Cisco Firewall APIs — FMC + ASA
FMC REST API (manages FTD)
Authentication
Generate auth token (valid 30 minutes; refreshable up to 3 times via /auth/refreshtoken, then a new login is required). One call returns the access token, refresh token and domain UUID together, so capture the headers once instead of logging in twice:
AUTH_HDRS=$(curl -sk -X POST -u "${FMC_USER}:${FMC_PASS}" \
-o /dev/null -D - \
"https://${FMC_HOST}/api/fmc_platform/v1/auth/generatetoken")
hdr() { printf '%s\n' "$AUTH_HDRS" | awk -F': ' -v k="$1" 'tolower($1)==k {print $2}' | tr -d '\r'; }
FMC_TOKEN=$(hdr x-auth-access-token)
FMC_REFRESH=$(hdr x-auth-refresh-token)
DOMAIN_UUID=$(hdr domain_uuid)
echo "Token: ${FMC_TOKEN:0:12}... Refresh: ${FMC_REFRESH:0:12}... Domain: ${DOMAIN_UUID:0:12}..."
Most FMC deployments still present the factory self-signed certificate, so -k disables verification; once you have the FMC's certificate or issuing CA, pass --cacert instead of trusting whatever answers on TCP/443. generatetoken answers 204 with an empty body: the access token, refresh token and DOMAIN_UUID are response headers, hence -D - rather than parsing the body. Every generatetoken call mints a fresh token, so do it once per session, not per request. To refresh, POST to /api/fmc_platform/v1/auth/refreshtoken with both X-auth-access-token and X-auth-refresh-token headers; after the third refresh, generatetoken is required again.
Device Inventory
List all managed devices (expanded=true is needed for model, version and health; without it the list carries only name, id and type)
curl -sk -H "X-auth-access-token: ${FMC_TOKEN}" \
"https://${FMC_HOST}/api/fmc_config/v1/domain/${DOMAIN_UUID}/devices/devicerecords?expanded=true&limit=1000" \
| jq '[.items[] | {name, hostName, model, sw: .sw_version, health: .healthStatus}]'
Access Policies
List all access control policies
curl -sk -H "X-auth-access-token: ${FMC_TOKEN}" \
"https://${FMC_HOST}/api/fmc_config/v1/domain/${DOMAIN_UUID}/policy/accesspolicies" \
| jq '[.items[] | {name, id: .id[:12]}]'
Get rules from a specific policy (page size tops out at 1000; if .paging.next is present, fetch it for the rest; an empty src/dst below means "any")
POLICY_ID="<policy-id>"
curl -sk -H "X-auth-access-token: ${FMC_TOKEN}" \
"https://${FMC_HOST}/api/fmc_config/v1/domain/${DOMAIN_UUID}/policy/accesspolicies/${POLICY_ID}/accessrules?expanded=true&limit=1000" \
| jq '[.items[] | {name, action, enabled, src: [(.sourceNetworks.literals // [])[].value, (.sourceNetworks.objects // [])[].name], dst: [(.destinationNetworks.literals // [])[].value, (.destinationNetworks.objects // [])[].name]}]'
Count rules per policy — audit scope sizing (the policy list already carries id and name; limit=1 keeps each per-policy call small while .paging.count still reports the total)
curl -sk -H "X-auth-access-token: ${FMC_TOKEN}" \
"https://${FMC_HOST}/api/fmc_config/v1/domain/${DOMAIN_UUID}/policy/accesspolicies?limit=1000" \
| jq -r '.items[] | "\(.id)\t\(.name)"' | while IFS=$'\t' read -r pid name; do
count=$(curl -sk -H "X-auth-access-token: ${FMC_TOKEN}" \
"https://${FMC_HOST}/api/fmc_config/v1/domain/${DOMAIN_UUID}/policy/accesspolicies/${pid}/accessrules?limit=1" \
| jq '.paging.count // 0')
printf "%-40s %s rules\n" "$name" "$count"
done
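Two things above are easy to get wrong in shell: the token lifecycle from the Authentication section (30-minute tokens, three refreshes, then a new login) and the paging hidden behind the limit= parameters (a list call with more rows than the page size is silently truncated unless .paging.next is followed). The following is an added Python example, written for this page and not Cisco's code or anything from the original; it models the FMC behaviour described above (generatetoken and refreshtoken answer 204 with the tokens as headers, list responses carry paging.next as a list of absolute URLs, default page size 25). The transport is injected so the logic runs offline: FakeFmc, its hostname, credentials, domain UUID and five network objects are constructed stand-ins, not captured output.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

GENERATE_PATH = "/api/fmc_platform/v1/auth/generatetoken"
REFRESH_PATH = "/api/fmc_platform/v1/auth/refreshtoken"
MAX_REFRESHES = 3      # FMC allows three refreshes of one access token, then a new login
TOKEN_TTL = 30 * 60    # access-token lifetime in seconds; we renew a minute early


class FmcSession:
    # transport(method, url, headers, body) -> (status, headers, body_text); a real one
    # wraps urllib/requests with the FMC cert pinned, FakeFmc below keeps this offline.
    def __init__(self, host, user, password, transport, clock=time.time):
        self.base = f"https://{host}"
        self.basic = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        self.transport, self.clock = transport, clock
        self.token = self.refresh_token = self.domain_uuid = None
        self.issued_at, self.refreshes = 0.0, 0

    def _auth_post(self, path, headers):
        # generatetoken and refreshtoken both answer 204 with the tokens as headers
        status, hdrs, _ = self.transport("POST", self.base + path, headers, None)
        if status != 204:
            raise RuntimeError(f"{path} returned {status}")
        low = {k.lower(): v for k, v in hdrs.items()}   # header names are case-insensitive
        self.token, self.refresh_token = low["x-auth-access-token"], low["x-auth-refresh-token"]
        self.domain_uuid = low.get("domain_uuid", self.domain_uuid)
        self.issued_at = self.clock()

    def login(self):
        self._auth_post(GENERATE_PATH, {"Authorization": self.basic})
        self.refreshes = 0                               # a fresh token gets three refreshes again

    def refresh(self):
        self._auth_post(REFRESH_PATH, {"X-auth-access-token": self.token,
                                       "X-auth-refresh-token": self.refresh_token})
        self.refreshes += 1

    def ensure_token(self):
        """First use logs in; near expiry refresh, or log in again once the refreshes are spent."""
        if self.token is None:
            self.login()
        elif self.clock() - self.issued_at >= TOKEN_TTL - 60:
            self.refresh() if self.refreshes < MAX_REFRESHES else self.login()

    def get_url(self, url):
        self.ensure_token()
        status, _, body = self.transport("GET", url, {"X-auth-access-token": self.token}, None)
        if status == 401:      # token invalidated server-side: exactly one clean re-login
            self.login()
            status, _, body = self.transport("GET", url, {"X-auth-access-token": self.token}, None)
        if status != 200:
            raise RuntimeError(f"GET {url} returned {status}")
        return json.loads(body)

    def get_all(self, path, **params):
        """Follow paging.next (a list of absolute URLs) so limit= never silently truncates."""
        url = f"{self.base}{path}?{urlencode(params)}" if params else self.base + path
        items = []
        while url:
            page = self.get_url(url)
            items.extend(page.get("items", []))
            nxt = page.get("paging", {}).get("next") or []
            url = nxt[0] if nxt else None
        return items


# Constructed stand-in for an FMC (nothing here is captured from a real one): five
# network objects served in pages, and token endpoints that count their calls.
NETWORKS = [{"name": f"net-{i}", "value": f"10.0.{i}.0/24", "type": "Network"} for i in range(5)]


class FakeFmc:
    def __init__(self):
        self.logins = self.refreshes = 0

    def __call__(self, method, url, headers, body):
        p = urlparse(url)
        if p.path == GENERATE_PATH:
            self.logins += 1
            return 204, {"X-auth-access-token": f"tok-{self.logins}", "X-auth-refresh-token": f"ref-{self.logins}",
                         "DOMAIN_UUID": "00000000-0000-0000-0000-000000000000"}, ""
        if p.path == REFRESH_PATH:
            self.refreshes += 1
            return 204, {"X-auth-access-token": f"tok-{self.logins}.{self.refreshes}",
                         "X-auth-refresh-token": f"ref-{self.logins}.{self.refreshes}"}, ""
        if not headers.get("X-auth-access-token", "").startswith("tok-"):
            return 401, {}, ""
        q = parse_qs(p.query)
        offset, limit = int(q.get("offset", ["0"])[0]), int(q.get("limit", ["25"])[0])
        paging = {"offset": offset, "limit": limit, "count": len(NETWORKS)}
        if offset + limit < len(NETWORKS):
            paging["next"] = [f"https://{p.netloc}{p.path}?offset={offset + limit}&limit={limit}"]
        return 200, {}, json.dumps({"items": NETWORKS[offset:offset + limit], "paging": paging})


def demo():
    """Paginated fetch with limit=2, then four token expiries: 3 refreshes, then a new login."""
    now, fake = [0.0], FakeFmc()
    s = FmcSession("fmc.example.net", "api-ro", "secret", fake, clock=lambda: now[0])
    got = s.get_all("/api/fmc_config/v1/domain/x/object/networks", expanded="true", limit=2)
    for _ in range(4):
        now[0] += TOKEN_TTL
        s.ensure_token()
    return len(got), fake.logins, fake.refreshes


if __name__ == "__main__":
    print(demo())   # (5, 2, 3)
```

Against a real FMC, swap FakeFmc for a transport that performs the HTTPS request with the FMC's certificate pinned and returns the same (status, headers, body) triple; everything else, including the one re-login on a 401 and the refresh accounting, stays as written.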
Objects
List network objects (expanded=true to get the values; 1000 is the maximum page size, follow .paging.next beyond that)
curl -sk -H "X-auth-access-token: ${FMC_TOKEN}" \
"https://${FMC_HOST}/api/fmc_config/v1/domain/${DOMAIN_UUID}/object/networks?expanded=true&limit=1000" \
| jq '[.items[] | {name, value, type}]'
List network groups
curl -sk -H "X-auth-access-token: ${FMC_TOKEN}" \
"https://${FMC_HOST}/api/fmc_config/v1/domain/${DOMAIN_UUID}/object/networkgroups?expanded=true&limit=100" \
| jq '[.items[] | {name, objects: [.objects[]?.name], literals: [.literals[]?.value]}]'
NAT Policies
List NAT policies (the rules of one policy, auto and manual NAT together, are under .../ftdnatpolicies/<id>/natrules)
curl -sk -H "X-auth-access-token: ${FMC_TOKEN}" \
"https://${FMC_HOST}/api/fmc_config/v1/domain/${DOMAIN_UUID}/policy/ftdnatpolicies" \
| jq '[.items[] | {name, id: .id[:12]}]'
Deployment
Check pending changes (upToDate false means the device runs an older config than FMC holds; the deploy itself is a POST to .../deployment/deploymentrequests naming the device and this version)
curl -sk -H "X-auth-access-token: ${FMC_TOKEN}" \
"https://${FMC_HOST}/api/fmc_config/v1/domain/${DOMAIN_UUID}/deployment/deployabledevices?expanded=true" \
| jq '[.items[] | {name, canBeDeployed, upToDate, version}]'
ASA REST API (direct to device)
Authentication
Enable ASA REST API (if not already)
! On the ASA CLI. Prerequisites: http server enable, an http <net> <mask> <iface> entry that admits the API client, and a local or AAA user with privilege 15 for configuration writes (GETs need less).
rest-api image disk0:/asa-restapi-*-lfbff-k8.SPA
rest-api agent
Test connectivity
curl -sk -u "${ASA_USER}:${ASA_PASS}" \
"https://${ASA_HOST}/api/monitoring/serialnumber" \
| jq '.serialNumber'
Configuration Export
Get running config via CLI API (each command's output comes back as one string in .response; the dump contains local password hashes and other secrets, and `more system:running-config` would even show the keys that show running-config masks, so store it like a secret)
curl -sk -X POST -u "${ASA_USER}:${ASA_PASS}" \
-H "Content-Type: application/json" \
-d '{"commands": ["show running-config"]}' \
"https://${ASA_HOST}/api/cli" \
| jq -r '.response[]'
Get specific config section
curl -sk -X POST -u "${ASA_USER}:${ASA_PASS}" \
-H "Content-Type: application/json" \
-d '{"commands": ["show running-config access-list"]}' \
"https://${ASA_HOST}/api/cli" \
| jq -r '.response[]'
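The CLI endpoint hands `show running-config access-list` back as one string in .response[0]; what you usually want next is a pass over it for the findings a firewall review looks for: permit ip any any, everything-from-anywhere to a host, entries shadowed by an earlier any/any line, inactive leftovers, ACLs never bound with access-group, and deny lines that drop without logging. The block below is an added Python example written for this page, not Cisco's code or anything from the original. ASA_CONFIG is a constructed sample in the ASA's syntax, and the finding codes, the checks and their severity are this example's own conventions.

```python
import re

# Constructed `show running-config` excerpt (not from a real ASA); only the
# access-list and access-group lines matter to the audit.
ASA_CONFIG = """\
hostname asa-edge-01
access-list OUTSIDE_IN remark web tier from the internet
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS eq https
access-list OUTSIDE_IN extended permit ip any host 203.0.113.10
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.11 eq ssh
access-list OUTSIDE_IN extended deny ip any any
access-list INSIDE_OUT extended permit ip 10.0.0.0 255.0.0.0 any
access-list INSIDE_OUT extended deny ip any any log
access-list OLD_DMZ extended permit udp any4 any4 eq 53 inactive
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside
"""

PORT_OPS = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}   # operator plus operand count


def _take_addr(toks, i):
    """Consume one address term at toks[i]; return (normalised text, next index)."""
    t = toks[i]
    if t in ("any", "any4", "any6"):
        return "any", i + 1
    if t == "host":
        return toks[i + 1], i + 2
    if t in ("object", "object-group", "interface"):
        return f"{t} {toks[i + 1]}", i + 2
    if "/" in t:                                  # IPv6 prefix is a single token
        return t, i + 1
    return f"{t} {toks[i + 1]}", i + 2            # IPv4 address followed by its mask


def parse_ace(line):
    """One extended or standard ACE as a dict; None for remarks and other ACL kinds.
    Known gap: a service object-group used as a *port* term is read as the
    destination, so review those lines by hand."""
    toks = line.split()
    if len(toks) < 5 or toks[0] != "access-list":
        return None
    acl, kind = toks[1], toks[2]
    if kind == "extended":
        action, i = toks[3], 4
        if toks[i] in ("object", "object-group"):     # service object as the protocol
            proto, i = toks[i + 1], i + 2
        else:
            proto, i = toks[i], i + 1
        src, i = _take_addr(toks, i)
        if i < len(toks) and toks[i] in PORT_OPS:      # optional source-port term
            i += PORT_OPS[toks[i]]
        dst, i = _take_addr(toks, i)
    elif kind == "standard":                          # standard ACLs match destination only
        action, proto, src = toks[3], "ip", "any"
        dst, i = _take_addr(toks, 4)
    else:
        return None
    rest = toks[i:]
    return {"acl": acl, "action": action, "proto": proto, "src": src, "dst": dst,
            "log": "log" in rest, "inactive": "inactive" in rest, "raw": line}


def audit(config_text):
    """Return (acl, code, ace text) findings. ACLs are first-match, so once an
    active 'ip any any' entry is seen, later entries in that ACL can never match."""
    bound = set(re.findall(r"^access-group (\S+) ", config_text, re.M))
    findings, shadowed, seen = [], set(), []
    for line in config_text.splitlines():
        ace = parse_ace(line)
        if ace is None:
            continue
        acl = ace["acl"]
        if acl not in seen:
            seen.append(acl)
        if ace["inactive"]:
            findings.append((acl, "INACTIVE", line))          # dead config; remove or re-enable on purpose
            continue
        if acl in shadowed:
            findings.append((acl, "UNREACHABLE", line))
            continue
        wide_open = ace["proto"] == "ip" and ace["src"] == "any" and ace["dst"] == "any"
        if ace["action"] == "permit" and wide_open:
            findings.append((acl, "PERMIT_ANY_ANY", line))
        elif ace["action"] == "permit" and ace["proto"] == "ip" and ace["src"] == "any":
            findings.append((acl, "ANY_SRC_ALL_PROTO", line))  # every port and protocol from anywhere
        if ace["action"] == "deny" and not ace["log"]:
            findings.append((acl, "DENY_NO_LOG", line))        # drops you will never see in syslog
        if wide_open:
            shadowed.add(acl)
    findings += [(acl, "UNBOUND_ACL", "") for acl in seen if acl not in bound]
    return findings


if __name__ == "__main__":
    for acl, code, text in audit(ASA_CONFIG):
        print(f"{acl:<12} {code:<18} {text}")
```

To run it against a live box, pipe the CLI API call through `jq -r '.response[0]'` and pass that text to audit(); use `show running-config` rather than the access-list subset so the access-group lines are present for the UNBOUND_ACL check.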
VPN Sessions
List active AnyConnect sessions
curl -sk -X POST -u "${ASA_USER}:${ASA_PASS}" \
-H "Content-Type: application/json" \
-d '{"commands": ["show vpn-sessiondb anyconnect"]}' \
"https://${ASA_HOST}/api/cli" \
| jq -r '.response[]'
Count active sessions
curl -sk -X POST -u "${ASA_USER}:${ASA_PASS}" \
-H "Content-Type: application/json" \
-d '{"commands": ["show vpn-sessiondb summary"]}' \
"https://${ASA_HOST}/api/cli" \
| jq -r '.response[]'
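The session table comes back as text, and the questions a SOC asks of it (which accounts are logged in from two places at once, which tunnels have been up for days, which negotiated a cipher that policy no longer allows) need a parser before they can be alerted on. The block below is an added Python example written for this page, not Cisco's code or anything from the original. VPN_SESSIONS is constructed in the layout `show vpn-sessiondb anyconnect` prints, with made-up users, addresses and times; the 12-hour threshold and the cipher list are this example's assumptions, to be tuned to local policy.

```python
import re
from collections import defaultdict

# Constructed `show vpn-sessiondb anyconnect` output: the field layout is the
# ASA's, the users, addresses and times are made up.
VPN_SESSIONS = """\
Session Type: AnyConnect

Username     : jdoe                   Index        : 101
Assigned IP  : 10.10.10.5             Public IP    : 203.0.113.7
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Group Policy : GP-Employees           Tunnel Group : TG-Employees
Login Time   : 08:12:33 UTC Mon Jun 3 2024
Duration     : 0h:42m:10s

Username     : jdoe                   Index        : 102
Assigned IP  : 10.10.10.6             Public IP    : 198.51.100.23
Protocol     : AnyConnect-Parent SSL-Tunnel
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)3DES
Group Policy : GP-Employees           Tunnel Group : TG-Employees
Login Time   : 04:11:19 UTC Fri May 31 2024
Duration     : 3d 4h:01m:05s

Username     : svc-backup             Index        : 103
Assigned IP  : 10.10.10.7             Public IP    : 192.0.2.99
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Group Policy : GP-Admins              Tunnel Group : TG-Admins
Login Time   : 17:32:00 UTC Sun Jun 2 2024
Duration     : 15h:20m:00s
"""

FIELDS = {                       # label as printed -> regex capturing its value
    "user": r"Username\s*:\s*(\S+)",
    "index": r"Index\s*:\s*(\d+)",
    "assigned_ip": r"Assigned IP\s*:\s*(\S+)",
    "public_ip": r"Public IP\s*:\s*(\S+)",
    "tunnel_group": r"Tunnel Group\s*:\s*(\S+)",
    "duration": r"Duration\s*:\s*(\S+(?: \S+)?)",      # "0h:42m:10s" or "3d 4h:01m:05s"
}
DURATION_RE = re.compile(r"(?:(\d+)d\s+)?(\d+)h:(\d+)m:(\d+)s")
# ciphers this example treats as unacceptable on the data tunnels (assumption, not an ASA default)
WEAK_RE = re.compile(r"(?:SSL|DTLS)-Tunnel: \(\d+\)(?:3DES|RC4|DES|none)\b")


def duration_seconds(text):
    m = DURATION_RE.search(text)
    if not m:
        return None
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s


def parse_sessions(text):
    """One dict per session; a record starts at every line beginning 'Username'."""
    sessions = []
    for block in re.split(r"(?m)^(?=Username\s*:)", text)[1:]:
        rec = {}
        for key, pattern in FIELDS.items():
            m = re.search(pattern, block)
            rec[key] = m.group(1) if m else None
        rec["seconds"] = duration_seconds(rec["duration"] or "")
        rec["weak_cipher"] = bool(WEAK_RE.search(block))
        sessions.append(rec)
    return sessions


def audit_sessions(text, max_hours=12):
    """(user, index, code) findings; max_hours is this example's threshold."""
    sessions = parse_sessions(text)
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
    findings = []
    for s in sessions:
        if s["seconds"] is not None and s["seconds"] > max_hours * 3600:
            findings.append((s["user"], s["index"], "LONG_LIVED"))
        if s["weak_cipher"]:
            findings.append((s["user"], s["index"], "WEAK_CIPHER"))
        peers = {p["public_ip"] for p in by_user[s["user"]]}
        if len(peers) > 1:                 # same account up from two public addresses at once
            findings.append((s["user"], s["index"], "MULTI_SESSION"))
    return findings


if __name__ == "__main__":
    for user, index, code in audit_sessions(VPN_SESSIONS):
        print(f"{user:<12} idx={index:<5} {code}")
```

Feed it the live table with `... /api/cli ... | jq -r '.response[0]'`; a MULTI_SESSION hit on a service account, or a LONG_LIVED session from an address you do not recognise, is the kind of line worth a ticket rather than a dashboard.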
Interfaces & Routing
List interfaces (ipAddress is a nested object in the ASA REST schema, so pull the address and mask values out of it; the `?` guards interfaces without a static address)
curl -sk -u "${ASA_USER}:${ASA_PASS}" \
"https://${ASA_HOST}/api/interfaces/physical" \
| jq '[.items[] | {hw: .hardwareID, nameif: .name, ip: (.ipAddress.ip.value? // null), mask: (.ipAddress.netMask.value? // null), secLevel: .securityLevel, shutdown}]'
Routing table
curl -sk -X POST -u "${ASA_USER}:${ASA_PASS}" \
-H "Content-Type: application/json" \
-d '{"commands": ["show route"]}' \
"https://${ASA_HOST}/api/cli" \
| jq -r '.response[]'
netapi Equivalents (planned)
# Future netapi commands (not yet implemented)
netapi cisco fmc devices # List managed FTD devices
netapi cisco fmc policies # Access control policies
netapi cisco fmc rules <policy> # Rules in a policy
netapi cisco fmc objects # Network/service objects
netapi cisco fmc deploy # Trigger deployment
netapi cisco asa vpn sessions # Active RA-VPN sessions
netapi cisco asa acl # Access list dump
netapi cisco asa config <section> # Config section export
Until netapi modules exist, use the curl + jq patterns above; they are copy-paste-runnable once FMC_HOST/FMC_USER/FMC_PASS or ASA_HOST/ASA_USER/ASA_PASS are exported in the shell.