my cheat sheet on Cisco Security APIs
1 Security APIs
Security comprises many different parts of an enterprise's infrastructure. Replacing human slow, and error prone corroboration of security incidents with a fast and automated API interaction can greatly increase the overall resilience and impenetrability of your defences.
2 Advanced Malware Protection, AMP
For details see Advanced Malware Protection
3 SecureX
For details see SecureX
4 Threat Grid
5 Umbrella
6 Firepower Management Centre & API Explorer
FMC offers an API Explorer
that is available on every Firepower Management
Center by browsing to:
https://<mgt-center-ip-or-name>:<https-port>/api/api-explorer
https://<mgt-center-ip-or-name>:<https-port>/api/api-explorer
As you can see, it is a REST API. The reserveable sandbox API is available: https://fmcrestapisandbox.cisco.com/api/api-explorer/ but you must reserve the sandbox to get the credentials for a 4 hour session. That sandbox is available here: https://devnetsandbox.cisco.com/RM/Topology (search for FMC)
The API Explorer will let you generate code snippets
for both Perl
and Python
Update: The Open API Spec is a standardized specification of a REST API. The Open API Spec for the Firepower Management Center REST API contains details about the endpoints, fields, parameters, and requirements of the API. You can use the API Spec to generate sample code as well as find specific information about API functionality.
6.1 FMC API Explorer Authentication
-H "X-auth-access-token: blah-blah-blha"
The credentials for the API explorer are the same for the FMC.
It can let you log in, then "try" a REST API Request and get back this
for example:
curl -X GET "https://fmcrestapisandbox.cisco.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords" -H "accept: application/json" -H "X-auth-access-token: d0073556-f465-4f99-ae74-4bd8d61673d7"
curl -X GET "https://fmcrestapisandbox.cisco.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords" -H "accept: application/json" -H "X-auth-access-token: d0073556-f465-4f99-ae74-4bd8d61673d7"
I used POSTMAN with the tokens I copied from my FMC API Explorer session and got success as shown in this screenshot:
Detailed steps are available from learning labs. Authentication to the API
Explorer FMC REST API uses token-based authentication
. You need a valid access
token to invoke a REST call, and every REST call must include a header in which
key is set to X-auth-access-token and the value contains the access token.
The API Explorer automates the access token process, and you can log into the API Explorer using any FMC account, but you will only be able to perform the functions for which the account has permissions.
7 FTD and Password Granted Access Token
Every REST API call must include an authentication token
to verify that the
caller is authorized to perform the requested action.
Initially, you need to obtain an access token
by supplying the admin
username/password
. This is called a password-granted access token
, that is,
grant_type = password
.
Steps:
- Create the JSON object for the password-granted access token grant. Specify the admin username and password
- Use POST https://server/api/fdm/v3/fdm/token to obtain the access token. Use curl, postman, python, whatever you want.
- Retrieve the access and refresh tokens from the response. A good response
has a
status code 200
.
8 FTD and Custom Access Token
You can use the password-granted access token as described above. However, you
can also request a
custom access token With a custom token, you can:
supply a
subject name
to help differentiate token usage (for own purposes).- You can also
request specific validity periods
if the default values returned for password tokens do not fit your requirements.
(Notice the difference to API keys that have no expiration time. You have to go to a web page and manually invalidate an API key.)
Before you can start, you need to first 1) get a password-granted access token.
- create the json object for custom access token grant
{ "grant_type": "custom_token", "access_token": "string", "desired_expires_in": 0, "desired_refresh_expires_in": 0, "desired_subject": "string", "desired_refresh_count": 0 }
Or realistically:
{ "grant_type": "custom_token", "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1MDI4MzI2NjcsInN1YiI6ImFkbWluIiwianRpIjoiMGM3ZDBmNDgtODIwMS0xMWU3LWE4MWMtMDcwZmYzOWU3ZjQ0IiwibmJmIjoxNTAyODMyNjY3LCJleHAiOjE1MDI4MzQ0NjcsInJlZnJlc2hUb2tlbkV4cGlyZXNBdCI6MTUwMjgzNTA2NzQxOSwidG9rZW5UeXBlIjoiSldUX0FjY2VzcyIsIm9yaWdpbiI6InBhc3N3b3JkIn0.b2hI6fVA_GbmhCOPM-ZUx6IC8SgCk1AkHXI-llV0r7s", "desired_expires_in": 2400, "desired_refresh_expires_in": 3000, "desired_subject": "api-client", "desired_refresh_count": 3 }
The token can be
refreshed 3 times
, after that you need togenerate another token.
- POST that json to obtain the access token.
