If you are reading this blog then you most likely understand that APIs allow inter-working among products. In the context of Firepower Management Center (FMC), the REST APIs let you program Firepower devices so that you can automatically provision devices, deploy policies and controls, and monitor device health. In this blog I will try to explain how you can get started with these APIs and derive value from them.
The FMC APIs were introduced in the recent Firepower 6.1 release. As shown in the picture below, FMC APIs allow you to program all the types of devices that FMC can manage.
Before we get into how to use the APIs, let me quickly summarize what is available in the first release. FMC 6.1 APIs allow you to address the most common Firepower programmability use cases, where you want to be able to
- Register/de-register Firepower and Firepower Threat Defense devices
- Program & deploy standardized Access Control Objects & Rules on Firepower and Firepower Threat Defense devices
- Monitor Firepower and Firepower Threat Defense Device health & interface statuses
These FMC APIs are prepackaged with FMC software and you don’t need any license to enable them. All you have to do is go to your FMC settings and enable the APIs. Once you enable these APIs, any FMC user can be provided with access with a click of a button. These FMC APIs are completely secure and use a token-based authentication mechanism for API users.
The easiest way to figure out specific operations available on any version is by using “FMC API Explorer.” You can launch the API explorer by using the URL
https://<fmc_url>/api/api-explorer/
Replace <fmc_url> with your FMC’s domain name or IP address, and you will see the API Explorer like the one below.
As you can see in the picture, the Firepower API Explorer not only provides information about the possible API operations but also gives you code that you can use. To generate the code, click a function on the left-hand side, select the REST operation, and export the code from the right-hand panel through the “Export operation in…” pull-down menu.
To execute any of these operations using REST clients, you will need the “X-auth-access-token” that authenticates API requests. You obtain the token with a “generate token” request that carries the “authorization” parameters, i.e. username and password. Once you have the “X-auth-access-token”, you can use it in the API requests.
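The token flow described above, as an added example that is not from the original post or from the API Explorer's exported code. The two endpoint paths and the DOMAIN_UUID response header come from Cisco's FMC REST API rather than from this page; StubFMC, the credentials, the token value and the device name are constructed so the block runs offline.

```python
import base64, json, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"  # Cisco FMC REST path, not quoted on this page
DEVICES_PATH = "/api/fmc_config/v1/domain/{domain}/devices/devicerecords"

def generate_token(base_url, username, password, open_url=urllib.request.urlopen):
    """Send HTTP Basic credentials once; the token comes back in response headers."""
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + TOKEN_PATH, data=b"", method="POST",
                                 headers={"Authorization": "Basic " + cred})
    with open_url(req, timeout=10) as resp:
        token, domain = resp.headers.get("X-auth-access-token"), resp.headers.get("DOMAIN_UUID")
    if not token:
        raise RuntimeError("response carried no X-auth-access-token header")
    return token, domain

def list_devices(base_url, token, domain, open_url=urllib.request.urlopen):
    """Later requests carry only the token header, never the password."""
    req = urllib.request.Request(base_url + DEVICES_PATH.format(domain=domain),
                                 headers={"X-auth-access-token": token})
    with open_url(req, timeout=10) as resp:
        return json.load(resp)

class StubFMC(BaseHTTPRequestHandler):  # constructed stand-in so the example runs offline
    def log_message(self, *args): pass  # keep request lines out of the console
    def _reply(self, code, headers=(), body=b""):
        self.send_response(code)
        for name, value in headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)
    def do_POST(self):
        good = "Basic " + base64.b64encode(b"apiuser:constructed-pass").decode()
        ok = self.path == TOKEN_PATH and self.headers.get("Authorization") == good
        issued = [("X-auth-access-token", "constructed-token"), ("DOMAIN_UUID", "constructed-domain")]
        self._reply(204 if ok else 401, issued if ok else ())
    def do_GET(self):
        ok = self.headers.get("X-auth-access-token") == "constructed-token"
        self._reply(200 if ok else 401, body=b'{"items": [{"name": "ftd-lab-1"}]}' if ok else b"")

def demo(password="constructed-pass"):
    with HTTPServer(("127.0.0.1", 0), StubFMC) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{srv.server_port}"  # a real FMC is https://<fmc_url>
        direct = urllib.request.build_opener(urllib.request.ProxyHandler({})).open  # no proxy for loopback
        try:
            token, domain = generate_token(base, "apiuser", password, direct)
            return token, domain, list_devices(base, token, domain, direct)
        finally:
            srv.shutdown()
```

Against a real FMC, pass `https://<fmc_url>` as `base_url` and keep the default `urlopen`, which verifies the server certificate, so the Basic credentials and the token are not sent to an unauthenticated endpoint.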
Now you can use the code available in FMC API Explorer to program Firepower devices using custom scripts, third-party policy orchestration solutions or even other Cisco solutions. By the way, have a look at the short FMC 6.1 API video tutorial to understand how you can do all of this.
If you need more details on how to get started, don’t forget to check out our Firepower REST API Quick Start Guide.
And, one more thing…
Along with these FMC APIs, we have also made the ACI device packages for Firepower and Firepower Threat Defense available. So if you are a Cisco APIC customer who wants to dynamically instantiate virtual Firepower and Firepower Threat Defense devices and program them through FMC APIs, you will be able to do that. Please check out Using Firepower device package in ACI to learn more on that front.
Informative
Sure shows the increasingly software-defined path that networking is taking.
These APIs are certainly making the control of Cisco devices a lot easier.
Are there any near-future plans to provide feature parity with FMC UI? Since the API has been an afterthought it still lacks > 95% of the functionality of FMC making it nearly impossible to use for automation. Being able to edit ALL policies and not just the Access Control Policy and change ALL device parameters (not just interfaces) would be a real game changer. At the moment it is not very useful and stable…
Michael,
One reason for releasing the APIs was to improve automation possibilities. There are plans to improve the scope of the FMC APIs in upcoming releases, which will expand the scope for automation. Stay tuned for more updates.
Jayant