FMC Filtered Rules Extractor

A Python tool for extracting and analyzing Cisco FMC (Firewall Management Center) access control rules containing specific IP addresses. This tool connects to your FMC via REST API and generates detailed Excel reports of firewall rules.

Features

  • 🔍 IP-based Rule Filtering: Find all firewall rules containing a specific IP address (source or destination)
  • 🏢 HA Cluster Support: Automatically identifies active devices in high-availability pairs
  • 📊 Excel Reports: Generates comprehensive Excel reports with cleaned, readable data
  • 🔐 Secure Authentication: Token-based authentication with Cisco FMC
  • 📝 Comprehensive Logging: Detailed logging for troubleshooting and audit trails
  • 🔄 Pagination Handling: Automatically handles large rule sets with API pagination

Use Cases

  • Security Audits: Document all firewall rules affecting specific assets
  • Troubleshooting: Understand traffic flow for problematic hosts
  • Compliance: Generate reports for regulatory requirements
  • Change Management: Analyze impact before making firewall changes
  • Network Documentation: Create comprehensive rule inventories

Prerequisites

  • Python 3.7+
  • Access to Cisco FMC with API permissions
  • Network connectivity to your FMC appliance

Installation

  1. Clone this repository:
git clone <your-repo-url>
cd get_filtered
  2. Install required dependencies:
pip install -r requirements.txt
  3. Update the FMC IP address in the script:
fmcip = '192.168.1.100'  # Replace with your FMC IP

Usage

python get_filtered_rules.py <ClusterName> <IP_Address> <OutputFile.xlsx>

Parameters

  • ClusterName: Name of the firewall cluster/device in FMC
  • IP_Address: IP address to search for in firewall rules
  • OutputFile.xlsx: Output Excel file name (must have .xlsx extension)

Example

python get_filtered_rules.py "DC-Firewall-Cluster" "192.168.1.100" "firewall_rules_report.xlsx"

Authentication

The script will prompt for FMC credentials:

  • Username: Your FMC username
  • Password: Your FMC password (input hidden)

Output

The tool generates:

  1. Excel Report (OutputFile.xlsx): Contains filtered rules with:

    • Rule index/order
    • Source networks
    • Destination networks
    • Destination ports/protocols
    • Source zones
    • Rule actions and metadata
  2. Log File (GetFilteredRules.log): Detailed execution log for troubleshooting

Excel Report Columns

Column               Description
rule_index           Order/index of the rule in the policy
name                 Rule name/identifier
action               Rule action (ALLOW, BLOCK, etc.)
enabled              Whether the rule is enabled
sourceNetworks       Source IP addresses/networks
destinationNetworks  Destination IP addresses/networks
destinationPorts     Destination ports and protocols
sourceZones          Source security zones
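How a rule comes to "contain" an IP address, and how a matching rule is flattened into the report columns above, as an added example that is not part of this project's code. FMC stores each network field as objects (referenced by id and name) plus literals (with an inline value), so the example assumes a resolver dict (constructed here as OBJECTS_BY_ID) that maps object ids to the values fetched from the FMC object endpoints; the rules in SAMPLE_RULES are constructed in that shape, and metadata.ruleIndex is an assumed field name with the list position as fallback. It goes beyond plain string equality: a Host, Network or Range value matches when the searched address falls inside it, and a rule whose network field is empty (FMC's "any") is only reported when include_any is set.

```python
"""Added example, not the project's own code: decide whether an access rule
"contains" an IP address and flatten matching rules into the report columns.

Assumptions: object values come from a resolver dict (id -> value) that you
fill from the FMC object endpoints; the rule JSON below is constructed in
the shape FMC returns (objects/literals under each network field)."""
import ipaddress
from typing import Any, Dict, List

REPORT_COLUMNS = ["rule_index", "name", "action", "enabled",
                  "sourceNetworks", "destinationNetworks", "destinationPorts", "sourceZones"]
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}  # FMC port literals carry IANA numbers


def value_contains_ip(value: str, ip) -> bool:
    """True when a Host ("10.0.0.5"), Network ("10.0.0.0/24") or Range
    ("10.0.0.1-10.0.0.9") value covers ip; string equality would miss the last two."""
    if "-" in value:                                   # Range object: "start-end"
        start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        return start.version == ip.version and start <= ip <= end
    net = ipaddress.ip_network(value, strict=False)    # a Host value becomes /32 or /128
    return net.version == ip.version and ip in net


def network_values(field: Dict[str, Any], objects_by_id: Dict[str, str]) -> List[str]:
    """Literal values plus resolved object values; unresolved objects (groups,
    FQDNs) keep their name so the report still shows them."""
    values = [lit["value"] for lit in field.get("literals", [])]
    for obj in field.get("objects", []):
        values.append(objects_by_id.get(obj.get("id"), obj.get("name", "?")))
    return values


def rule_matches(rule, ip, objects_by_id, include_any=False) -> bool:
    for key in ("sourceNetworks", "destinationNetworks"):
        values = network_values(rule.get(key, {}), objects_by_id)
        if not values:            # no constraint in FMC means "any"
            if include_any:
                return True
            continue
        for value in values:
            try:
                if value_contains_ip(value, ip):
                    return True
            except ValueError:    # an object name, not an address: skip it
                continue
    return False


def ports_text(field: Dict[str, Any]) -> str:
    parts = []
    for lit in field.get("literals", []):
        proto = PROTO_NAMES.get(str(lit.get("protocol")), str(lit.get("protocol")))
        parts.append(f"{proto}/{lit['port']}" if lit.get("port") else proto)
    parts += [obj.get("name", "?") for obj in field.get("objects", [])]
    return ", ".join(parts) or "any"


def flatten(rules, ip_text, objects_by_id, include_any=False) -> List[Dict[str, Any]]:
    """Rows for every rule that covers ip_text, in report column order."""
    ip = ipaddress.ip_address(ip_text)   # raises ValueError on a malformed address
    rows = []
    for position, rule in enumerate(rules, start=1):
        if not rule_matches(rule, ip, objects_by_id, include_any):
            continue
        zones = rule.get("sourceZones", {}).get("objects", [])
        rows.append({
            "rule_index": rule.get("metadata", {}).get("ruleIndex", position),  # assumed field; list position as fallback
            "name": rule.get("name"),
            "action": rule.get("action"),
            "enabled": rule.get("enabled", True),
            "sourceNetworks": ", ".join(network_values(rule.get("sourceNetworks", {}), objects_by_id)) or "any",
            "destinationNetworks": ", ".join(network_values(rule.get("destinationNetworks", {}), objects_by_id)) or "any",
            "destinationPorts": ports_text(rule.get("destinationPorts", {})),
            "sourceZones": ", ".join(z.get("name", "?") for z in zones) or "any",
        })
    return rows


def write_report(rows, path: str) -> None:
    """Excel output via pandas + openpyxl, the libraries listed in requirements.txt."""
    import pandas as pd
    pd.DataFrame(rows, columns=REPORT_COLUMNS).to_excel(path, index=False)


OBJECTS_BY_ID = {   # constructed resolver: object id -> value
    "obj-web1": "10.20.30.5", "obj-dmz": "10.20.30.0/24", "obj-jump": "10.20.30.1-10.20.30.9"}
SAMPLE_RULES = [   # constructed rules in FMC's accessrules shape
    {"name": "allow-web", "action": "ALLOW", "enabled": True, "metadata": {"ruleIndex": 1},
     "sourceZones": {"objects": [{"name": "outside"}]},
     "destinationNetworks": {"objects": [{"id": "obj-web1", "name": "web1", "type": "Host"}]},
     "destinationPorts": {"literals": [{"type": "PortLiteral", "protocol": "6", "port": "443"}]}},
    {"name": "block-dmz-out", "action": "BLOCK", "enabled": True, "metadata": {"ruleIndex": 2},
     "sourceNetworks": {"objects": [{"id": "obj-dmz", "name": "dmz-net", "type": "Network"}]},
     "sourceZones": {"objects": [{"name": "dmz"}]}},
    {"name": "mgmt-range", "action": "ALLOW", "enabled": False, "metadata": {"ruleIndex": 3},
     "sourceNetworks": {"objects": [{"id": "obj-jump", "name": "jump-hosts", "type": "Range"}]},
     "destinationNetworks": {"literals": [{"type": "Network", "value": "192.0.2.0/24"}]},
     "destinationPorts": {"objects": [{"name": "SSH", "type": "ProtocolPortObject"}]}},
    {"name": "catch-all-deny", "action": "BLOCK", "enabled": True, "metadata": {"ruleIndex": 4}},
]

if __name__ == "__main__":
    for row in flatten(SAMPLE_RULES, "10.20.30.5", OBJECTS_BY_ID, include_any=True):
        print(row)
```

Searching for 10.20.30.5 returns the Host, Network and Range rules; searching for 10.20.30.50 returns only the /24 rule. Rules with an empty network field still apply to the host, which is why include_any exists: for a security audit you usually want them in the report, for a "rules that name this host" inventory you do not.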

Configuration

FMC IP Address

Update the fmcip variable in the script:

fmcip = 'your.fmc.ip.address'

SSL Verification

The script disables SSL verification by default, which is acceptable only in lab environments: without verification the client cannot tell the real FMC from anything else answering at that address. For production, enable verification:

session.verify = True  # Enable SSL verification
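The token login described under Authentication, the verified session this section asks for, and the page walking behind the Pagination Handling feature, together as one added example that is not part of this project's code. The token endpoint, the X-auth-access-token and DOMAIN_UUID headers and the paging.next links are FMC REST API behaviour; the transport abstraction, FakeFmc, the fmc.example.invalid host, the POLICY-ID placeholder and the fmc-ca.pem path are assumptions made here so the logic runs without a live FMC.

```python
"""Added example, not the project's own code: FMC token login and a
collection GET that follows the API's paging.next links.

Assumptions: the transport object has requests.Session-style post()/get();
FakeFmc below is a constructed stand-in so the logic runs without an FMC."""
from typing import Any, Dict, List, Optional
from urllib.parse import urlencode

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
PAGE_SIZE = 25  # FMC's default page size; raise it to cut the number of round trips


def build_session(ca_bundle: Optional[str] = None):
    """requests.Session with certificate verification left ON.

    ca_bundle is the PEM file of the CA that signed the FMC certificate
    (assumption: you exported it); None means the system trust store."""
    import requests  # imported here so the rest of the file runs without it
    session = requests.Session()
    session.verify = ca_bundle or True  # never False outside a throw-away lab
    session.headers.update({"Accept": "application/json"})
    return session


class FmcClient:
    def __init__(self, transport, fmcip: str):
        self.transport = transport       # requests.Session or a stand-in
        self.base = f"https://{fmcip}"
        self.token: Optional[str] = None
        self.domain_uuid: Optional[str] = None

    def generate_token(self, username: str, password: str) -> str:
        # Basic auth on the token endpoint only; FMC answers 204 with the
        # token in the headers. The password is neither stored nor logged.
        resp = self.transport.post(self.base + TOKEN_PATH, auth=(username, password), timeout=30)
        if resp.status_code not in (200, 204):
            raise PermissionError(f"FMC token request failed: HTTP {resp.status_code}")
        self.token = resp.headers["X-auth-access-token"]
        self.domain_uuid = resp.headers["DOMAIN_UUID"]
        return self.token

    def get_all(self, path: str, extra: Optional[Dict[str, str]] = None) -> List[Dict[str, Any]]:
        """Return every item of a collection endpoint, page by page."""
        if not self.token or not self.domain_uuid:
            raise RuntimeError("call generate_token() first")
        query = {"offset": 0, "limit": PAGE_SIZE, "expanded": "true"}
        query.update(extra or {})
        full_path = path.replace("{domainUUID}", self.domain_uuid)
        url = f"{self.base}{full_path}?{urlencode(query)}"
        items, seen = [], set()
        while url:
            if url in seen:  # defensive: a server that keeps pointing at the same page
                raise RuntimeError("pagination loop detected")
            seen.add(url)
            resp = self.transport.get(url, headers={"X-auth-access-token": self.token}, timeout=60)
            if resp.status_code == 401:
                raise PermissionError("token rejected (expired or revoked)")
            if resp.status_code != 200:
                raise RuntimeError(f"GET {url} -> HTTP {resp.status_code}")
            body = resp.json()
            items.extend(body.get("items", []))
            nxt = body.get("paging", {}).get("next") or []
            url = nxt[0] if nxt else None   # "next" is absent on the last page
        return items


class _Resp:
    def __init__(self, status_code: int, headers=None, body=None):
        self.status_code, self.headers, self._body = status_code, headers or {}, body

    def json(self):
        return self._body


class FakeFmc:
    """Constructed stand-in for requests.Session: one account, canned pages."""
    def __init__(self, pages: Dict[str, Dict[str, Any]]):
        self.pages = pages

    def post(self, url, auth=None, timeout=None):
        if not url.endswith(TOKEN_PATH) or auth != ("auditor", "correct-horse-battery"):
            return _Resp(401)
        return _Resp(204, {"X-auth-access-token": "tok-0001", "DOMAIN_UUID": "DOMAIN-1"})

    def get(self, url, headers=None, timeout=None):
        if (headers or {}).get("X-auth-access-token") != "tok-0001":
            return _Resp(401)
        return _Resp(200, body=self.pages[url])


RULES_PATH = "/api/fmc_config/v1/domain/{domainUUID}/policy/accesspolicies/POLICY-ID/accessrules"


def demo(username: str = "auditor", password: str = "correct-horse-battery") -> List[str]:
    """Log in to the fake FMC and pull three rules spread over two pages."""
    base = "https://fmc.example.invalid/api/fmc_config/v1/domain/DOMAIN-1/policy/accesspolicies/POLICY-ID/accessrules"
    page1, page2 = f"{base}?offset=0&limit=25&expanded=true", f"{base}?offset=25&limit=25&expanded=true"
    pages = {  # constructed sample responses in FMC's shape
        page1: {"items": [{"name": "allow-web"}, {"name": "block-dmz"}],
                "paging": {"offset": 0, "limit": 25, "count": 3, "pages": 2, "next": [page2]}},
        page2: {"items": [{"name": "catch-all"}],
                "paging": {"offset": 25, "limit": 25, "count": 3, "pages": 2}},
    }
    client = FmcClient(FakeFmc(pages), "fmc.example.invalid")
    client.generate_token(username, password)
    return [r["name"] for r in client.get_all(RULES_PATH)]


if __name__ == "__main__":
    print(demo())
```

Against a real appliance, build the client as FmcClient(build_session("fmc-ca.pem"), fmcip) and pass the credentials read with getpass; the only behavioural difference from the fake is that the token expires after a while, which get_all surfaces as a PermissionError on 401 rather than silently returning a short rule list.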

Error Handling

The tool includes comprehensive error handling for:

  • Authentication failures
  • Network connectivity issues
  • API timeouts
  • Invalid cluster names
  • Missing IP addresses in rules

Logging

Detailed logs are written to GetFilteredRules.log including:

  • Authentication events
  • API requests and responses
  • Rule filtering operations
  • Error conditions
  • Execution timestamps

Security Considerations

  • Credentials are not stored or logged
  • API tokens are session-based and temporary
  • SSL warnings are suppressed (configurable)
  • All API communication uses HTTPS

Troubleshooting

Common Issues

  1. Authentication Error (401)

    • Verify username and password
    • Check user permissions in FMC
  2. Cluster Not Found

    • Verify cluster name spelling and case
    • Check if cluster exists in FMC
  3. No Rules Found

    • Verify IP address format
    • Check if IP exists in any rules
    • Ensure proper policy assignment
  4. Connection Errors

    • Verify FMC IP address and connectivity
    • Check firewall rules allowing API access
    • Verify FMC API service is running

Debug Mode

Enable verbose logging by modifying the logging level:

level=logging.DEBUG

Dependencies

  • requests: HTTP library for API calls
  • pandas: Data manipulation and analysis
  • openpyxl: Excel file creation
  • base64: Authentication encoding (Python standard library, nothing to install)

See requirements.txt for specific versions.

Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes
  4. Add tests if applicable
  5. Submit a pull request

Changelog

Version 1.0.0

  • Initial release
  • Basic IP filtering functionality
  • Excel report generation
  • HA cluster support

Author

Artur Pinto - arturj.pinto@gmail.com

License

This project is licensed under the MIT License - see the LICENSE file for details.

Disclaimer

This tool is provided as-is for educational and administrative purposes. Always test in a lab environment before using in production. The author is not responsible for any network disruptions or policy changes resulting from the use of this tool.
