Firepower Management Center generate access-list report

Started by matgar, July 06, 2022, 07:30:59 AM


matgar

Greetings all.

Any FMC/firepower gurus here?
I'm trying to find a convenient way to create a report of all access list/policy rules in FMC going toward some specific subnets.
So far I've been unable to find a way to do so, short of simply taking the output from a CLI "show access-list xxxxx" and then manually going through it and filtering out all rules that don't have any of the interesting subnets as destination.

The reverse direction was much easier since I could simply filter on input interface, but no such luck on the traffic going into that interface/vrf. (and we don't use destination zone in most of our rules.)

Sure I can do searches in the GUI, but I don't find those particularly helpful since I can't find an easy way to export the results to do further processing. And honestly the GUI filter for only showing matching filter doesn't always work so well.

So I thought I would check with you guys if you have any suggestions/tips about how to get/generate such a list.

//matgar

deanwebb

:smug:

There are about a dozen products built to answer that very question. Tufin, Firemon, and Algosec are some leaders in the firewall rule sanitation biz, well worth looking into. The thing here is that you have this one question today, but a tool would answer similar questions tomorrow and do so in an automated way that will help deal with configuration drift issues and compliance/governance audits.

I've used Tufin a good deal back when I worked at Global Megacorporation and it was so much easier to search on rules with that tool than with the native GUI/CLI for the firewalls. Even with the version I had 5-6 years ago, I could make reports like you're asking for easily and then take actions based on those reports.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

There is a tool out there that will allow you to export it to a CSV. I had a brief look and it needed further understanding. I wasn't sure how much time would be required and I didn't want to waste time unnecessarily.

So instead, what I did as a one-off was log into the FMC with a browser and copy the tables from the browser and paste directly into MS Excel. Once I had all the rules copied into Excel, I simply used Excel to figure out all of the rules needing to be replicated across. Some rules were there that were no longer required or were there because of a previous ASA migration tool that messed up the config etc etc. I used colours and added additional lines in Excel to expand on the ACL groups and other groups etc.

Another huge benefit to me by doing it this way is that by the time I got to installing rules for the new firewall, I had learnt most of the config and understood routes and rules placement and reasoning.

matgar

Quote from: deanwebb on July 06, 2022, 09:45:35 AM
:smug:

There are about a dozen products built to answer that very question. Tufin, Firemon, and Algosec are some leaders in the firewall rule sanitation biz, well worth looking into. The thing here is that you have this one question today, but a tool would answer similar questions tomorrow and do so in an automated way that will help deal with configuration drift issues and compliance/governance audits.

I've used Tufin a good deal back when I worked at Global Megacorporation and it was so much easier to search on rules with that tool than with the native GUI/CLI for the firewalls. Even with the version I had 5-6 years ago, I could make reports like you're asking for easily and then take actions based on those reports.
Thanks Dean, will have to have a talk internally about looking into those tools. Still I think it's sad that Cisco couldn't have a function for this built in. But I guess I'm asking for too much.
As a side-note I had totally forgotten about making this post. The information turned out not to be needed at the time, then I got distracted with other things and totally forgot about it.

matgar

Quote from: Dieselboy on July 07, 2022, 03:55:44 AM
There is a tool out there that will allow you to export it to a CSV. I had a brief look and it needed further understanding. I wasn't sure how much time would be required and I didn't want to waste time unnecessarily.

So instead, what I did as a one-off was log into the FMC with a browser and copy the tables from the browser and paste directly into MS Excel. Once I had all the rules copied into Excel, I simply used Excel to figure out all of the rules needing to be replicated across. Some rules were there that were no longer required or were there because of a previous ASA migration tool that messed up the config etc etc. I used colours and added additional lines in Excel to expand on the ACL groups and other groups etc.

Another huge benefit to me by doing it this way is that by the time I got to installing rules for the new firewall, I had learnt most of the config and understood routes and rules placement and reasoning.
Thanks for the tip.
Not sure exactly how you would copy the tables from the browser. I must be missing something.
But even if I could, it doesn't seem more useful/feasible than getting it from the CLI and then manipulating it out to a usable format.
Did you do this for a smallish environment?

Dieselboy

Quote from: matgar on August 03, 2022, 03:18:03 AM
Quote from: Dieselboy on July 07, 2022, 03:55:44 AM
There is a tool out there that will allow you to export it to a CSV. I had a brief look and it needed further understanding. I wasn't sure how much time would be required and I didn't want to waste time unnecessarily.

So instead, what I did as a one-off was log into the FMC with a browser and copy the tables from the browser and paste directly into MS Excel. Once I had all the rules copied into Excel, I simply used Excel to figure out all of the rules needing to be replicated across. Some rules were there that were no longer required or were there because of a previous ASA migration tool that messed up the config etc etc. I used colours and added additional lines in Excel to expand on the ACL groups and other groups etc.

Another huge benefit to me by doing it this way is that by the time I got to installing rules for the new firewall, I had learnt most of the config and understood routes and rules placement and reasoning.
Thanks for the tip.
Not sure exactly how you would copy the tables from the browser. I must be missing something.
But even if I could, it doesn't seem more useful/feasible than getting it from the CLI and then manipulating it out to a usable format.
Did you do this for a smallish environment?

No, it wasn't really small but was just one large FTD migration from an old site to a new FTD at a new location. I was brand new to the environment so needed to spend time deep-diving anyway.

You can copy stuff from web browsers and paste the contents elsewhere in most cases. Sometimes websites restrict this but Firepower doesn't. Even if websites restrict this I think on Android you can use the AI to pull out some data...

I don't really use the CLI much in Firepower but I suppose you could do it that way. Even if you paste it into a .txt file you can then import that data into Excel and use markers to limit the tables. I could see it taking longer but if you're more comfortable that way and it works.
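Both of the approaches discussed in this thread (matgar's idea of filtering "show access-list" output by destination subnet, and Dieselboy's suggestion of getting the rules into a spreadsheet) can be scripted. The following is an added example, not code from any poster or from Cisco. It assumes the ACE line layout commonly seen on ASA/FTD ("access-list <ACL> line <n> advanced permit|deny <proto> <src> [ports] <dst> [ports] rule-id <id> (hitcnt=<n>) 0x<hash>") and that object-group entries are followed by indented child lines with the addresses already expanded, so the parent line can be skipped. The sample output is constructed, not captured from a real device, and the ACL name CSM_FW_ACL_ and the rule-ids in it are placeholders.

```python
"""Filter Firepower/ASA 'show access-list' output by destination subnet and emit CSV.

Added example (not from the thread). Assumed line layout:
  access-list <ACL> line <n> advanced permit|deny <proto> <src> [ports] <dst> [ports] rule-id <id> (hitcnt=<n>) 0x<hash>
Object-group lines are assumed to be followed by indented, pre-expanded child lines.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?:advanced|extended)\s+(?P<action>permit|deny)\s+(?P<rest>.*)$"
)
PORT_OPS = {"eq", "gt", "lt", "neq", "range"}
ANY = {"any": "0.0.0.0/0", "any4": "0.0.0.0/0", "any6": "::/0"}


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    src: Optional[Net]
    dst: Optional[Net]
    rule_id: Optional[str]
    hitcnt: Optional[int]


def parse_addr(tokens, i):
    """Parse one address spec at tokens[i]; return (network or None, next index).
    None means an object/object-group reference, which only the expanded child
    lines resolve to concrete addresses."""
    tok = tokens[i]
    if tok in ANY:
        return ipaddress.ip_network(ANY[tok]), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if tok in ("object", "object-group", "interface", "ifc"):
        return None, i + 2
    if "/" in tok:  # CIDR form
        return ipaddress.ip_network(tok, strict=False), i + 1
    # classic "address netmask" form
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def skip_ports(tokens, i):
    """Step over an optional port qualifier such as 'eq 443' or 'range 1 1023'."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return i + (3 if tokens[i] == "range" else 2)
    return i


def parse_ace(line):
    """Return an Ace for an access-list entry line, or None for remarks and other lines."""
    m = ACE_RE.match(line)
    if not m:
        return None
    tokens = m["rest"].split()
    try:
        i = 0
        proto = tokens[i]
        i += 1
        if proto == "object-group":  # service group: 'object-group NAME'
            proto = tokens[i]
            i += 1
        src, i = parse_addr(tokens, i)
        i = skip_ports(tokens, i)
        dst, i = parse_addr(tokens, i)
    except (IndexError, ValueError):
        return None  # unexpected layout: leave it out rather than misreport it
    rule_id = tokens[tokens.index("rule-id") + 1] if "rule-id" in tokens else None
    hit = re.search(r"hitcnt=(\d+)", line)
    return Ace(m["acl"], int(m["line"]), m["action"], proto, src, dst,
               rule_id, int(hit.group(1)) if hit else None)


def rules_toward(output, subnets, include_catchall=True):
    """Return ACEs whose destination overlaps any of the given subnets, in ACL order.
    Parent object-group lines are skipped (their children carry the addresses).
    include_catchall=False drops 'any' destinations such as a final deny ip any any."""
    targets = [ipaddress.ip_network(s) for s in subnets]
    hits = []
    for line in output.splitlines():
        ace = parse_ace(line)
        if ace is None or ace.dst is None:
            continue
        if not include_catchall and ace.dst.prefixlen == 0:
            continue
        if any(ace.dst.version == t.version and ace.dst.overlaps(t) for t in targets):
            hits.append(ace)
    return hits


def to_csv(aces):
    """Render matched ACEs as CSV text ready for a spreadsheet."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["acl", "line", "rule_id", "action", "proto", "src", "dst", "hitcnt"])
    for a in aces:
        w.writerow([a.acl, a.line, a.rule_id, a.action, a.proto, a.src, a.dst, a.hitcnt])
    return buf.getvalue()


# Constructed sample output (placeholder ACL name, rule-ids and hashes), not a real capture.
SAMPLE_OUTPUT = """\
access-list CSM_FW_ACL_ line 1 remark rule-id 268434432: ACCESS POLICY: Corp-Policy - Mandatory
access-list CSM_FW_ACL_ line 2 advanced permit tcp 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0 eq 443 rule-id 268434433 (hitcnt=12) 0x1a2b3c4d
access-list CSM_FW_ACL_ line 3 advanced permit ip object-group CORP_USERS object-group DC_SERVERS rule-id 268434434 (hitcnt=7) 0x5e6f7a8b
  access-list CSM_FW_ACL_ line 3 advanced permit ip 10.20.0.0 255.255.255.0 host 192.168.50.10 rule-id 268434434 (hitcnt=7) 0x9c0d1e2f
  access-list CSM_FW_ACL_ line 3 advanced permit ip 10.20.0.0 255.255.255.0 host 172.16.8.5 rule-id 268434434 (hitcnt=0) 0x3a4b5c6d
access-list CSM_FW_ACL_ line 4 advanced permit udp host 10.9.9.9 eq 514 host 172.16.8.20 eq 514 rule-id 268434435 (hitcnt=3) 0x7e8f9a0b
access-list CSM_FW_ACL_ line 5 advanced deny ip any any rule-id 268434436 (hitcnt=99) 0x0c1d2e3f
"""

if __name__ == "__main__":
    print(to_csv(rules_toward(SAMPLE_OUTPUT, ["192.168.50.0/24"])))
```

Save the real "show access-list" output to a file, pass its contents to rules_toward() with the subnets of interest, and open the CSV in a spreadsheet. Overlap rather than exact match is used deliberately: a rule toward 192.168.0.0/16 still reaches 192.168.50.0/24 and would be missed by a string search. The catch-all "any" destination is kept by default because the final deny is part of what reaches the subnet; set include_catchall=False to hide it when only the specific rules matter.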