About the connector
Cisco Firepower is your administrative nerve center for managing critical Cisco network security solutions. It provides a complete and unified management of firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection.
This document provides information about the Cisco Firepower connector, which facilitates automated interactions with Cisco Firepower using FortiSOAR™ playbooks. Add the Cisco Firepower connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list currently blocked networks on a Firepower Network Group Object and blocking or unblocking an IP address on a Firepower Network Group Object.
Version information
Connector Version: 2.0.0
FortiSOAR™ Version Tested on: 4.11.0-1161
Cisco Firepower Version Tested on: 6.2.3
Authored By: Fortinet .
Certified: Yes
Installing the connector
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-cisco-firepower
For the detailed procedure to install a connector, click here.
Prerequisites to configuring the connector
- You must have the URL of the Cisco Firepower server to which you will connect and perform automated operations, and the credentials (username-password pair) to access that server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In CyOPs™, on the Connectors page, click the Cisco Firepower connector row, and in the Configuration tab enter the required configuration details.
| Parameter |
Description |
| Server URL |
URL of the Cisco Firepower server to which you will connect and perform the automated operations. |
| Username |
Username to access the Cisco Firepower server to which you will connect and perform the automated operations. |
| Password |
Password to access the Cisco Firepower server to which you will connect and perform the automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| List Access Policy |
Retrieves a list and details of all access control policies from the Cisco Firepower server. |
list_block_ip
Investigation |
| Block IP |
Adds the IP addresses or networks that you have specified as blacklist items in the Network Group Object that you have specified on the Cisco Firepower server. |
block_ip
Containment |
| Unblock IP |
Removes the IP addresses or networks that you have specified as blacklist items from the Network Group Object that you have specified on the Cisco Firepower server. |
unblock_ip
Remediation |
operation: List Access Policy
Input parameters
| Parameter |
Description |
| Domain Name |
(Optional) Name of the domain for which you want to retrieve a list of policies or network groups from Cisco Firepower server.
Note: If you do not specify a domain, then by default this is set to Global. |
| Limit |
(Optional) Maximum number of records to be retrieved per page from the Cisco Firepower server.
Note: By default, this is set to 10. |
| Offset |
(Optional) Index of the first item to return from the search result, in the case of paginated results.
Note: By default, this is set to 0. |
Output
The output contains the following populated JSON schema, which contains a list and details of all access control policies retrieved from the Cisco Firepower server:
{
"links": {
"self": ""
},
"items": [
{
"type": "",
"links": {
"self": ""
},
"name": "",
"id": ""
}
],
"paging": {
"offset": "",
"limit": "",
"count": "",
"pages": ""
}
}
operation: Block IP
Input parameters
| Parameter |
Description |
| Domain Name |
(Optional) Name of the domain for which you want to block IP addresses or Network Group Objects on the Cisco Firepower server.
Note: If you do not specify a domain, then by default this is set to Global. |
| Network Group Object |
Network Group Object in which you want to add the specified IP addresses or networks as blacklisted items on the Cisco Firepower server. |
| IP Address |
IP Address or network that you want to add to the blacklist in the specified Network Group Object on the Cisco Firepower server.
Note: You can specify multiple IP addresses or networks in the list format. For example, [xx.xx.xx.1, xx.xx.xx.2, xx.xx.xx.3] |
Note: If you have specified IP addresses or networks that already exist as blacklisted items in the Network Group Object that you have specified, then the Cisco Firepower connector will not perform any action, i.e., it will skip adding the specified IP addresses or networks to the specified Network Group Object.
Output
The JSON output contains key-value pairs. Every key-value pair has its significance.
For example, Existing Key: Contains only those IPs or Networks that are present in the specified network group, when a user performs the block action.
The output contains the following populated JSON schema:
{
"existing": [],
"newly_added": [],
"not_found": [],
"removed": []
}
operation: Unblock IP
Input parameters
| Parameter |
Description |
| Domain Name |
(Optional) Name of the domain for which you want to unblock IP addresses or Network Group Objects on the Cisco Firepower server.
Note: If you do not specify a domain, then by default this is set to Global. |
| Network Group Object |
Network Group Object from which you want to remove the specified IP addresses or networks as blacklisted items on the Cisco Firepower server. |
| IP Address |
IP Address or network that you want to remove from the blacklist in the specified Network Group Object on the Cisco Firepower server.
Note: You can specify multiple IP addresses or networks in the list format. For example, [xx.xx.xx.1, xx.xx.xx.2, xx.xx.xx.3] |
Note: If you have specified IP addresses or networks that do not exist as blacklisted items in the Network Group Object that you have specified, then the Cisco Firepower connector will not perform any action, i.e., it will skip removing the specified IP addresses or networks from the specified Network Group Object.
Output
The JSON output contains key-value pairs. Every key-value pair has its significance.
For example, Not Found Key: Contains only those IPs or Networks that are not present in the specified network group, when a user performs the unblock action.
The output contains the following populated JSON schema:
{
"existing": [],
"newly_added": [],
"not_found": [],
"removed": []
}
Included playbooks
The Sample - Cisco Firepower - 2.0.0 playbook collection comes bundled with the Cisco Firepower connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cisco Firepower connector.
- Block IP
- List Access Policy
- Unblock IP
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