For example, if I was using curl, I would:
curl -X POST \ --header 'Content-Type: application/json' \ --header 'Accept: application/json' \ -d '{ "grant_type": "custom_token", "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1MDI4MzU5NjgsInN1YiI6ImFkbWluIiwianRpIjoiYmMyNjM4N2EtODIwOC0xMWU3LWE4MWMtYzNlYTZkZjJjZThjIiwibmJmIjoxNTAyODM1OTY4LCJleHAiOjE1MDI4Mzc3NjgsInJlZnJlc2hUb2tlbkV4cGlyZXNBdCI6MTUwMjgzODM2ODYwNiwidG9rZW5UeXBlIjoiSldUX0FjY2VzcyIsIm9yaWdpbiI6InBhc3N3b3JkIn0.acOE_Y4SEds-NE4Qw99fQlUzdoSkhsjInaCh0a9WK38", "desired_expires_in": 2400, "desired_refresh_expires_in": 3000, "desired_subject": "api-client", "desired_refresh_count": 3 }' https://ftd.example.com/api/fdm/v3/fdm/token
- Retrieve the access tokens from the response, (if status is 200 ok)
For example this is a response to retrieve an access token.
{ "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1MDI4MzU5OTEsInN1YiI6ImFwaS1jbGllbnQiLCJqdGkiOiJjOWIxYzdjYi04MjA4LTExZTctYTgxYy02YmY0NzY3ZmRmZGUiLCJuYmYiOjE1MDI4MzU5OTEsImV4cCI6MTUwMjgzODM5MSwicmVmcmVzaFRva2VuRXhwaXJlc0F0IjoxNTAyODM4OTkxMzMxLCJ0b2tlblR5cGUiOiJKV1RfQWNjZXNzIiwib3JpZ2luIjoiY3VzdG9tIn0.9IVzLjGffVQffHAWdrNkrYfvuO6TgpJ7Zi_z3RYubN8", "expires_in": 2400, "token_type": "Bearer", "refresh_token": "eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1MDI4MzU5OTEsInN1YiI6ImFwaS1jbGllbnQiLCJqdGkiOiJjOWIxYzdjYi04MjA4LTExZTctYTgxYy02YmY0NzY3ZmRmZGUiLCJuYmYiOjE1MDI4MzU5OTEsImV4cCI6MTUwMjgzODk5MSwiYWNjZXNzVG9rZW5FeHBpcmVzQXQiOjE1MDI4MzgzOTEzMzEsInJlZnJlc2hDb3VudCI6MywidG9rZW5UeXBlIjoiSldUX1JlZnJlc2giLCJvcmlnaW4iOiJjdXN0b20ifQ.qseqjg3Uo183YvfN_77iJZELEqwpWw5AbKAqAnCIcSA", "refresh_expires_in": 3000 }
- Retrieve the access tokens from the response, (if status is 200 ok)
- POST that json to obtain the access token.
For example, if I was using curl, I would:
8.1 Refreshing an Access Token
After an access token expires
, you need to refresh it using the refresh token
that was supplied in the original grant. A refreshed access token is actually
different than the original access token. “Refreshing” actually supplies a
new pair of access token and refresh token
, it does not simply extend the
life of the old access token.
9 FTD Using access token on API calls
After you obtain either a password-granted
or custom access token
, you must
include it on each API call in the Authorization: Bearer header
to the HTTPS
request.
For example, a curl command to perform GET /object/networks might look like the following:
BASH
curl -k -X GET \
-H 'Accept: application/json' \
-H 'Authorization: Bearer
eyJhbGciOiJIUz… …vuO6TgpJ7Ziz3RYubN8' \
https://ftd.example.com/api/fdm/v3/object/networks
For more, including how to refresh an access token using json and calls see this developer.cisco.com link.
10 From journey2theccie.wordpress.com site:
10.1 Basic
Basic authentication transmits credentials as username/password pairs separated by a colon. It looks like this in the request:
Authorization: Basic <user>:<pass> These passwords are in plain text and are very insecure unless paired with HTTPS.
10.2 Custom Token
Token auth uses the Bearer HTTP authentication scheme. It is more secure than basic authentication and is used with OAuth and SSO. It uses a token generated by an authentication server. It looks like this in the request:
Authorization: Bearer <token>
It should also be used with HTTPS instead of HTTP.
10.3 API Keys
API keys are generated by a server and assigned to an individual user. To obtain the key, users log into the server using their credentials and get the assigned key. These keys are assigned once and are not regenerated. The user then has to use the key in every request.
Just like Basic & Bearer, it should be paired with HTTPS.
There are two types of API keys:
Public Private
A public key can be shared, but a private key must not be
shared since it is paired to a user’s credentials. For public keys, you can
provide it in a query:
GET https://localhost:8000/v1/devices?API_KEY=YOUR_KEY For private keys, there are a few options for putting them in the header:
Authorization: <APIKEY> #OR Authorization: APIKEY <APIKEY> #OR APIKEY: <APIKEY> You can also put keys in the body of the request:
{ APIKEY: <APIKEY> }
Lastly, you can use a cookie
:
Cookie: APIKEY = <APIKEY>