Forum Discussion

Matt_M_
5 years ago

FirePower Config Source

The current Cisco IOS config source does not work for FirePower.  I tried my own hand at writing a config source for the FirePower series of Cisco Firewalls but ran into a snag and could never get it working.  My only other option is to have the device export its config to an FTP server and ingest the config that way.  That is not something I really want to do because it's not able to scale for us.

I imagine it will become more common to need to back these up in the future as the market share for these devices goes up.

Is this something we could potentially see added?  I opened a support ticket and confirmed this was not presently possible.  I would be willing to provide access to a device for a developer if need be, but this would be a big win for our clients if we could get this implemented.

  • Anonymous

    What was the snag you ran into? Could you post your progress on the script here as a script block?

  • I am not a coder by any means so excuse the terrible coding, but I had this template from another script that I tried to re-use here.  I've never written a Groovy script before so I am not sure really how well this existing template really works to be honest.

    You do not need to set term length because firepowers always send everything at once regardless of length.  You also need to issue complete commands as it does not accept sh run for example.  You would need to do show running-config.

     

    import com.santaba.agent.groovyapi.expect.Expect;
    // get the hostname and credentials from the device property table
    hostname = hostProps.get("system.hostname");
    userid = hostProps.get("ssh.user");
    passwd = hostProps.get("ssh.pass");
    // initiate an ssh connection to the host using the provided credentials
    ssh_connection = Expect.open(hostname, userid, passwd);
    // wait for the cli prompt, which indicates we've connected
    //ssh_connection.expect("> ");
    sleep(1000);
    // send a command
    ssh_connection.send('show running-config\n');
    sleep(20000);
    output= ssh_connection.stdout();
    // Logout
    ssh_connection.send('exit\n')
    // close the ssh connection handle then print the config
    ssh_connection.expectClose();
    printline=1
    output.eachLine { String line ->
     
    if (line.contains("")){printline=1}
    }
    return 0;

     

    When I assign this to a device the config check goes through but when I download the config it's empty.  I think it has to do with my output segment but I'm not entirely sure -- is there a way to get logging or would I have to build that into the script?  Thanks for any help you can share.

  • Anonymous

    Hey, you have comments. Your coding is better than 80% of the code out there.

    Take a look at https://github.com/sweenig/monitoring-recipes/blob/master/DataSources/Groovy/Expect/Groovy_Expect_Example.groovy

    You've got "ssh_connection.expect("> ");" commented out, but I would look to see if you can use that as it helps your script gain landmarks to know where it is at any point (and avoids guessing that 20 seconds is long enough to get the output). You should then be able to use the .before() method to grab everything between .expect() calls.

    Yes, your output should just be printed ("println(output)") instead of just setting the value of the printline variable to 1.

  • Thanks for your help Stuart.  I adjusted my script to the excerpt below and it's working as intended.  Just need to build in some logic to remove things that are variable like the dates but otherwise it's accomplished what I needed.  Appreciate your help!

     

    import com.santaba.agent.groovyapi.expect.Expect;
    // get the hostname and credentials from the device property table
    hostname = hostProps.get("system.hostname");
    userid = hostProps.get("ssh.user");
    passwd = hostProps.get("ssh.pass");
    // initiate an ssh connection to the host using the provided credentials
    ssh_connection = Expect.open(hostname, userid, passwd);
    // wait for the cli prompt, which indicates we've connected
    ssh_connection.expect("> ");
    // send a command
    ssh_connection.send('show running-config\n');
    sleep(20000);
    output= ssh_connection.stdout();
    // Logout
    ssh_connection.send('exit\n')
    // close the ssh connection handle then print the config
    ssh_connection.expectClose();
    printline=1
    println(output)
  • Anonymous
    9 minutes ago, Matt M. said:

    sleep(20000);

    You could avoid this too by putting an ssh_connection.expect("> ") instead. Then your output could be output=ssh_connection.before(). It should make it so that the script returns as soon as possible instead of at least 20 seconds (where 17-18s of that could be waiting for more output that won't come because it's already back at the prompt).

    Also, fun tip: groovy doesn't require the semicolons at the end of lines. You don't know the excitement I felt when I discovered that.
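
The suggestions in this thread combined into one script, as an added example that is not code posted by any participant: it waits on the prompt instead of sleeping, reads the output with before(), and drops volatile lines so that successive backups only differ when the configuration does. The date pattern, the empty-output check and the non-zero return value are assumptions to adjust for your device and collector.

```groovy
import com.santaba.agent.groovyapi.expect.Expect

// Hostname and credentials from the device property table, as in the thread
def hostname = hostProps.get("system.hostname")
def userid   = hostProps.get("ssh.user")
def passwd   = hostProps.get("ssh.pass")

// Assumption: volatile lines carry a date such as "Jan 5 2021".
// Check what your device actually prints and extend this pattern as needed.
def volatileLine = ~/.*\b[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\b.*/
def command = "show running-config"   // full command; "sh run" is not accepted

def ssh = Expect.open(hostname, userid, passwd)

ssh.expect("> ")             // landmark: logged in and at the CLI prompt
ssh.send(command + "\n")
ssh.expect("> ")             // landmark: output finished, prompt is back
def raw = ssh.before()       // everything received before that prompt

ssh.send("exit\n")
ssh.expectClose()

// Drop the echoed command and any line matching the volatile pattern
def config = raw.readLines()
    .findAll { !it.contains(command) }
    .findAll { !(it ==~ volatileLine) }
    .join("\n")
    .trim()

// An empty capture should not be stored as if it were a valid backup
// (assumption: a non-zero return marks the collection as failed).
if (config.isEmpty()) {
    println("no configuration captured from " + hostname)
    return 1
}

println(config)
return 0
```

If the configuration itself can contain the string "> ", the second expect() may return early; a prompt pattern specific to the device is the safer landmark.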