Silver Torch is a Python application designed to streamline and automate the creation and administration of large ruleset within Cisco Firepower Management Center.
- Located within the templates Directory, There are two primary files to for rule creation
- You can use these files as a example on how to stage and/or manage rules unto the Firewall.
Below explains how some of the workflow work.
- import CSV file
- extract src,dst,ports,protocols(UDP/TCP),proposed Port name, comment or ticket number
- Get zone and Fastpath (CEF equivalent) from sensor
- get ports,protocols,IPs and their respective groups from FMC
- Create the FMC object name for the relevant artifacts if needed or get the object if its already in FMC
- Check if a duplicate policy exist in the ACP if it does drop that rule
- Insert rule in a rule_prepend_name_comment_sequence_number" format with the rule info
- Check if all rules in the original IPPP match what was staged on the fmc
- if ANY rules from the IPPP is not present in the ACP then roll back the ACP to the pre-installed state.
- the rule_prepend_name argument will be used to find what subset of rules to looks for in the ACP
- a comment must be assigned to show to practice proper rule auditing implementations
- if a match is found then it will try to optimize the ruleset by the zone information as much as possible
- follow steps 7 & 8 from Deploy Rules
- import CSV file
- extract src,dst,ports,protocols(UDP/TCP),proposed Port name, ticket number
- basically step 8 from Deploy Rules
- it more than likely possible to pull the zone info by looking up the logical interface name but for now please name the logical interface the same as the security zone.
- To support backward compatibility of the FMC API (<=7.0), only TCP or UDP can be used in the protocols section of ACL injest CSV you create.
- any IP that doesn't have a fastpath match can have a zone assigned to it using the zone_of_last_resort argument
user@machine:~/SilverTorch$ python3 terminal_entry.py -config_file firepower_configs.yaml- Q. Well how does this deal with rule deduplication????
A. it scans the ACP and if a rule has the same Source and Destination Zone AND IPs and port it will drop the potential rule from getting staged. - Q. Thats fancy what about rules with nested objects???? hmmmm!
A. It also scans recrusively to find potential duplicate IP or port objects. - Q.what is template_cred.json used for??? A. that is for testing temporary purposes only. IT SHOULD not be used permanently as it holds your credentials in the clear!!