Run Commands (Automata Workflows)

Overview

The netapi run command group provides access to automata workflows - multi-vendor orchestration routines for common operational tasks.

Prerequisites

Load secrets before running workflows:

dsource d000 dev/network

Available Workflows

# List all available workflows
netapi run list

Emergency Response

emergency-block

Block an endpoint across ISE, switch, and firewall for immediate threat containment. Uses ANC (Adaptive Network Control) policy by default for proper quarantine handling.

# Dry run - show what would be done
netapi run emergency-block --mac 00:14:D1:B0:50:D4 --dry-run

# Block using ANC policy (default - recommended)
netapi run emergency-block --mac 00:14:D1:B0:50:D4 --anc-policy Quarantine

# Use custom ANC policy
netapi run emergency-block --mac 00:14:D1:B0:50:D4 -a ANC-Malware-Quarantine

# Fall back to group assignment (no ANC)
netapi run emergency-block --mac 00:14:D1:B0:50:D4 --no-anc --group Blacklist

# Full multi-vendor block (ISE + switch + firewall)
netapi run emergency-block --mac 00:14:D1:B0:50:D4 --switch --firewall --ip 10.1.1.100

Options:

Option            Description                      Default
--mac, -m         MAC address to block (required)  -
--anc-policy, -a  ANC policy name                  Quarantine
--anc/--no-anc    Use ANC policy (recommended)     True
--group, -g       ISE group if not using ANC       Blacklist
--switch, -s      Also block on switch             False
--firewall, -f    Also block on firewall           False
--ip, -i          IP address for firewall block    -
--dry-run, -n     Show what would be done          False
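When emergency-block is driven from automation, the MAC and IP usually come from alert data rather than an operator. The following added example (not part of netapi; normalize_mac, build_block_argv and contain are hypothetical helpers) validates those inputs and builds the command as an argument list from the options documented above. It assumes that --firewall needs --ip, that ANC policy names are alphanumeric plus "-" and "_", and that a failed dry run exits non-zero.

```python
import ipaddress
import re
import subprocess

_MAC_HEX = re.compile(r"[0-9A-Fa-f]{12}")
# Assumed policy-name shape; the leading alphanumeric keeps a value such as
# "--no-anc" from being parsed as an option instead of a policy name.
_POLICY = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def normalize_mac(value):
    """Return the MAC as AA:BB:CC:DD:EE:FF, or raise ValueError."""
    # Separators are stripped first, so colon, hyphen, dot and bare-hex
    # forms are accepted; anything else left in the string is rejected.
    hexonly = re.sub(r"[:.\-]", "", value.strip())
    if not _MAC_HEX.fullmatch(hexonly):
        raise ValueError(f"not a MAC address: {value!r}")
    hexonly = hexonly.upper()
    return ":".join(hexonly[i:i + 2] for i in range(0, 12, 2))


def build_block_argv(mac, anc_policy="Quarantine", switch=False,
                     firewall=False, ip=None, dry_run=True):
    """Build the emergency-block command as an argv list (no shell)."""
    if not _POLICY.fullmatch(anc_policy):
        raise ValueError(f"unexpected ANC policy name: {anc_policy!r}")
    argv = ["netapi", "run", "emergency-block",
            "--mac", normalize_mac(mac), "--anc-policy", anc_policy]
    if switch:
        argv.append("--switch")
    if firewall:
        if ip is None:
            # Assumption: a firewall block cannot be built without an IP.
            raise ValueError("--firewall requested without --ip")
        # ip_address() raises ValueError on anything that is not an IP.
        argv += ["--firewall", "--ip", str(ipaddress.ip_address(ip))]
    if dry_run:
        argv.append("--dry-run")
    return argv


def contain(mac, **opts):
    """Dry run first; apply the block only if the dry run succeeded."""
    # check=True raises CalledProcessError on a non-zero exit status.
    subprocess.run(build_block_argv(mac, dry_run=True, **opts), check=True)
    return subprocess.run(build_block_argv(mac, dry_run=False, **opts),
                          check=True)
```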

emergency-unblock

Remove an endpoint from quarantine. Clears ANC policy by default.

# Dry run
netapi run emergency-unblock --mac 00:14:D1:B0:50:D4 --dry-run

# Clear ANC policy (default - recommended)
netapi run emergency-unblock --mac 00:14:D1:B0:50:D4

# Fall back to group assignment (no ANC clear)
netapi run emergency-unblock --mac 00:14:D1:B0:50:D4 --no-anc --group Profiled

Options:

Option          Description                        Default
--mac, -m       MAC address to unblock (required)  -
--anc/--no-anc  Clear ANC policy (recommended)     True
--group, -g     ISE group if not using ANC         Profiled
--dry-run, -n   Show what would be done            False

Health Checks

morning-checks

Daily infrastructure health verification routine.

# Run ISE checks only (default)
netapi run morning-checks

# Include all checks
netapi run morning-checks --ise --switches --firewalls --dns

# Verbose output with details
netapi run morning-checks --verbose

Options:

Option                      Description              Default
--ise/--no-ise              Include ISE checks       True
--switches/--no-switches    Include switch checks    False
--firewalls/--no-firewalls  Include firewall checks  False
--dns/--no-dns              Include DNS/IPAM checks  False
--verbose, -v               Show detailed output     False

Checks Performed:

  • ISE MnT API connectivity and version

  • ISE active session count

  • ISE ERS API connectivity

  • (Planned) Core switch status

  • (Planned) Firewall status

  • (Planned) DNS/IPAM status

Workflow Architecture

The automata module follows a multi-vendor orchestration pattern:

netapi/automata/
├── __init__.py
└── workflows/
    ├── __init__.py
    ├── emergency.py    # Incident response workflows
    └── health.py       # Health check workflows

Extending Workflows

Workflows can be used programmatically:

from netapi.automata.workflows import emergency, health

# Run emergency block with ANC (recommended)
result = emergency.block_endpoint(
    mac="00:14:D1:B0:50:D4",
    anc_policy="ANC-Malware-Quarantine",
    use_anc=True,
    dry_run=True
)

# Run emergency block with group assignment (fallback)
result = emergency.block_endpoint(
    mac="00:14:D1:B0:50:D4",
    use_anc=False,
    fallback_group="Blacklist",
    dry_run=True
)

# Run health checks
results = health.morning_checks(
    include_ise=True,
    include_switches=True,
    verbose=True
)
print(f"Passed: {results.total_passed}, Failed: {results.total_failed}")