A Devops, API Driven Approach to NGFW

So, I have been kicking the tires on the FTD-API on the Cisco NGFW Firepower Threat Defense (FTD) 6.3 software. The FTD-APIs allow one to completely control the platform without the use of SSH or a GUI.

yaml config file
yaml config file

I’m a bit of a code hacker, so I thought I would stretch my coding legs a little and I hacked together a library to consume the FTD APIs. As a proof of concept, I thought it would be an interesting exercise to provision a freshly unboxed (or freshly kicked virtual image) FTD using only APIs. I have created a few videos demonstrating this proof of concept at work. 

When the FTD software is initially booted on a Firepower box or virtual image, the management interface defaults to with a password of ‘Admin123’. And, the first time we SSH into the box, we are presented with an End User License Agreement (EULA) that must be accepted before we can access the cli of the FTD software. If we log into the FDM GUI, we are additionally presented with a wizard that auto-configures for some specific use-cases. I would prefer to skips all of these steps and configure the device for each specific use-case in a hands-free approach.

In the first video, we take an FTD device that has never seen the light of day, and we use the script provision.py to configure:

  1. a static IP address on the management interface
  2. change the factory default password to one of our choosing
  3. accept the EULA
  4. set the device in routing mode
  5. set the device to be managed by the onboard GUI manager Firepower Device Manager (FDM)

Note that all of the settings for the configuration are controlled through the yaml file, EXCEPT for our desired, new password. We don’t want to hard code non-default passwords into github repos, so we will instead pass the new password to the script via a bash environment variable.

export FTDPASS="my_Secret_password"


In the second video, we take two FTD devices that have been run through the provision.py script and are ready to be configured with user specific configurations and we use that same yaml file to configure all of the interfaces and set the two devices up an an Active/Standby high availability pair. Again, we do this completely hands free with no need to interact with any SSH session or GUI; the yaml file controls everything. 

The script will use the FTD-API to:

  1. Set the hostname on both appliances
  2. Disable the default-configured dhcp servers
  3. Configure each interface defined in the yaml file with
    1. interface name (e.g. inside, outside, dmz, uat, prod, etc)
    2. interface mode: static (vs. dhcp)
    3. primary ip address and subnet mask
    4. standby ip address
    5. enabled: true
    6. interface ‘monitored’: true
  4. failover and state interface enabled: true
  5. HA configuration
    1. primary and standby ip/netmask
    2. pre-shared-key for failover link
    3. stateful interface same as as failover interface
    4. define the stateful and failover interface
  6. Deploy all configurations to both devices

Don’t forget to supply your custom password with the bash environment variable

export FTDPASS="my_Secret_password"

I hope this code and these videos are useful to anyone considering a devops, api driven approach to ngfw. I will be creating subsequent videos where we configure the rest of the platform settings like dns, ntp, access-policies, nat policies, and so on.

Subscribe to my youtube channel to be updated automatically as I add more videos on the Cisco FTD and FDM software.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: