Cisco Firepower

Cisco Firepower v3.0.0

About the connector

Cisco Firepower is your administrative nerve center for managing critical Cisco network security solutions. It provides complete and unified management of firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection.

This document provides information about the Cisco Firepower connector, which facilitates automated interactions with Cisco Firepower using FortiSOAR™ playbooks. Add the Cisco Firepower connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of currently blocked networks on a Firepower Network Group Object and blocking or unblocking an IP address on a Firepower Network Group Object.

Version information

Connector Version: 3.0.0

Authored By: Fortinet

Certified: No

Release Notes for version 3.0.0

The following enhancements have been made to the Cisco Firepower connector in version 3.0.0:

  • Added the following new actions:
    • List Device
    • Assign Policy To Device
    • Delete Access Policy
  • The Block IP and Unblock IP actions now retrieve the list of all devices with configuration changes that are ready to be deployed. They also create a request to deploy the configuration changes to the specified device.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-cisco-firepower

Prerequisites to configuring the connector

  • You must have the URL of the Cisco Firepower server to which you will connect and perform automated operations, and the credentials (username-password pair) to access that server.
  • To access FortiSOAR™, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Cisco Firepower connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

| Parameter | Description |
|---|---|
| Server URL | URL of the Cisco Firepower server to which you will connect and perform the automated operations. |
| Username | Username to access the Cisco Firepower server to which you will connect and perform the automated operations. |
| Password | Password to access the Cisco Firepower server to which you will connect and perform the automated operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set as True. |

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

| Function | Description | Annotation and Category |
|---|---|---|
| List Access Policy | Retrieves a list and details of all access control policies from the Cisco Firepower server. | get_policy, Investigation |
| Block IP | Adds the IP addresses or networks that you have specified as blacklist items in the Network Group Object that you have specified on the Cisco Firepower server. | block_ip, Containment |
| Unblock IP | Removes the IP addresses or networks that you have specified as blacklist items from the Network Group Object that you have specified on the Cisco Firepower server. | unblock_ip, Remediation |
| List Device | Retrieves a list and details of all devices from the Cisco Firepower server. | list_device, Investigation |
| Assign Policy To Device | Assigns the specified policy to the device(s) that you have specified on the Cisco Firepower server. | assign_policy_to_device, Containment |
| Delete Access Policy | Deletes an access control policy from the Cisco Firepower server based on the Policy ID specified. | delete_access_policy, Investigation |

operation: List Access Policy

Input parameters

| Parameter | Description |
|---|---|
| Domain Name | (Optional) Specify the domain name for which to retrieve a list of policies from the Cisco Firepower server. NOTE: If you do not specify a domain, then by default this is set to Global. |
| Limit | (Optional) Specify the maximum number of records to be retrieved per page from the Cisco Firepower server. NOTE: By default, this is set to 10. |
| Offset | (Optional) Specify the index of the first item to return from the search result, in the case of paginated results. NOTE: By default, this is set to 0. |

Output

The output contains the following populated JSON schema:

{
    "links": {
        "self": ""
    },
    "items": [
        {
            "type": "",
            "links": {
                "self": ""
            },
            "name": "",
            "id": ""
        }
    ],
    "paging": {
        "offset": "",
        "limit": "",
        "count": "",
        "pages": ""
    }
}
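
Because Limit defaults to 10, a single call returns only the first page, so a review of access policies or devices can silently miss entries. The following is an added example, not code from the connector: fetch_page is a hypothetical callable standing in for one run of the List Access Policy or List Device action, the sample data is constructed, and treating paging.count as the total number of records is an assumption.

```python
def iter_all_items(fetch_page, limit=10):
    """Yield every item across all pages of a Limit/Offset paginated action.

    fetch_page(limit, offset) is a hypothetical callable that runs the action
    once and returns its output dict ({"items": [...], "paging": {...}}).
    """
    offset = 0
    while True:
        page = fetch_page(limit, offset)
        items = page.get("items") or []
        yield from items
        offset += len(items)
        try:
            # Assumption: paging.count holds the total number of records.
            total = int((page.get("paging") or {}).get("count"))
        except (TypeError, ValueError):
            total = None  # count missing or empty: rely on page size alone
        # Stop on an empty or short page, or once the reported total is reached.
        if not items or len(items) < limit or (total is not None and offset >= total):
            return


def make_fake_action(names):
    """Constructed stand-in for the server so the example runs offline."""
    calls = []

    def fetch_page(limit, offset):
        calls.append((limit, offset))
        chunk = names[offset:offset + limit]
        return {
            "items": [{"type": "AccessPolicy", "name": n, "id": "id-" + n} for n in chunk],
            "paging": {"offset": offset, "limit": limit,
                       "count": len(names), "pages": -(-len(names) // limit)},
        }

    return fetch_page, calls


def collect_names(names, limit=10):
    """Return (all policy names seen, list of (limit, offset) calls made)."""
    fetch_page, calls = make_fake_action(names)
    return [item["name"] for item in iter_all_items(fetch_page, limit)], calls


if __name__ == "__main__":
    sample = ["policy-%d" % i for i in range(23)]  # constructed sample data
    seen, calls = collect_names(sample)
    print(len(seen), "policies retrieved in", len(calls), "calls")
```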

operation: Block IP

Input parameters

| Parameter | Description |
|---|---|
| Domain Name | (Optional) Specify the domain name for which to block IP addresses or Networks on the Cisco Firepower server. NOTE: If you do not specify a domain, then by default this is set to Global. |
| Network Group Object | Specify the network group object in which to add the specified IP addresses or networks as blocked items on the Cisco Firepower server. |
| IP Address | Specify the IP Address or network to add to the blocked list in the specified Network Group Object on the Cisco Firepower server. NOTE: You can specify multiple IP addresses or networks in the list format. For example, [xx.xx.xx.1, xx.xx.xx.2, xx.xx.xx.3]. NOTE: If you have specified IP addresses or networks that already exist as blocked items in the Network Group Object that you have specified, then the Cisco Firepower connector does not perform any action, i.e., it skips adding the specified IP addresses or networks to the specified Network Group Object. |

Output

The output contains the following populated JSON schema:

{
    "existing": [],
    "newly_added": [],
    "not_found": [],
    "removed": []
}
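
Block IP is a containment action that changes firewall configuration and triggers a deployment, so the IP Address list is worth validating before the playbook step runs. The following is an added example, not code from the connector: the function names, the protected-network list and the sample values are constructed, and it assumes that the output lists echo entries in the same string form that was submitted.

```python
import ipaddress

# Assumption: networks that must never be sent to Block IP (constructed values,
# for example internal ranges and a critical resolver).
PROTECTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.53/32")]


def prepare_block_list(raw_entries, protected=PROTECTED):
    """Split raw indicators into (to_block, rejected) before calling Block IP."""
    to_block, rejected, seen = [], {}, set()
    for raw in raw_entries:
        text = str(raw).strip()
        try:
            # strict=False clears host bits: 203.0.113.9/24 -> 203.0.113.0/24
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            rejected[text] = "not an IP address or network"
            continue
        if net.prefixlen == 0:
            rejected[text] = "default route would block everything"
            continue
        clash = next((p for p in protected
                      if p.version == net.version and p.overlaps(net)), None)
        if clash is not None:
            rejected[text] = "overlaps protected network %s" % clash
            continue
        # Single hosts are emitted as a bare address, networks in CIDR form.
        value = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        if value not in seen:  # drop duplicates, keep first-seen order
            seen.add(value)
            to_block.append(value)
    return to_block, rejected


def unconfirmed(requested, result):
    """Entries the action output reports as neither existing nor newly_added."""
    confirmed = set(result.get("existing", [])) | set(result.get("newly_added", []))
    return [entry for entry in requested if entry not in confirmed]


if __name__ == "__main__":
    # Constructed sample input using documentation address ranges.
    ok, bad = prepare_block_list(["198.51.100.7", "203.0.113.9/24", "10.1.2.3", "not-an-ip"])
    print("send to Block IP:", ok)
    print("rejected:", bad)
```

Any entry returned by unconfirmed() after the action runs is not covered by the block list and should be escalated rather than assumed contained.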

operation: Unblock IP

Input parameters

| Parameter | Description |
|---|---|
| Domain Name | (Optional) Specify the domain name for which to unblock IP addresses or Networks on the Cisco Firepower server. NOTE: If you do not specify a domain, then by default this is set to Global. |
| Network Group Object | Specify the network group object from which to remove the specified IP addresses or networks as blocked items on the Cisco Firepower server. |
| IP Address | Specify the IP Address or network to remove from the blocked list in the specified Network Group Object on the Cisco Firepower server. NOTE: You can specify multiple IP addresses or networks in the list format. For example, [xx.xx.xx.1, xx.xx.xx.2, xx.xx.xx.3]. NOTE: If you have specified IP addresses or networks that do not exist as blocked items in the Network Group Object that you have specified, then the Cisco Firepower connector does not perform any action, i.e., it skips removing the specified IP addresses or networks from the specified Network Group Object. |

Output

The output contains the following populated JSON schema:

{
    "existing": [],
    "newly_added": [],
    "not_found": [],
    "removed": []
}

operation: Delete Access Policy

Input parameters

| Parameter | Description |
|---|---|
| Domain Name | (Optional) Specify the domain name from which to delete the policy on the Cisco Firepower server. NOTE: If you do not specify a domain, then by default this is set to Global. |
| Policy ID | Specify the policy ID to delete from the Cisco Firepower server. |

Output

The output contains the following populated JSON schema:

{
    "links": {
        "self": ""
    },
    "items": [
        {
            "type": "",
            "links": {
                "self": ""
            },
            "name": "",
            "id": ""
        }
    ],
    "paging": {
        "offset": "",
        "limit": "",
        "count": "",
        "pages": ""
    }
}

operation: List Device

Input parameters

| Parameter | Description |
|---|---|
| Domain Name | (Optional) Specify the domain name for which to retrieve the list of devices from the Cisco Firepower server. NOTE: If you do not specify a domain, then by default this is set to Global. |
| Limit | (Optional) Specify the maximum number of records to be retrieved per page from the Cisco Firepower server. NOTE: By default, this is set to 10. |
| Offset | (Optional) Specify the index of the first item to return from the search result, in the case of paginated results. NOTE: By default, this is set to 0. |

Output

The output contains the following populated JSON schema:

{
    "items": [],
    "links": {},
    "paging": {
        "pages": "",
        "count": "",
        "offset": "",
        "limit": ""
    }
}

operation: Assign Policy To Device

Input parameters

| Parameter | Description |
|---|---|
| Domain Name | (Optional) Specify the domain name for which you want to assign the policy to the specified device. NOTE: If you do not specify a domain, then by default this is set to Global. |
| Policy Name | Specify the policy name to assign to the device. |
| Policy ID | Specify the policy ID to assign to the device. |
| Device ID | Specify the device ID to which you want to assign the policy. |

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - Cisco Firepower - 3.0.0 playbook collection comes bundled with the Cisco Firepower connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cisco Firepower connector.

  • Block IP
  • List Access Policy
  • Unblock IP
  • List Device
  • Assign Policy To Device
  • Delete Access Policy

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
