Cisco Firepower is your administrative nerve center for managing critical Cisco network security solutions. It provides complete and unified management of firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection.
This document provides information about the Cisco Firepower connector, which facilitates automated interactions with Cisco Firepower using FortiSOAR™ playbooks. Add the Cisco Firepower connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of currently blocked networks on a Firepower Network Group Object and blocking or unblocking an IP address on a Firepower Network Group Object.
Connector Version: 2.0.0
FortiSOAR™ Version Tested on: 4.11.0-1161
Cisco Firepower Version Tested on: 6.2.3
Authored By: Fortinet
Certified: Yes
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

```
yum install cyops-connector-cisco-firepower
```
For the detailed procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In CyOPs™, on the Connectors page, click the Cisco Firepower connector row, and in the Configuration tab enter the required configuration details.
Parameter | Description |
---|---|
Server URL | URL of the Cisco Firepower server to which you will connect and perform the automated operations. |
Username | Username to access the Cisco Firepower server to which you will connect and perform the automated operations. |
Password | Password to access the Cisco Firepower server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
List Access Policy | Retrieves a list and details of all access control policies from the Cisco Firepower server. | list_block_ip Investigation |
Block IP | Adds the IP addresses or networks that you have specified as blacklist items in the Network Group Object that you have specified on the Cisco Firepower server. | block_ip Containment |
Unblock IP | Removes the IP addresses or networks that you have specified as blacklist items from the Network Group Object that you have specified on the Cisco Firepower server. | unblock_ip Remediation |
Parameter | Description |
---|---|
Domain Name | (Optional) Name of the domain for which you want to retrieve a list of policies or network groups from the Cisco Firepower server. Note: If you do not specify a domain, then by default this is set to Global. |
Limit | (Optional) Maximum number of records to be retrieved per page from the Cisco Firepower server. Note: By default, this is set to 10. |
Offset | (Optional) Index of the first item to return from the search result, in the case of paginated results. Note: By default, this is set to 0. |
The output contains the following populated JSON schema, which contains a list and details of all access control policies retrieved from the Cisco Firepower server:
```json
{
    "links": {
        "self": ""
    },
    "items": [
        {
            "type": "",
            "links": {
                "self": ""
            },
            "name": "",
            "id": ""
        }
    ],
    "paging": {
        "offset": "",
        "limit": "",
        "count": "",
        "pages": ""
    }
}
```
Parameter | Description |
---|---|
Domain Name | (Optional) Name of the domain for which you want to block IP addresses or Network Group Objects on the Cisco Firepower server. Note: If you do not specify a domain, then by default this is set to Global. |
Network Group Object | Network Group Object in which you want to add the specified IP addresses or networks as blacklisted items on the Cisco Firepower server. |
IP Address | IP Address or network that you want to add to the blacklist in the specified Network Group Object on the Cisco Firepower server. Note: You can specify multiple IP addresses or networks in the list format. For example, [xx.xx.xx.1, xx.xx.xx.2, xx.xx.xx.3] |
Note: If you have specified IP addresses or networks that already exist as blacklisted items in the Network Group Object that you have specified, then the Cisco Firepower connector will not perform any action, i.e., it will skip adding the specified IP addresses or networks to the specified Network Group Object.
The JSON output contains key-value pairs, and each key has a specific meaning.
For example, the existing key contains only those IPs or networks that are present in the specified network group when a user performs the block action.
The output contains the following populated JSON schema:
```json
{
    "existing": [],
    "newly_added": [],
    "not_found": [],
    "removed": []
}
```
Parameter | Description |
---|---|
Domain Name | (Optional) Name of the domain for which you want to unblock IP addresses or Network Group Objects on the Cisco Firepower server. Note: If you do not specify a domain, then by default this is set to Global. |
Network Group Object | Network Group Object from which you want to remove the specified IP addresses or networks as blacklisted items on the Cisco Firepower server. |
IP Address | IP Address or network that you want to remove from the blacklist in the specified Network Group Object on the Cisco Firepower server. Note: You can specify multiple IP addresses or networks in the list format. For example, [xx.xx.xx.1, xx.xx.xx.2, xx.xx.xx.3] |
Note: If you have specified IP addresses or networks that do not exist as blacklisted items in the Network Group Object that you have specified, then the Cisco Firepower connector will not perform any action, i.e., it will skip removing the specified IP addresses or networks from the specified Network Group Object.
The JSON output contains key-value pairs, and each key has a specific meaning.
For example, the not_found key contains only those IPs or networks that are not present in the specified network group when a user performs the unblock action.
The output contains the following populated JSON schema:
```json
{
    "existing": [],
    "newly_added": [],
    "not_found": [],
    "removed": []
}
```
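The skip behaviour described in the Block IP and Unblock IP notes can be modelled offline to check what a playbook should expect in each result key. This is an added example, not the connector's code: `normalize`, `apply_action` and `containment_gaps` are hypothetical helpers, and the sample addresses are constructed. It assumes entries are matched exactly (no subnet containment) and that `newly_added` and `removed` hold the entries actually changed, which the page implies by the key names but does not state.

```python
import ipaddress

KEYS = ("existing", "newly_added", "not_found", "removed")

def normalize(entries):
    """Canonicalise IPs/networks; raise ValueError on anything malformed."""
    out = []
    for entry in entries:
        # strict=True rejects host bits (e.g. 192.0.2.5/24) instead of
        # silently widening a single-host block to the whole network.
        net = ipaddress.ip_network(entry.strip(), strict=True)
        text = str(net.network_address) if net.num_addresses == 1 else str(net)
        if text not in out:
            out.append(text)
    return out

def apply_action(action, group, requested):
    """Return (new group contents, result dict) for 'block' or 'unblock'."""
    if action not in ("block", "unblock"):
        raise ValueError("action must be 'block' or 'unblock'")
    current = normalize(group)
    result = {key: [] for key in KEYS}
    for item in normalize(requested):
        present = item in current
        if action == "block" and present:
            result["existing"].append(item)       # skipped, already blocked
        elif action == "block":
            current.append(item)
            result["newly_added"].append(item)
        elif present:
            current.remove(item)
            result["removed"].append(item)
        else:
            result["not_found"].append(item)      # skipped, nothing to remove
    return current, result

def containment_gaps(requested, result):
    """Requested entries a block run did not report as existing or newly_added."""
    covered = set(result["existing"]) | set(result["newly_added"])
    return [item for item in normalize(requested) if item not in covered]

# Constructed sample data (RFC 5737 documentation ranges).
GROUP = ["192.0.2.10", "198.51.100.0/24"]
if __name__ == "__main__":
    group, res = apply_action("block", GROUP, ["192.0.2.10", "203.0.113.7"])
    print(res, containment_gaps(["192.0.2.10", "203.0.113.7"], res))
```

A containment playbook can treat a non-empty `containment_gaps` list as a failed step rather than assuming the block succeeded.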
The Sample - Cisco Firepower - 2.0.0 playbook collection comes bundled with the Cisco Firepower connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cisco Firepower connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.