions are welcome, and we are glad to review changes through pull requests. See [contributing.md](contributing.md) for details. 8 | 9 | Once approved, Cisco DevNet reviewers then create a release that is published through our Learning Labs system. 10 | 11 | The goal of these Learning Labs is to ensure a 'hands-on' learning approach rather than just theory or instructions. 12 | 13 | ## About these Learning Labs 14 | 15 | Explores basic analysis of threats and compromised hosts. 16 | 17 | ## Preview Learning Lab Markdown locally 18 | 19 | Refer to the instruction for your text editor for Markdown previewing. For example, [Markdown and Visual Studio Code](https://code.visualstudio.com/Docs/languages/markdown) describes how to configure Markdown extensions. 20 | 21 | ## Contributing 22 | 23 | These learning modules are for public consumption, so you must ensure that you have the rights to any content that you contribute. 24 | 25 | Write your content in Markdown. 
DevNet staff reviews content according to the [Cisco Style Guide](http://www-author.cisco.com/c/en/us/td/docs/general/style/guide/Latest/stylegd.html). (Link available on Cisco VPN only.) 26 | 27 | #### Publishing Requirements 28 | 29 | To create and publish a new lab, take the following steps: 30 | - Add a new folder under `labs`. 31 | - Create a JSON file with the same name as the `labs/`_folder_ name. 32 | - Create markdown files named 1.md, 2.md, and so on; refer to those files in the `labs/`_folder_ JSON file. 33 | - Ensure that the JSON file contains appropriate page titles and file references. 34 | - Send a pull request to get the files committed and merged to the default branch by a DevNet reviewer. 35 | 36 | A DevNet reviewer then creates a release on the repository with the latest changes and publishes through the admin interface. 37 | 38 | #### Editors 39 | 40 | You can write Markdown in a plain text editor, but there are many desktop and Web-based options that allow you to write and preview your work at the same time. We recommend Visual Studio Code [Download](https://code.visualstudio.com/) for several reasons: 41 | - Lightweight environment for coding (or writing Markdown) 42 | - Available on Mac OS, Linux or Windows 43 | - Github Client integration 44 | - Great Markdown preview features native in the editor 45 | - Intuitive operation and structure 46 | 47 | You can validate a JSON file by using the [online formatter and validator](https://jsonformatter.curiousconcept.com). 48 | 49 | ## Getting Involved 50 | 51 | * If you'd like to contribute to an existing lab, refer to [contributing.md](contributing.md). 52 | * If you're interested in creating a new Cisco DevNet Learning Lab, please contact a DevNet administrator for guidance. 
53 | 54 | 55 | -------------------------------------------------------------------------------- /contributing.md: -------------------------------------------------------------------------------- 1 | # How to contribute to a Learning Lab 2 | 3 | For Learning Labs, you can help in these primary ways: 4 | 5 | - Testing the Learning Lab, and then reporting issues in the repo or in the common issues tracking repo. 6 | - Using the Issue tracker to report issues, or comment that you will work on an issue. 7 | - Updating the content in the Learning Lab repo. 8 | - Requesting or creating a release. 9 | - Contacting DevNet to publish new or updated Learning Labs. 10 | 11 | 12 | ## Using the issue tracker 13 | 14 | For Learning Labs, there are two potential places to track issues, depending on whether the repo is public or private. 15 | 16 | For public repo Learning Labs, use the issue tracker in the repo. All Learning Labs repos in the CiscoDevNet organization have a topic of learning-labs. 17 | 18 | For private Learning Labs, use the common issue tracker in the [CiscoDevNet/learning-labs-issues](https://github.com/CiscoDevNet/learning-labs-issues) repo. 19 | 20 | For DevNet Express events, use these Issue tracker repos based on the content track: 21 | 22 | * https://github.com/CiscoDevNet/devnet-express-dna-issues 23 | * https://github.com/CiscoDevNet/devnet-express-cc-issues 24 | * https://github.com/CiscoDevNet/devnet-express-dci-issues 25 | * https://github.com/CiscoDevNet/devnet-express-security-issues/issues/ 26 | 27 | Use the issue tracker to suggest additions, report bugs, and ask questions. This is also a great way to connect with the developers of the project and find others interested in this solution. 28 | 29 | Also use the issue tracker to find ways to contribute. Test a lab, find a bug, log an issue. Or offer an update, comment on the issue that you will take on that effort, then follow the ``Changing the Learning Lab`` content guidance below. 
30 | 31 | 32 | ## Changing the Learning Lab content 33 | 34 | Generally speaking, you should clone the Learning Lab repository, make changes locally, and then submit a Pull Request (PR). We expect you have validated that all documented tasks work as expected. Plus, the content should follow the [Learning Lab Style Guide](https://github.com/CiscoDevNet/devnet-writing-guidelines/wiki/Lab-Style-Guide). 35 | 36 | The [DevNet Writing Guidelines Wiki](https://github.com/CiscoDevNet/devnet-writing-guidelines/wiki) describes the review and publishing process in detail. Please feel free to request reviews from DevNet contributors you see in the repository and we will review submissions. 37 | -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/1.md: -------------------------------------------------------------------------------- 1 | # Firepower eStreamer and Splunk 2 | 3 | ## Lab Objective 4 | 5 | Create a Splunk application that visualizes threat data provided by the Firepower Management Center (FMC) using the eStreamer API. 6 | 7 | 8 | Completion time: 45 minutes 9 | 10 | 11 | ## Prerequisites 12 | 13 | Basic understanding of Splunk and the Firepower Management Center 14 | 15 | Basic Linux CLI knowledge 16 | 17 | A DevNet Sandbox instance from the below link: 18 | https://devnetsandbox.cisco.com/RM/Diagram/Index/2dc005dc-a5bf-4b44-8ae2-074d61076b50?diagramType=Topology 19 | 20 | ## Learning Objective 21 | 22 | After Completing this module, you will be able to: 23 | 24 | - Stream events from a FMC to a Splunk instance using eStreamer 25 | 26 | - Create Splunk apps that can visualize the data provided by the FMC 27 | 28 | ## eStreamer API 29 | 30 | The Firepower Management Center’s (FMC) eStreamer API streams Firepower events to remote clients. Users can choose which event types they wish to stream and can stream events to multiple remote clients. 31 | 32 | ## Configuring eStreamer: 33 | 34 | 1. 
Navigate to the FMC UI 35 | 36 | 1. For the DevNet live sandbox, connect to the Sandbox VPN and navigate to: https://10.10.20.40 37 | 38 | 2. **Log in** with your username and password 39 | 40 | 3. Navigate via the menu to: **System \> Integration \> eStreamer** 41 | 42 | 4. In the left-hand panel select the event types shown in the screenshot below and click **‘Save’** 43 | 44 | ![FMC Screenshot](assets/images/pic1.png) 45 | 46 | 5. Click **‘Create Client’** 47 | 48 | 6. Enter the **‘Hostname’** of the remote Splunk server that will receive the events 49 | 50 | ![FMC Screenshot](assets/images/pic2.png) 51 | 52 | 7. Click **‘Save’** to create the new Client 53 | 54 | 8. Once the client configuration is saved, click on the **download** ![FMC Screenshot](assets/images/pic3-3.png) **icon** to obtain the client certificate required to connect via the eNcore eStreamer client 55 | -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/2.md: -------------------------------------------------------------------------------- 1 | ## Cisco eStreamer eNcore for Splunk Technical Add-on (TA) 2 | 3 | eNcore is a new all-purpose client which requests all possible events from eStreamer, parses the binary content and outputs events in various formats to support SIEMs. eNcore supports Common Information Model (CIM) for broad support with Splunk. 4 | 5 | For in-depth instructions on installing eNcore, refer to the [eStreamer eNcore Operations Guide](https://supportforums.cisco.com/legacyfs/online/attachments/document/cisco_estreamer_end_user_license_agreement.pdf). 6 | 7 | The [Cisco eStreamer eNcore Add-on for Splunk](https://splunkbase.splunk.com/app/3662/) is available on Splunkbase. DevNet sandboxes already have the Add-on installed. 8 | 9 | 10 | ## Setup Instructions 11 | 12 | 1. The eNcore client will need the client certificate obtained above to connect to the FMC.
SCP the client certificate to the Splunk server for use by the eNcore client (DevNet sandboxes already have the client certificate copied to the correct location). The PKCS12 file contains the client's private key, so copy it only over an encrypted channel such as SCP and restrict read access to it on the Splunk server. 13 | 14 | `$ scp <local-path>/client.pkcs12 <user>@<splunk-server>:/opt/splunk/etc/apps/TA-eStreamer/bin/encore/client.pkcs12` 15 | 16 | 17 | ## Enable the Data Inputs 18 | 19 | The eNcore client creates log files that can be parsed by Splunk. The Add-on creates the necessary Data Inputs to allow the logs to be parsed. The Data Inputs must be enabled before setting up the Add-on. To enable the Data Inputs: 20 | 21 | 1. Log in to the Splunk server. 22 | 23 | 1. If you are using a DevNet sandbox, navigate to [https://10.10.20.25](https://10.10.20.25) and log in with the provided credentials. 24 | 25 | 2. Navigate to **‘Settings \> Data Inputs’** 26 | 27 | 3. Click **‘Files & directories’** 28 | 29 | 4. Locate **$SPLUNK_HOME/etc/apps/TA-eStreamer/data** and **Enable** it 30 | 31 | 5. Navigate to **‘Settings \> Data Inputs’** 32 | 33 | 6. Click **'Scripts'** 34 | 35 | 7. Locate the following Commands and **Enable** them 36 | 37 | 1. /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh clean 38 | 39 | 2. /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh start 40 | 41 | 3. /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh status 42 | 43 | ## Setup Cisco eStreamer eNcore for Splunk 44 | 45 | 1. Click on the **gear icon next to Apps** in the upper right hand corner of the UI. This will navigate you to the Apps page. 46 | 47 | 2. Locate the app named **Cisco eStreamer eNcore for Splunk** and click on the **Set up** link 48 | 49 | 3. In the **Control** section, click on the **Is enabled?** checkbox. 50 | 51 | 4. In the **Connection** section, enter the IP/Hostname of your FMC. For DevNet sandboxes enter: **10.10.20.40**. 52 | 53 | 5. In the **Authentication** section, click on the checkbox next to **Process PKCS12 file?** 54 | 55 | 6. Click **Save** 56 | 57 | 7. 
You should see a success message at the top of the page stating, **"Successfully updated "TA-eStreamer".** 58 | 59 | 8. The eNcore Add-on is now configured and running. 60 | -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/3.md: -------------------------------------------------------------------------------- 1 | ## Creating the Splunk App: ## 2 | 3 | 1. Click on the **gear icon next to Apps** in the upper right hand corner of 4 | the UI. This will navigate you to the Apps page. 5 | 6 | 2. Click on **‘Create app’** 7 | 8 | 3. Enter the **name** for your app 9 | 10 | 4. Enter the **directory** for your app. Note the directory cannot contain spaces or special characters. 11 | 12 | 5. Click **‘Save’** 13 | 14 | ![FMC Screenshot](assets/images/pic4.png) 15 | -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/4.md: -------------------------------------------------------------------------------- 1 | ## View the streamed data 2 | Now you can begin analyzing your Firepower data in your splunk App. 3 | 4 | 1. Open your app by using the App menu at the top of the screen or by clicking on the icon on the home page 5 | 6 | 2. You will be presented with a search view of the data that is being indexed from your newly created data source. 7 | 8 | ![FMC Screenshot](assets/images/pic9.png) 9 | 3. Enter in the following string into the search input 10 | 11 | ``` 12 | sourcetype="cisco:estreamer:data" | top 10 dest_ip 13 | ``` 14 | 15 | 4. You will be presented with a tabular view of the top 10 destination IPs that have been seen in the events being streamed from the FMC 16 | 17 | 5. Click on the **‘Visualization’** tab above the table and then select ***Bar Chart*** 18 | 19 | - You will now see a bar chart view of the destination IP data. 
The chart has the count of the occurrences of the destination IP on the X-Axis and the destination IP on the Y-Axis 20 | 21 | ![FMC Screenshot](assets/images/pic10.png) 22 | 23 | 24 | ## Build a dashboard out of the data 25 | 26 | 1. From the page with the Visualization above click on **‘Save As’** at the top right of the page 27 | 28 | 2. Select **‘Dashboard Panel’** 29 | 30 | ![FMC Screenshot](assets/images/pic11.png) 31 | 32 | 3. Set the following configurations in the ‘Save as Dashboard Panel’ dialog 33 | 34 | - Dashboard Title = **‘Threat Dashboard’** 35 | 36 | - Dashboard Permissions = **‘Shared in App’** 37 | 38 | - Panel Title = **‘Top Destination IPs’** 39 | 40 | - Click **‘Save’** 41 | 42 | ![FMC Screenshot](assets/images/pic12.png) 43 | 44 | 4. A success dialog will appear 45 | 46 | 5. Click the green **‘View Dashboard’** button at the bottom of the success dialog 47 | 48 | 6. You will now be shown the newly created Dashboard 49 | 50 | ![FMC Screenshot](assets/images/pic13.png) 51 | 52 | 53 | 54 | ## Adding more panels to the dashboard 55 | 56 | 1. Click the gray **‘Edit’** button at the top right of the screen 57 | 58 | - This will switch the view to the dashboard editor. This is where you can change all aspects of the dashboard. 59 | 60 | 2. Click on the gray **‘+ Add Panel’** button at the top center-right of the page 61 | 62 | 3. In the **‘Add Panel’** section click on **New** and then **Bar Chart** 63 | 64 | 4. Enter in the following information 65 | 66 | - Content Title = **‘Source IPs’** 67 | 68 | - Search String (below) 69 | ``` 70 | sourcetype="cisco:estreamer:data" | top 10 src_ip 71 | ``` 72 | 5. Click the green **‘Add to Dashboard’** button at the top 73 | 74 | ![FMC Screenshot](assets/images/pic14.png) 75 | 76 | 6. Click the green **‘Add to Dashboard’** button at the top 77 | 78 | 7. Click on the gray **‘+ Add Panel’** button at the top center-right of the page 79 | 80 | 8. 
In the **‘Add Panel’** section click on **New** and then **Bar Chart** 81 | 82 | 9. Enter in the following information 83 | 84 | - Content Title = **‘Transmitted Malware’** 85 | 86 | - Search String (below) 87 | ``` 88 | sourcetype="cisco:estreamer:data" rec_type_desc="Malware Event Record"| top 10 file_name sha256 host 89 | ``` 90 | 10. Click the green **‘Add to Dashboard’** button at the top 91 | 92 | 11. Click on the gray **‘+ Add Panel’** button at the top center-right of the page 93 | 94 | 12. In the **‘Add Panel’** section click on **New** and then **Area Chart** 95 | 96 | 13. Enter in the following information 97 | 98 | - Search String (below) 99 | ``` 100 | sourcetype="cisco:estreamer:data" | timechart count by rec_type_desc 101 | ``` 102 | 14. Click the green **‘Add to Dashboard’** button at the top 103 | 104 | 15. Click on the gray **‘+ Add Panel’** button at the top center-right of the page 105 | 106 | 16. In the **‘Add Panel’** section click on **New** and then **Choropleth Map** 107 | 108 | 17. Enter in the following information 109 | 110 | - Search String (below) 111 | ``` 112 | sourcetype="cisco:estreamer:data" | iplocation dest_ip | stats count by Country | geom geo_countries featureIdField=Country 113 | ``` 114 | 18. Click the green **‘Add to Dashboard’** button at the top 115 | 116 | 19. Reorganize the Panels as shown in the screenshot below. Reposition panels by clicking and dragging the gray dotted bar at the top of the panel. 117 | 118 | 20. Click the green **‘Save’** button at the top-right of the page 119 | 120 | ![FMC Screenshot](assets/images/pic15.png) 121 | -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/5.md: -------------------------------------------------------------------------------- 1 | ## Add the dashboard to the app’s navigation 2 | The dashboard is not easily accessible at the moment. We will now add the dashboard to the navigation of the Splunk App. 3 | 4 | 1. 
Navigate to **‘Settings \> Knowledge \> User Interface’** via the top navigation bar 5 | 6 | 2. Click on **‘Navigation menus’** 7 | 8 | 3. Click on **‘default’** Nav name in the table 9 | 10 | 4. In the XML editor add the following line at the end of the `<nav>` list as shown in the screenshot below 11 | 12 | `<view name="<your_dashboard_id>" />` 13 | 14 | ![FMC Screenshot](assets/images/pic2-2.png) 15 | 16 | 5. Click the green **‘Save’** button at the bottom right of the page 17 | 18 | 6. At the top of the page click on **‘Apps’** then on **‘<your app name>’** to load your app 19 | 20 | 7. Notice that the **‘Threat Dashboard’** you just created is now accessible via the top navigation 21 | 22 | 8. Click on **‘Threat Dashboard’** in the navigation at the top of the page 23 | 24 | ![FMC Screenshot](assets/images/pic17.png) 25 | 26 | ## Add a drilldown into the FMC User Interface 27 | 28 | 1. Navigate to the **‘Threat Dashboard’** within your App 29 | 30 | 2. Click on the gray **‘Edit’** icon at the top right of the page 31 | 32 | 3. Locate the Panel with the **‘Transmitted Files’** chart (the panel added earlier with the title ‘Transmitted Malware’, whose search returns the `sha256` and `host` fields used below) 33 | 34 | 4. Click on the blue **‘three dot’** icon above and to the right of the chart 35 | 36 | 5. Click **‘Edit Drilldown’** 37 | 38 | 6. Set the following configuration 39 | 40 | 1. On click = **Link to custom URL** 41 | 42 | 2. URL = string below 43 | 44 | `https://$row.host$/ddd/#FileTrajectory;sha=$row.sha256$` 45 | 46 | 7. Select **‘Open in new tab’** 47 | 48 | 8. Click the green **‘Apply’** button at the bottom right of the dialog 49 | 50 | 9. Save the dashboard by clicking on the green **‘Save’** button at the top right of the page 51 | 52 | 10. Click on one of the bars in the **‘Transmitted Files’** chart 53 | 54 | 11. You will be redirected to the FMC’s Network File Trajectory page which provides additional context about the selected file’s trajectory through your network. 
55 | -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/eStreamereNcoreOperationsGuidev1.0.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/eStreamereNcoreOperationsGuidev1.0.pdf -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/pic1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic1.png -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/pic10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic10.png -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/pic11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic11.png -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/pic12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic12.png 
-------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/pic13.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic13.png -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/pic14.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic14.png -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/pic15.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic15.png -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/pic16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic16.png -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/pic17.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic17.png -------------------------------------------------------------------------------- 
/labs/firepower-estreamer-splunk/assets/images/pic18.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic18.png -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/pic2-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic2-2.png -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/pic2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic2.png -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/pic3-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic3-3.png -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/pic3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic3.png -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/pic4.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic4.png -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/pic5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic5.png -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/pic6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic6.png -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/pic7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic7.png -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/pic8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic8.png -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/assets/images/pic9.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-estreamer-splunk/assets/images/pic9.png -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/byod.html: -------------------------------------------------------------------------------- 1 |
2 |

You need one of these popular web browsers: Chrome, Firefox, Safari, or IE.

3 |

You can use either your own FMC setup or our FMC REST API Sandbox.

4 |
5 | -------------------------------------------------------------------------------- /labs/firepower-estreamer-splunk/firepower-estreamer-splunk.json: -------------------------------------------------------------------------------- 1 | { 2 | "labId": "firepower-estreamer-splunk", 3 | "title": "Firepower eStreamer and Splunk: Learn to create custom Splunk App that visualize threat data using Firepower Management Center (FMC) eStreamer API", 4 | "slug": "This lab gives intoduction to Firepower Management Center (FMC) eStreamer APIs. You can learn to create a Splunk application that visualizes threat data provided by the Firepower Management Center (FMC) using the eStreamer API", 5 | "time": "45", 6 | "tags": [{ 7 | "title": "Firepower Management Center" 8 | }, { 9 | "title": "Firepower" 10 | }, 11 | { 12 | "title": "FMC" 13 | }, 14 | { 15 | "title": "Security" 16 | }, 17 | { 18 | "title": "Firewalls" 19 | },{ 20 | "title": "FTD" 21 | }, { 22 | "title": "NGFW" 23 | }, { 24 | "title": "NGIPS" 25 | }, { 26 | "title": "Splunk" 27 | }, { 28 | "title": "Firepower Threat Defence" 29 | }, { 30 | "title": "estreamer" 31 | }], 32 | "files": [{ 33 | "title": "1.md" 34 | }, { 35 | "title": "2.md" 36 | }, { 37 | "title": "3.md" 38 | }, { 39 | "title": "4.md" 40 | }, { 41 | "title": "5.md" 42 | }], 43 | "related": [{ 44 | "labId": "firepower-restapi-110", 45 | "title": "FMC rest api Lab 110" 46 | }], 47 | "authors": [{ 48 | "name": "Krishan Veer", 49 | "email": "veer@cisco.com", 50 | "name": "Greg Berson", 51 | "email": "gberson@cisco.com" 52 | }], 53 | "byod": true 54 | } 55 | -------------------------------------------------------------------------------- /labs/firepower-restapi-101/0.md: -------------------------------------------------------------------------------- 1 | # Exploring Firepower Management Center (FMC) REST APIs 2 | 3 | This Learning Lab provides an introduction to FMC REST APIs and the FMC REST API Explorer tool that is packaged with FMC. 
The FMC REST APIs automate the management of Firepower Threat Defense (FTD) and Legacy Firepower devices. 4 | 5 | ## Objectives 6 | 7 | When you have completed this lab, you will be able to: 8 | 9 | * Understand what FMC is. 10 | * Understand how to enable FMC REST APIs. 11 | * Reserve a login on the FMC Sandbox. 12 | * Understand the basic concepts of the FMC REST API explorer tool packaged with FMC. 13 | 14 | ## Prerequisites 15 | 16 | * Basic understanding of REST principles. Complete the [REST API Fundamentals Learning Lab](https://developer.cisco.com/learning/tracks/devnet-beginner/rest-api-fundamentals/what-are-rest-apis/step/1). 17 | * Basic understanding of firewalls. Review the content at [What is a Firewall?](https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html) 18 | 19 | **Next**: What is Firepower Management Center? 20 | -------------------------------------------------------------------------------- /labs/firepower-restapi-101/1.md: -------------------------------------------------------------------------------- 1 | # What is Firepower Management Center? 2 | 3 | Firepower Management Center (FMC) provides administrators with complete, unified control over firewall management, application control, intrusion prevention, URL filtering, and malware protection and remediation. 4 | 5 | FMC versions 6.1 and later supplement the FMC web-based GUI with the first release of FMC REST APIs. These APIs enable administrators to integrate FMC with existing applications, and they also enable workflow automation. 6 | 7 | ![Figure: FMC REST API example setup](assets/images/FMC1.png) 8 | 9 | ## Enabling the FMC REST API 10 | 11 | The FMC REST API must be enabled in your FMC setup, and it is enabled by default. It is also enabled by default in the [DevNet Sandbox](https://devnetsandbox.cisco.com/RM/Diagram/Index/1228cb22-b2ba-48d3-a70a-86a53f4eecc0?diagramType=Topology). 
For information about the sandbox, refer to "Obtaining a username and password for an FMC Sandbox" below. 12 | 13 | If you need to manually enable FMC REST API, follow this procedure. 14 | 15 | 1. In your browser, navigate to FMC UI. The URL will be `https://`. 16 | 2. From the **System** menu in the upper left corner, select the **Configuration** tab. 17 | 3. On the **Configuration** tab, select **REST API Preferences** and ensure that **Enable REST API** is selected. 18 | 19 | ![Figure: FMC UI API setup](assets/images/fmcui.png) 20 | 21 | ## Obtaining a username and password for an FMC Sandbox 22 | 23 | To log in to the FMC Sandbox, users must reserve lab time to obtain credentials. For more information refer to the [FMC Sandbox documentation](https://developer.cisco.com/docs/sandbox/#security/overview). 24 | 25 | 1. Navigate to [the DevNet REST API Sandbox with FMC](https://devnetsandbox.cisco.com/RM/Diagram/Index/1228cb22-b2ba-48d3-a70a-86a53f4eecc0?diagramType=Topology) 26 | 2. Log in with your DevNet credentials. 27 | 3. On the DevNet Sandbox page, click the **RESERVE** button. 28 | 4. In the Reserve dialog, accept the defaults and click **Reserve**. The Sandbox reservation setup process begins, and will take up to 5 minutes to complete. 29 | 30 | When the setup process is complete, a username and password will be emailed to you and will be displayed in the output window on this page. You can now log into the API Explorer at https://fmcrestapisandbox.cisco.com/api/api-explorer/. 31 | 32 | These credentials are valid for the duration of your reservation. You will not be able to use these temporary credentials when the reservation has ended, but if you require further access, repeat the reservation process. 
33 | 34 | **Next**: FMC API Explorer 35 | -------------------------------------------------------------------------------- /labs/firepower-restapi-101/2.md: -------------------------------------------------------------------------------- 1 | # FMC API Explorer 2 | 3 | The FMC API Explorer provides a list of FMC REST APIs, describes those APIs, and provides a limited GUI. Each function in the REST API maps to permissions in the FMC GUI. 4 | 5 | The API Explorer resides on the FMC, and can be accessed at: `https://<FMC-hostname-or-IP>/api/api-explorer/`. 6 | 7 | If you do not have an FMC instance, reserve a resource on the [FMC REST API Sandbox](https://devnetsandbox.cisco.com/RM/Diagram/Index/1228cb22-b2ba-48d3-a70a-86a53f4eecc0?diagramType=Topology). When you have reserved a resource, you can access the [API Explorer](https://fmcrestapisandbox.cisco.com/api/api-explorer/). 8 | 9 | **Note**: The first time you connect to the API Explorer you may receive an error that states that the connection is not secure due to an invalid certificate. You will need to add an exception in your browser to use the certificate and accept the connection. Add the exception only after confirming that you are connecting to the intended lab or sandbox address; on a production FMC, resolve the warning by installing a certificate that your browser trusts instead of bypassing the check. 10 | 11 | ![Figure: FMC REST API Explorer screen shot ](assets/images/fmcapiexp.PNG) 12 | 13 | ## Authentication to the API Explorer 14 | 15 | FMC REST API uses token-based authentication. You need a valid access token to invoke a REST call, and every REST call must include a header in which `key` is set to `X-auth-access-token` and the `value` contains the access token. You can learn more in [FMC REST API Authentication](https://developer.cisco.com/learning/lab/firepower-restapi-102/step/1). 16 | 17 | The API Explorer automates the access token process, and you can log into the API Explorer using any FMC account, but you will only be able to perform the functions for which the account has permissions.
For more information on setting permissions for user roles, see the [Firepower Management Center Configuration Guide](http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/logging_into_firepower_system.html). 18 | 19 | ## Logging into FMC 20 | 21 | To log into the API Explorer, navigate to your FMC instance or an active FMC sandbox and log in with your username and password. 22 | 23 | Detailed information about logging into FMC is documented in the [Firepower Management Center Configuration Guide](https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-and-configuration-guides-list.html). 24 | 25 | **Note**: Ensure that the version of the Configuration Guide matches the version of the FMC that you are using. 26 | 27 | ## Setting the domain 28 | 29 | The FMC REST API can perform functions globally, in the default domain, or in specific domains. To select the domain, you must have an account with permissions to access the REST API in one or more domains configured on your FMC. Select the desired domain from the **Domains** menu. 30 | 31 | ## Obtaining sample code 32 | 33 | The API Explorer can generate sample REST call code in Python and Perl. This code can be adapted to your specific implementation. 34 | 35 | **Note**: Refer to the [Release Notes](https://www.cisco.com/c/en/us/support/security/defense-center/products-release-notes-list.html) for your version of FMC for more information about web browser compatibility. 36 | 37 | 1. In the **API INFO** menu, select a resource, such as **Devices**. 38 | 2. Locate the desired function and select **DELETE**, **PUT**, **POST**, or **GET**. 39 | 3. Select and input parameters for the function. 40 | 4. In the panel on the right, locate the **Export operation in** drop-down menu and select **Python script** or **Perl script**. 41 | 42 | The sample code will pop up in a new window. 
To use this code in your REST API application, review the code closely and modify it to work with your environment and application. 43 | 44 | ### Code prerequisites 45 | 46 | The Python scripts require you to install Python, available from https://www.python.org/. Once you’ve installed Python, you can run your script with `python .py `. 47 | 48 | Perl scripts require additional set-up. You will need to install the following five components: 49 | 50 | * Perl package, found at http://www.perl.org/ 51 | * Bundle::CPAN, found at http://search.cpan.org/~andk/Bundle-CPAN-1.861/CPAN.pm 52 | * REST::Client, found at http://search.cpan.org/~mcrawfor/REST-Client-88/lib/REST/Client.pm 53 | * MIME::Base64, found at http://perldoc.perl.org/MIME/Base64.html 54 | * JSON, found at http://search.cpan.org/~makamaka/JSON-2.90/lib/JSON.pm 55 | 56 | ![Figure: FMC REST API Explorer sample code screen shot ](assets/images/fmcexpcode.png) 57 | 58 | ## Viewing API parameters 59 | Each resource has an associated set of parameters and fields. You can view them by selecting any of the supported operations for that resource within API Explorer. The following example shows the parameters for the GET operation of the access control policy API. 60 | 61 | ![Figure: FMC REST API Explorer API parameters screen shot ](assets/images/fmcexpobj.png) 62 | 63 | **Congratulations! 
You have completed "Exploring Firepower Management Center (FMC) REST APIs"** 64 | -------------------------------------------------------------------------------- /labs/firepower-restapi-101/assets/images/FMC1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-101/assets/images/FMC1.png -------------------------------------------------------------------------------- /labs/firepower-restapi-101/assets/images/FMCCallFlow.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-101/assets/images/FMCCallFlow.jpg -------------------------------------------------------------------------------- /labs/firepower-restapi-101/assets/images/SAM!.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-101/assets/images/SAM!.PNG -------------------------------------------------------------------------------- /labs/firepower-restapi-101/assets/images/fmcapiexp.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-101/assets/images/fmcapiexp.PNG -------------------------------------------------------------------------------- /labs/firepower-restapi-101/assets/images/fmcexpcode.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-101/assets/images/fmcexpcode.png 
-------------------------------------------------------------------------------- /labs/firepower-restapi-101/assets/images/fmcexpobj.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-101/assets/images/fmcexpobj.png -------------------------------------------------------------------------------- /labs/firepower-restapi-101/assets/images/fmcui.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-101/assets/images/fmcui.png -------------------------------------------------------------------------------- /labs/firepower-restapi-101/assets/images/sam2.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-101/assets/images/sam2.PNG -------------------------------------------------------------------------------- /labs/firepower-restapi-101/assets/images/sam3.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-101/assets/images/sam3.PNG -------------------------------------------------------------------------------- /labs/firepower-restapi-101/byod.html: -------------------------------------------------------------------------------- 1 |
2 |

You need one of these popular web browsers [chrome, firefox, safari or IE].

3 |

You either use your own FMC setup or you can use our FMC REST API Sandbox

4 |
5 | -------------------------------------------------------------------------------- /labs/firepower-restapi-101/firepower-restapi-101.json: -------------------------------------------------------------------------------- 1 | { 2 | "labId": "firepower-restapi-101", 3 | "title": "Exploring Firepower Management Center (FMC) REST APIs", 4 | "slug": "This Learning Lab provides an introduction to FMC REST APIs and the FMC REST API Explorer tool that is packaged with FMC. The FMC REST APIs automate the management of Firepower Threat Defense (FTD) and Legacy Firepower devices.", 5 | "time": "15", 6 | "tags": [ 7 | {"title": "Firepower Management Center"}, 8 | {"title": "Firepower"}, 9 | {"title": "FMC"}, 10 | {"title": "Security"}, 11 | {"title": "Firewalls"}, 12 | {"title": "FTD"}, 13 | {"title": "NGFW"}, 14 | {"title": "NGIPS"}, 15 | {"title": "ASA with FP services"}, 16 | {"title": "Firepower Threat Defence"}, 17 | {"title": "Cisco Security REST API"} 18 | ], 19 | "files": [ 20 | {"title": "Introduction", 21 | "file": "0.md"}, 22 | {"title": "What is Firepower Management Center?", 23 | "file": "1.md"}, 24 | {"title": "FMC API Explorer", 25 | "file": "2.md"} 26 | ], 27 | "related": [ 28 | {"labId": "firepower-restapi-102", 29 | "title": "Firepower Management Center (FMC) REST API token-based authentication"}, 30 | {"labId": "firepower-restapi-103", 31 | "title": "Firewall devices and sensors and the Firepower Management Center (FMC)"}, 32 | {"labId": "firepower-restapi-106", 33 | "title": "FMC objects and CRUD operations"}, 34 | {"labId": "firepower-restapi-107", 35 | "title": "Firewall Management Center (FMC) access control policies"}, 36 | {"labId": "firepower-restapi-109", 37 | "title": "Threat-centric access control policies for the Firepower Management Center (FMC)"} 38 | ], 39 | "authors": [{ 40 | "name": "Krishan Veer", 41 | "email": "veer@cisco.com" 42 | }], 43 | "byod": true 44 | } 45 | 
-------------------------------------------------------------------------------- /labs/firepower-restapi-102/0.md: -------------------------------------------------------------------------------- 1 | # Firepower Management Center (FMC) REST API authentication tokens 2 | 3 | This Learning Lab teaches the basics of token-based authentication on FMC. 4 | 5 | ## Objectives 6 | 7 | When you have completed this lab, you will be able to: 8 | 9 | * Understand how token authentication works with the FMC REST API. 10 | * Request an authentication token. 11 | * Refresh a token. 12 | * Use a Python script to submit an authentication request. 13 | 14 | ## Prerequisites 15 | 16 | To complete this lab you need: 17 | 18 | * A development environment with typical tools and applications, as well as [Postman](https://www.getpostman.com/). 19 | * Basic understanding of REST principles. Complete the [REST API Fundamentals Learning Lab](https://developer.cisco.com/learning/tracks/devnet-beginner/rest-api-fundamentals/what-are-rest-apis/step/1) 20 | * Basic understanding of HTTP authentication. 21 | * Basic understanding of FMC REST APIs and the FMC REST API Explorer. Complete [Exploring Firepower Management Center (FMC) REST APIs](https://developer.cisco.com/learning/modules/Firepower/firepower-restapi-101/step/1). 22 | 23 | **Note**: The first time you connect to the FMC REST API you may receive an error that the connection is not secure due to an invalid certificate. Add an exception in your browser to use the certificate and accept the connection. Do this only after confirming that you are connecting to the intended lab or sandbox address; on a production FMC, resolve the warning by installing a certificate that your client trusts instead of bypassing the check.
24 | 25 | **Next**: Overview of FMC REST token authentication 26 | -------------------------------------------------------------------------------- /labs/firepower-restapi-102/1.md: -------------------------------------------------------------------------------- 1 | # Overview of FMC REST token authentication 2 | 3 | Token-based authentication enables you to access an HTTP or HTTPS service for a limited time period without the need to enter a username and password with every request. The username and password credentials are replaced with a uniquely generated access token, which enables access to resources for up to 30 minutes, and which can be refreshed up to three times. 4 | 5 | When you are generating authentication tokens, be sure to use different credentials for authenticating with the FMC API and the FMC UI. The same credentials cannot be used for both interfaces simultaneously; if they are, a session will be logged out without warning. 6 | 7 | The following diagram illustrates the concept of token-based authentication: 8 | ![](assets/images/FMCCallFlow.jpg) 9 | 10 | **Next**: Requesting a FMC REST API authentication token with Postman 11 | -------------------------------------------------------------------------------- /labs/firepower-restapi-102/2.md: -------------------------------------------------------------------------------- 1 | # Requesting a FMC REST API authentication token with Postman 2 | 3 | Before you begin, ensure that REST API is enabled in your FMC. This procedure is documented in [Firepower Management Center (FMC) REST APIs](https://developer.cisco.com/learning/modules/Firepower/firepower-restapi-101/). 4 | 5 | 1. Open your POSTMAN REST API Client. 6 | 2. Click **New**. 7 | 3. In the **Create New** menu, select **Request**. 8 | 4. In the **Save Request** dialog, give your request a name (such as "FMC Token") and create or select a collection or folder where the request will be saved. 9 | 5. 
At the top of the request tab, select **POST** from the drop-down menu and enter the following URL: `https://<FMC-hostname-or-IP>/api/fmc_platform/v1/auth/generatetoken`. 10 | 6. Select the **Authorization** tab, and choose **Basic Auth** from the **Type** menu. 11 | 7. Enter your username and password in the appropriate fields. 12 | 8. Click **Send**. 13 | 14 | The response will appear under **Headers**. You will see that the response includes two tokens with values generated by the API: 15 | 16 | * **X-auth-access-token**: Include in every request that you send to the FMC REST API. 17 | * **X-auth-refresh-token**: Use in conjunction with the access token when you want to refresh the authentication token. 18 | 19 | Be sure to copy and paste these tokens to save them for later use. Treat both tokens as credentials: until they expire, anyone who holds them can call the API with your account's permissions, so keep them out of shared notes, tickets, and version control. 20 | 21 | You can review a video that documents these steps [here](https://youtu.be/jjj6A-5747k). Note that there is no audio for this video. 22 | 23 | **Next**: Refreshing a FMC REST API authentication token 24 | -------------------------------------------------------------------------------- /labs/firepower-restapi-102/3.md: -------------------------------------------------------------------------------- 1 | # Refreshing a FMC REST API authentication token 2 | 3 | Firepower Management Center REST API authentication tokens are valid for 30 minutes, and can be refreshed up to three times. 4 | 5 | Before you begin, you must have already obtained valid access and refresh tokens. Verify that these tokens have been refreshed fewer than three times. 6 | 7 | 1. Open your POSTMAN REST API Client. 8 | 2. Click **New**. 9 | 3. In the **Create New** menu, select **Request**. 10 | 4. In the **Save Request** dialog, give your request a name (such as "FMC Token Refresh") and create or select a collection or folder where the request will be saved. 11 | 5. At the top of the request tab, select **POST** from the drop-down menu and enter the following URL: `https://<FMC-hostname-or-IP>/api/fmc_platform/v1/auth/refreshtoken`. 12 | 6. 
Select the **Headers** tab. Under **Key**, enter `x-auth-access-token` and under **Value** enter the corresponding token value. Do the same for `x-auth-refresh-token`. 13 | 8. Click **Send**. 14 | 15 | The response will appear under **Headers**. The response includes a new access token and a new refresh token. 16 | 17 | ## Authentication to the FMC REST API 18 | 19 | The following sample script shows how to use Python to interact with FMC REST API authentication. The script uses Python 2 syntax. When no certificate path is supplied as a fourth argument, it runs with TLS certificate verification disabled, and it takes the password from the command line, so treat it as a lab example: supply the certificate path and an `https` server address when running it against an FMC that you rely on. 20 | 21 | ```python 22 | # Original author of this script is Raman Vishwanathan with some additions from Krishan Veer 23 | import base64 24 | import sys 25 | import requests 26 | 27 | MIN_ARGS = 3; 28 | MAX_ARGS = 4; 29 | 30 | # This function manages authentication-related requests to the server located at the named URL. 31 | # url : URL string to which the request is sent. 32 | # headers: Custom headers to be used for the request. 33 | # cert_loc: Location of the certificate file. 34 | def auth_request(url, headers, cert_loc): 35 | # Initialize response 36 | resp = None 37 | 38 | # Do the POST to create the tokens 39 | if url.startswith("https"): 40 | try: 41 | resp = requests.post(url, headers=headers, verify=cert_loc) 42 | if (resp == None): 43 | raise ValueError("Response is undefined") 44 | if (resp.status_code != 204): 45 | msg = "Error Status Code: %d in response" % resp.status_code 46 | raise ValueError(msg) 47 | except Exception, e: 48 | raise e 49 | else: 50 | resp = requests.post(url, headers=headers) 51 | 52 | return resp; 53 | 54 | # This function logs into a server with a basic username/password authorization. 55 | # server: The server name string to be used. 56 | # username: The username string. 57 | # password: The password string. 58 | # cert_loc: Location of the certificate file.
59 | def login(server, username, password, cert_loc): 60 | # API path for generating token 61 | api_path = "/api/fmc_platform/v1/auth/generatetoken" 62 | 63 | # Constructing the complete URL 64 | url = server + api_path 65 | 66 | # Creating basic authorization header using username and password that is base64 encoded 67 | base64string = base64.encodestring('%s:%s' % (username, password)).replace('\n', '') 68 | authstring = ("Basic %s" % base64string) 69 | headers = {'Authorization' : authstring} 70 | 71 | # Generate tokens by posting the data 72 | try: 73 | resp = auth_request(url, headers, cert_loc) 74 | except Exception, e: 75 | raise e 76 | 77 | return {'X-auth-access-token': resp.headers['X-auth-access-token'], 'X-auth-refresh-token':resp.headers['X-auth-refresh-token']} 78 | 79 | # This function performs logs out of a server. 80 | # server: The server name. 81 | # access_token: The access token string. 82 | # cert_loc: Location of the certificate file. 83 | def logout(server, access_token, cert_loc): 84 | # API path for generating token 85 | api_path = "/api/fmc_platform/v1/auth/revokeaccess" 86 | 87 | # Constructing the complete URL 88 | url = server + api_path 89 | 90 | # Create custom header for revoke access 91 | headers = {'X-auth-access-token' : access_token} 92 | 93 | # Generate tokens by posting the data 94 | try: 95 | auth_request(url, headers, cert_loc) 96 | except Exception, e: 97 | raise e 98 | 99 | return (0) 100 | 101 | # This the main method. 102 | # This method expects at least 3 arguments and a max of 4 arguments 103 | # when executed from the command line. 104 | # Usage: "python auth_util.py server username password " 105 | # server: The server address. 106 | # username: The username for basic authorization. 107 | # password: The password for basic authorization. 108 | # cert_loc: Location of the certificate file. 109 | def main(): 110 | if len(sys.argv) < MIN_ARGS: 111 | sys.exit("Insufficient inputs. 
The inputs must have atleast 3 arguments \"python auth_util.py \"") 112 | 113 | # Get the server address 114 | server = sys.argv[1] 115 | 116 | # Get the username 117 | username = sys.argv[2] 118 | 119 | # Get the password 120 | password = sys.argv[3] 121 | 122 | # Get the SSL certification check info 123 | cert_loc = False 124 | if len(sys.argv) > MAX_ARGS: 125 | cert_loc = sys.argv[MAX_ARGS] 126 | 127 | result = login(server, username, password, cert_loc) 128 | 129 | access_token = result.get('X-auth-access-token'); 130 | refresh_token = result.get('X-auth-refresh-token'); 131 | if (access_token != None and refresh_token != None): 132 | print "\nAccess tokens and Refresh tokens exist." 133 | print "Access token: %s" % access_token 134 | print "Refresh token: %s\n" % refresh_token 135 | result_logout = logout(server, result['X-auth-access-token'], cert_loc) 136 | print "Logout Results: %d" % result_logout 137 | else: 138 | print "Access tokens and refresh tokens does not exist." 139 | 140 | # Stand Alone execution 141 | if __name__ == "__main__": 142 | main() 143 | ``` 144 | -------------------------------------------------------------------------------- /labs/firepower-restapi-102/assets/images/FMCCallFlow.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-102/assets/images/FMCCallFlow.jpg -------------------------------------------------------------------------------- /labs/firepower-restapi-102/byod.html: -------------------------------------------------------------------------------- 1 |
2 |

You need one of these popular web browsers [chrome, firefox, safari or IE].

3 |

You either use your own FMC Lab setup or you can use our FMC REST API Sandbox

4 |
5 | -------------------------------------------------------------------------------- /labs/firepower-restapi-102/firepower-restapi-102.json: -------------------------------------------------------------------------------- 1 | { 2 | "labId": "firepower-restapi-102", 3 | "title": "Firepower Management Center (FMC) REST API token-based authentication", 4 | "slug": "This learning lab teaches the basics of token-based authentication on FMC.", 5 | "time": "15", 6 | "tags": [ 7 | {"title": "Firepower Management Center"}, 8 | {"title": "Firepower"}, 9 | {"title": "FMC"}, 10 | {"title": "Security"}, 11 | {"title": "Firewalls"}, 12 | {"title": "FTD"}, 13 | {"title": "NGFW"}, 14 | {"title": "NGIPS"}, 15 | {"title": "ASA with FP services"}, 16 | {"title": "Firepower Threat Defense"}, 17 | {"title": "Cisco Security REST API"} 18 | ], 19 | "files": [ 20 | {"title": "Introduction", 21 | "file": "0.md"}, 22 | {"title": "Firepower Management Center (FMC) REST API authentication tokens", 23 | "file": "1.md"}, 24 | {"title": "Requesting a FMC REST API authentication token with Postman", 25 | "file": "2.md"}, 26 | {"title": "Refreshing a FMC REST API authentication token", 27 | "file": "3.md"} 28 | ], 29 | "related": [ 30 | {"labId": "firepower-restapi-101", 31 | "title": "Exploring Firepower Management Center (FMC) REST APIs"}, 32 | {"labId": "firepower-restapi-103", 33 | "title": "Firewall devices and sensors and the Firepower Management Center (FMC)"}, 34 | {"labId": "firepower-restapi-106", 35 | "title": "FMC objects and CRUD operations"}, 36 | {"labId": "firepower-restapi-107", 37 | "title": "Firewall Management Center (FMC) access control policies"}, 38 | {"labId": "firepower-restapi-109", 39 | "title": "Threat-centric access control policies for the Firepower Management Center (FMC)"} 40 | ], 41 | "authors": [{ 42 | "name": "Krishan Veer", 43 | "email": "veer@cisco.com" 44 | }], 45 | "byod": true 46 | } 47 | 
-------------------------------------------------------------------------------- /labs/firepower-restapi-103/0.md: -------------------------------------------------------------------------------- 1 | # Firewall devices and sensors and the Firepower Management Center (FMC) 2 | 3 | This learning lab teaches you how to enable a network device or sensor to use the FMC. 4 | 5 | ## Objectives 6 | 7 | When you have completed this lab, you will be able to: 8 | 9 | * Add FMC to a device or sensor. 10 | * Register a device to the FMC with the FMC UI. 11 | * Register a device to the FMC through the FMC REST API. 12 | 13 | ## Prerequisites 14 | 15 | * A development environment with typical tools and applications, as well as [Postman](https://www.getpostman.com/). 16 | * Basic understanding of REST principles. Complete the [REST API Fundamentals Learning Lab](https://developer.cisco.com/learning/tracks/devnet-beginner/rest-api-fundamentals/what-are-rest-apis/step/1) 17 | * Basic understanding of FMC REST APIs and the FMC REST API Explorer. Complete [Exploring Firepower Management Center (FMC) REST APIs](https://developer.cisco.com/learning/modules/Firepower/firepower-restapi-101/step/1). 18 | 19 | **Next**: Overview of adding NGIPS or NGFW sensors or devices to FMC 20 | -------------------------------------------------------------------------------- /labs/firepower-restapi-103/1.md: -------------------------------------------------------------------------------- 1 | # Overview of adding NGIPS or NGFW sensors or devices to FMC 2 | 3 | Let's look at this simple network setup with FMC and two devices: 4 | ![Figure: FMC REST API example setup](assets/images/FMC1.png) 5 | 6 | Adding a device or sensor to FMC is a *two* step process: 7 | 8 | 1. Add FMC on the sensor or device. 9 | 2. Register the device or sensor to the FMC.
10 | 11 | There are two ways to register a device: 12 | * FMC UI 13 | * FMC REST API 14 | 15 | For both methods, registering a device requires one CLI step on the device itself. The next sections in this Learning Lab will describe the procedures. 16 | 17 | **Next**: Adding FMC on the device or sensor 18 | -------------------------------------------------------------------------------- /labs/firepower-restapi-103/2.md: -------------------------------------------------------------------------------- 1 | # Adding FMC on the device or sensor 2 | 3 | Follow this procedure to add FMC to a firewall device or sensor. This device can be any FTD or Firepower physical or virtual appliance. 4 | 5 | 1. Using a terminal or command line tool, log in with ssh to the device that you want to register with FMC. You must log in with a username that has Administrator access level. 6 | 7 | 2. At the prompt, register the device to a FMC using the `configure manager add` command: 8 | 9 | ```shell 10 | $ configure manager add <hostname> reg_key [nat_id] 11 | ``` 12 | 13 | ## Command parameters 14 | 15 | The `configure manager add` command has the following parameters: 16 | 17 | * `<hostname>`: The fully qualified host name or IP address of the FMC. If the FMC is not directly addressable or is separated from the device by a NAT device, use `DONTRESOLVE`. 18 | * `reg_key`: A unique alphanumeric registration key required to register a device to the FMC. This key is defined by the user with this command, and is not the same as a license key. Because the key authorizes the registration, choose a value that is hard to guess rather than reusing a sample value. Be sure to record the key that you create, because you will need it to register the device. 19 | * `nat_id`: An alphanumeric string used during the registration process between the FMC and the device. It is required if the hostname is set to DONTRESOLVE. Otherwise, it is optional. 20 | 21 | ## Usage examples 22 | 23 | In most cases, the `configure manager add` command uses the FMC's hostname or the IP address. You define the registration key.
24 | 25 | ```shell 26 | $ configure manager add 192.0.2.10 1234regkey 27 | ``` 28 | 29 | However, if the device and the FMC are separated by a NAT device, enter a unique NAT ID along with the registration key, and specify DONTRESOLVE instead of the hostname or IP address. 30 | 31 | ```shell 32 | $ configure manager add DONTRESOLVE 1234regkey 1234natid 33 | ``` 34 | 35 | ## Registering the device 36 | 37 | After you have added FMC to the device, you can now register the device with the FMC using the UI or the REST API. 38 | 39 | **Next**: Registering a device through FMC UI 40 | -------------------------------------------------------------------------------- /labs/firepower-restapi-103/3.md: -------------------------------------------------------------------------------- 1 | # Registering a device through FMC UI 2 | 3 | Before you begin: 4 | * Add FMC on the device or sensor 5 | * Record the registration ID that you used when adding FMC 6 | 7 | ## Create access policy 8 | 9 | To register a device to an FMC you need to create an access policy. You can do this either through REST API or through FMC UI. 10 | 11 | Follow this procedure to create an access policy through FMC UI. 12 | 13 | 1. Log in to the FMC UI at your FMC's URL. If you are using the FMC Sandbox, the URL is https://fmcrestapisandbox.cisco.com/. 14 | 2. At the top of the screen, select the **Policies** drop-down and navigate to **Access Control** and click **Access Control**. 15 | 3. On the Access Control screen, click **New Policy**. 16 | 4. In the New Policy dialog, enter a name for the policy. You may also enter a description. Accept the default of **None** for the base policy, and select the default action that the device is going to perform. 17 | 5. Save the policy. 18 | 19 | ![Figure: policy setup](assets/images/uiimage1.PNG) 20 | 21 | ## Register device 22 | 23 | After the policy has been created, you can register the device. 24 | 25 | 1. 
At the top of the screen, select the **Devices** drop-down and navigate to **Device Management**. 26 | 2. Click **Add** and select **Device**. 27 | 3. In the “Add Device” dialog, provide the hostname or the IP address of the device, the registration key that you created when you added FMC to the device, and select the access policy that you just created. If you provided a NAT ID, enter that as well. 28 | 4. Click **Register**. 29 | 30 | ![Figure: device setup](assets/images/firesight-04.png) 31 | 32 | **Next**: Registering a device with FMC REST API 33 | -------------------------------------------------------------------------------- /labs/firepower-restapi-103/4.md: -------------------------------------------------------------------------------- 1 | # Registering a device with FMC REST API 2 | 3 | Before you begin: 4 | 5 | * Add FMC on the device or sensor 6 | * Record the registration key that you used when adding FMC 7 | 8 | The following video walks you through the process of registering a device through the FMC REST API: [NGFW or Firepower Device/Sensor registration with Cisco FMC using REST APIs](https://youtu.be/7eTFSfL0EkU). 9 | 10 | ## Sample of Python script for adding device with the FMC REST API, using REST calls 11 | 12 | The following script is an example of a Python script for adding a device with the FMC REST API. As written, its REST calls use `verify=False`, so the FMC certificate is not checked while the username, password and access token are sent; keep that form for the sandbox only and, for your own FMC, switch to the commented-out calls that pass `verify='/path/to/ssl_certificate'`. 13 | 14 | ```python 15 | import json 16 | import sys 17 | import requests 18 | 19 | server = "https://fmcrestapisandbox.cisco.com" 20 | 21 | username = "admin" 22 | if len(sys.argv) > 1: 23 | username = sys.argv[1] 24 | password = "sf" 25 | if len(sys.argv) > 2: 26 | password = sys.argv[2] 27 | 28 | r = None 29 | headers = {'Content-Type': 'application/json'} 30 | api_auth_path = "/api/fmc_platform/v1/auth/generatetoken" 31 | auth_url = server + api_auth_path 32 | try: 33 | # 2 ways of making a REST call are provided: 34 | # One with "SSL verification turned off" and the other with "SSL verification turned on".
35 | # The call with SSL verification turned on is commented out; the active call below uses verify=False. 36 | # To verify the FMC certificate, comment out the line with verify=False and uncomment the line with verify='/path/to/ssl_certificate'. 37 | # 38 | # REST call with SSL verification turned off (the FMC certificate is not checked, so the Basic-auth credentials can be exposed to an intercepting host; sandbox use only): 39 | r = requests.post(auth_url, headers=headers, auth=requests.auth.HTTPBasicAuth(username,password), verify=False) 40 | # REST call with SSL verification turned on: Download SSL certificates from your FMC first and provide its path for verification. 41 | # r = requests.post(auth_url, headers=headers, auth=requests.auth.HTTPBasicAuth(username,password), verify='/path/to/ssl_certificate') 42 | auth_headers = r.headers 43 | auth_token = auth_headers.get('X-auth-access-token', default=None) 44 | if auth_token == None: 45 | print("auth_token not found. Exiting...") 46 | sys.exit() 47 | except Exception as err: 48 | print ("Error in generating auth token --> "+str(err)) 49 | sys.exit() 50 | 51 | headers['X-auth-access-token']=auth_token 52 | 53 | api_path = "/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords" # param 54 | url = server + api_path 55 | if (url[-1] == '/'): 56 | url = url[:-1] 57 | 58 | # POST OPERATION 59 | # When adapting this script to your own environment, update the following JSON parameters here: 60 | # hostname, name, natID (if sensor behind the nat), registration key (created when device is configured). 61 | # To obtain the access policy UUID number, perform a GET operation on the access policy.
62 | 63 | post_data = { 64 | "name": "xyz", 65 | "hostName": "abc.xyz", 66 | "natID": "cisco123", 67 | "regKey": "regkey", 68 | "type": "Device", 69 | "license_caps": [ 70 | "BASE", 71 | "MALWARE", 72 | "URLFilter", 73 | "THREAT" 74 | ], 75 | "accessPolicy": { 76 | "id": "accessPolicyUUID", 77 | "type": "AccessPolicy" 78 | } 79 | } 80 | try: 81 | # REST call with SSL verification turned off: 82 | r = requests.post(url, data=json.dumps(post_data), headers=headers, verify=False) 83 | # REST call with SSL verification turned on: 84 | #r = requests.post(url, data=json.dumps(post_data), headers=headers, verify='/path/to/ssl_certificate') 85 | status_code = r.status_code 86 | resp = r.text 87 | print("Status code is: "+str(status_code)) 88 | if status_code == 201 or status_code == 202: 89 | print ("Post was successful...") 90 | json_resp = json.loads(resp) 91 | print(json.dumps(json_resp,sort_keys=True,indent=4, separators=(',', ': '))) 92 | else : 93 | r.raise_for_status() 94 | print ("Error occurred in POST --> "+resp) 95 | except requests.exceptions.HTTPError as err: 96 | print ("Error in connection --> "+str(err)) 97 | finally: 98 | if r: r.close() 99 | ``` 100 | 101 | **Congratulations! 
You have completed "Firewall devices and sensors and the Firepower Management Center (FMC)".** 102 | -------------------------------------------------------------------------------- /labs/firepower-restapi-103/assets/images/FMC1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-103/assets/images/FMC1.png -------------------------------------------------------------------------------- /labs/firepower-restapi-103/assets/images/firesight-04.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-103/assets/images/firesight-04.png -------------------------------------------------------------------------------- /labs/firepower-restapi-103/assets/images/uiimage1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-103/assets/images/uiimage1.PNG -------------------------------------------------------------------------------- /labs/firepower-restapi-103/byod.html: -------------------------------------------------------------------------------- 1 |
2 |

You need one of these popular web browsers [chrome, firefox, safari or IE].

3 |

You either use your own FMC setup or you can reserve and use our sandbox FMC REST API Sandbox

4 |
5 | -------------------------------------------------------------------------------- /labs/firepower-restapi-103/firepower-restapi-103.json: -------------------------------------------------------------------------------- 1 | { 2 | "labId": "firepower-restapi-103", 3 | "title": "Firewall devices and sensors and the Firepower Management Center (FMC)", 4 | "slug": "Learn how to add the FMC to firewall devices or sensors and register the device to the FMC, enabling the device or sensor to use the FMC.", 5 | "time": "20", 6 | "tags": [ 7 | {"title": "Firepower Management Center"},{ 8 | "title": "Firepower"}, 9 | {"title": "FMC"}, 10 | {"title": "Security"}, 11 | {"title": "Firewalls"}, 12 | {"title": "FTD"}, 13 | {"title": "NGFW"}, 14 | {"title": "NGIPS"}, 15 | {"title": "ASA with FP services"}, 16 | {"title": "Firepower Threat Defence"}, 17 | {"title": "Cisco Security REST API"}], 18 | "files": [ 19 | {"title": "Introduction", 20 | "file": "0.md"}, 21 | {"title": "Overview of adding NGIPS or NGFW sensors or devices to FMC", 22 | "file": "1.md"}, 23 | {"title": "Adding FMC on the device or sensor", 24 | "file": "2.md"}, 25 | {"title": "Registering a device through FMC UI", 26 | "file": "3.md"}, 27 | {"title": "Registering a device with FMC REST API", 28 | "file": "4.md"} 29 | ], 30 | "related": [ 31 | {"labId": "firepower-restapi-101", 32 | "title": "Exploring Firepower Management Center (FMC) REST APIs"}, 33 | {"labId": "firepower-restapi-102", 34 | "title": "Firepower Management Center (FMC) REST API token-based authentication"}, 35 | {"labId": "firepower-restapi-106", 36 | "title": "FMC objects and CRUD operations"}, 37 | {"labId": "firepower-restapi-107", 38 | "title": "Firewall Management Center (FMC) access control policies"}, 39 | {"labId": "firepower-restapi-109", 40 | "title": "Threat-centric access control policies for the Firepower Management Center (FMC)"} 41 | ], 42 | "authors": [{ 43 | "name": "Krishan Veer", 44 | "email": "veer@cisco.com" 45 | }], 46 | 
"byod": true 47 | } 48 | -------------------------------------------------------------------------------- /labs/firepower-restapi-104/1.md: -------------------------------------------------------------------------------- 1 | # FMC REST API request and response structures and error codes 2 | 3 | ## Objectives 4 | 5 | This lab teaches the basic understanding of Firepower Management Center (FMC) REST API request and response structures and error codes. 6 | 7 | 8 | ## Prerequisites 9 | Basic understanding of REST principles. 10 | 11 | 12 | ## Learning Objectives 13 | After completing this module you will be able to get basic understanding of FMC REST APIs request and response structures, and response error codes. 14 | 15 | ## Request structure 16 | Requests are sent to the FMC as HTTPS requests with the Uniform Resource Identifier (URI) of the form described below: 17 | 18 | `https://://object_UUID*options*` 19 | 20 | Where: 21 | 22 | - `` is the IP address or Fully Qualified Domain Name of the Firepower Management 23 | Center. 24 | 25 | - `` is the port number used by the FMC for HTTPS connections. This port is always 443. 26 | 27 | - `` is the specific URL for the desired resource. These URLs are unique for each 28 | resource and are given below. 29 | 30 | - '`*options*` are the options given with the request. Options can be used to modify the output and filter results. 31 | 32 | - `*{UUID}*` 33 | 34 | Many URLs contain one or more UUIDs, which must be specified. Most URLs include the domain UUID, which can be found in the API Explorer. When deleting or modifying an object, or requesting information about a specific object, the URL will end with the object UUID. 35 | 36 | ### Available request methods are: 37 | 38 | - **GET** - retrieves data from the specified object. GET is a read-only operation. 39 | 40 | - **PUT** – adds the supplied information to the specified object. It returns a 404 Resource Not Found error if the object does not exist. 
41 | 42 | - **POST** – creates the object with the supplied information. 43 | 44 | - **DELETE** – deletes the specified object. 45 | 46 | - **PATCH** – *is not supported.* 47 | 48 | The API supports query parameters for almost all requests. For GET requests, the following query parameters can be used to control the number of of returned objects and the pagination: 49 | 50 | - `expanded` is a True/False value which indicates whether you get a full listing of an item in a list or only a reference. 51 | 52 | - `offset` indicates the position in the list where you want to start. 53 | 54 | - `limit` indicates the number of items you want to retrieve in a page. 55 | 56 | The API supports filtering on the basis of query parameters passed with a request. Filtering can be done based on specific attributes in a model. The parameters available for filtering vary by object, and are listed with the request below. 57 | -------------------------------------------------------------------------------- /labs/firepower-restapi-104/2.md: -------------------------------------------------------------------------------- 1 | # Response structure 2 | The response structure can be: 3 | 4 | - `LOCATION` – newly created resource ID; for POST only—holds the new resource ID (as a URI representation). 5 | 6 | - `CONTENT-TYPE` – media type describing the response message body. It describes the representation and syntax of the response message body. 7 | 8 | - Each response includes an HTTP status or error code. Available codes fall into these categories: 9 | 10 | - 20x - A two-hundred series code indicates successful operation, including: 11 | 12 | - **200 OK** - Standard response for successful requests. 13 | 14 | - **201 Created** - Request completed; new resource created. 15 | 16 | - **202 Accepted** - Request accepted, but processing not complete. 17 | 18 | - **204 No Content** - Server successfully processed request; no content is being returned. 
19 | 20 | - 4xx - A 400-series code indicates a client-side error, including: 21 | 22 | - **400 Bad Request** - Invalid query parameters, including unrecognized parameters, missing parameters, or invalid values. 23 | 24 | - **404 Not Found** - The provided URL does not match an existing resource. For example, an HTTP DELETE may fail because the resource is unavailable. 25 | 26 | - **405 Method not Allowed** - An HTTP request was presented that is not allowed on the resource. For example, a POST on a read-only resource. 27 | 28 | - **429 Too Many Requests** - Too many requests were sent to the API. This error will occur if you send more than 120 requests per minute. 29 | 30 | - 5xx - A 500-series code indicates a server-side error. 31 | 32 | In the case of an error, in addition to the error code, the return response may include an error object containing more details about the error. The JSON error/warning response schema is as follows: 33 | ```JSON 34 | [ 35 | 36 | { "code" : "string", 37 | 38 | "details": "string", 39 | 40 | "context": attribute name, 41 | 42 | "level" : <ERROR/WARNING/INFO> 43 | 44 | }, 45 | 46 | ... 47 | 48 | ] 49 | ``` 50 | 51 | ### Where the object properties are: 52 | 53 | | **Property** | **Type** |**Description** | 54 | | --- | --- | --- | 55 | | messages | List of Dictionaries | List of error or warning messages | 56 | | code | String | Error/Warning/Info code | 57 | | details | String | Detailed message corresponding to Error/Warning/Info | 58 | 59 | 60 | ### Rate limiting 61 | 62 | The Firepower REST API implements rate limiting to reduce network load. 63 | 64 | The API will accept no more than 120 messages in a minute. It will only allow 10 simultaneous connections per IP address. These are not configurable parameters. 65 | 66 | If a client exceeds these limits, the API will give an HTTP 429 error. 67 | 68 | This is the end of the FMC-REST-API-104 Lab. 
69 | -------------------------------------------------------------------------------- /labs/firepower-restapi-104/byod.html: -------------------------------------------------------------------------------- 1 |
2 |

You need one of these popular web browsers [chrome, firefox, safari or IE].

3 |

You either use your own FMC setup or you can use our FMC REST API Sandbox

4 |
5 | -------------------------------------------------------------------------------- /labs/firepower-restapi-104/firepower-restapi-104.json: -------------------------------------------------------------------------------- 1 | { 2 | "labId": "firepower-restapi-104", 3 | "title": "FMC REST API request and response structures and error codes", 4 | "slug": "The purpose of this Learning Lab is to build a basic understanding of the FMC REST API request and response structures and understand error codes.", 5 | "time": "15", 6 | "tags": [{ 7 | "title": "Firepower Management Center" 8 | }, { 9 | "title": "Firepower" 10 | }, 11 | { 12 | "title": "FMC" 13 | }, 14 | { 15 | "title": "Security" 16 | }, 17 | { 18 | "title": "Firewalls" 19 | },{ 20 | "title": "FTD" 21 | }, { 22 | "title": "NGFW" 23 | }, { 24 | "title": "NGIPS" 25 | }, { 26 | "title": "ASA with FP services" 27 | }, { 28 | "title": "Firepower Threat Defense" 29 | }, { 30 | "title": "Cisco Security REST API" 31 | }], 32 | "files": [{ 33 | "title": "FMC REST API 104", 34 | "file": "1.md" 35 | }, { 36 | "title": "Response structure", 37 | "file": "2.md" 38 | }], 39 | "related": [{ 40 | "labId": "fmc-restapi-102", 41 | "title": "FMC REST API 102" 42 | }], 43 | "authors": [{ 44 | "name": "Krishan Veer", 45 | "email": "veer@cisco.com" 46 | }], 47 | "byod": true 48 | } 49 | -------------------------------------------------------------------------------- /labs/firepower-restapi-105/1.md: -------------------------------------------------------------------------------- 1 | # Debugging the FMC REST API errors 2 | 3 | ## Objectives 4 | 5 | Basic understanding of debugging the FMC REST API errors. 6 | 7 | 8 | ## Prerequisites 9 | 10 | Basic understanding of REST principles. 11 | 12 | 13 | ## Problem: HTTP 404 for a request 14 | Most likely the resource URL used in the REST Client had an error. 
Use the browser to access the FMC API Explorer, and verify that the relative URL used in your REST client script matches the one in the FMC API Explorer. If it doesn’t, fix the URL in the REST client script. 15 | 16 | Whether you are using the [DevNet Sandbox](https://fmcrestapisandbox.cisco.com/api/api-explorer) or your own setup (https://hostnameorIPaddressofyourFMC/api/api-explorer), 17 | if you still get a 404, log in to the FMC GUI and verify that the resource corresponding to the ID in the URL exists on the FMC. 18 | 19 | 20 | ## Problem: API access token fails 21 | Generally this problem is due to incorrect user credentials. Try to log in to the UI with the same user credentials used to generate the token. If you can’t, then request your administrator to create a valid user for you to use. If you are using [DevNet Sandbox](https://fmcrestapisandbox.cisco.com/api/api-explorer/), make sure your reservation is not expired. If it is, request a new reservation. 22 | 23 | 24 | ## Problem: I deregistered a device, and received a 200 OK. However, when I queried the list of devices, it is still there. 25 | This is generally an update issue. Wait a few seconds, and query the list of devices again. Even though device de-registration returns a response right away, the actual de-registration takes a few seconds. 26 | 27 | 28 | ## Problem: Received HTTP 422 29 | This problem may be the result of a malformed JSON payload. Review the request including the header and JSON body. 30 | -------------------------------------------------------------------------------- /labs/firepower-restapi-105/2.md: -------------------------------------------------------------------------------- 1 | ## Problem: REST operation fails with HTTP 403 2 | This problem may be due to many access and privileges-related reasons. 3 | 4 | Log in to the FMC UI, either on your own setup (example: https://hostnameorIPaddressofyourFMC) or on the [DevNet Sandbox](https://fmcrestapisandbox.cisco.com).
5 | 6 | Make sure you use the same user credentials for logging in as you use to request an authentication token for the API. Attempt the same operation using the UI. If it fails, then you need to ask your admin to grant the user the access privileges that the operation requires. 7 | 8 | Make sure the URL in the request has the right **domain** in which the *user* is authorized. 9 | 10 | **Note:** DevNet Sandbox may have restrictions on privileges. 11 | 12 | 13 | ## Problem: A REST operation fails with HTTP 401 14 | Most likely the authentication token you are using for the API has expired. You have to refresh the token. Please read more about refreshing tokens in the [Learning Lab FMC REST API 102](https://developer.cisco.com/learning/lab/firepower-restapi-102/step/1). 15 | 16 | 17 | ## Problem: While deploying the policy changes to a device, the deployment fails with an exception 18 | 19 | **Note:** *deployment features are not available in [DevNet Sandbox](https://fmcrestapisandbox.cisco.com/api/api-explorer)*. 20 | 21 | * Make sure that there are no errors in the policy associated with the device (verify with FMC UI). 22 | * If the `ignoreWarning` field in the deployment request body is set to “false”, make sure there are no warnings in the policy associated with the device (verify with FMC UI). 23 | * If the `forceDeploy` is false, then verify if the device requires a deployment. This can be done either through UI or by making a GET REST call on `/deployment/deployabledevices`. If the device is present in the response body of the GET call, then the device requires deployment. 24 | * Make sure the version in the deployment request matches the version for the device in the response body of the GET REST call on `/deployment/deployabledevices`. If it gives an exception, then set the time to the current time in milliseconds. 
25 | -------------------------------------------------------------------------------- /labs/firepower-restapi-105/byod.html: -------------------------------------------------------------------------------- 1 |
2 |

You need one of these popular web browsers [chrome, firefox, safari or IE].

3 |

You either use your own FMC setup or you can use our FMC REST API Sandbox

4 |
5 | -------------------------------------------------------------------------------- /labs/firepower-restapi-105/firepower-restapi-105.json: -------------------------------------------------------------------------------- 1 | { 2 | "labId": "firepower-restapi-105", 3 | "title": "Debugging the FMC REST API errors", 4 | "slug": "The purpose of this Learning Lab is to learn about and debug errors generated by the FMC REST API ", 5 | "time": "15", 6 | "tags": [{ 7 | "title": "Firepower Management Center" 8 | }, { 9 | "title": "Firepower" 10 | }, 11 | { 12 | "title": "FMC" 13 | }, 14 | { 15 | "title": "Security" 16 | }, 17 | { 18 | "title": "Firewalls" 19 | },{ 20 | "title": "FTD" 21 | }, { 22 | "title": "NGFW" 23 | }, { 24 | "title": "NGIPS" 25 | }, { 26 | "title": "ASA with FP services" 27 | }, { 28 | "title": "Firepower Threat Defense" 29 | }, { 30 | "title": "Cisco Security REST API" 31 | }], 32 | "files": [{ 33 | "file": "1.md", 34 | "title": "FMC REST API 105" 35 | }, { 36 | "file": "2.md", 37 | "title": "Problem: REST operation fails with HTTP 403" 38 | }], 39 | "related": [{ 40 | "labId": "firepower-restapi-104", 41 | "title": "FMC REST API 104" 42 | }], 43 | "authors": [{ 44 | "name": "Krishan Veer", 45 | "email": "veer@cisco.com" 46 | }], 47 | "byod": true 48 | } 49 | -------------------------------------------------------------------------------- /labs/firepower-restapi-106/0.md: -------------------------------------------------------------------------------- 1 | # FMC objects and CRUD operations 2 | 3 | This Learning Lab provides an overview of how to interact with FMC objects and run Create, Read, Update, and Delete (CRUD) operations with the FMC REST API. 4 | 5 | ## Objectives 6 | 7 | When you have completed this lab, you will be able to: 8 | 9 | * Understand what FMC objects are. 10 | * Interact with FMC objects. 11 | * Perform GET and POST operations with FMC objects to configure next generation firewall (NGFW) devices and other Firepower devices. 
12 | 13 | ## Prerequisites 14 | 15 | * A development environment with typical tools and applications, as well as [Postman](https://www.getpostman.com/). 16 | * Basic understanding of REST principles. Complete the [REST API Fundamentals Learning Lab](https://developer.cisco.com/learning/tracks/devnet-beginner/rest-api-fundamentals/what-are-rest-apis/step/1). 17 | * Basic understanding of FCM REST APIs and the FMC REST API Explorer. Complete [Exploring Firepower Management Center (FMC) REST APIs](https://developer.cisco.com/learning/modules/Firepower/firepower-restapi-101/step/1). 18 | 19 | **Next**: Firepower Management Center (FMC) objects 20 | -------------------------------------------------------------------------------- /labs/firepower-restapi-106/1.md: -------------------------------------------------------------------------------- 1 | # Firepower Management Center (FMC) objects 2 | 3 | FMC uses **named objects**. A named object is a reusable configuration that associates a name with a value. When you want to use that value, use the named object instead. FMC provides many predefined objects that represent frequently used configurations. You can use objects in policies, rules, event searches, reports, and dashboards. 4 | 5 | ## Objects in context of FMC multi-tenancy 6 | 7 | In a multi-domain Firepower deployment, you can create objects in the *Global* parent domain, and these objects will be inherited by child domains. The exception is *Security Group Tag (SGT)* objects, which you can create only in the *Global* domain. 8 | 9 | The FMC UI displays objects created in the selected domain, which you can edit. It also displays objects created in parent domains, which you cannot edit, with the exception of security zones and interface groups. 
10 | 11 | **Note:** Because security zones and interface groups are linked to device interfaces, which you configure at the leaf level, administrators in child domains can view and edit zones and groups created in parent domains. Subdomain users can add and delete interfaces from parent zones and groups, but cannot delete or rename the zones/groups. 12 | 13 | ## Object names 14 | 15 | Object names must be unique within the domain hierarchy. If there is an object with an identical name in an object's parent or child domain, FMC will generate an error. 16 | 17 | ## Object groups 18 | 19 | An object group enables you to reference multiple objects with a single configuration. The FMC UI enables you to use objects and object groups interchangeably. For example, anywhere you would use a port object, you can also use a port object group. 20 | 21 | Object groups have the following characteristics and restrictions: 22 | 23 | * You can group objects in the current domain with objects inherited from parent domains. 24 | * You can group network, port, VLAN tag, URL, and PKI objects. 25 | * Network object groups can be nested. In other words, you can add a network object group to another network object group up to 10 levels. 26 | * Objects and object groups of the same type cannot have the same name. 27 | * In a multi-domain deployment, the names of object groups must be unique within the domain hierarchy. 28 | 29 | ## Object overrides 30 | 31 | Object overrides enable you to define device-specific or domain-specific values for certain types of object, including network, port, VLAN tag, and URL. In a multi-domain deployment, you can define a default value for an object in a parent domain, but allow administrators in child domains to add override values for that object. Object overrides enable you to create a smaller set of shared policies for use across devices while still allowing you to alter policies as needed for individual devices. 
32 | 33 | In a typical use case, you will create an object whose definition works for most devices, and then use overrides to specify modifications to the object for a few devices that need different definitions. 34 | 35 | **Example:** You want to deny ICMP traffic to the different departments in your company, each of 36 | which is connected to a different network. You can define an access control policy with a rule that includes a network object called **Departmental Network**. By allowing overrides for this object, you can then create overrides on any device that specifies the actual network where that device is connected. 37 | 38 | ## Supported object types 39 | 40 | The following table lists the object types supported by FMC and indicates whether they can be placed in groups, if they permit overrides, and if they are supported with the FMC REST API. 41 | 42 | |Object Type | Groupable? | Allows Overrides |Supported via REST API?| 43 | |------------------------------------------------------------|----------------|:------------------:|----------------:| 44 | |Network| yes| yes|yes| 45 | |Port |yes |yes|yes| 46 | |Interface: Security Zone, Interface Group |no| no|yes| 47 | |Tunnel Zone| no| no| no| 48 | |Application Filter| no| no|yes| 49 | |VLAN Tag |yes| yes|yes| 50 | |Security Group Tag (SGT)| no| no| no| 51 | |Geolocation |no| no|yes| 52 | |URL |yes| yes| yes| 53 | |Variable Set |no| no|yes| 54 | |Security Intelligence: Network, DNS, and URL lists and feeds|no|no|yes| 55 | |Sinkhole| no| no|no| 56 | |Cipher Suite List| no| no|no| 57 | |File List |no| no|yes| 58 | |Distinguished Name| yes| no| no| 59 | |SLA Monitor| no |no|no| 60 | |Prefix List: IPv4 and IPv6 |no| yes|no| 61 | |Route Map |no| yes| no| 62 | |Access List: Standard and Extended| no| yes| no| 63 | |Community List| no| yes| no | 64 | |AS Path | no| yes| no | 65 | |Policy List | no | yes|no| 66 | |FlexConfig: Text and FlexConfig objects| no| yes|no| 67 | 68 | **Next** The FMC network object 69 | 
-------------------------------------------------------------------------------- /labs/firepower-restapi-106/2.md: -------------------------------------------------------------------------------- 1 | # The FMC network object 2 | 3 | The **network object** is the most frequently used FMC object. A network object represents one or more IP addresses. You can use network objects and groups in various places in the system’s web interface, including but not limited to access control policies, network variables, intrusion rules, identity rules, network discovery rules, event searches, and reports. 4 | 5 | When you configure an option that requires a network object, the list is automatically filtered to show only those objects that are valid for the option. For example, some options require host objects, while other options require subnets. 6 | 7 | A network object can be one of the following types: 8 | 9 | * **Host** 10 | A single IP address. 11 | `IPv4 example: 209.165.200.225` 12 | `IPv6 example: 2001:DB8::0DB8:800:200C:417A or 2001:DB8:0:0:0DB8:800:200C:417A` 13 | 14 | * **Network** 15 | An address block, also known as a subnet. 16 | `IPv4 example: 209.165.200.224/27` 17 | `IPv6 example: 2001:DB8:0:CD30::/60` 18 | 19 | * **Address Range** 20 | A range of IP addresses. 21 | `IPv4 example: 209.165.200.225-209.165.200.250` 22 | `IPv6 example: 2001:db8:0:cd30::1-2001:db8:0:cd30::1000` 23 | 24 | * **Group** 25 | A group of network objects or other network object groups. 26 | For example: 27 | `209.165.200.225 28 | 209.165.201.1 29 | 209.165.202.129` 30 | 31 | You can create nested groups by adding one network object group to another network object group. You can nest up to 10 levels of groups. 
32 | 33 | **Next**: Retrieving a network object with a GET operation 34 | -------------------------------------------------------------------------------- /labs/firepower-restapi-106/3.md: -------------------------------------------------------------------------------- 1 | # Retrieving a network object with a GET operation 2 | 3 | The following sample Python script uses the FMC REST API to retrieve a network object. Although a comment in the script tells you to download the FMC certificate and provide its path, the calls as written pass `verify=False`, so the FMC certificate is not checked while the credentials and access token are sent; when you run the script against your own FMC, pass the certificate path in `verify` instead. 4 | 5 | ```python 6 | import json 7 | import sys 8 | import requests 9 | import time 10 | import re 11 | 12 | server = "https://fmcrestapisandbox.cisco.com" 13 | 14 | username = "testuser" 15 | if len(sys.argv) > 1: 16 | username = sys.argv[1] 17 | password = "sf2131" 18 | if len(sys.argv) > 2: 19 | password = sys.argv[2] 20 | 21 | r = None 22 | headers = {'Content-Type': 'application/json'} 23 | api_auth_path = "/api/fmc_platform/v1/auth/generatetoken" 24 | auth_url = server + api_auth_path 25 | try: 26 | # Download SSL certificates from your FMC first and provide its path for verification. 27 | r = requests.post(auth_url, headers=headers, auth=requests.auth.HTTPBasicAuth(username,password), verify=False) 28 | auth_headers = r.headers 29 | auth_token = auth_headers.get('X-auth-access-token', default=None) 30 | if auth_token == None: 31 | print("auth_token not found. Exiting...") 32 | print(auth_headers) 33 | sys.exit() 34 | except Exception as err: 35 | print ("Error in generating auth token --> "+str(err)) 36 | sys.exit() 37 | 38 | headers['X-auth-access-token']=auth_token 39 | 40 | api_path = "/api/fmc_config/v1/domain/default/object/networks" # param 41 | url = server + api_path 42 | if (url[-1] == '/'): 43 | url = url[:-1] 44 | 45 | # GET OPERATION 46 | # We have add objects with name prefixed by Test_Py_ and this 47 | # spans from Test_Py_0 to Test_Py_10000. 
48 | # There is a total of 10012 networks due to this addition 49 | # We shall do GET 11 times with a limit of 1000 and see if we are able to 50 | # see all the network objects that we added 51 | allEntries=[] 52 | try: 53 | for i in range(11): 54 | offsetStr = "?offset=%d&limit=1000" % (i*1000) 55 | url = server + api_path + offsetStr; 56 | r = requests.get(url, headers=headers, verify=False) 57 | status_code = r.status_code 58 | resp = r.text 59 | if (status_code == 200): 60 | print "GET successful." 61 | #print("GET successful. Response data --> ") 62 | json_resp = json.loads(resp) 63 | items = json_resp["items"] 64 | # Extract the numbers from the items whose name starts with Test_Py_ and keep adding them to allEntries 65 | names = [ re.split("Test_Py_",item["name"])[1] for item in items if re.match("^Test_Py_",item["name"]) is not None] 66 | allEntries.extend(names) 67 | else: 68 | #r.raise_for_status() 69 | print("Error occurred in GET --> "+resp + " i --> " + str(i)) 70 | except requests.exceptions.HTTPError as err: 71 | print ("Error in connection --> "+str(err)) 72 | finally: 73 | if r : r.close() 74 | 75 | myset = set(allEntries) 76 | print("Length is %d" % len(myset)) 77 | if (len(myset) == 10000): 78 | print ("Test Pass") 79 | else: 80 | print ("Test Fail") 81 | ``` 82 | 83 | ## Response for the retrieve Operation (GET) using REST API 84 | 85 | After the GET operation is performed, you will receive a JSON response similar to the following example: 86 | 87 | ```JSON 88 | { 89 | "links": { 90 | "self": "/fmc_config/v1/domain/global/object/networks?offset=0&limit=1" 91 | }, 92 | "items": [ 93 | { 94 | "links": { 95 | "self": "/fmc_config/v1/domain/global/object/networks/networkObjectUUID", 96 | "parent": "/fmc_config/v1/domain/global/object/networkaddresses" 97 | }, 98 | "type": "Network", 99 | "value": "1.2.3.0/24", 100 | "overrides": { 101 | "parent": { 102 | "id": "networkObjectUUID", 103 | "type": "Network" 104 | }, 105 | "target": { 106 | "name": 
"Global \\ Asia", 107 | "id": "subDomainUUID", 108 | "type": "Domain" 109 | } 110 | }, 111 | "overridable": true, 112 | "description": " ", 113 | "name": "pvs_network", 114 | "id": "networkObjectUUID", 115 | "metadata": { 116 | "lastUser": { 117 | "name": "pvs" 118 | }, 119 | "domain": { 120 | "name": "Global \\ Asia", 121 | "id": "subDomainUUID" 122 | }, 123 | "ipType": "V_4", 124 | "parentType": "NetworkAddress" 125 | } 126 | } 127 | ], 128 | "paging": { 129 | "offset": 0, 130 | "limit": 1, 131 | "count": 1, 132 | "pages": 1 133 | } 134 | } 135 | ``` 136 | 137 | **Next**: Adding a network object with a POST operation 138 | -------------------------------------------------------------------------------- /labs/firepower-restapi-106/4.md: -------------------------------------------------------------------------------- 1 | # Adding a network object with a POST operation 2 | 3 | To add a network object with a POST operation, you must first create the JSON for the network object. 4 | 5 | ```json 6 | { 7 | "name": "test1", 8 | "value": "1.0.0.0/24", 9 | "overridable": false, 10 | "description": "Test REST API Object", 11 | "type": "Network" 12 | } 13 | ``` 14 | The following sample Python script uses the JSON to add the network object. 
15 | 16 | ```python 17 | # # Generated FMC REST API sample script 18 | # 19 | 20 | import json 21 | import sys 22 | import requests 23 | import time 24 | 25 | server = "https://fmcrestapisandbox.cisco.com" 26 | 27 | # Modify the username as required 28 | username = "testuser1" 29 | if len(sys.argv) > 1: 30 | username = sys.argv[1] 31 | 32 | #Modify the password as required 33 | password = "sf0123df" 34 | if len(sys.argv) > 2: 35 | password = sys.argv[2] 36 | 37 | r = None 38 | headers = {'Content-Type': 'application/json'} 39 | 40 | #Create the URL 41 | api_auth_path = "/api/fmc_platform/v1/auth/generatetoken" 42 | auth_url = server + api_auth_path 43 | try: 44 | # Download SSL certificates from your FMC first and provide its path for verification. 45 | r = requests.post(auth_url, headers=headers, auth=requests.auth.HTTPBasicAuth(username,password), verify=False) 46 | auth_headers = r.headers 47 | auth_token = auth_headers.get('X-auth-access-token', default=None) 48 | if auth_token == None: 49 | print("auth_token not found. 
Exiting...") 50 | print(auth_headers) 51 | sys.exit() 52 | except Exception as err: 53 | print ("Error in generating auth token --> "+str(err)) 54 | sys.exit() 55 | 56 | headers['X-auth-access-token']=auth_token 57 | 58 | api_path = "/api/fmc_config/v1/domain/default/object/networks" # param 59 | url = server + api_path 60 | if (url[-1] == '/'): 61 | url = url[:-1] 62 | 63 | # POST OPERATION Sample JSON please modify the input data accordinly.You can learn more on the data model 64 | # Using REST API Explorer at https://fmcrestapisandbox.cisco.com/api/api-explorer 65 | post_data = { 66 | "name" : "TestNW1", 67 | "description" : "Test", 68 | "value" : "10.20.30.0/24" 69 | } 70 | 71 | try: 72 | for i in range(0, 10000): 73 | post_data["name"] = "Test_Py_" + str(i); 74 | r = requests.post(url, data=json.dumps(post_data), headers=headers, verify=False); 75 | status_code = r.status_code 76 | resp = r.text 77 | if status_code == 201 or status_code == 202: 78 | print ("Post was successful for " + post_data["name"]) 79 | # json_resp = json.loads(resp) 80 | # print(json.dumps(json_resp,sort_keys=True,indent=4, separators=(',', ': '))) 81 | else : 82 | r.raise_for_status() 83 | print ("Error occurred in POST --> "+resp) 84 | except requests.exceptions.HTTPError as err: 85 | print ("Error in connection --> "+str(err)) 86 | finally: 87 | if r : r.close() 88 | ``` 89 | 90 | 91 | #### Response for the above POST operation [HTTP 201] 92 | ```JSON 93 | { 94 | "links": { 95 | "self": "https://fmcrestapisandbox.cisco.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/object/networks/005056BB-0B24-0ed3-0000-060129543353", 96 | "parent": "https://fmcrestapisandbox.cisco.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/object/networkaddresses" 97 | }, 98 | "type": "Network", 99 | "value": "172.0.0.0/24", 100 | "overridable": false, 101 | "description": "Test REST API Object", 102 | "name": "veer-test-1", 103 | "id": 
"005056BB-0B24-0ed3-0000-060129543353", 104 | "metadata": { 105 | "timestamp": 0, 106 | "lastUser": { 107 | "name": "admin" 108 | }, 109 | "domain": { 110 | "name": "Global", 111 | "id": "e276abec-e0f2-11e3-8169-6d9ed49b625f" 112 | }, 113 | "ipType": "V_4", 114 | "parentType": "NetworkAddress" 115 | } 116 | } 117 | ``` 118 | 119 | **Congratulations!** You have completed "FMC Objects and CRUD Operations"! Now click the green arrow button to mark the Lab completed. 120 | -------------------------------------------------------------------------------- /labs/firepower-restapi-106/byod.html: -------------------------------------------------------------------------------- 1 |
2 |

You need one of these popular web browsers [Chrome, Firefox, Safari or IE].

3 |

You can either use your own FMC setup or use our FMC REST API Sandbox.

4 |
5 | -------------------------------------------------------------------------------- /labs/firepower-restapi-106/firepower-restapi-106.json: -------------------------------------------------------------------------------- 1 | { 2 | "labId": "firepower-restapi-106", 3 | "title": "FMC objects and CRUD operations", 4 | "slug": "This Learning Lab provides an overview of how to interact with FMC objects and run Create, Read, Update, and Delete (CRUD) operations with the FMC REST API.", 5 | "time": "30", 6 | "tags": [ 7 | {"title": "Firepower Management Center"}, 8 | {"title": "Firepower"}, 9 | {"title": "FMC" }, 10 | {"title": "Security"}, 11 | {"title": "Firewalls"}, 12 | {"title": "FTD"}, 13 | {"title": "NGFW"}, 14 | {"title": "NGIPS"}, 15 | {"title": "ASA with FP services"}, 16 | {"title": "Firepower Threat Defence"}, 17 | {"title": "Cisco Security REST API"} 18 | ], 19 | "files": [ 20 | {"file": "0.md", 21 | "title": "Introduction"}, 22 | {"file": "1.md", 23 | "title": "Firepower Management Center (FMC) objects"}, 24 | {"file": "2.md", 25 | "title": "The FMC network object"}, 26 | {"file": "3.md", 27 | "title": "Retrieving a network object with a GET operation"}, 28 | {"file": "4.md", 29 | "title": "Adding a network object with a POST operation"} 30 | ], 31 | "related": [ 32 | {"labId": "firepower-restapi-101", 33 | "title": "Exploring Firepower Management Center (FMC) REST APIs"}, 34 | {"labId": "firepower-restapi-102", 35 | "title": "Firepower Management Center (FMC) REST API token-based authentication"}, 36 | {"labId": "firepower-restapi-103", 37 | "title": "Firewall devices and sensors and the Firepower Management Center (FMC)"}, 38 | {"labId": "firepower-restapi-107", 39 | "title": "Firewall Management Center (FMC) access control policies"}, 40 | {"labId": "firepower-restapi-109", 41 | "title": "Threat-centric access control policies for the Firepower Management Center (FMC)"} 42 | ], 43 | "authors": [{ 44 | "name": "Krishan Veer", 45 | "email": 
"veer@cisco.com" 46 | }], 47 | "byod": true 48 | } 49 | -------------------------------------------------------------------------------- /labs/firepower-restapi-107/0.md: -------------------------------------------------------------------------------- 1 | # Firewall Management Center (FMC) access control policies 2 | 3 | This Learning Lab teaches a basic understanding of managing FMC access control policies with the REST API. 4 | 5 | ## Objectives 6 | When you have completed this lab, you will be able to: 7 | 8 | * Understand what access control policies are. 9 | * Perform GET and POST operations on FMC access control policies to configure NGFW and other Firepower devices. 10 | 11 | ## Prerequisites 12 | 13 | * A development environment with typical tools and applications, as well as [Postman](https://www.getpostman.com/). 14 | * Basic understanding of REST principles. Complete the [REST API Fundamentals Learning Lab](https://developer.cisco.com/learning/tracks/devnet-beginner/rest-api-fundamentals/what-are-rest-apis/). 15 | * Basic understanding of FCM REST APIs and the FMC REST API Explorer. Complete [Exploring Firepower Management Center (FMC) REST APIs](https://developer.cisco.com/learning/modules/Firepower/firepower-restapi-101/). 16 | -------------------------------------------------------------------------------- /labs/firepower-restapi-107/1.md: -------------------------------------------------------------------------------- 1 | # What are access control policies? 2 | 3 | Access control is a hierarchical policy-based feature that allows you to specify, inspect, and log (non-fast-pathed) network traffic. You can nest access control policies, such that child policies inherit the rules and settings from a parent or base policy. You can enforce this inheritance, or allow child policies to override their parents. Each managed device can be targeted by one access control policy. 
4 | 5 | The data that the policy’s target devices collect about your network traffic can be used to filter and control that traffic based on: 6 | 7 | * Simple, easily determined transport and network layer characteristics: source and destination, port, protocol, and so on. 8 | * The latest contextual information on the traffic, including characteristics such as reputation, risk, business relevance, application used, or URL visited. 9 | * Realm, user, user group, or ISE attribute. 10 | * Custom Security Group Tag (SGT). 11 | * Characteristics of encrypted traffic; you can also decrypt this traffic for further analysis. 12 | * Whether unencrypted or decrypted traffic contains a prohibited file, detected malware, or intrusion attempt. 13 | 14 | Each type of traffic inspection and control occurs where it makes the most sense for maximum flexibility and performance. For example, reputation-based blacklisting uses simple source and destination data, so it can block prohibited traffic early in the process. In contrast, detecting and blocking intrusions and exploits is a last-line defense. 15 | 16 | Although you can configure the system without licensing your deployment, many features require that you enable the appropriate licenses before you deploy. Also, some features are only available on certain device models. Warning icons and confirmation dialog boxes designate unsupported features. 17 | 18 | ## Access control policy components 19 | 20 | **Name and description**: Each access control policy must have a unique name. A description is optional. 21 | 22 | **Inheritance settings**: Policy inheritance allows you to create a hierarchy of access control policies. A parent (or base) policy defines and enforces default settings for the child policies, which is especially useful in multidomain deployments. A policy's inheritance settings allow you to select its base policy. You can also lock settings in the current policy to force any child policies to inherit them. 
Child policies can override unlocked settings. 23 | 24 | **Policy assignment**: Each access control policy identifies the devices that use it. Each device can be targeted by only one access control policy. In a multidomain deployment, you can require that all the devices in a domain use the same base policy. 25 | 26 | **Rules**: Access control rules provide a granular method of handling network traffic. Rules in an access control policy are numbered, starting at 1, including rules inherited from ancestor policies. The system matches traffic to access control rules in top-down order by ascending rule number. Usually, the system handles network traffic according to the first access control rule, where all the rule’s conditions match the traffic. Conditions can be simple or complex, and their use often depends on certain licenses. 27 | 28 | **Default action**: The default action determines how the system handles and logs traffic that is not handled by any other access control configuration. The default action can block or trust all traffic without further inspection, or inspect traffic for intrusions and discovery data. Although an access control policy can inherit its default action from a parent policy, you cannot enforce this inheritance. 29 | 30 | **Security intelligence**: Security Intelligence is a first line of defense against malicious internet content. This feature allows you to blacklist (block) connections based on the latest IP address, URL, and domain name reputation intelligence. To ensure continual access to vital resources, you can override blacklists with custom whitelists. 31 | 32 | **HTTP responses**: When the system blocks a user’s website request, you can either display a generic system-provided response page, or a custom page. You can also display a page that warns users, but also allows them to continue to the originally requested site. 
33 | 34 | **Advanced access control options**: Advanced access control policy settings typically require little or no modification. Often, the default settings are appropriate. 35 | 36 | **Next**: Access control policy default actions 37 | -------------------------------------------------------------------------------- /labs/firepower-restapi-107/2.md: -------------------------------------------------------------------------------- 1 | # Access control policy default action 2 | 3 | In a simple access control policy, the default action specifies how target devices handle all traffic. In a more complex policy, the default action handles traffic that: 4 | 5 | * is not trusted by Intelligent Application Bypass. 6 | * is not blacklisted by Security Intelligence. 7 | * is not blocked by SSL inspection (encrypted traffic only). 8 | * matches none of the rules in the policy (except Monitor rules, which match and log—but do not handle 9 | or inspect—traffic). 10 | 11 | The access control policy default action can block or trust traffic without further inspection, or inspect traffic for intrusions and discovery data. 12 | 13 | The following table lists different default actions and what they do to network traffic. 
14 | 15 | | Default Action | Effect on Traffic | Inspection Type and Policy | 16 | |:-----------------------------------|:------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------| 17 | | Access Control: Block All Traffic | block without further inspection | none | 18 | | Access Control: Trust All Traffic | trust (allow to its final destination without further inspection) | none | 19 | | Intrusion Prevention | allow, as long as it is passed by the intrusion policy you specify | intrusion, using the specified intrusion policy and associated variable set, and discovery, using the network discovery policy | 20 | | Network Discovery Only | allow | discovery only, using the network discovery policy | 21 | | Inherit from base policy | defined in base policy | defined in base policy | 22 | 23 |
24 | The following diagrams provide visual representations of these actions. 25 | 26 | ![Figure: Table illustration ](assets/images/image1.jpg) 27 | 28 | ![Figure: Block All Traffic and Trust All Traffic default actions ](assets/images/image2.jpg) 29 | 30 | ![Figure: Intrusion Prevention and Network Discovery default actions ](assets/images/image3.jpg) 31 | 32 | **Next**: Access control policy inheritance 33 | -------------------------------------------------------------------------------- /labs/firepower-restapi-107/3.md: -------------------------------------------------------------------------------- 1 | # Access control policy inheritance 2 | 3 | Access control uses a hierarchical, policy-based implementation that complements multi-tenancy. You can create a hierarchy of access control policies that corresponds to a domain hierarchy. 4 | 5 | Child access control policies inherit rules and settings from their direct parent, or base, policy. That base policy may have its own parent policy from which it inherits rules and settings, and so on. 6 | 7 | An access control policy’s rules are nested between its parent policy’s Mandatory and Default rule sections. This implementation enforces Mandatory rules from ancestor policies, but allows the current policy to write rules that preempt Default rules from ancestor policies. 8 | 9 | You can lock the following settings to enforce them in all descendant policies. Descendant policies can override unlocked settings if needed. 10 | 11 | * `Security Intelligence` — blacklisting and whitelisting connections based on the latest IP address, URL, and domain name reputation intelligence. 12 | * `HTTP Response pages` — displaying a custom or system-provided response page when you block a user's website request. 13 | * `Advanced settings` — specifying associated sub-policies, network analysis settings, performance settings, and other general options. 
14 | 15 | Although an access control policy can inherit its default action from an ancestor policy, you cannot enforce this inheritance. 16 | 17 | **Next**: Performing access policy operations with the REST API 18 | -------------------------------------------------------------------------------- /labs/firepower-restapi-107/4.md: -------------------------------------------------------------------------------- 1 | # Performing access policy operations with the REST API 2 | 3 | ## GET 4 | 5 | The following Python script is an example of a GET action performed against an access policy. 6 | 7 | ```python 8 | # 9 | # Generated FMC REST API sample script 10 | # 11 | 12 | import json 13 | import sys 14 | import requests 15 | 16 | server = "https://fmcrestapisandbox.cisco.com" 17 | 18 | username = "admin" 19 | if len(sys.argv) > 1: 20 | username = sys.argv[1] 21 | password = "sf" 22 | if len(sys.argv) > 2: 23 | password = sys.argv[2] 24 | 25 | r = None 26 | headers = {'Content-Type': 'application/json'} 27 | api_auth_path = "/api/fmc_platform/v1/auth/generatetoken" 28 | auth_url = server + api_auth_path 29 | try: 30 | # 2 ways of making a REST call are provided: 31 | # One with "SSL verification turned off" and the other with "SSL verification turned on". 32 | # The one with "SSL verification turned off" is commented out. If you like to use that then 33 | # uncomment the line where verify=False and comment the line with =verify='/path/to/ssl_certificate' 34 | # REST call with SSL verification turned off: 35 | # r = requests.post(auth_url, headers=headers, auth=requests.auth.HTTPBasicAuth(username,password), verify=False) 36 | # REST call with SSL verification turned on: Download SSL certificates from your FMC first and provide its path for verification. 
37 | r = requests.post(auth_url, headers=headers, auth=requests.auth.HTTPBasicAuth(username,password), verify='/path/to/ssl_certificate') 38 | auth_headers = r.headers 39 | auth_token = auth_headers.get('X-auth-access-token', default=None) 40 | if auth_token == None: 41 | print("auth_token not found. Exiting...") 42 | sys.exit() 43 | except Exception as err: 44 | print ("Error in generating auth token --> "+str(err)) 45 | sys.exit() 46 | 47 | headers['X-auth-access-token']=auth_token 48 | 49 | api_path = "/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies" # param 50 | url = server + api_path 51 | if (url[-1] == '/'): 52 | url = url[:-1] 53 | 54 | # GET OPERATION 55 | 56 | 57 | try: 58 | # REST call with SSL verification turned off: 59 | # r = requests.get(url, headers=headers, verify=False) 60 | # REST call with SSL verification turned on: 61 | r = requests.get(url, headers=headers, verify='/path/to/ssl_certificate') 62 | status_code = r.status_code 63 | resp = r.text 64 | if (status_code == 200): 65 | print("GET successful. Response data --> ") 66 | json_resp = json.loads(resp) 67 | print(json.dumps(json_resp,sort_keys=True,indent=4, separators=(',', ': '))) 68 | else: 69 | r.raise_for_status() 70 | print("Error occurred in GET --> "+resp) 71 | except requests.exceptions.HTTPError as err: 72 | print ("Error in connection --> "+str(err)) 73 | finally: 74 | if r : r.close() 75 | ``` 76 | 77 | ## POST 78 | 79 | The following Python script is an example of a POST action performed against an access policy. 
80 | 81 | ```python 82 | # 83 | # Generated FMC REST API sample script 84 | # 85 | 86 | import json 87 | import sys 88 | import requests 89 | 90 | server = "https://fmcrestapisandbox.cisco.com" 91 | 92 | username = "admin" 93 | if len(sys.argv) > 1: 94 | username = sys.argv[1] 95 | password = "sf" 96 | if len(sys.argv) > 2: 97 | password = sys.argv[2] 98 | 99 | r = None 100 | headers = {'Content-Type': 'application/json'} 101 | api_auth_path = "/api/fmc_platform/v1/auth/generatetoken" 102 | auth_url = server + api_auth_path 103 | try: 104 | # 2 ways of making a REST call are provided: 105 | # One with "SSL verification turned off" and the other with "SSL verification turned on". 106 | # The one with "SSL verification turned off" is commented out. If you like to use that then 107 | # uncomment the line where verify=False and comment the line with =verify='/path/to/ssl_certificate' 108 | # REST call with SSL verification turned off: 109 | # r = requests.post(auth_url, headers=headers, auth=requests.auth.HTTPBasicAuth(username,password), verify=False) 110 | # REST call with SSL verification turned on: Download SSL certificates from your FMC first and provide its path for verification. 111 | r = requests.post(auth_url, headers=headers, auth=requests.auth.HTTPBasicAuth(username,password), verify='/path/to/ssl_certificate') 112 | auth_headers = r.headers 113 | auth_token = auth_headers.get('X-auth-access-token', default=None) 114 | if auth_token == None: 115 | print("auth_token not found. 
Exiting...") 116 | sys.exit() 117 | except Exception as err: 118 | print ("Error in generating auth token --> "+str(err)) 119 | sys.exit() 120 | 121 | headers['X-auth-access-token']=auth_token 122 | 123 | api_path = "/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies" # param 124 | url = server + api_path 125 | if (url[-1] == '/'): 126 | url = url[:-1] 127 | 128 | # POST OPERATION 129 | 130 | post_data = { 131 | "type": "AccessPolicy", 132 | "name": "AccessPolicy-veer-test-1", 133 | "defaultAction": { 134 | "action": "BLOCK" 135 | } 136 | } 137 | try: 138 | # REST call with SSL verification turned off: 139 | # r = requests.post(url, data=json.dumps(post_data), headers=headers, verify=False) 140 | # REST call with SSL verification turned on: 141 | r = requests.post(url, data=json.dumps(post_data), headers=headers, verify='/path/to/ssl_certificate') 142 | status_code = r.status_code 143 | resp = r.text 144 | print("Status code is: "+str(status_code)) 145 | if status_code == 201 or status_code == 202: 146 | print ("Post was successful...") 147 | json_resp = json.loads(resp) 148 | print(json.dumps(json_resp,sort_keys=True,indent=4, separators=(',', ': '))) 149 | else : 150 | r.raise_for_status() 151 | print ("Error occurred in POST --> "+resp) 152 | except requests.exceptions.HTTPError as err: 153 | print ("Error in connection --> "+str(err)) 154 | finally: 155 | if r: r.close() 156 | 157 | ``` 158 | **Congratulations! 
You have completed "Firewall Management Center (FMC) access control policies"** 159 | -------------------------------------------------------------------------------- /labs/firepower-restapi-107/assets/images/image1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-107/assets/images/image1.jpg -------------------------------------------------------------------------------- /labs/firepower-restapi-107/assets/images/image2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-107/assets/images/image2.jpg -------------------------------------------------------------------------------- /labs/firepower-restapi-107/assets/images/image3.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-107/assets/images/image3.jpg -------------------------------------------------------------------------------- /labs/firepower-restapi-107/byod.html: -------------------------------------------------------------------------------- 1 |
2 |

You need one of these popular web browsers [Chrome, Firefox, Safari or IE].

3 |

You can either use your own FMC setup or use our FMC REST API Sandbox.

4 |
5 | -------------------------------------------------------------------------------- /labs/firepower-restapi-107/firepower-restapi-107.json: -------------------------------------------------------------------------------- 1 | { 2 | "labId": "firepower-restapi-107", 3 | "title": "Firewall Management Center (FMC) access control policies", 4 | "slug": "This Learning Lab teaches a basic understanding of managing FMC access control policies with the REST API.", 5 | "time": "30", 6 | "tags": [ 7 | {"title": "Firepower Management Center"}, 8 | {"title": "Firepower"}, 9 | {"title": "FMC"}, 10 | {"title": "Security"}, 11 | {"title": "Firewalls"}, 12 | {"title": "FTD"}, 13 | {"title": "NGFW"}, 14 | {"title": "NGIPS"}, 15 | {"title": "ASA with FP services"}, 16 | {"title": "Firepower Threat Defence"}, 17 | {"title": "Cisco Security REST API"} 18 | ], 19 | "files": [ 20 | {"file": "0.md", 21 | "title": "Introduction"}, 22 | {"file": "1.md", 23 | "title": "What are access control policies?"}, 24 | {"file": "2.md", 25 | "title": "Access control policy default action"}, 26 | {"file": "3.md", 27 | "title": "Access control policy inheritance"}, 28 | {"file": "4.md", 29 | "title": "Performing access policy operations with the REST API"} 30 | ], 31 | "related": [ 32 | {"labId": "firepower-restapi-101", 33 | "title": "Exploring Firepower Management Center (FMC) REST APIs"}, 34 | {"labId": "firepower-restapi-102", 35 | "title": "Firepower Management Center (FMC) REST API token-based authentication"}, 36 | {"labId": "firepower-restapi-103", 37 | "title": "Firewall devices and sensors and the Firepower Management Center (FMC)"}, 38 | {"labId": "firepower-restapi-106", 39 | "title": "FMC objects and CRUD operations"}, 40 | {"labId": "firepower-restapi-109", 41 | "title": "Threat-centric access control policies for the Firepower Management Center (FMC)"} 42 | ], 43 | "authors": [{ 44 | "name": "Krishan Veer", 45 | "email": "veer@cisco.com" 46 | }], 47 | "byod": true 48 | } 49 | 
-------------------------------------------------------------------------------- /labs/firepower-restapi-109/0.md: -------------------------------------------------------------------------------- 1 | # Threat-centric access control policies for the Firepower Management Center (FMC) 2 | 3 | This Learning Lab teaches you how to create a threat-centric access control (AC) policy. 4 | 5 | ## Objectives 6 | When you have completed this lab, you will be able to: 7 | 8 | * Create a threat-centric AC policy using the FMC REST API Explorer. 9 | * Create specific rules in the context of an AC policy. 10 | * Use Python and Perl to create a threat-centric AC policy. 11 | 12 | ## Prerequisites 13 | * A development environment with typical tools and applications, as well as [Postman](https://www.getpostman.com/). 14 | * Basic understanding of REST principles. Complete the [REST API Fundamentals Learning Lab](https://developer.cisco.com/learning/tracks/devnet-beginner/rest-api-fundamentals/what-are-rest-apis/). 15 | * Basic understanding of FMC REST APIs and the FMC REST API Explorer. Complete [Exploring Firepower Management Center (FMC) REST APIs](https://developer.cisco.com/learning/modules/Firepower/firepower-restapi-101/). 16 | * Basic understanding of access control policies. Complete [Firewall Management Center (FMC) access control policies](https://developer.cisco.com/learning/modules/Firepower/firepower-restapi-107/). 17 | 18 | **Next**: Creating a threat-centric AC policy using the FMC API Explorer 19 | -------------------------------------------------------------------------------- /labs/firepower-restapi-109/1.md: -------------------------------------------------------------------------------- 1 | # Creating a threat-centric AC policy using the FMC API Explorer 2 | 3 | Before you create your policy, log into the FMC API Explorer. 
Refer to the [Exploring FMC REST APIs Learning Lab](https://developer.cisco.com/learning/modules/Firepower/firepower-restapi-101/) for more information about logging in to the API explorer and reserving resources on the FMC REST API Sandbox. 4 | 5 | 1. Select **Policy** from the **API Info** menu. 6 | 2. Locate the following route: `/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies`. Click **POST**. 7 | 3. Copy the following JSON into the **body** field. Be sure to change the name of your policy to something unique. 8 | ```JSON 9 | { 10 | "type": "AccessPolicy", 11 | "name": "My Enterprise Corporate AC Policy ", 12 | "description": "Enterprise Policy to Block and Detect Threats", 13 | "defaultAction": { 14 | "intrusionPolicy": { 15 | "name": "Security Over Connectivity", 16 | "id": "abba9b63-bb10-4729-b901-2e2aa0f4491c", 17 | "type": "IntrusionPolicy" 18 | }, 19 | "variableSet": { 20 | "name": "Default Set", 21 | "id": "76fa83ea-c972-11e2-8be8-8e45bb1343c0", 22 | "type": "VariableSet" 23 | }, 24 | "type": "AccessPolicyDefaultAction", 25 | "logBegin": false, 26 | "logEnd": true, 27 | "sendEventsToFMC": true 28 | } 29 | } 30 | ``` 31 | 4. Click **POST**. The response to the call will appear in the **Response Text** window. 32 | 33 | ![Access policy creation in the FMC API Explorer](assets/images/expl-01.png) 34 | 35 | The access control policy ID is in the response text. Look for the `"id"` line that is **not** nested under `domain`, as shown in the following sample code and image. **Be sure to record this ID**. 
36 | 37 | ```JSON 38 | "name": "Cisco AC Policy", 39 | "description": "Enterprise Policy to Block and Detect Threats", 40 | "id": "005056BB-0B24-0ed3-0000-064424512502" 41 | ``` 42 | 43 | ![](assets/images/expl-02.png) 44 | 45 | **Next**: Creating access control rules 46 | -------------------------------------------------------------------------------- /labs/firepower-restapi-109/2.md: -------------------------------------------------------------------------------- 1 | # Creating access control rules 2 | 3 | This section demonstrates two examples of access control rules created in the context of the AC policy that you created in the previous step. The rules are created with the POST method and the access control rules route. 4 | 5 | 6 | ## Monitoring suspicious URLs 7 | 8 | This rule monitors connections to suspicious URLs. 9 | 1. Select **Policy** from the **API Info** menu. 10 | 2. Select the following route: `/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies`. A list of related routes will appear below. 11 | 3. In the **Container UUID** field, enter the ID of the access control policy that you created in the previous step of this Learning Lab. 12 | 4. Locate the following route: `/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/{containerUUID}/accessrules`. 13 | 5. Click **POST**. 14 | 6. In the API Console, use the following JSON to create the rule. Set the `name` to a name of your choosing. 
15 | ```JSON 16 | { 17 | "sendEventsToFMC": true, 18 | "action": "MONITOR", 19 | "enabled": true, 20 | "type": "AccessRule", 21 | "name": "Monitor Threat URLs", 22 | "logFiles": false, 23 | "logBegin": true, 24 | "logEnd": false, 25 | "variableSet": { 26 | "name": "Default Set", 27 | "id": "76fa83ea-c972-11e2-8be8-8e45bb1343c0", 28 | "type": "VariableSet" 29 | }, 30 | "urls": { 31 | "objects": [{ 32 | "name": "URL Exploitkit", 33 | "type": "SIURLFeed", 34 | "id": "A27C6AAE-8E52-4174-A81A-47C59FECf1c3" 35 | }, { 36 | "name": "URL Attackers", 37 | "type": "SIURLFeed", 38 | "id": "5a0b6d6b-e2c3-436f-b4a1-48248b333b57" 39 | }, { 40 | "name": "URL CnC", 41 | "type": "SIURLFeed", 42 | "id": "60f4e2ab-d96c-44a0-bd38-830252b67077" 43 | }, { 44 | "name": "URL Dga", 45 | "type": "SIURLFeed", 46 | "id": "b1df3aa8-2841-4c88-8e64-bfaacec71300" 47 | }, { 48 | "name": "URL Phishing", 49 | "type": "SIURLFeed", 50 | "id": "d7d996a6-6b92-4a56-8f10-e8506e434dd6" 51 | }, { 52 | "name": "URL Malware", 53 | "type": "SIURLFeed", 54 | "id": "23f2a124-8278-4c03-8c9d-d28fe08b8fc9" 55 | }], 56 | "urlCategoriesWithReputation": [{ 57 | "type": "UrlCategoryAndReputation", 58 | "category": { 59 | "name": "Bot Nets", 60 | "id": "a774acd8-8240-11e0-9682-6814b504fd67", 61 | "type": "URLCategory" 62 | }, 63 | "reputation": "WELL_KNOWN" 64 | }, { 65 | "type": "UrlCategoryAndReputation", 66 | "category": { 67 | "name": "Malware Sites", 68 | "id": "a774acd8-8240-11e0-9682-6814b504fd56", 69 | "type": "URLCategory" 70 | }, 71 | "reputation": "WELL_KNOWN" 72 | }, { 73 | "type": "UrlCategoryAndReputation", 74 | "category": { 75 | "name": "Phishing and Other Frauds", 76 | "id": "a774acd8-8240-11e0-9682-6814b504fd57", 77 | "type": "URLCategory" 78 | }, 79 | "reputation": "WELL_KNOWN" 80 | }, { 81 | "type": "UrlCategoryAndReputation", 82 | "category": { 83 | "name": "Spyware and Adware", 84 | "id": "a774acd8-8240-11e0-9682-6814b504fd59", 85 | "type": "URLCategory" 86 | }, 87 | "reputation": "WELL_KNOWN" 88 | 
}, { 89 | "category": { 90 | "name": "Any", 91 | "type": "URLCategory" 92 | }, 93 | "reputation": "SUSPICIOUS_SITES", 94 | "type": "UrlCategoryAndReputation" 95 | }] 96 | } 97 | } 98 | ``` 99 | 7. Click **POST**. The response to the call will appear in the **Response Text** window. 100 | 101 | FMC REST API explorer API parameters screen shot 102 | ![Figure: FMC REST API explorer API parameters screen shot ](assets/images/expl-03.png) 103 | 104 | ## Monitoring connections from internal hosts with a malware detection policy 105 | 106 | To create a rule that monitors connections from internal hosts with a malware detection policy, follow the previous procedure and use the following JSON: 107 | ```JSON 108 | { 109 | "sendEventsToFMC": true, 110 | "action": "ALLOW", 111 | "enabled": true, 112 | "type": "AccessRule", 113 | "name": "Malware Inspect", 114 | "logFiles": true, 115 | "logBegin": false, 116 | "logEnd": false, 117 | "variableSet": { 118 | "name": "Default Set", 119 | "id": "76fa83ea-c972-11e2-8be8-8e45bb1343c0", 120 | "type": "VariableSet" 121 | }, 122 | "sourceNetworks": { 123 | "objects": [{ 124 | "type": "NetworkGroup", 125 | "name": "IPv4-Private-All-RFC1918", 126 | "id": "15b12b14-dace-4117-b9d9-a9a7dcfa356f" 127 | }] 128 | }, 129 | "filePolicy": { 130 | "name": "New Malware", 131 | "id": "59433a1e-f492-11e6-98fd-84ec1dfeed47", 132 | "type": "FilePolicy" 133 | } 134 | } 135 | ``` 136 | 137 | **Next**: Sample Python script to create threat-centric AC policy 138 | -------------------------------------------------------------------------------- /labs/firepower-restapi-109/3.md: -------------------------------------------------------------------------------- 1 | # Sample Python script to create threat-centric AC policy 2 | 3 | The following Python script is an example of a script that creates a threat-centric AC policy, similar to the output generated by the FMC API explorer. 
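 4 | 5 | ``` Python
#!/usr/bin/python
#
# Generated FMC REST API sample script
#
# Logs in to an FMC, creates a threat-centric access control (AC) policy and
# adds two rules to it. Every print call takes a single string, so the script
# runs under both Python 2 and Python 3.
#

import argparse
import json
import sys
import requests

parser = argparse.ArgumentParser(description="AC Policy support")
parser.add_argument('--host', required=True)
parser.add_argument('--port', required=True)
parser.add_argument('--user', required=True)
# NOTE: a password passed on the command line ends up in shell history and in
# the process list of the machine that runs the script.
parser.add_argument('--passwd', required=True)
parser.add_argument('--policy', required=True)
parser.add_argument('--verbose', required=False)
# Optional path to the certificate downloaded from your FMC. When given, every
# REST call verifies the server certificate against it.
parser.add_argument('--cacert', required=False, default=None)
args = parser.parse_args()

data = vars(args)

# Echo the arguments for troubleshooting, with the password masked so that it
# does not land in terminal scrollback or captured logs.
echoed_args = dict(data)
echoed_args["passwd"] = "********"
print(json.dumps(echoed_args))

server = "https://" + data["host"] + ":" + data["port"]
username = data["user"]
password = data["passwd"]

# TLS verification. The generated sample always passed verify=False, which
# skips validation of the FMC certificate, so the basic-auth credentials and
# the API token go to whichever host answers on that address. verify=False is
# kept as the fallback so the sample still runs against a lab FMC with a
# self-signed certificate; pass --cacert to have the certificate checked.
TLS_VERIFY = data["cacert"] if data["cacert"] else False

r = None
headers = {'Content-Type': 'application/json'}
api_auth_path = "/api/fmc_platform/v1/auth/generatetoken"
auth_url = server + api_auth_path
try:
    r = requests.post(auth_url, headers=headers,
                      auth=requests.auth.HTTPBasicAuth(username, password),
                      verify=TLS_VERIFY)
    auth_token = r.headers.get('X-auth-access-token', default=None)
    domain_uuid = r.headers.get('Global', default=None)
    if (auth_token is None) or (domain_uuid is None):
        print("auth_token not found. Exiting...")
        # Exit non-zero: the original exited with status 0 on a failed login.
        sys.exit(1)
except Exception as err:
    print("Error in generating auth token --> " + str(err))
    sys.exit(1)

headers['X-auth-access-token'] = auth_token


def _api_url(server, api_path):
    """Return server + api_path with one trailing '/' removed, if present."""
    url = server + api_path
    if url[-1] == '/':
        url = url[:-1]
    return url


def _post_object(url, headers, post_data, label):
    """POST post_data as JSON to url and return the 'id' of the created object.

    label is the text that prefixes the printed status line. Returns None when
    the request fails or the FMC answers with a status other than 201 or 202.
    """
    # Bound before the try block so the except/finally clauses can test it even
    # when requests.post() itself raises (connection refused, TLS failure).
    r = None
    object_uuid = None
    try:
        r = requests.post(url, data=json.dumps(post_data), headers=headers,
                          verify=TLS_VERIFY)
        status_code = r.status_code
        resp = r.text
        print(label + " Status code is: " + str(status_code))
        if not ((status_code == 201) or (status_code == 202)):
            r.raise_for_status()
            print("Error occurred in POST --> " + resp)
        else:
            json_resp = json.loads(resp)
            object_uuid = json_resp['id']
    except requests.exceptions.RequestException as err:
        # RequestException also covers HTTPError, which the original caught.
        print("Error in connection --> " + str(err))
        if r is not None:
            # A Response object is not JSON-serialisable; print its body.
            print("Error response --> " + r.text)
    finally:
        # "if r:" is False for 4xx/5xx responses, so compare with None to make
        # sure error responses are closed as well.
        if r is not None:
            r.close()
    return object_uuid


def createACPolicy( server, headers, domain, policy ):
    """Create the access policy named `policy` in `domain`.

    Returns the id of the new policy, or None when the POST did not succeed.
    """
    url = _api_url(server, '/api/fmc_config/v1/domain/' + domain + '/policy/accesspolicies')
    # NOTE(review): the "id" values below are copied from the generated sample;
    # presumably they have to match objects on your own FMC - verify.
    post_data = {
        "type": "AccessPolicy",
        "name": policy,
        "description": "Enterprise Policy to Detect and Prevent Threats",
        "defaultAction": {
            "intrusionPolicy": {
                "name": "Security Over Connectivity",
                "id": "abba9b63-bb10-4729-b901-2e2aa0f4491c",
                "type": "IntrusionPolicy"
            },
            "variableSet": {
                "name": "Default Set",
                "id": "76fa83ea-c972-11e2-8be8-8e45bb1343c0",
                "type": "VariableSet"
            },
            "type": "AccessPolicyDefaultAction",
            "logBegin": False,
            "logEnd": True,
            "sendEventsToFMC": True
        }
    }
    return _post_object(url, headers, post_data, "Create AC Policy")


def addACRule( server, headers, domain, policyUUID ):
    """Add the file-inspection ALLOW rule to the policy `policyUUID`.

    Returns the id of the new rule, or None when the POST did not succeed.
    """
    url = _api_url(server, '/api/fmc_config/v1/domain/' + domain
                   + '/policy/accesspolicies/' + policyUUID + '/accessrules')
    post_data = {
        "sendEventsToFMC": True,
        "action": "ALLOW",
        "enabled": True,
        "type": "AccessRule",
        "name": "Deep File Inspect Dst Geos",
        "logFiles": True,
        "logBegin": False,
        "logEnd": False,
        "variableSet": {
            "name": "Default Set",
            "id": "76fa83ea-c972-11e2-8be8-8e45bb1343c0",
            "type": "VariableSet"
        },
        "sourceNetworks": {
            "objects": [{
                "type": "NetworkGroup",
                "name": "IPv4-Private-All-RFC1918",
                "id": "15b12b14-dace-4117-b9d9-a9a7dcfa356f"
            }]
        },
        "filePolicy": {
            "name": "New Malware",
            "id": "59433a1e-f492-11e6-98fd-84ec1dfeed47",
            "type": "FilePolicy"
        }
    }
    return _post_object(url, headers, post_data, "Add ACRule to Policy")


def addSIRule( server, headers, domain, policyUUID ):
    """Add the MONITOR rule for threat URL feeds and categories to the policy.

    Returns the id of the new rule, or None when the POST did not succeed.
    """
    url = _api_url(server, '/api/fmc_config/v1/domain/' + domain
                   + '/policy/accesspolicies/' + policyUUID + '/accessrules')
    post_data = {
        "sendEventsToFMC": True,
        "action": "MONITOR",
        "enabled": True,
        "type": "AccessRule",
        "name": "Monitor Threat URL's",
        "logFiles": False,
        "logBegin": True,
        "logEnd": False,
        "variableSet": {
            "name": "Default Set",
            "id": "76fa83ea-c972-11e2-8be8-8e45bb1343c0",
            "type": "VariableSet"
        },
        "urls": {
            "objects": [{
                "name": "URL Exploitkit",
                "type": "SIURLFeed",
                "id": "A27C6AAE-8E52-4174-A81A-47C59FECf1c3"
            }, {
                "name": "URL Attackers",
                "type": "SIURLFeed",
                "id": "5a0b6d6b-e2c3-436f-b4a1-48248b333b57"
            }, {
                "name": "URL CnC",
                "type": "SIURLFeed",
                "id": "60f4e2ab-d96c-44a0-bd38-830252b67077"
            }, {
                "name": "URL Dga",
                "type": "SIURLFeed",
                "id": "b1df3aa8-2841-4c88-8e64-bfaacec71300"
            }, {
                "name": "URL Phishing",
                "type": "SIURLFeed",
                "id": "d7d996a6-6b92-4a56-8f10-e8506e434dd6"
            }, {
                "name": "URL Malware",
                "type": "SIURLFeed",
                "id": "23f2a124-8278-4c03-8c9d-d28fe08b8fc9"
            }],
            "urlCategoriesWithReputation": [{
                "type": "UrlCategoryAndReputation",
                "category": {
                    "name": "Bot Nets",
                    "id": "a774acd8-8240-11e0-9682-6814b504fd67",
                    "type": "URLCategory"
                },
                "reputation": "WELL_KNOWN"
            }, {
                "type": "UrlCategoryAndReputation",
                "category": {
                    "name": "Malware Sites",
                    "id": "a774acd8-8240-11e0-9682-6814b504fd56",
                    "type": "URLCategory"
                },
                "reputation": "WELL_KNOWN"
            }, {
                "type": "UrlCategoryAndReputation",
                "category": {
                    "name": "Phishing and Other Frauds",
                    "id": "a774acd8-8240-11e0-9682-6814b504fd57",
                    "type": "URLCategory"
                },
                "reputation": "WELL_KNOWN"
            }, {
                "type": "UrlCategoryAndReputation",
                "category": {
                    "name": "Spyware and Adware",
                    "id": "a774acd8-8240-11e0-9682-6814b504fd59",
                    "type": "URLCategory"
                },
                "reputation": "WELL_KNOWN"
            }, {
                "category": {
                    "name": "Any",
                    "type": "URLCategory"
                },
                "reputation": "SUSPICIOUS_SITES",
                "type": "UrlCategoryAndReputation"
            }]
        }
    }
    return _post_object(url, headers, post_data, "Add SIRule to Policy")


policyUUID = createACPolicy( server, headers, domain_uuid, data["policy"] )
if policyUUID is None:
    sys.exit(1)
print("AC Policy id " + policyUUID)

acrUUID = addACRule( server, headers, domain_uuid, policyUUID )
if acrUUID is None:
    sys.exit(1)
# The original printed policyUUID here and after the SI rule.
print("AC Rule id " + acrUUID)

sirUUID = addSIRule( server, headers, domain_uuid, policyUUID )
# The original re-tested acrUUID, so a failed SI rule was reported as success.
if sirUUID is None:
    sys.exit(1)
print("SI Rule id " + sirUUID)

``` 298 | 299 | **Next**: Sample Perl script to create threat-centric AC policy 300 | -------------------------------------------------------------------------------- /labs/firepower-restapi-109/4.md: -------------------------------------------------------------------------------- 1 | # Sample Perl script to create threat-centric AC policy 2 | 3 | The following Perl script is an example of a script that creates a threat-centric AC policy, similar to the output generated by the FMC API explorer. 4 | 5 | ```Perl 6 | #!/usr/bin/perl 7 | use strict; 8 | use warnings; 9 | 10 | use Error qw(:try); 11 | use Getopt::Long; 12 | use REST::Client; 13 | use MIME::Base64; 14 | use JSON; 15 | use Data::Dumper; 16 | 17 | #allows JSON with boolean to display properly 18 | $JSON::PP::true= "true"; 19 | $JSON::PP::false = "false"; 20 | 21 | # Default value for variables 22 | my $host = "somehost.cisco.com"; 23 | my $port = "443"; 24 | my $user = "admin"; 25 | my $passwd = "blank"; 26 | my $policy = "Default Policy"; 27 | my $verbose = 0; 28 | 29 | my $auth_url = "/api/fmc_platform/v1/auth/generatetoken"; 30 | 31 | GetOptions( "host=s" => \$host, "port=i" => \$port, 32 | "user=s" => \$user, "passwd=s" => \$passwd, 33 | "policy=s" => \$policy, "verbose" => \$verbose ) 34 | or die( "Error in command line arguments\n" ); 35 | 36 | my $endpoint = "https://${host}:${port}"; 37 | my $userpass = "${user}:${passwd}"; 38 | 39 | # Older implementations of LWP check this to disable server verification 40 | $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}=0; 41 | 42 | # Set up the connection 43 | my $client = REST::Client->new( ); 44 | 45 | # 2 ways of making a REST call are 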
provided: 46 | # One with "SSL verification turned off" and the other with "SSL verification turned on". 47 | # The one with "SSL verification turned on" is commented out. If you would like to use it, 48 | # uncomment the line where SSL_verify_mode => 1 and comment out the line with SSL_verify_mode => 0. 49 | # With SSL verification turned off (the active line below), the FMC certificate is not checked, so use that setting only against a lab FMC. 50 | # Configuration to turn on SSL verification for a REST call: 51 | # Download SSL certificates from your FMC and provide the downloaded path 52 | # 53 | #$client->getUseragent()->ssl_opts( SSL_verify_mode => 1 , SSL_ca_file => 'path/to/ssl_certificate'); 54 | 55 | $client->getUseragent()->ssl_opts( SSL_verify_mode => 0); 56 | 57 | $client->setHost( $endpoint ); 58 | $client->addHeader( "Authorization", "Basic ".encode_base64( $userpass ) ); 59 | $client->addHeader( "Content-Type", "application/json"); 60 | 61 | #Generating auth token 62 | $client->POST($auth_url); 63 | my $auth_token = $client->responseHeader('X-auth-access-token'); 64 | my $domain = $client->responseHeader('Global'); 65 | 66 | $client->addHeader("X-auth-access-token",$auth_token); 67 | my $policyUUID = createACPolicy( $client, $domain, $policy ); 68 | my $ruleUUID = addACRule( $client, $domain, $policyUUID ); 69 | my $siUUID = addSIRule( $client, $domain, $policyUUID ); 70 | 71 | sub decodeResponse 72 | { 73 | my ( $respText ) = @_; 74 | 75 | return undef unless( $respText ); 76 | return decode_json( $respText ); 77 | } 78 | 79 | sub createACPolicy 80 | { 81 | my ( $client, $domainUUID, $policyName ) = @_; 82 | 83 | my $api_url = '/api/fmc_config/v1/domain/default/policy/accesspolicies'; 84 | $api_url =~ s/DOMAIN_UUID/$domainUUID/; 85 | chop($api_url) if ( substr($api_url,-1) eq '/' ); 86 | 87 | # Perform a HTTP POST on this URI 88 | my $data =<POST( $api_url, $data ); 113 | 114 | #decode and print json response 115 | print "Response code ( create AC Policy ) : "; 116 | print $client->responseCode(); 117 | print "\n"; 118 | my 
$acPolicy = decodeResponse( $client->responseContent() ); 119 | 120 | exit 1 unless( $acPolicy ); 121 | return $acPolicy->{id}; 122 | } 123 | 124 | sub addACRule 125 | { 126 | my ( $client, $domainUUID, $policyUUID ) = @_; 127 | 128 | my $api_url = "/api/fmc_config/v1/domain/DOMAIN_UUID/policy/accesspolicies/POLICY_UUID/accessrules"; #param 129 | $api_url =~ s/DOMAIN_UUID/$domainUUID/; 130 | $api_url =~ s/POLICY_UUID/$policyUUID/; 131 | chop($api_url) if ( substr($api_url,-1) eq '/' ); 132 | 133 | # Perform a HTTP POST on this URI 134 | my $data =<POST( $api_url, $data ); 165 | 166 | #decode and print json response 167 | print "Response code ( add AC rule to Policy ) : "; 168 | print $client->responseCode(); 169 | print "\n"; 170 | my $acRule = decodeResponse( $client->responseContent() ); 171 | 172 | exit 1 unless( $acRule ); 173 | return $acRule->{id}; 174 | } 175 | 176 | sub addSIRule 177 | { 178 | my ( $client, $domainUUID, $policyUUID ) = @_; 179 | 180 | my $api_url = "/api/fmc_config/v1/domain/DOMAIN_UUID/policy/accesspolicies/POLICY_UUID/accessrules"; #param 181 | $api_url =~ s/DOMAIN_UUID/$domainUUID/; 182 | $api_url =~ s/POLICY_UUID/$policyUUID/; 183 | chop($api_url) if ( substr($api_url,-1) eq '/' ); 184 | 185 | # Perform a HTTP POST on this URI 186 | my $data =<POST( $api_url, $data ); 272 | 273 | #decode and print json response 274 | print "Response code ( add SI rule to Policy ) : "; 275 | print $client->responseCode(); 276 | print "\n"; 277 | my $siRule = decodeResponse( $client->responseContent() ); 278 | 279 | exit 1 unless( $siRule ); 280 | return $siRule->{id}; 281 | } 282 | 283 | 284 | ``` 285 | 286 | **Congratulations! 
You have completed "Threat-centric access control policies for the Firepower Management Center (FMC)"** 287 | -------------------------------------------------------------------------------- /labs/firepower-restapi-109/assets/images/expl-01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-109/assets/images/expl-01.png -------------------------------------------------------------------------------- /labs/firepower-restapi-109/assets/images/expl-02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-109/assets/images/expl-02.png -------------------------------------------------------------------------------- /labs/firepower-restapi-109/assets/images/expl-03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-109/assets/images/expl-03.png -------------------------------------------------------------------------------- /labs/firepower-restapi-109/assets/images/expl-04.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-109/assets/images/expl-04.png -------------------------------------------------------------------------------- /labs/firepower-restapi-109/byod.html: -------------------------------------------------------------------------------- 1 |
2 |

You need a web browser [chrome].

3 |

You either use your own FMC setup or you can use our FMC REST API Sandbox

4 |
5 | -------------------------------------------------------------------------------- /labs/firepower-restapi-109/firepower-restapi-109.json: -------------------------------------------------------------------------------- 1 | { 2 | "labId": "firepower-restapi-109", 3 | "title": "Threat-centric access control policies for the Firepower Management Center (FMC)", 4 | "slug": "This Learning Lab teaches you how to create a threat-centric access control (AC) policy.", 5 | "time": "25", 6 | "tags": [ 7 | {"title": "Firepower Management Center"}, 8 | {"title": "Firepower"}, 9 | {"title": "FMC"}, 10 | {"title": "Security"}, 11 | {"title": "Firewalls"}, 12 | {"title": "FTD"}, 13 | {"title": "NGFW"}, 14 | {"title": "NGIPS"}, 15 | {"title": "ASA with FP services"}, 16 | {"title": "Firepower Threat Defence"}, 17 | {"title": "Cisco Security REST API"} 18 | ], 19 | "files": [ 20 | {"title": "Introduction", 21 | "file": "0.md"}, 22 | {"title": "Creating a threat-centric AC policy using the FMC API Explorer", 23 | "file": "1.md"}, 24 | {"title": "Creating access control rules", 25 | "file": "2.md"}, 26 | {"title": "Sample Python script to create threat-centric AC policy", 27 | "file": "3.md"}, 28 | {"title": "Sample Perl script to create threat-centric AC policy", 29 | "file": "4.md"} 30 | ], 31 | "related": [ 32 | {"labId": "firepower-restapi-101", 33 | "title": "Exploring Firepower Management Center (FMC) REST APIs"}, 34 | {"labId": "firepower-restapi-102", 35 | "title": "Firepower Management Center (FMC) REST API token-based authentication"}, 36 | {"labId": "firepower-restapi-103", 37 | "title": "Firewall devices and sensors and the Firepower Management Center (FMC)"}, 38 | {"labId": "firepower-restapi-106", 39 | "title": "FMC objects and CRUD operations"}, 40 | {"labId": "firepower-restapi-107", 41 | "title": "Firewall Management Center (FMC) access control policies"} 42 | ], 43 | "authors": [{ 44 | "name": "Krishan Veer", 45 | "email": "veer@cisco.com" 46 | }], 47 | "byod": 
true 48 | } 49 | -------------------------------------------------------------------------------- /labs/firepower-restapi-110/1.md: -------------------------------------------------------------------------------- 1 | # Using the Event Streamer API to identify a potentially compromised host 2 | 3 | ## Objectives 4 | 5 | This lab teaches you how to use the Event Streamer (eStreamer) API to extract events from the Firepower Management Center (FMC) and perform basic analysis of a potentially compromised host. 6 | 7 | Once you complete this module, you will be able to use the eStreamer SDK reference client included in the eStreamer SDK to exchange messages with the FMC using the eStreamer application protocol. You will also be able to analyze the events you have extracted from the FMC to determine what activity was logged around the time of a potential compromise of one or more hosts in your network. 8 | 9 | ## Prerequisites 10 | It's best if you already have a basic understanding of Firepower Solutions and Firepower threat technologies. 11 | 12 | ### eStreamer reference client setup 13 | 14 | * Set up the system you plan to use to run the eStreamer reference client by installing the following libraries: 15 | 16 | * The reference client uses the Secure Socket Layer (SSL) for data communication. You must install OpenSSL on the computer you plan to use as a client, and configure it appropriately for your environment. 17 | 18 | `Note: For initial installations on Linux operating systems, you must install the libssl-dev component as part of this download.` 19 | 20 | 21 | * Before you can run the eStreamer Perl reference client, you must install the IO::Socket::SSL Perl module on the client computer. You can install the module manually, or use CPAN to do so. 22 | 23 | `Note: If the Net::SSLeay module is not installed on the client computer, install that module as well. 
Net::SSLeay is required for communication with OpenSSL.` 24 | 25 | 26 | * Configure the eStreamer server on the Firepower Management Center (FMC) to stream events of interest: 27 | 28 | ![](assets/images/exp01.png) 29 | 30 | 31 | * Generate a certificate for the eStreamer client on the FMC, and copy the generated certificate to the system where you plan to run the eStreamer client. You can generate the certificate by following these steps: 32 | ![](assets/images/exp02.png) 33 | 34 | * Choose **System** \> **Integration** \> **eStreamer**. 35 | * Click the **eStreamer** tab. 36 | * Click **Create Client**. 37 | * In the **Hostname** field, enter the host name or IP address of the host running the eStreamer client. 38 | 39 | `Note: If you have not configured DNS resolution, use an IP address.` 40 | 41 | * If you want to encrypt the certificate file, enter a password in the **Password** field. 42 | 43 | * Click **Save**. The eStreamer server now allows the host to access port 8302 on the eStreamer server, and creates an authentication certificate to use during client-server authentication. 44 | 45 | * Click the download file icon () next to the client hostname to download the certificate file. Copy it to the system on which you plan to run the eStreamer client. 46 | 47 | * To revoke access for a client, click the delete icon () next to the host you want to remove. Note that you do not need to restart the eStreamer service; access is revoked immediately. 48 | 49 | `Note: In a multi domain deployment, you can create an eStreamer client in any domain. The authentication certificate allows the client to request events only from the client certificate's domain and any descendant domains. The eStreamer configuration page shows only clients associated with the current domain, so if you want to download or revoke a certificate, switch to the domain where the client was created.` 50 | 51 | * Download the version of the eStreamer SDK that matches the version of your FMC. 
52 | 53 | * Unpack the eStreamer SDK on the system you have setup to run your eStreamer reference client. 54 | 55 | * Copy the eStreamer client certificate file to the directory which contains the reference client names `ssl\_test.pl`. 56 | 57 | * Connect your client application to the FMC and begin exchanging data using the following command `./ssl\_test.pl \ –s=all`. 58 | 59 | * A script to analyze events around a potential host compromise has been provided. Use the steps below to run the script, and examine the output to understand chronology of events around the potential compromise. 60 | 61 | * Run the estreamer client and dump the events to a file on disk: 62 | ```shell 63 | > ./ssl\_test.pl \ –s=all \> ./all\_events 64 | ``` 65 | * Run the script: 66 | ``` shell 67 | ./identify\_compromised\_host.pl ./all\_events 68 | ``` 69 | -------------------------------------------------------------------------------- /labs/firepower-restapi-110/2.md: -------------------------------------------------------------------------------- 1 | ### Sample script to analyze events associated with a potential host compromise 2 | ``` Perl 3 | #!/usr/bin/perl 4 | 5 | use warnings; 6 | use strict; 7 | use Getopt::Long; 8 | use Data::Dumper; 9 | use Time::Local; 10 | use Time::localtime; 11 | 12 | my $event_data_mappings = 13 | { 14 | #Flowstats 15 | "163" => { 16 | "time" => "lastPktsecond", 17 | "src_ip" => "initiatorIp", 18 | "dst_ip" => "responderIp", 19 | "url" => "url", 20 | "urlcat" => "urlCategory", 21 | "urlrep" => "urlReputation", 22 | "src_port" => "initiatorPort", 23 | "dst_port" => "responderPort", 24 | "application" => "applicationId", 25 | "fw_rule" => "ruleId", 26 | "src_country" => "initiator_country", 27 | "dst_country" => "responder_country", 28 | "action" => "ruleAction", 29 | "sec_intel" => "si_category[1]", 30 | }, 31 | #File 32 | "56" => { 33 | "time" => "file_event_timestamp", 34 | "src_ip" => "ip_src", 35 | "dst_ip" => "ip_dst", 36 | "url" => "uri", 37 | 
"src_port" => "port_src", 38 | "dst_port" => "port_dst", 39 | "application" => "webApp", 40 | "filename" => "file_name", 41 | "sha" => "sha256", 42 | "disposition" => "disposition", 43 | "threat_score" => "threat_score", 44 | "src_country" => "ip_src_country", 45 | "dst_country" => "ip_dst_country", 46 | }, 47 | 48 | #IPS 49 | "60" => { 50 | "time" => "event_second", 51 | "src_ip" => "ip_source", 52 | "dst_ip" => "ip_destination", 53 | "src_port" => "sport_itype", 54 | "dst_port" => "dport_icode", 55 | "application" => "application_protocol_id", 56 | "fw_rule" => "firewall_rule_id", 57 | "impact" => "impact_flag", 58 | "src_country" => "ip_src_country", 59 | "dst_country" => "ip_dst_country", 60 | "sid" => "signature_id", 61 | "gid" => "generator_id", 62 | }, 63 | 64 | #Host IOC 65 | "160" => { 66 | "time" => "event_sec", 67 | "host_ip" => "ip_address", 68 | "vuln" => "rna_block", 69 | }, 70 | 71 | #Geolocation: This is Metadata, has no time field. Needs to go in a different array. 72 | "28" => { 73 | "country_code" => "country_code", 74 | "country" => "name_string", 75 | }, 76 | 77 | #IOC information from vul.id mapping: Metadata again. 78 | "39" => { 79 | "ioc_id" => "ioc_id", 80 | "category" => "category", 81 | "type" => "event_type", 82 | }, 83 | 84 | #Payload for app id to name etc. Metadata again. 85 | "109" => { 86 | "id" => "id", 87 | "data" => "name_string_data", 88 | }, 89 | 90 | #IDS rule data to map the rule_id to msg. Metadata only. 
91 | "66" => { 92 | "id" => "rule_id", 93 | "data" => "msg", 94 | }, 95 | 96 | #Security Intelligence rule name: Metadata only 97 | "22" => { 98 | "id" => "rule_id", 99 | "name" => "rule_name", 100 | }, 101 | 102 | #URL category: Metadata only 103 | "121" => { 104 | "id" => "id", 105 | "name" => "name_string_data", 106 | }, 107 | 108 | #URL reputation: Metadata only 109 | "122" => { 110 | "id" => "id", 111 | "name" => "name_string_data", 112 | }, 113 | 114 | #URL ruleaction: Metadata only 115 | "120" => { 116 | "id" => "id", 117 | "name" => "name_string_data", 118 | }, 119 | }; 120 | 121 | sub get_beautify_key { 122 | 123 | my ($ht, $hval) = @_; 124 | 125 | my $hk; 126 | foreach $hk (keys %$ht) { 127 | if ($ht->{$hk} eq $hval) { 128 | return $hk; 129 | } 130 | } 131 | 132 | return "undef"; 133 | } 134 | 135 | sub populate_block { 136 | 137 | my ($block_type, $line, $block) = @_; 138 | 139 | # Reference the block from the hash table for each access. 140 | my $event_data = $event_data_mappings->{$block_type}; 141 | 142 | #Parse the tokens from the line. 143 | my @tokens = split /:/, $line; 144 | 145 | if (scalar @tokens != 2) { 146 | return ""; 147 | } 148 | 149 | #Get event data key, get rid of all leading spaces. 150 | my $event_data_key = $tokens[0]; 151 | $event_data_key =~ s/^(\s*)//g; 152 | 153 | #Check if we are interested in this key. 154 | if (grep {$_ eq $event_data_key} values %$event_data) { 155 | my $beautify_key = get_beautify_key($event_data, $event_data_key); 156 | my $beautify_val = $tokens[1]; 157 | 158 | #Get rid of preceding and training spaces. 159 | $beautify_val =~ s/^(\s*)//g; 160 | $beautify_val =~ s/(\s*)$//g; 161 | 162 | $block->{$beautify_key} = $beautify_val; 163 | 164 | return ($beautify_val eq "") ? 
$beautify_key : ""; 165 | } 166 | 167 | return ""; 168 | } 169 | 170 | sub is_metadata { 171 | 172 | my $block_type = $_[0]; 173 | $block_type =~ /(\d+)/; 174 | 175 | #TODO: Metadata should be in a different hash table, lookup based on hash keys. 176 | if ($1 eq '28' or 177 | $1 eq '39' or 178 | $1 eq '66' or 179 | $1 eq '109' or 180 | $1 eq '22' or 181 | $1 eq '121' or 182 | $1 eq '122' or 183 | $1 eq '120') { 184 | return 1; 185 | } 186 | 187 | return 0; 188 | } 189 | 190 | #Metadata extraction 191 | my @metadata_blocks; 192 | 193 | sub get_country { 194 | 195 | my $code = $_[0]; 196 | 197 | foreach my $melem (@metadata_blocks) { 198 | 199 | if (exists $melem->{country_code} and 200 | $melem->{country_code} eq $code) { 201 | return $melem->{country}; 202 | } 203 | } 204 | 205 | return $code == 0 ? "local" : "not found"; 206 | } 207 | 208 | sub get_ioc_info { 209 | my $ioc_code = $_[0]; 210 | $ioc_code =~ /(\d+)/; 211 | foreach my $melem (@metadata_blocks) { 212 | 213 | if (exists $melem->{'ioc_id'} and 214 | $melem->{ioc_id} eq $1) { 215 | return $melem->{type}."-".$melem->{category}; 216 | } 217 | } 218 | 219 | return "not found"; 220 | } 221 | 222 | sub get_app_proto { 223 | my $proto = $_[0]; 224 | 225 | foreach my $melem (@metadata_blocks) { 226 | 227 | if (exists $melem->{id} and 228 | $melem->{id} eq $proto) { 229 | return $melem->{data}; 230 | } 231 | } 232 | 233 | return "not found"; 234 | } 235 | 236 | sub get_ids_rule_msg { 237 | my $rule_id = $_[0]; 238 | 239 | foreach my $melem (@metadata_blocks) { 240 | 241 | if (exists $melem->{id} and 242 | $melem->{id} eq $rule_id) { 243 | return $melem->{data}; 244 | } 245 | } 246 | 247 | return "not found"; 248 | } 249 | 250 | sub get_si_rule_name { 251 | my $rule_id = $_[0]; 252 | 253 | foreach my $melem (@metadata_blocks) { 254 | 255 | if (exists $melem->{id} and 256 | $melem->{id} eq $rule_id) { 257 | return $melem->{name}; 258 | } 259 | } 260 | 261 | return "not found"; 262 | } 263 | 264 | sub get_url_cat { 
265 | my $cat_id = $_[0]; 266 | 267 | foreach my $melem (@metadata_blocks) { 268 | 269 | if (exists $melem->{id} and 270 | $melem->{id} eq $cat_id) { 271 | return $melem->{name}; 272 | } 273 | } 274 | 275 | return "not found"; 276 | } 277 | 278 | sub get_url_rep { 279 | my $rep_id = $_[0]; 280 | 281 | foreach my $melem (@metadata_blocks) { 282 | 283 | if (exists $melem->{id} and 284 | $melem->{id} eq $rep_id) { 285 | return $melem->{name}; 286 | } 287 | } 288 | 289 | return "not found"; 290 | } 291 | 292 | sub get_rule_action { 293 | my $rule_id = $_[0]; 294 | 295 | foreach my $melem (@metadata_blocks) { 296 | 297 | if (exists $melem->{id} and 298 | $melem->{id} eq $rule_id) { 299 | return $melem->{name}; 300 | } 301 | } 302 | 303 | return "not found"; 304 | } 305 | 306 | sub pretty_print_event { 307 | 308 | my $event_block = $_[0]; 309 | 310 | foreach my $key (keys %$event_block) { 311 | if ($key eq 'Event') { 312 | printf("%-5s:", $key); 313 | printf("%s\n", $event_block->{$key}); 314 | last; 315 | } 316 | } 317 | 318 | #Now print the rest. 
319 | foreach my $key (sort keys %$event_block) { 320 | if ($key eq 'Event') { 321 | next; 322 | } 323 | printf("\t%-20s:", $key); 324 | 325 | #Format, add metadata where possible 326 | if ($key eq 'time') { 327 | printf("%s\n", ctime($event_block->{$key})); 328 | } elsif ($key eq 'src_country' or $key eq 'dst_country') { 329 | my $country = get_country ($event_block->{$key}); 330 | printf("%s (%s)\n", $event_block->{$key}, $country); 331 | } elsif ($key eq 'vuln') { 332 | my $ioc_info = get_ioc_info ($event_block->{$key}); 333 | printf("%s (%s)\n", $event_block->{$key}, $ioc_info); 334 | } elsif ($key eq 'application') { 335 | my $app = get_app_proto($event_block->{$key}); 336 | printf("%s (%s)\n", $event_block->{$key}, $app); 337 | } elsif ($key eq 'sid') { 338 | my $rule_msg = get_ids_rule_msg($event_block->{$key}); 339 | printf("%s (%s)\n", $event_block->{$key}, $rule_msg); 340 | } elsif ($key eq 'sec_intel') { 341 | my $rule_name = get_si_rule_name($event_block->{$key}); 342 | printf("%s (%s)\n", $event_block->{$key}, $rule_name); 343 | } elsif ($key eq 'urlcat') { 344 | my $cat_name = get_url_cat($event_block->{$key}); 345 | printf("%s (%s)\n", $event_block->{$key}, $cat_name); 346 | } elsif ($key eq 'urlrep') { 347 | my $rep_name = get_url_rep($event_block->{$key}); 348 | printf("%s (%s)\n", $event_block->{$key}, $rep_name); 349 | } elsif ($key eq 'action') { 350 | my $act_name = get_rule_action($event_block->{$key}); 351 | printf("%s (%s)\n", $event_block->{$key}, $act_name); 352 | } else { 353 | printf("%s\n", $event_block->{$key}); 354 | } 355 | } 356 | } 357 | 358 | my $vuln_hosts; 359 | sub is_tracked { 360 | 361 | my $ip = $_[0]; 362 | return exists $vuln_hosts->{$ip}; 363 | } 364 | 365 | sub track_and_display_host_vuln_events { 366 | 367 | my $event_arr = $_[0]; 368 | 369 | foreach my $ev (@$event_arr) { 370 | if (exists $ev->{vuln} and 371 | exists $ev->{host_ip}) { 372 | $vuln_hosts->{$ev->{host_ip}} = 1; 373 | pretty_print_event($ev); 374 | 
printf("\n"); 375 | } 376 | } 377 | } 378 | 379 | #Get the estreamer output file as an argument. 380 | if (scalar @ARGV != 1) { 381 | warn "Pass estreamer output filename as argument!\n"; 382 | exit(1); 383 | } 384 | 385 | my $es_ofn = $ARGV[0]; 386 | 387 | if (!-f $es_ofn) { 388 | warn "Output file $es_ofn does not exist!\n"; 389 | exit(1); 390 | } 391 | 392 | my $fh; 393 | open ($fh, "<", $es_ofn) or die "could not open $es_ofn! $!\n"; 394 | 395 | #How many events are we going to parse? We need a new hash structure for each 396 | 397 | #Flag to indicate beginning of parsing of an interested block. 398 | my $block_parsing = 0; 399 | my $parsed_block = {}; 400 | my @parsed_blocks; 401 | my $block_type_num; 402 | my $parse_string_block = 0; 403 | my $beautify_cached_key = ""; 404 | my $str_val_counter = 0; 405 | my $prev_block_type; 406 | 407 | my $filelog_detected = 0; 408 | 409 | while (my $line = <$fh>) { 410 | 411 | if ($beautify_cached_key ne "") { 412 | $str_val_counter += 1; 413 | } 414 | 415 | #Determine the start of a new block. 416 | if ($line =~ /block_type/ or 417 | $line =~ /rec_type/) { 418 | 419 | #See of we are interested. 420 | my @tokens = split /:/,$line; 421 | if (scalar @tokens > 1) { 422 | my $block_type = $tokens[1]; 423 | chomp($block_type); 424 | 425 | #If this is a string block type, continue. 426 | if ($block_type =~ /String/) { 427 | next; 428 | } 429 | 430 | $block_type =~ /(\d+)/; 431 | 432 | #Have we already detected a filelog? If so, don't detect another one. 
433 | if (exists $event_data_mappings->{$1}) { 434 | 435 | 436 | if ($1 eq '56' and $filelog_detected == 1) { 437 | next; 438 | } elsif ($1 eq '56') { 439 | $filelog_detected = 1; 440 | } 441 | 442 | $block_parsing = 1; 443 | 444 | #If a previous block exists, dump it in an array 445 | if ( keys %$parsed_block) { 446 | #warn "Block: $prev_block_type\n".Dumper(%parsed_block)."\n"; 447 | $parsed_block->{Event} = $prev_block_type; 448 | my $is_metadata = is_metadata($prev_block_type); 449 | $prev_block_type = $block_type; 450 | 451 | #Push either in regular event blocks or metadata blocks. 452 | if ($is_metadata) { 453 | push @metadata_blocks, $parsed_block; 454 | } else { 455 | push @parsed_blocks, $parsed_block; 456 | } 457 | } else { 458 | #Initialize. 459 | $prev_block_type = $block_type; 460 | } 461 | 462 | #Initialize a new hash. Start parsing it. 463 | $parsed_block = {}; 464 | $block_type_num = $1; 465 | my $beautify_key = populate_block($block_type_num, $line, $parsed_block); 466 | if ($beautify_key ne "") { 467 | $beautify_cached_key = $beautify_key; 468 | } 469 | } else { 470 | #New block and we are not interested in parsing it. 471 | $block_parsing = 0; 472 | } 473 | } 474 | #If we got a nonempty string, it means we didn't get the value yet. 475 | } elsif ($str_val_counter == 3) { 476 | 477 | #Remove data: part from the string. 478 | $line =~ s/data:(\s*)//g; 479 | 480 | #Get the string value. Remove preceding and trailing spaces. 481 | my $beautify_val = $line; 482 | $beautify_val =~ s/^(\s*)//g; 483 | $beautify_val =~ s/(\s*)$//g; 484 | 485 | #If this is url, check to see if there is http:// in front. If not, add it. 486 | if ($beautify_cached_key eq 'url') { 487 | if ($beautify_val !~ /^http:\/\//) { 488 | $beautify_val = "http://".$beautify_val; 489 | } 490 | } 491 | 492 | #Set the parsed value. 493 | $parsed_block->{$beautify_cached_key} = $beautify_val; 494 | 495 | #Reset our state information. 
496 | $beautify_cached_key = ""; 497 | $str_val_counter = 0; 498 | 499 | } elsif ($block_parsing == 1) { 500 | my $beautify_key = populate_block($block_type_num, $line, $parsed_block); 501 | if ($beautify_key ne "") { 502 | $beautify_cached_key = $beautify_key; 503 | } 504 | } 505 | } 506 | 507 | #Get the last record. 508 | if ( keys %$parsed_block) { 509 | # warn "Block: $prev_block_type\n".Dumper($parsed_block)."\n"; 510 | $parsed_block->{Event} = $prev_block_type; 511 | my $is_metadata = is_metadata($prev_block_type); 512 | 513 | #Push either in regular event blocks or metadata blocks. 514 | if ($is_metadata) { 515 | push @metadata_blocks, $parsed_block; 516 | } else { 517 | push @parsed_blocks, $parsed_block; 518 | } 519 | } 520 | 521 | #Sort the array. 522 | my @sorted_blocks = sort {$a->{time} <=> $b->{time}} @parsed_blocks; 523 | 524 | #Pull out each host event with vuln.id set. 525 | track_and_display_host_vuln_events(\@sorted_blocks); 526 | 527 | #warn "Cisco test\n".Dumper(\@metadata_blocks)."\n"; 528 | #Pretty print of all vulnerable host events: 529 | foreach my $event_block (@sorted_blocks) { 530 | 531 | #This event is only considered if either src or dest ip is 532 | #being tracked as vulnerable. 
533 | if (( exists $event_block->{src_ip} 534 | and is_tracked($event_block->{src_ip})) or 535 | (exists $event_block->{dst_ip} 536 | and is_tracked($event_block->{dst_ip}))) { 537 | pretty_print_event($event_block); 538 | printf("\n"); 539 | } 540 | } 541 | 542 | 543 | 544 | ``` 545 | -------------------------------------------------------------------------------- /labs/firepower-restapi-110/assets/images/exp01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-110/assets/images/exp01.png -------------------------------------------------------------------------------- /labs/firepower-restapi-110/assets/images/exp02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-110/assets/images/exp02.png -------------------------------------------------------------------------------- /labs/firepower-restapi-110/byod.html: -------------------------------------------------------------------------------- 1 |
2 |

You need a web browser [chrome].

3 |

You can either use your own FMC setup or use our FMC REST API Sandbox.

4 |
5 | -------------------------------------------------------------------------------- /labs/firepower-restapi-110/firepower-restapi-110.json: -------------------------------------------------------------------------------- 1 | { 2 | "labId": "firepower-restapi-110", 3 | "title": "Using the Event Streamer API to identify a potentially compromised host", 4 | "slug": "Expose developers to using the Event Streamer (eStreamer) API to extract events from the Firepower Management Center (FMC) and perform basic analysis of a potentially compromised host", 5 | "time": "15", 6 | "tags": [{ 7 | "title": "Firepower Management Center" 8 | }, { 9 | "title": "Firepower" 10 | }, 11 | { 12 | "title": "FMC" 13 | }, 14 | { 15 | "title": "Security" 16 | }, 17 | { 18 | "title": "eStreamer" 19 | }, 20 | { 21 | "title": "Firewalls" 22 | },{ 23 | "title": "FTD" 24 | }, { 25 | "title": "NGFW" 26 | }, { 27 | "title": "NGIPS" 28 | }, { 29 | "title": "ASA with FP services" 30 | }, { 31 | "title": "Firepower Threat Defence" 32 | }, { 33 | "title": "Cisco Security REST API" 34 | }], 35 | "files": [{ 36 | "title": "Using the Event Streamer API to identify a potentially compromised host", 37 | "file": "1.md" 38 | }, { 39 | "title": "Sample script to analyze events associated with a potential host compromise", 40 | "file": "2.md" 41 | }], 42 | "related": [{ 43 | "labId": "fmc-restapi-102", 44 | "title": "FMC - REST - API - 102" 45 | }], 46 | "authors": [{ 47 | "name": "Krishan Veer", 48 | "email": "veer@cisco.com" 49 | }], 50 | "byod": true 51 | } 52 | -------------------------------------------------------------------------------- /labs/firepower-restapi-111/1.md: -------------------------------------------------------------------------------- 1 | # Cisco Threat Intelligence Director (TID) APIs and their usage via API Explorer and Postman 2 | 3 | ## Objectives 4 | 5 | This lab teaches you the basic understanding of Cisco Threat Intelligence Director (TID) APIs and their usage via API Explorer and 
Postman. 6 | 7 | After completing this module you will have a basic understanding of the available Firepower Management Center (FMC) TID APIs and their usage. 8 | 9 | ## Prerequisites 10 | It's best if you already have a basic understanding of REST principles. Optionally, you can work through [Learning Lab "FMC - REST - API - 102"](https://developer.cisco.com/learning/lab/firepower-restapi-102/step/1) before this lab to get a basic understanding of accessing FMC REST APIs using tokens. 11 | 12 | ## FMC REST API Explorer 13 | The API Explorer provides the list of APIs available on the FMC, their details, and the ability to make permissible Rest API calls using a simplified API console. 14 | 15 | 16 | ### Using API Explorer: 17 | 1. Navigate to the `https://<FMC-host>/api/api-explorer` URL, replacing `<FMC-host>` with the address of your FMC. Or try the [DevNet Live Sandbox](https://devnetsandbox.cisco.com/RM/Diagram/Index/1b4eeaec-d910-4f65-ad89-f9399b391428?diagramType=Topology). 18 | 19 | 2. Log in with your username and password and click "Sign In". 20 | 21 | 3. Select the Intelligence tab from the left-most menu to see all the APIs available for the Cisco TID. 22 | 23 | ![Figure: FMC REST API example setup](assets/images/Picture1.png) 24 | 25 | 26 | ## Creating a TID Source 27 | 28 | ### To Create a TID Source using URL download 29 | 1. Select API Operations on Source objects and choose the POST Operation. Based on the type of source and its contents, you can modify the fields `feedType` and `feedContent` in the JSON sample below. 30 | 31 | 2. In the API CONSOLE, post the JSON below to configure a [STIX source](https://upload-large-file.s3.us-east-2.amazonaws.com/production/WannaCry-devnet.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAXOWDCPZVRLTV4I2S%2F20210916%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20210916T142835Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=f28f2d8576aa66e8ddbee67ef48319a0c9f805702edab14670d44ff813dc6879). The link is a pre-signed S3 URL carrying `X-Amz-Expires=900`, so it is valid for only 15 minutes after it was signed; if the download fails, point `uri` at a STIX file you host yourself. 
32 | 33 | Change the name of the source to a unique name instead of "WannaCry". 34 | 35 | 3. A successful post operation returns a 201 OK. The sample's `params` set `hostnameVerifier` to `allow_all`, which by its name accepts any hostname in the feed server's certificate; for a source you depend on, check which stricter values your FMC version accepts. 36 | ```JSON 37 | { 38 | "name": "WannaCry", 39 | "uri":"https://upload-large-file.s3.us-east-2.amazonaws.com/production/WannaCry-devnet.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAXOWDCPZVRLTV4I2S%2F20210916%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20210916T142835Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=f28f2d8576aa66e8ddbee67ef48319a0c9f805702edab14670d44ff813dc6879", 40 | "feedType": "stix", 41 | "feedContent": "stix", 42 | "delivery": "url", 43 | "refresh": 1440, 44 | "version": "1.0.0", 45 | "downloadOn": true, 46 | "params": { 47 | "selfSignedServerCertificate": "false", 48 | "hostnameVerifier": "allow_all" 49 | }, 50 | "property": { 51 | "ttl": 90, 52 | "publish": true, 53 | "action": "monitor" 54 | } 55 | } 56 | ``` 57 | 58 | 4. *Optional:* To download a simple IP intelligence source, use the file located at: [Downloads](https://upload-large-file.s3.us-east-2.amazonaws.com/production/torips-devnet.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAXOWDCPZVRLTV4I2S%2F20210916%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20210916T142814Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=f851a5369e86a26b52137d2e50428d078729e6c3b61b37aa72ff6e3755845b01) 59 | 60 | Change the name of the source to a unique name instead of `TorIpList`. 61 | 62 | In the API CONSOLE, post the JSON below. 
63 | 64 | ```JSON 65 | { 66 | "name": "TorIpList", 67 | "uri":"https://upload-large-file.s3.us-east-2.amazonaws.com/production/torips-devnet.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAXOWDCPZVRLTV4I2S%2F20210916%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20210916T142814Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=f851a5369e86a26b52137d2e50428d078729e6c3b61b37aa72ff6e3755845b01", 68 | "feedType": "flatfile", 69 | "feedContent": "IPV_4_ADDR", 70 | "delivery": "url", 71 | "refresh": 1440, 72 | "version": "1.0.0", 73 | "downloadOn": true, 74 | "params": { 75 | "selfSignedServerCertificate": "false", 76 | "hostnameVerifier": "allow_all" 77 | }, 78 | "property": { 79 | "ttl": 90, 80 | "publish": true, 81 | "action": "monitor" 82 | } 83 | } 84 | ``` 85 | 86 | 87 | ### To view indicators of compromise 88 | 1. Select API Operations on Indicator objects. 89 | 2. To see all Indicators of Compromise downloaded by TID, a GET ALL operation can be performed by simply pressing GET. 90 | 3. To retrieve a specific indicator object an objectId needs to be provided for the Get operation. 91 | ![Figure: FMC REST API example setup](assets/images/Picture2.png) 92 | 93 | 4. More complex queries can be run on the data to get enhanced results. The screenshot below shows a query to get all indicators ingested in the last one hour by specifying a filter, sorted by `updatedAt time field` and returned with all links expanded. 94 | Following are the key/value pairs: 95 | 96 | | KEY | VALUE | 97 | |----------|----------------------------------| 98 | | filter | updatedAt:1495425937..1495429537 | 99 | | sort | -updatedAt | 100 | | expanded | true | 101 | | limit | 40 | 102 | 103 | ![Figure: FMC REST API example setup](assets/images/Picture3.png) 104 | 105 | 106 | ### To View observables 107 | 108 | Observables represent stateful properties or measurable events pertinent to the operation of computers and networks. For example, IPs, Domains, URLs, File SHA’s etc. 
109 | 110 | Select API Operations on observable objects and follow the steps described in the Indicators of Compromise section. 111 | 112 | 113 | ### To View incidents 114 | 115 | Incidents are discrete instances of indicators affecting an organization, along with information discovered or decided during an incident response investigation. 116 | 117 | Select API Operations on Indicator objects and follow the steps described in the Indicators of Compromise section. 118 | -------------------------------------------------------------------------------- /labs/firepower-restapi-111/2.md: -------------------------------------------------------------------------------- 1 | # Use Postman 2 | 3 | 1. Open your POSTMAN REST API Client. 4 | 5 | 2. Set the client to make a POST command to this [URL](https://cisco-tid.cisco.com/api/fmc_platform/v1/auth/generatetoken). 6 | 7 | 3. Click on Authorization, select Basic Auth, and type in your username and password. 8 | 9 | 4. Click Send. 10 | 11 | ![Figure: FMC REST API example setup](assets/images/Picture4.png) 12 | 13 | 14 | 1. From the response copy the following for future API calls: 15 | - X-auth-access-token: you need to add this token header to every request sent using the FMC REST API. 16 | 17 | - X-auth-refresh-token: needed to refresh the token. Both tokens authenticate as your user, so keep them out of shared Postman collections, screenshots and logs. 18 | 19 | - DOMAIN\_UUID: this needs to be added to every Rest API route. 20 | 21 | ![Figure: FMC REST API example setup](assets/images/Picture5.png) 22 | 23 | 24 | ## Create a TID source 25 | 26 | ### Create a TID source using URL download: 27 | 28 | 1. Open another tab in Postman and fill in the values as shown in the screenshot below: 29 | 30 | 2. Select POST operation and add the [route](https://cisco-tid.cisco.com/api/fmc_tid/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/tid/source) 31 | where `e276abec-e0f2-11e3-8169-6d9ed49b625f` is the DOMAIN\_UUID obtained from the generate token step. 32 | 33 | 3. In the header add: 34 | - Key: `X-auth-access-token`. Value: 
Paste the value obtained from the generate token step. 35 | 36 | - Key: `X-auth-refresh-token`. Value: paste the value obtained from the generate token step. 37 | 38 | - Body: Select raw text and paste the sample JSON into it. 39 | 40 | 4. *Important:* Change the name of the feed from `WannaCry` to something unique. Then click send. 41 | 42 | 5. A successful post operation returns a 201 OK. 43 | 44 | ![Figure: FMC REST API example setup](assets/images/Picture6.png) 45 | 46 | ```JSON 47 | { 48 | "name": "WannaCry", 49 | "uri": "https://cisco.box.com/shared/static/hxlc1d1r8u3naaj876mqwucuqjuywx01.txt", 50 | "feedType": "stix", 51 | "feedContent": "stix", 52 | "delivery": "url", 53 | "refresh": 1440, 54 | "version": "1.0.0", 55 | "downloadOn": true, 56 | "params": { 57 | "selfSignedServerCertificate": "false", 58 | "hostnameVerifier": "allow_all" 59 | }, 60 | "property": { 61 | "ttl": 90, 62 | "publish": true, 63 | "action": "monitor" 64 | } 65 | } 66 | 6. Optionally, to create a simple IP intelligence source located at: 67 | https://cisco.box.com/shared/static/phef4u63td7bxcgkgyt1vk5vrm461jcf.txt 68 | Follow the steps in 1, 2 and 3 but use the JSON text below 69 | 7. Important: Change the name of the feed from TorIpList to something unique 70 | 8. Important: Change the name of the feed from TorIpList to something unique 71 | 9. Click send 72 | 10. A successful post operation returns a 201 OK. 
73 | 74 | { 75 | "name": "TorIpList", 76 | "uri":"https://cisco.box.com/shared/static/phef4u63td7bxcgkgyt1vk5vrm461jcf.txt", 77 | "feedType": "flatfile", 78 | "feedContent": "IPV_4_ADDR", 79 | "delivery": "url", 80 | "refresh": 1440, 81 | "version": "1.0.0", 82 | "downloadOn": true, 83 | "params": { 84 | "selfSignedServerCertificate": "false", 85 | "hostnameVerifier": "allow_all" 86 | }, 87 | "property": { 88 | "ttl": 90, 89 | "publish": true, 90 | "action": "monitor" 91 | } 92 | } 93 | ``` 94 | 95 | 96 | ### View indicators of compromise 97 | Indicators (also known as Indicators of Compromise) convey specific Observable patterns, combined with contextual information intended to represent artifacts and/or behaviors of interest within a cyber security context. They contain one or more Observables in simple or complex relationships. 98 | 99 | 1. To see all Indicators of Compromise downloaded by TID, a GET ALL operation can be performed as shown below: 100 | 101 | ![Figure: FMC REST API example setup](assets/images/Picture7.png) 102 | 103 | 104 | 2. To retrieve a specific indicator, an objectId needs to be provided for the Get operation. For ex: https://cisco-tid.cisco.com/api/fmc_tid/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/tid/indicator/objectId 105 | 106 | 2. More complex queries can be run on the data to get enhanced results. The screenshot below shows a query to get all indicators ingested in the last 107 | one hour by specifying a filter, sorted by `updatedAt` time field. The first 40 results matching the criteria are to be returned, with all links expanded. 
108 | 109 | Sample Get Request: 110 | https://cisco-tid.cisco.com/api/fmc_tid/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/tid/indicator?filter=updatedAt:1496077717..1498419195&sort=-updatedAt&limit=40&expanded=true 111 | 112 | 113 | Following are the key/value pairs: 114 | 115 | | KEY | VALUE | 116 | |----------|----------------------------------| 117 | | filter | updatedAt: 1496077717..1498419195 | 118 | | sort | -updatedAt | 119 | | expanded | true | 120 | | limit | 40 | 121 | 122 | 123 | ### View Observables 124 | Observables represent stateful properties or measurable events pertinent to the operation of computers and networks. For example, IPs, Domains, URLs, File SHA’s, etc. Follow the steps described in the Indicators of Compromise section. 125 | 126 | *Sample Get Request:* 127 | https://cisco-tid.cisco.com/api/fmc_tid/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/tid/observable?filter=updatedAt:1496077717..1498419195&sort=-updatedAt&limit=40&expanded=true 128 | 129 | ### View Incidents 130 | 131 | Incidents are discrete instances of indicators affecting an organization, along with information discovered or decided during an incident response investigation. 132 | 133 | Follow the steps described in the Indicators of Compromise section. 
134 | 135 | *Sample Get Request:* 136 | https://cisco-tid.cisco.com/api/fmc_tid/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/tid/incident?filter=updatedAt: 1498077717..1498419195&sort=-updatedAt&limit=40&expanded=true 137 | -------------------------------------------------------------------------------- /labs/firepower-restapi-111/3.md: -------------------------------------------------------------------------------- 1 | # Sample Perl script 2 | ```Perl 3 | #!/usr/bin/perl 4 | 5 | use strict; 6 | use warnings; 7 | use Data::Dumper; 8 | use Getopt::Long; 9 | use Storable qw(dclone); 10 | use Error qw(:try); 11 | use 5.10.0; 12 | 13 | my $hostname = '127.0.0.1'; 14 | my $username = 'admin'; 15 | my $password = undef; 16 | 17 | GetOptions( "hostname=s" => \$hostname, 18 | "username=s" => \$username, 19 | "password=s" => \$password 20 | ); 21 | 22 | if (!defined( $password )) 23 | { 24 | print < (default: 127.0.0.1) 27 | --username (default: admin) 28 | --password (default: undef) 29 | 30 | EOL 31 | exit 1; 32 | } 33 | my $ua = RESTful::UserAgent->new(); 34 | my $status = $ua->connect( $hostname, $username, $password ); 35 | if ( $status ) 36 | { 37 | print "Failed to login\n\n"; 38 | exit 2; 39 | } 40 | 41 | my $SUPPORTED_URI = { 42 | 'element' => '/tid/element', 43 | 'indicator' => '/tid/indicator', 44 | 'observable' => '/tid/observable', 45 | 'taxii-discovery' => '/taxiiconfig/discoveryinfo', 46 | 'taxii-collections' => '/taxiiconfig/collections', 47 | 'taxii-subscribed-collections' => '/taxiiconfig/subscribedcollections', 48 | 'incident' => '/tid/incident', 49 | 'source' => '/tid/source', 50 | 'feedupload' => '/tid/feedupload', 51 | }; 52 | 53 | my $CREATE_DATA = { 54 | 'element' => {"name" => "MOMO","description" => "Element One"}, 55 | 'feedupload' => { 56 | "id" => "SOME_VALID_FEED_ID", 57 | "host" => "127.0.0.1", 58 | "name" => "test_name", 59 | "payload_file_1" => {file => '/var/tmp/file_upload_test.txt'}, 60 | }, 61 | 'observable' => { 62 | "id" => 
"url:yahoo.com", 63 | "version" => "1.2.3", 64 | "type"=> "observable", 65 | "dataType" => "url", 66 | "dataValue" => "yahoo.com", 67 | "dataAction" => "monitor", 68 | "dataWhitelist" => 'false', 69 | "description" => "__NO DESCRIPTION__" 70 | }, 71 | 'taxii-discovery' => { 72 | "type" => "source", 73 | "uri" => "http://hailataxii.com:80/taxii-discovery-service", 74 | "username" => "guest", 75 | "passwd" => "Z3Vlc3Q=", 76 | "clientCert" => "client_certificate_here", 77 | "clientPrivateKey" => "client_private_key_here", 78 | }, 79 | 'taxii-collections' => { 80 | "type" => "source", 81 | "uri" => "http://hailataxii.com:80/taxii-discovery-service", 82 | "username" => "guest", 83 | "passwd" => "Z3Vlc3Q=", 84 | "clientCert" => "client_certificate_here", 85 | "clientPrivateKey" => "client_private_key_here", 86 | "discoveryInfo" => [ 87 | { 88 | "collectionMessageBinding" => "[urn:taxii.mitre.org:message:xml:1.1]", 89 | "collectionAddress" => "http://hailataxii.com:80/taxii-data", 90 | "collectionPollIntervalInMinutes" => 0, 91 | "collectionName" => "COLLECTION_MANAGEMENT", 92 | "collectionContentBinding" => "[]", 93 | "type" => "taxii_collections", 94 | "collectionProtocolBinding" => "urn:taxii.mitre.org:protocol:https:1.0" 95 | } 96 | ] 97 | }, 98 | 'indicator' => 99 | { 100 | "id" => "01234567-0123-0123-0123-0123456789ab", 101 | "version" => "1.2.3", 102 | "type" => "indicator", 103 | "complete" => "true", 104 | "feedId" => "01234567-0123-0123-0123-0123456789ab", 105 | "name" => "Sample Indicator", 106 | "description" => "Test Indicator Description", 107 | "updatedAt" => 1459468800, 108 | "inheritedProp" => { 109 | "ttl" => 300, 110 | "publish" => "true", 111 | "action" => "monitor", 112 | "tags" => { 113 | "confidence" => "medium", 114 | "priority" => "medium" 115 | } 116 | }, 117 | "customProp" => { 118 | "ttl" => 0, 119 | "publish" => "true", 120 | "action" => "monitor", 121 | "tags" => {} 122 | }, 123 | "rawData" => "Orginal Stix xml", 124 | "containsUnsupported" 
=> "false", 125 | "containsInvalid" => "false", 126 | "pending" => [ 127 | "bleh", 128 | "blah", 129 | "blicky" 130 | ], 131 | "observables" => [ 132 | { 133 | "id" => "obs123", 134 | "name" => "observable 123", 135 | "description" => "description 123", 136 | "data" => { 137 | "type" => "domain", 138 | "value" => "google.com", 139 | "whitelist" => "true", 140 | }, 141 | }, 142 | { 143 | "id" => "obs456", 144 | "name" => "observable 456", 145 | "description" => "description 456", 146 | "data" => { 147 | "type" => "ip", 148 | "value" => "10.4.14.41", 149 | "whitelist" => "false", 150 | }, 151 | }, 152 | ], 153 | "equation" => { 154 | "op" => "AND", 155 | "data" => [ 156 | { 157 | "op" => "OR", 158 | "data" => [ 159 | { 160 | "condition" => "EQUALS", 161 | "applyCondition" => "ANY", 162 | "data" => [ 163 | { 164 | "type" => "MD5", 165 | "value" => "01234567890abcdef01234567890abcdef", 166 | } 167 | ] 168 | } 169 | ] 170 | }, 171 | { 172 | "op" => "OR", 173 | "data" => [ 174 | { 175 | "op" => "OR", 176 | "data" => [ 177 | { 178 | "condition" => "EQUALS", 179 | "applyCondition" => "ANY", 180 | "data" => [ 181 | { 182 | "type" => "destinationSocketAddress", 183 | "value" => "46.123.99.25", 184 | } 185 | ] 186 | } 187 | ] 188 | }, 189 | { 190 | "op" => "OR", 191 | "data" => [ 192 | { 193 | "op" => "OR", 194 | "data" => [ 195 | { 196 | "condition" => "EQUALS", 197 | "applyCondition" => "ANY", 198 | "data" => [ 199 | { 200 | "type" => "destinationSocketAddress", 201 | "value" => "46.123.99.26", 202 | } 203 | ] 204 | } 205 | ] 206 | } 207 | ] 208 | } 209 | ] 210 | } 211 | ] 212 | }, 213 | 214 | }, 215 | source => { 216 | "id" => "ABC-TAXII-FEED-1", 217 | "version" => "1", 218 | "type" => "source", 219 | "name" => "Automation TAXII Feed", 220 | "description" => "Automation TAXII Feed Description", 221 | "feedType" => "stix", 222 | "feedContent" => "stix", 223 | "delivery" => "taxii", 224 | "refresh" => 5, 225 | "username" => "guest", 226 | "passwd" => "Z3Vlc3Q=", 227 | "uri" 
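=> "http://hailataxii.com:80/taxii-discovery-service",
        "clientCert" => "client_certificate_here",
        "clientPrivateKey" => "client_private_key_here",
        "discoveryInfo" => [],
        "availableCollections" => [],
        "subscribedCollections" => [
            {
                "type" => "taxii_collections",
                "collectionName" => "guest.Abuse_ch",
                "collectionDescription" => "guest.Abuse_ch",
                "collectionProtocolBinding" => "urn:taxii.mitre.org:protocol:https:1.0",
                "collectionAddress" => "http://hailataxii.com:80/taxii-data",
                "collectionMessageBinding" => "urn:taxii.mitre.org:message:xml:1.1",
                "collectionPollIntervalInMinutes" => "60"
            }
        ],
        "startHour" => 22,
        "downloadOn" => "true",
        "runNow" => "true",
        "lastRun" => 0,
        "nextRun" => 0,
        "checksum" => "5FC4A666F2D171A976CDE8BB09193B6C07946E346F69FE3A54479C3A58FC7EC2",
        "params" => {
            "delimeter" => "##comma##",
            "chunking" => "false"
        },
        "property" => {
            "action" => "block",
            "publish" => "true",
            "ttl" => 50,
            "tags" => {
                "score" => "50",
                "color" => "red",
                "confidence" => "medium",
                "priority" => "high"
            }
        }
    },

};

# Maps the numeric id typed at the prompt to [ URI code, menu label ].
# The URI code is the key used below to index $SUPPORTED_URI and $CREATE_DATA.
my $ID_TO_URI = {
    1 => ['element', '1: Element'],
    2 => ['indicator', '2: Indicator'],
    3 => ['observable', '3: Observable'],
    4 => ['taxii-discovery', '4: taxii- discoveryinfo'],
    5 => ['taxii-collections', '5: taxii- collections'],
    6 => ['taxii-subscribed-collections', '6: taxii- subscribed collections'],
    7 => ['source', '7: source'],
    8 => ['feedupload', '8: feedupload'],
    9 => ['incident', '9: Incident'],
};

# Print the list of supported commands followed by the numbered URI menu,
# ordered by numeric id.
sub showHelper
{
    my @labels = map { $ID_TO_URI->{$_}->[1] } sort { $a <=> $b } keys %{$ID_TO_URI};

    print "\n\n";
    print "Supported commands> (ga)getall (g)get (c)create (e)edit (d)delete (do)domain (q)quit\n";
    print "Supported URI(s)>\n". join("\n", @labels) . "\n";
    print "\n\n";
}

my ($cmd, $id, $uriCode, $uri, $uuid, $reqURI);

# Interactive loop: read "CMD URI UUID", map the URI id to a path and run the
# matching REST call through $ua until the user enters 'q'.
$cmd = '0';
while ($cmd ne 'q')
{
    showHelper();
    print "INPUT>> CMD URI UUID : ";
    my $line = <STDIN>;
    # End of input (Ctrl-D, closed pipe): stop instead of prompting forever.
    last unless defined $line;
    chomp $line;
    ($cmd, $id, $uuid) = split(' ', $line);
    # An empty line yields no fields; normalise so the comparisons below and
    # the loop condition never see undef.
    $cmd = '' unless defined $cmd;
    $id  = '' unless defined $id;

    # The help text advertises "do"; "D" is kept because earlier versions
    # only recognised that spelling.
    if ( $cmd eq 'do' || $cmd eq 'D' ) { $ua->domain; next; }
    if ( $cmd eq 'q' ) { print "Exiting\n"; next; }
    if (!exists($ID_TO_URI->{$id})) { print "Unknown request\n"; next; }

    $uriCode = $ID_TO_URI->{$id}[0];
    $uri = $SUPPORTED_URI->{$uriCode};
    $uri = $uri .'/'. $uuid if ($uuid);

    # Plain if/elsif instead of given/when, which is experimental and
    # deprecated in current perl releases.
    if ($cmd eq 'ga') {
        $ua->showSummary( $ua->executeRequest( 'get', $uri ));
    }
    elsif ($cmd eq 'g') {
        $ua->showData( $ua->executeRequest( 'get', $uri ));
    }
    elsif ($cmd eq 'c') {
        # Edit a copy of the template so the template itself stays pristine.
        my $data = $ua->editData( dclone( $CREATE_DATA->{$uriCode} ));
        $ua->showData( $ua->executeRequest( 'post', $uri, $data )) if ($data);
    }
    elsif ($cmd eq 'e') {
        my $data = $ua->editData( $uri );
        $ua->showData( $ua->executeRequest( 'put', $uri, $data )) if ($data);
    }
    elsif ($cmd eq 'd') {
        $ua->showData( $ua->executeRequest( 'delete', $uri ));
    }
    else {
        print "Unknown request\n";
    }
};

# Leaving the loop is the normal way out of the tool, so report success.
exit 0;

# Minimal REST client for the FMC TID API: obtains an access token, issues
# requests under /api/fmc_tid/v1/domain/<domain> and pretty-prints the JSON.
package RESTful::UserAgent;
use Mojo::UserAgent;
use Data::Dumper;
use Error qw(:try);
use Storable qw(dclone);
use JSON;
use Data::Dumper;
use MIME::Base64 qw( encode_base64 );
use File::Temp ();
use 5.10.0;

# Constructor. Creates the underlying Mojo::UserAgent and the per-session
# state: request headers, domain (initially 'default') and a nesting counter
# used by exploreData for indentation.
sub new
{
    my ($class) = @_;
    my $self = {
        app     => Mojo::UserAgent->new(),
        _HEADER => { },
        _DOMAIN => 'default',
        _COUNT  => 0,
    };
    # Two-argument bless so subclasses get their own class name; falls back
    # to this package when called without an invocant.
    return bless $self, (ref($class) || $class || __PACKAGE__);
}

# Accessor for the underlying Mojo::UserAgent object.
sub app
{
    my ($self) = @_;
    return $self->{app};
}

# Return a deep copy of the session headers, so callers can modify the copy
# without touching the stored ones.
sub header
{
    my ($self) = @_;
    return dclone( $self->{_HEADER} );
}

# Path prefix of the TID API for the current domain.
sub URL
{
    my ($self) = @_;
    return '/api/fmc_tid/v1/domain/'. $self->{_DOMAIN};
}

# Authenticate against https://$host and store the access token and the
# domain UUID taken from the response headers.
# Returns 0 on success and 1 when the token endpoint does not answer 204.
sub connect
{
    my ($self, $host, $user, $passwd) = @_;
    $self->{baseURL} = 'https://'. $host;

    # The empty second argument stops encode_base64 from appending "\n" and
    # from wrapping long values, either of which would corrupt the header.
    # The credentials are deliberately not written to any log or stream.
    my $credentials = encode_base64($user .':'. $passwd, '');
    my $url = $self->{baseURL} .'/api/fmc_platform/v1/auth/generatetoken';
    my $tx = $self->app->post( $url => { 'Authorization' => 'Basic '. $credentials } );

    my $res = $tx->res;
    my $resCode = $res->code;
    # No status at all means the request never completed.
    return 1 if (!defined($resCode) || $resCode != 204);

    $self->{_HEADER}{'X-auth-access-token'} = $res->headers->header('X-auth-access-token');
    $self->{_DOMAIN} = $res->headers->header('domain_uuid');
    return 0;
}

# Decode the JSON body of a finished transaction and unwrap it: returns the
# 'dataList' member if present, else the 'data' member, else the decoded
# value itself. Returns undef when the body is not valid JSON.
sub _decodeResponse
{
    my ($self, $tx) = @_;

    my $res = eval { decode_json($tx->res->body) };
    if ($@)
    {
        # Report status and parser error only; dumping the whole transaction
        # would also print the request headers, access token included.
        my $code = $tx->res->code;
        warn "Could not decode response as JSON (HTTP status "
            . (defined($code) ? $code : 'none') ."): $@";
        return undef;
    }

    return $res unless (ref($res) eq 'HASH');
    return $res->{dataList} if exists($res->{dataList});
    return $res->{data} if exists($res->{data});
    return $res;
}

# Issue $cmd ('get', 'post', 'put' or 'delete') against $uri below the TID
# base path. $data, when given, is sent as JSON, or as form data when the URL
# contains 'feedupload'. Returns the unwrapped response (see _decodeResponse).
sub executeRequest
{
    my ($self, $cmd, $uri, $data) = @_;
    my $url = $self->{baseURL} .$self->URL .$uri;
    my $header = $self->header();
    warn "REQUEST $url\n";

    my $tx;
    if ($url =~ 'feedupload')
    {
        # NOTE(review): this is stored after $header was copied above, so it
        # only reaches later requests — confirm that is intended.
        $self->{_HEADER}{'enctype'} = 'multipart/form-data';

        # Debug dump of what is about to be sent, with the token masked.
        my $shown = $self->header();
        $shown->{'X-auth-access-token'} = '<redacted>' if exists($shown->{'X-auth-access-token'});
        print Dumper([$shown, $uri, $data]);

        # NOTE(review): fixed, predictable path in a shared directory, and
        # nothing in this sub reads it back. Presumably the feedupload
        # template refers to it — confirm, then use a private temp file.
        if (open(my $fh, '>', '/var/tmp/file_upload_test.txt'))
        {
            print $fh "www.ign.com\npbskids.org\nwww.funbrain.com\n";
            close $fh;
        }
        else
        {
            warn "Cannot write /var/tmp/file_upload_test.txt: $!\n";
        }

        $tx = ($data)? $self->app->$cmd( $url => $header => form => $data )
                     : $self->app->$cmd( $url => $header );
    }
    else
    {
        $tx = ($data)? $self->app->$cmd( $url => $header => json => $data )
                     : $self->app->$cmd( $url => $header );
    }

    return $self->_decodeResponse($tx);
}

# Recursively print an object tree: for a hash with an 'items' list, print
# one line per item and descend into the object its links.self points to;
# otherwise print the object itself as JSON. Indentation follows the depth.
sub exploreData
{
    my ($self, $data) = @_;

    # A failed or non-object response has nothing to walk.
    return unless (ref($data) eq 'HASH');

    $self->{_COUNT}++;
    my $spaces = join(' ', (' ') x $self->{_COUNT} );
    if (ref($data->{items}) eq 'ARRAY')
    {
        foreach my $item ( @{$data->{items}} )
        {
            warn "$spaces ID ". $item->{id} ." TYPE ". $item->{type} ." NAME ". $item->{name} ."\n";
            my $child = $self->execRequest($item->{links}{self});
            $self->exploreData( $child );
        }
    }
    else
    {
        warn "$spaces >>>> ID ". $data->{id} ." TYPE ". $data->{type} ." NAME ". $data->{name} ."\n";
        my $json = to_json( $data, { ascii => 1, pretty => 1 });
        warn $json ."<<<<<<<<<<<<<<<<< END >>>>>>>>>>>>>>>>>\n\n";
    }
    $self->{_COUNT}--;
}

# GET an absolute link with the session headers and return the unwrapped
# response (see _decodeResponse).
# NOTE(review): $link comes from a server response and is fetched with the
# access token attached; consider checking that it starts with
# $self->{baseURL} before following it.
sub execRequest
{
    my ($self, $link) = @_;

    my $tx = $self->app->get( $link => $self->header );
    return $self->_decodeResponse($tx);
}

# Show the known domains and prompt until the user enters one of their
# UUIDs, then store it in the session headers as 'DomainId'.
# NOTE(review): URL() builds the path from $self->{_DOMAIN}, which this sub
# does not change — confirm whether the selection should update it too.
sub domain
{
    my ($self) = @_;

    if (!exists($self->{SYSTEM}{ALL_DOMAIN}))
    {
        # SF::EOHandler is not loaded by anything visible in this file;
        # without it the list cannot be built, so say so instead of dying.
        unless (defined &SF::EOHandler::bulkLoad)
        {
            warn "Domain listing is unavailable: SF::EOHandler is not loaded\n";
            return;
        }
        my $eos = SF::EOHandler::bulkLoad('Domain');
        foreach my $d ( @{$eos} )
        {
            $self->{SYSTEM}{ALL_DOMAIN}{$d->{uuid}} = $d->{data}{qualified_name};
        }
    }
    $self->showData( $self->{SYSTEM}{ALL_DOMAIN} );

    my $domain;
    do
    {
        my $current = $self->{_HEADER}{DomainId};
        $current = '' unless defined $current;
        print "Enter domain ($current) ";
        $domain = <STDIN>;
        # End of input: keep the current selection rather than loop forever.
        return unless defined $domain;
        chomp($domain);
        if (!$domain)
        {
            print "You need to provide valid domain uuid\n";
            $self->showData( $self->{SYSTEM}{ALL_DOMAIN} );
        }

    } until (exists($self->{SYSTEM}{ALL_DOMAIN}{$domain}));

    $self->{_HEADER}{DomainId} = $domain;
}

# Let the user edit an object in $VISUAL / $EDITOR (default vi).
# $reqURI is either a data structure to edit directly or a URI whose current
# object is fetched first. The 'links' member is dropped before editing.
# Returns the edited structure, or undef when the editor could not be
# started or the result is not valid JSON.
sub editData
{
    my ($self, $reqURI) = @_;

    my $eo;
    if (ref($reqURI))
    {
        $eo = $reqURI;
    }
    else
    {
        my $eos = $self->executeRequest( 'get', $reqURI );
        $eo = ($eos && (ref($eos) eq 'ARRAY'))? $eos->[0] : ($eos && ref($eos))? $eos: {};
    }
    $eo = {} unless (ref($eo) eq 'HASH');
    delete $eo->{links};

    # Private, unpredictably named file that is removed when $tmp goes out
    # of scope; a fixed name under /tmp could be pre-created or symlinked by
    # another local user and would be left behind after the edit.
    my $tmp = File::Temp->new( TEMPLATE => 'json_data.XXXXXX', TMPDIR => 1, SUFFIX => '.json' );
    my $file = $tmp->filename;

    my $edited;
    my $ok = eval {
        $self->writeJSON($file, $eo);
        my $editor = $ENV{VISUAL} || $ENV{EDITOR} || 'vi';
        # List form: the file name is never interpreted by a shell. The
        # editor setting is split on whitespace so values such as
        # "editor --wait" keep working.
        my $rc = system(split(' ', $editor), $file);
        die "could not run editor '$editor': $!\n" if ($rc == -1);
        $edited = $self->readJSON($file);
        1;
    };
    warn "Edit abandoned: $@" unless $ok;
    return $edited;
}

# Write $eo to $file as pretty-printed ASCII JSON. Dies if the file cannot
# be opened or closed.
sub writeJSON
{
    my ($self, $file, $eo) = @_;
    open(my $fh, ">", $file) or die "Cannot open $file for writing: $!\n";
    print $fh to_json( $eo, { ascii => 1, pretty => 1 });
    close($fh) or die "Cannot close $file: $!\n";
}

# Read $file in one piece and return the decoded JSON. Dies if the file
# cannot be opened or does not contain valid JSON.
sub readJSON
{
    my ($self, $file) = @_;
    local $/; #Enable 'slurp' mode
    open(my $fh, "<", $file) or die "Cannot open $file for reading: $!\n";
    my $json = <$fh>;
    close $fh;
    return decode_json($json);
}

# Print $data as pretty-printed JSON on stdout, framed by banner lines on
# stderr.
sub showData
{
    my ($self, $data) = @_;

    warn "================showData==============\n";
    print to_json( $data, { ascii => 1, pretty => 1 }) ."\n";
    warn "======================================\n";
}

# Print a short "id / name" summary on stderr: one line per element for a
# list, one line for a single object with an id; anything else is handed to
# showData.
sub showSummary
{
    my ($self, $data) = @_;
    warn "REF >>". ref($data) ."<<\n";

    my @rows;
    if ($data && (ref($data) eq 'ARRAY'))
    {
        @rows = @{$data};
    }
    elsif ($data && (ref($data) eq 'HASH') && exists($data->{id}))
    {
        @rows = ($data);
    }
    else
    {
        $self->showData($data);
        return;
    }

    warn "===========showSummary================\n";
    warn "id : $_->{id}, name => $_->{name}\n" foreach @rows;
    warn "======================================\n";
}

exit 0;
```

--------------------------------------------------------------------------------
/labs/firepower-restapi-111/assets/images/Picture1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-111/assets/images/Picture1.png
--------------------------------------------------------------------------------
/labs/firepower-restapi-111/assets/images/Picture2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-111/assets/images/Picture2.png
--------------------------------------------------------------------------------
/labs/firepower-restapi-111/assets/images/Picture3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-111/assets/images/Picture3.png
--------------------------------------------------------------------------------
/labs/firepower-restapi-111/assets/images/Picture4.png:
--------------------------------------------------------------------------------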
https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-111/assets/images/Picture4.png -------------------------------------------------------------------------------- /labs/firepower-restapi-111/assets/images/Picture5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-111/assets/images/Picture5.png -------------------------------------------------------------------------------- /labs/firepower-restapi-111/assets/images/Picture6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-111/assets/images/Picture6.png -------------------------------------------------------------------------------- /labs/firepower-restapi-111/assets/images/Picture7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-111/assets/images/Picture7.png -------------------------------------------------------------------------------- /labs/firepower-restapi-111/byod.html: -------------------------------------------------------------------------------- 1 |
2 |

You need one of these popular web browsers: Chrome, Firefox, Safari or IE.

3 |

You can use either your own FMC setup or our FMC REST API Sandbox.

4 |
5 | -------------------------------------------------------------------------------- /labs/firepower-restapi-111/firepower-restapi-111.json: -------------------------------------------------------------------------------- 1 | { 2 | "labId": "firepower-restapi-111", 3 | "title": "Cisco Threat Intelligence Director (TID) APIs and their usage via API Explorer and Postman", 4 | "slug": "This Lab offers a basic understanding of the available FMC TID APIs and their usage.", 5 | "time": "30", 6 | "tags": [{ 7 | "title": "Firepower Management Center" 8 | }, { 9 | "title": "Firepower" 10 | }, 11 | { 12 | "title": "FMC" 13 | }, 14 | { 15 | "title": "TID" 16 | }, 17 | { 18 | "title": "Threat Intelligence Director" 19 | }, 20 | { 21 | "title": "Security" 22 | }, 23 | { 24 | "title": "Firewalls" 25 | },{ 26 | "title": "FTD" 27 | }, { 28 | "title": "NGFW" 29 | }, { 30 | "title": "NGIPS" 31 | }, { 32 | "title": "ASA with FP services" 33 | }, { 34 | "title": "Firepower Threat Defence" 35 | }, { 36 | "title": "Cisco Security REST API" 37 | }], 38 | "files": [{ 39 | "title": "Cisco Threat Intelligence Director (TID) APIs and their usage via API Explorer and Postman", 40 | "file": "1.md" 41 | }, { 42 | "title": "Use Postman", 43 | "file": "2.md" 44 | }, { 45 | "title": "Sample Perl script", 46 | "file": "3.md" 47 | }], 48 | "related": [{ 49 | "labId": "firepower-restapi-102", 50 | "title": "FMC rest api Lab 2" 51 | }], 52 | "authors": [{ 53 | "name": "Krishan Veer", 54 | "email": "veer@cisco.com" 55 | }], 56 | "byod": true 57 | } 58 | -------------------------------------------------------------------------------- /labs/firepower-restapi-112/1.md: -------------------------------------------------------------------------------- 1 | # Introduction to Firepower Management Center (FMC) API CRUD operations 2 | 3 | ## Objectives 4 | 5 | This lab teaches you the basic understanding of Firepower Management Center (FMC) REST based APIs CRUD operations. 
6 | 7 | ## Prerequisites 8 | Basic understanding of REST principles and firewalls. 9 | 10 | ## Read operation GET 11 | If you are using the [DevNet Sandbox](https://fmcrestapisandbox.cisco.com/api/api-explorer/), for this workshop session the username and password is provided to you. These credentials are only valid for this session. 12 | 13 | If you are learning at home or in an office please follow instructions below: 14 | 15 | **Note on obtaining username/password for FMC sandbox:** 16 | 17 | The API Explorer URL is publicly available. However, in order to login to the FMC, users must first be allocated credentials. This is done by reserving the lab for however long you require access, i.e. click the "RESERVE" button in the upper right of the Firepower Management Center sandbox page which can be accessed with this URL: https://developer.cisco.com/site/devnet/sandbox/docs/index.gsp#security/overview 18 | 19 | Select Firepower Management Center from the above page. 20 | 21 | You will require cisco.com credentials to access the reservation page from the above URL. 22 | 23 | Once reserved, a username/password will be sent to you via email and also displayed in the output window on this page. These credentials are valid for the duration of your reservation. You will not be able to login to the API Explorer once the reservation has ended. 24 | 25 | If further access is required, just reserve the lab again and new credentials will be sent. 26 | 27 | As this is an always on lab and resources are shared, users are allocated read-only rights. 28 | 29 | 30 | Click Objects. Then scroll and find Network object. Click GET. 31 | 32 | ![Figure: FMC API Explorer UI ](assets/images/pic1.PNG) 33 | 34 | 35 | 36 | Since this is a READ operation you can press *GET* on the *API CONSOLE* pane to get all of the network objects from FMC. 
37 | 38 | ![Figure: FMC API Explorer UI](assets/images/pic2.PNG) 39 | 40 | 41 | ## Write operation POST 42 | 43 | This time you need to click on the POST operation, and click Examples to get JSON. 44 | 45 | ![Figure: FMC API Explorer UI](assets/images/pic3.PNG) 46 | 47 | 48 | Alternatively, you can copy JSON from here. 49 | 50 | *You need to modify name to avoid conflicts with other API users* 51 | 52 | ```JSON 53 | { 54 | "name": "Clus-17", 55 | "value": "1.0.0.0/24", 56 | "overridable": false, 57 | "description": "Test REST API Object", 58 | "type": "Network" 59 | } 60 | ``` 61 | 62 | 63 | 64 | Copy and paste the JSON in the API CONSOLE *Body* section, and click POST. 65 | 66 | 67 | ![Figure: FMC API Explorer UI](assets/images/pic4.PNG) 68 | -------------------------------------------------------------------------------- /labs/firepower-restapi-112/2.md: -------------------------------------------------------------------------------- 1 | ## Update operation PUT 2 | 3 | The PUT operation requires you to do a GET operation first, as you need to find the Network object you are interested in modifying. 4 | 5 | Do the GET as explained in the previous page; locate the network object you are interested in modifying in the API CONSOLE. Once you locate the object, *copy* its UUID and keep it for the PUT operation. 6 | ![Figure: FMC API Explorer UI](assets/images/pic5.PNG) 7 | 8 | Click **PUT**. 9 | 10 | You paste the object UUID in the API CONSOLE *Object ID* window. You also need to copy and paste the JSON for the modified network object. 11 | 12 | You have to provide the following required field based on your GET operation above: 13 | 1. *id* - The UUID you saved during your GET operation. 14 | 2. *name* - Name can be the same as your GET operation, or you can modify it. 
15 | 16 | ```JSON 17 | { 18 | "type": "Network", 19 | "value": "1.2.3.0/24", 20 | "overridable": false, 21 | "description": "Test Description", 22 | "id": "networkObjectUUID", 23 | "name": "network_obj_name" 24 | } 25 | ``` 26 | 27 | Once you have the JSON modified and pasted in the API CONSOLE window, click **PUT**. 28 | 29 | ![Figure: FMC API Explorer UI](assets/images/pic6.PNG) 30 | 31 | 32 | ## DELETE operation 33 | 34 | The DELETE operation requires you to do a GET operation first, as you need to find the Network object you are interested in deleting. 35 | 36 | Do the GET as explained in the previous page; locate the network object you are interested in deleting in API CONSOLE. 37 | ![Figure: FMC API Explorer UI](assets/images/pic5.PNG) 38 | 39 | Copy and paste only the UUID in the API CONSOLE *Object ID* window. 40 | 41 | Click **DELETE**. 42 | 43 | ![Figure: FMC API Explorer UI](assets/images/pic7.PNG) 44 | -------------------------------------------------------------------------------- /labs/firepower-restapi-112/assets/images/pic1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-112/assets/images/pic1.PNG -------------------------------------------------------------------------------- /labs/firepower-restapi-112/assets/images/pic2.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-112/assets/images/pic2.PNG -------------------------------------------------------------------------------- /labs/firepower-restapi-112/assets/images/pic3.PNG: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-112/assets/images/pic3.PNG -------------------------------------------------------------------------------- /labs/firepower-restapi-112/assets/images/pic4.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-112/assets/images/pic4.PNG -------------------------------------------------------------------------------- /labs/firepower-restapi-112/assets/images/pic5.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-112/assets/images/pic5.PNG -------------------------------------------------------------------------------- /labs/firepower-restapi-112/assets/images/pic6.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-112/assets/images/pic6.PNG -------------------------------------------------------------------------------- /labs/firepower-restapi-112/assets/images/pic7.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CiscoDevNet/fmc-rest-api/876a106eef0d936d404758e8ec9b024293eca0aa/labs/firepower-restapi-112/assets/images/pic7.PNG -------------------------------------------------------------------------------- /labs/firepower-restapi-112/byod.html: -------------------------------------------------------------------------------- 1 |
2 |

You need one of these popular web browsers: Chrome, Firefox, Safari or IE.

3 |

You can use either your own FMC setup or our FMC REST API Sandbox.

4 |
5 | -------------------------------------------------------------------------------- /labs/firepower-restapi-112/firepower-restapi-112.json: -------------------------------------------------------------------------------- 1 | { 2 | "labId": "firepower-restapi-112", 3 | "title": "Introduction to Firepower Management Center (FMC) API CRUD operations", 4 | "slug": "This Lab gives an introduction to Firepower Management Center (FMC) REST APIs. These APIs automates the management of Firepower Threat Defense (FTD) and Legacy Firepower devices via FMC.", 5 | "time": "25", 6 | "tags": [{ 7 | "title": "Firepower Management Center" 8 | }, { 9 | "title": "Firepower" 10 | }, 11 | { 12 | "title": "FMC" 13 | }, 14 | { 15 | "title": "Security" 16 | }, 17 | { 18 | "title": "Firewalls" 19 | },{ 20 | "title": "FTD" 21 | }, { 22 | "title": "NGFW" 23 | }, { 24 | "title": "NGIPS" 25 | }, { 26 | "title": "ASA with FP services" 27 | }, { 28 | "title": "Firepower Threat Defence" 29 | }, { 30 | "title": "Cisco Security REST API" 31 | }], 32 | "files": [{ 33 | "title": "Introduction to Firepower Management Center (FMC) API CRUD operations", 34 | "file": "1.md" 35 | }, { 36 | "title": "Update operation PUT", 37 | "file": "2.md" 38 | }], 39 | "related": [{ 40 | "labId": "firepower-restapi-102", 41 | "title": "FMC rest api Lab 2" 42 | }], 43 | "authors": [{ 44 | "name": "Krishan Veer", 45 | "email": "veer@cisco.com" 46 | }], 47 | "byod": true 48 | } 49 | --------------------------------------------------------------------------------