PRJ-FIREWALL-AUDIT — FTD/FMC + ASA Configuration & Security Audit

Project Summary

Project      | Firewall Configuration & Security Audit — FTD/FMC + ASA
Priority     | P1
Status       | Active — scoping
Owner        | Evan Rosado
Stakeholders | InfoSec Management, Network Engineering
Requested By | Management
Deliverables | Configuration audit report, security findings, API management capability

Scope

Platforms

Platform  | Mode                            | Management
Cisco FTD | Firepower Threat Defense (NGFW) | Managed by FMC (Firepower Management Center)
Cisco ASA | ASA mode (classic firewall)     | Remote Access VPN terminators

Audit Areas

Area              | What to Assess
Rule base         | Overly permissive rules, unused rules, shadowed rules, any-any entries
NAT policies      | Translation consistency, overlap detection, orphaned NAT entries
VPN configuration | RA-VPN profiles, tunnel groups, group policies, crypto maps, IKEv2 settings
Access control    | ACLs, object groups, network/service objects, hit counts
Platform security | Management access, SSH/HTTPS, logging, NTP, AAA, SNMP, banner
High availability | Failover state, interface monitoring, preemption settings
Compliance        | CIS benchmarks, HHS regulatory alignment
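The rule-base checks in the first row (overly permissive, unused, shadowed, any-any) can be scripted against the expanded rule JSON the FMC API returns. The script below is an added example, not the project's tooling: it assumes FMC's rule shape (a selector field that is omitted means "any"; each present field carries `objects` and/or `literals` lists), runs over a constructed six-rule sample, and treats `enabled: false` as the "unused" signal because the sample carries no hit counts. It goes one step beyond name matching by applying CIDR containment to network literals, so a narrow rule behind a broader one is reported as shadowed.

```python
"""Offline rule-base checks over FMC-format access rules (added example, not
project tooling). A selector field the FMC omits (no sourceNetworks, no
destinationPorts, ...) means "any". Object references are compared by name and
network literals by CIDR containment, so a /16 rule is seen as shadowed by an
earlier /8 rule. The six rules below are constructed, not exported from a policy.
"""
import ipaddress
import json
from typing import Dict, List, Set

DIMS = ("sourceZones", "destinationZones", "sourceNetworks",
        "destinationNetworks", "sourcePorts", "destinationPorts")
ANY: Set[str] = set()   # empty selector set = field omitted = any

def selectors(rule: dict, field: str) -> Set[str]:
    """Object names plus literal values for one rule field."""
    spec = rule.get(field) or {}
    out = {o["name"] for o in spec.get("objects", [])}
    for lit in spec.get("literals", []):
        if "value" in lit:                      # Host / Network literal
            out.add(lit["value"])
        elif "port" in lit:                     # PortLiteral -> "proto/port"
            out.add(f"{lit.get('protocol', '')}/{lit['port']}")
    return out

def matched_by(sup: Set[str], item: str) -> bool:
    """Is `item` (a name or a CIDR) covered by one selector in `sup`?"""
    if item in sup:
        return True
    try:
        net = ipaddress.ip_network(item, strict=False)
    except ValueError:
        return False                            # zone/object name: no CIDR math
    for cand in sup:
        try:
            if net.subnet_of(ipaddress.ip_network(cand, strict=False)):
                return True
        except (ValueError, TypeError):         # not a CIDR, or v4/v6 mismatch
            continue
    return False

def covers(sup: Set[str], sub: Set[str]) -> bool:
    """True when every packet matched by `sub` is also matched by `sup`."""
    if sup == ANY:
        return True
    if sub == ANY:
        return False                            # a specific set never covers any
    return all(matched_by(sup, x) for x in sub)

def audit_rules(rules: List[dict]) -> Dict[str, List[str]]:
    """Walk the ordered rule list and return findings keyed by check name."""
    checks = ("any_any", "permissive", "disabled", "unlogged_allow", "shadowed")
    findings: Dict[str, List[str]] = {k: [] for k in checks}
    parsed = [(r, {d: selectors(r, d) for d in DIMS}) for r in rules]
    for idx, (rule, dims) in enumerate(parsed):
        name = rule["name"]
        if not rule.get("enabled", True):
            findings["disabled"].append(name)   # no hit counts here; disabled = unused
            continue
        permits = rule.get("action") in ("ALLOW", "TRUST")
        if permits and all(dims[d] == ANY for d in DIMS):
            findings["any_any"].append(name)
        elif permits and dims["destinationNetworks"] == ANY and dims["destinationPorts"] == ANY:
            findings["permissive"].append(name)  # any destination on any service
        if permits and not (rule.get("logBegin") or rule.get("logEnd")):
            findings["unlogged_allow"].append(name)
        # First-match evaluation: an earlier enabled rule covering every dimension
        # makes this one unreachable, whatever its action (a BLOCK behind an ALLOW
        # is the case that matters most).
        for prev, prev_dims in parsed[:idx]:
            if prev.get("enabled", True) and all(covers(prev_dims[d], dims[d]) for d in DIMS):
                findings["shadowed"].append(f"{name} (by {prev['name']})")
                break
    return findings

def make_rule(name, action="ALLOW", enabled=True, log=True, **fields):
    """Builder for the constructed sample, in FMC's expanded-rule shape."""
    return {"name": name, "action": action, "enabled": enabled, "logEnd": log, **fields}

IN_TO_OUT = {"sourceZones": {"objects": [{"name": "inside"}]},
             "destinationZones": {"objects": [{"name": "outside"}]}}
HTTPS = {"literals": [{"type": "PortLiteral", "protocol": "6", "port": "443"}]}
SAMPLE_RULES = [   # constructed sample policy, not an export from a real FMC
    make_rule("Allow-Web-Out", **IN_TO_OUT, destinationPorts=HTTPS,
              sourceNetworks={"literals": [{"type": "Network", "value": "10.0.0.0/8"}]}),
    make_rule("Legacy-Temp", enabled=False),
    make_rule("Allow-Any-Any", log=False),
    make_rule("Allow-Branch-HTTPS", **IN_TO_OUT, destinationPorts=HTTPS,
              sourceNetworks={"literals": [{"type": "Network", "value": "10.20.0.0/16"}]}),
    make_rule("Block-Guest-Internal", action="BLOCK",
              sourceZones={"objects": [{"name": "guest"}]},
              destinationNetworks={"literals": [{"type": "Network", "value": "10.0.0.0/8"}]}),
    make_rule("Allow-Mgmt-Out", sourceZones={"objects": [{"name": "mgmt"}]}),
]

if __name__ == "__main__":
    print(json.dumps(audit_rules(SAMPLE_RULES), indent=2))
```

On the sample, `Block-Guest-Internal` is reported as shadowed by `Allow-Any-Any`, which is the finding that matters in a real audit: the block never fires. Feed `audit_rules` the `items` list from the FMC access-rules endpoint (with `expanded=true`) to run it on a live export.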

API Strategy

Management wants API-driven operations where possible. Two API surfaces:

FMC REST API (manages FTD)

Capability      | Endpoint Pattern
Authentication  | POST /api/fmc_platform/v1/auth/generatetoken
Access policies | GET /api/fmc_config/v1/domain//policy/accesspolicies
Access rules    | GET /api/fmc_config/v1/domain//policy/accesspolicies/{id}/accessrules
Network objects | GET /api/fmc_config/v1/domain//object/networks
NAT policies    | GET /api/fmc_config/v1/domain//policy/ftdnatpolicies
Device status   | GET /api/fmc_config/v1/domain//devices/devicerecords
Deploy changes  | POST /api/fmc_config/v1/domain//deployment/deploymentrequests
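These endpoints are used in a fixed order: generatetoken first, which returns the access and refresh tokens and the domain UUID in response headers, and that UUID fills the domain segment of every fmc_config path. The session below is an added example, not project code: the host, credentials, policy id and the fake FMC responses are constructed, and the HTTP transport is injectable so the handshake and paging logic run offline. The real transport keeps TLS verification on and takes the FMC's CA bundle instead.

```python
"""Minimal FMC REST API session: token handshake, then a paged GET of access rules.
Added example, not project code. Host, credentials, policy id and the fake FMC
below are constructed; `transport(method, url, headers, body)` returns
(status, headers, body_bytes), so the same logic runs offline or against a real FMC.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

Transport = Callable[[str, str, Dict[str, str], Optional[bytes]],
                     Tuple[int, Dict[str, str], bytes]]

def urllib_transport(cafile: Optional[str] = None) -> Transport:
    """Real HTTPS transport. Trust the FMC's CA via `cafile` instead of turning
    verification off: the session token travels in a header on every request."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.status, dict(resp.headers), resp.read()
        except urllib.error.HTTPError as err:    # hand 4xx/5xx back as a normal tuple
            return err.code, dict(err.headers), err.read()
    return send

class FMCSession:
    TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"

    def __init__(self, host: str, transport: Transport):
        self.base = f"https://{host}"
        self.transport = transport
        self.access_token = self.refresh_token = self.domain_uuid = None

    def login(self, username: str, password: str) -> str:
        """POST generatetoken with Basic credentials. FMC replies 204 and puts the
        access/refresh tokens and the domain UUID in response headers, not the body."""
        cred = base64.b64encode(f"{username}:{password}".encode()).decode()
        status, hdrs, _ = self.transport("POST", self.base + self.TOKEN_PATH,
                                         {"Authorization": f"Basic {cred}"}, None)
        if status != 204:
            raise RuntimeError(f"generatetoken failed: HTTP {status}")
        hdrs = {k.lower(): v for k, v in hdrs.items()}   # header names are case-insensitive
        self.access_token = hdrs["x-auth-access-token"]
        self.refresh_token = hdrs["x-auth-refresh-token"]
        self.domain_uuid = hdrs["domain_uuid"]
        return self.domain_uuid

    def get_all(self, path: str, limit: int = 1000) -> List[dict]:
        """GET a collection under the session's domain and follow `paging.next`
        until every item is collected; expanded=true returns full objects."""
        url = (f"{self.base}/api/fmc_config/v1/domain/{self.domain_uuid}{path}"
               f"?expanded=true&limit={limit}")
        items: List[dict] = []
        while url:
            status, _, body = self.transport("GET", url, {
                "X-auth-access-token": self.access_token, "Accept": "application/json"}, None)
            if status != 200:
                raise RuntimeError(f"GET {url} -> HTTP {status}: {body[:200]!r}")
            page = json.loads(body)
            items.extend(page.get("items", []))
            nxt = page.get("paging", {}).get("next") or []   # FMC lists follow-up URLs here
            url = nxt[0] if nxt else None
        return items

    def access_rules(self, policy_id: str) -> List[dict]:
        return self.get_all(f"/policy/accesspolicies/{policy_id}/accessrules")

FAKE_DOMAIN = "11111111-2222-3333-4444-555555555555"   # constructed, not a real FMC domain

def fake_fmc_transport() -> Transport:
    """Constructed stand-in for an FMC: checks the token and serves two rule pages."""
    next_url = (f"https://fmc.example.test/api/fmc_config/v1/domain/{FAKE_DOMAIN}"
                "/policy/accesspolicies/pol-1/accessrules?expanded=true&limit=1&offset=1")
    page1 = {"items": [{"name": "Allow-Web-Out", "action": "ALLOW"}],
             "paging": {"offset": 0, "limit": 1, "count": 2, "next": [next_url]}}
    page2 = {"items": [{"name": "Deny-All", "action": "BLOCK"}],
             "paging": {"offset": 1, "limit": 1, "count": 2}}

    def send(method, url, headers, body):
        if method == "POST" and url.endswith(FMCSession.TOKEN_PATH):
            if not headers.get("Authorization", "").startswith("Basic "):
                return 401, {}, b""
            return 204, {"X-auth-access-token": "tok-1", "X-auth-refresh-token": "ref-1",
                         "DOMAIN_UUID": FAKE_DOMAIN}, b""
        if headers.get("X-auth-access-token") != "tok-1":
            return 401, {}, b'{"error": "unauthorized"}'
        return 200, {}, json.dumps(page2 if "offset=1" in url else page1).encode()
    return send

def demo() -> List[str]:
    """Log in to the fake FMC and return rule names gathered across both pages."""
    fmc = FMCSession("fmc.example.test", fake_fmc_transport())
    fmc.login("auditor", "not-a-real-password")
    return [r["name"] for r in fmc.access_rules("pol-1")]

if __name__ == "__main__":
    print(demo())   # ['Allow-Web-Out', 'Deny-All']
```

Against a real FMC, construct `FMCSession(host, urllib_transport(cafile="/path/to/fmc-ca.pem"))`, log in with an API-only account, and pass the access policy id from the accesspolicies listing; the access token expires after a fixed interval, so long-running exports should re-login when a request comes back 401.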

ASA REST API (direct to device)

Capability     | Endpoint Pattern
Authentication | Basic auth or token-based
Running config | GET /api/cli with show running-config
ACLs           | GET /api/access/in//rules
NAT rules      | GET /api/nat/
VPN sessions   | GET /api/vpn-sessiondb/anyconnect
Interfaces     | GET /api/interfaces/physical
Objects        | GET /api/objects/networkobjects

Integration with netapi

Both APIs are candidates for netapi vendor modules:

  • netapi cisco fmc policies — list access policies and rules

  • netapi cisco fmc objects — network/service objects

  • netapi cisco fmc deploy — push pending changes

  • netapi cisco asa vpn sessions — active RA-VPN sessions

  • netapi cisco asa acl — access list audit

Until netapi modules are built, use curl + jq directly against the APIs. All patterns documented in codex/apis/.

Deliverables

  • FTD/FMC configuration export via API

  • ASA configuration export via API

  • Rule base analysis — unused, overly permissive, shadowed

  • VPN configuration audit — tunnel groups, group policies, crypto

  • Security posture report for management

  • API management runbook — common operations via curl/netapi

  • D2 diagrams: firewall zone topology, VPN architecture

Metadata

Field     | Value
PRJ ID    | PRJ-2026-04-firewall-audit
Author    | Evan Rosado
Created   | 2026-04-12
Updated   | 2026-04-16
Status    | Active
Category  | Network Security / Compliance
Priority  | P1
Platforms | Cisco FTD (FMC-managed), Cisco ASA (RA-VPN)
APIs      | FMC REST API, ASA REST API
Tools     | netapi, curl + jq, D2 diagrams
Related   | PRJ-DMZ-MIGRATION, PRJ-NETWORK-DIAGRAM-LIBRARY