Firepower Management Center Commands

Overview

The netapi fmc command group provides comprehensive CLI access to Cisco Firepower Management Center (FMC) for managing Firepower Threat Defense (FTD) devices, access policies, NAT rules, network objects, and deployments.

Prerequisites

Load secrets before using FMC commands:

dsource d000 dev/network

Required environment variables:

Variable    Description
FMC_IP      FMC IP address or hostname
FMC_USER    API username
FMC_PASS    API password

The FMC user must have API access. Configure in FMC: System > Users > Edit User > REST API User. Use a dedicated account for the CLI rather than a shared admin login, and give it the least role that covers the commands you run: a read-only role is enough for the get-* commands, and only the create/delete/toggle/deploy commands need a role that can modify and deploy policy. Every call is recorded in the FMC audit log under that username (see get-audit below).

Commands Reference

Command                   Description

Device Management
  get-devices             List managed FTD devices
  get-device              Get device details by UUID
  get-interfaces          List device interfaces
  get-deployable          List devices with pending deployments

Policy Management
  get-policies            List access control policies
  get-policy              Get policy details
  get-rules               List rules in an access policy
  create-rule             Create an access control rule
  delete-rule             Delete an access control rule
  toggle-rule             Enable/disable a rule
  get-nat-policies        List NAT policies
  get-intrusion-policies  List intrusion policies

Object Management
  get-networks            List network objects
  create-network          Create a network object
  get-hosts               List host objects
  create-host             Create a host object
  get-ports               List port objects
  create-port             Create a port object
  get-network-groups      List network groups
  create-network-group    Create a network group
  delete-object           Delete any object
  get-zones               List security zones

Deployment
  deploy                  Deploy pending changes to devices
  deploy-status           Get deployment job status

System
  health                  Check FMC connectivity
  get-audit               Get audit log entries

Device Management

get-devices

List all managed FTD devices:

netapi fmc get-devices
Example Output
              FMC Managed Devices (3)
┏━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━┓
┃ Name          ┃ Model         ┃ Version ┃ Status ┃ ID          ┃
┡━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━┩
│ FTD-EDGE-01   │ Firepower 2110│ 7.2.0   │ green  │ a1b2c3d4... │
│ FTD-EDGE-02   │ Firepower 2110│ 7.2.0   │ green  │ e5f6g7h8... │
│ FTD-DC-01     │ FTDv          │ 7.2.0   │ yellow │ i9j0k1l2... │
└───────────────┴───────────────┴─────────┴────────┴─────────────┘

get-interfaces

List physical interfaces for a device:

netapi fmc get-interfaces <device-uuid>
Example Output
           Device Interfaces (4)
┏━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━━┓
┃ Name          ┃ Mode     ┃ Enabled ┃ Zone       ┃ ID         ┃
┡━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━━┩
│ GigabitEth0/0 │ ROUTED   │ Yes     │ OUTSIDE    │ abc123...  │
│ GigabitEth0/1 │ ROUTED   │ Yes     │ INSIDE     │ def456...  │
│ GigabitEth0/2 │ ROUTED   │ Yes     │ DMZ        │ ghi789...  │
│ Management0/0 │ PASSIVE  │ Yes     │ -          │ jkl012...  │
└───────────────┴──────────┴─────────┴────────────┴────────────┘

Policy Management

get-policies

List all access control policies:

netapi fmc get-policies

get-rules

List rules in an access control policy:

netapi fmc get-rules <policy-uuid>
Example Output
                   Access Rules (5)
┏━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━┓
┃ #  ┃ Name                  ┃ Action ┃ Enabled ┃ ID         ┃
┡━━━━╇━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━┩
│ 1  │ Allow-DNS             │ ALLOW  │ Yes     │ r1a2b3c4...│
│ 2  │ Allow-HTTPS-Out       │ ALLOW  │ Yes     │ r5d6e7f8...│
│ 3  │ Allow-Internal        │ TRUST  │ Yes     │ r9g0h1i2...│
│ 4  │ Block-Malware-IPs     │ BLOCK  │ Yes     │ rj3k4l5m...│
│ 5  │ Monitor-Unknown       │ ALLOW  │ No      │ rn6o7p8q...│
└────┴───────────────────────┴────────┴─────────┴────────────┘

create-rule

Create an access control rule (like every policy change made through the API, it is stored on FMC and takes effect on the FTD devices only after a deploy):

# Simple allow rule
netapi fmc create-rule <policy-uuid> "Allow-Web-Traffic" --action ALLOW

# Block rule with logging
netapi fmc create-rule <policy-uuid> "Block-Bad-IPs" --action BLOCK --log

# Disabled rule with comment
netapi fmc create-rule <policy-uuid> "Test-Rule" --disabled --comment "Testing"

Options:

Option                 Default   Description
--action               ALLOW     ALLOW, BLOCK, TRUST, MONITOR
--enabled/--disabled   enabled   Enable or disable the rule
--log                  false     Log connections
--comment              (none)    Rule comment

The CLI exposes no source/destination zone, network or port options, so a rule it creates carries no match conditions and matches all traffic the policy evaluates. An ALLOW or TRUST rule created this way is therefore a permit-any until it is scoped in the FMC GUI. Create such rules with --disabled, scope them in the GUI, and only then enable them with toggle-rule and deploy.
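Because create-rule cannot set match conditions, the thing to check in a policy's rule dump is whether any enabled ALLOW or TRUST rule still has none. The script below is an added example, not part of netapi. It assumes that `netapi fmc get-rules <policy> --format json` emits a JSON array of FMC REST accessrule objects with the fields name, action, enabled, sourceZones, destinationZones, sourceNetworks, destinationNetworks and destinationPorts; this page only documents .name and .id, so check your own output first. The sample rule list inside the script is constructed for illustration, and jq is required, as it already is for the other scripts on this page.

```bash
#!/usr/bin/env bash
# Added example (not part of netapi): list enabled ALLOW/TRUST rules that carry
# no zone, network or port condition, i.e. rules that match all traffic.
# ASSUMPTION: `netapi fmc get-rules <policy> --format json` returns a JSON array of
# FMC REST accessrule objects (name, action, enabled, sourceZones, destinationZones,
# sourceNetworks, destinationNetworks, destinationPorts). The page documents only
# .name and .id; verify the field names against your own output.
set -euo pipefail

# An accessrule condition is an object such as {"objects":[...]}; a missing
# condition means "any". A rule with every condition missing matches everything.
UNSCOPED_FILTER='
  map(select(
        .enabled == true
        and (.action == "ALLOW" or .action == "TRUST")
        and ((.sourceZones         // {}) | length) == 0
        and ((.destinationZones    // {}) | length) == 0
        and ((.sourceNetworks      // {}) | length) == 0
        and ((.destinationNetworks // {}) | length) == 0
        and ((.destinationPorts    // {}) | length) == 0))
  | .[].name'

# find_unscoped_rules: rules JSON array on stdin -> offending rule names, one per line.
find_unscoped_rules() {
    jq -r "$UNSCOPED_FILTER"
}

# audit_policy POLICY_UUID: print offending names and return 1 if any exist.
audit_policy() {
    local hits
    hits=$(netapi fmc get-rules "$1" --format json | find_unscoped_rules)
    if [[ -n $hits ]]; then
        printf 'unscoped allow/trust rules in policy %s:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
}

# Constructed sample of what a rule dump might look like (not real FMC output).
# Only Allow-Web-Traffic is enabled, permissive and completely unscoped.
SAMPLE_RULES='[
  {"name":"Allow-DNS","action":"ALLOW","enabled":true,
   "destinationPorts":{"objects":[{"name":"DNS_over_UDP","type":"ProtocolPortObject"}]}},
  {"name":"Allow-Web-Traffic","action":"ALLOW","enabled":true},
  {"name":"Test-Rule","action":"ALLOW","enabled":false},
  {"name":"Block-Bad-IPs","action":"BLOCK","enabled":true}
]'

if [[ $# -gt 0 ]]; then
    audit_policy "$1"                                   # live check against FMC
elif command -v jq >/dev/null 2>&1; then
    printf '%s\n' "$SAMPLE_RULES" | find_unscoped_rules   # prints Allow-Web-Traffic
else
    echo "jq is required" >&2
fi
```

Run it with a policy UUID (`./audit-rules.sh "$POLICY_ID"`) as a pre-deploy gate; a non-zero exit means a rule that permits any traffic is enabled. Disabled rules are ignored because toggle-rule --enable is the deliberate step that makes them live.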

delete-rule

Delete an access control rule:

netapi fmc delete-rule <policy-uuid> <rule-uuid>

# Skip confirmation
netapi fmc delete-rule <policy-uuid> <rule-uuid> --yes

toggle-rule

Enable or disable a rule without deleting:

# Disable a rule
netapi fmc toggle-rule <policy-uuid> <rule-uuid> --disable

# Enable a rule
netapi fmc toggle-rule <policy-uuid> <rule-uuid> --enable

Object Management

create-network

Create a network object:

netapi fmc create-network "Internal-LAN" "10.50.0.0/16" -d "Internal network"

create-host

Create a host object:

netapi fmc create-host "DC-01" "10.50.1.50" -d "Domain Controller"

create-port

Create a port object:

# Single port
netapi fmc create-port "HTTPS" "443" -p TCP

# Port range
netapi fmc create-port "HighPorts" "49152-65535" -p TCP

create-network-group

Create a network group with multiple networks:

netapi fmc create-network-group "RFC1918" \
  -n "10.0.0.0/8" \
  -n "172.16.0.0/12" \
  -n "192.168.0.0/16" \
  -d "Private address space"

delete-object

Delete any object type. The first argument is the FMC REST object type as it appears in the API path (networks, hosts, protocolportobjects, ...); FMC refuses to delete an object that is still referenced by a rule or a group, so remove the references first:

# Delete network object
netapi fmc delete-object networks <uuid> --yes

# Delete host object
netapi fmc delete-object hosts <uuid> --yes

# Delete port object
netapi fmc delete-object protocolportobjects <uuid> --yes

get-zones

List security zones:

netapi fmc get-zones
Example Output
           Security Zones (4)
┏━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┓
┃ Name          ┃ Type       ┃ ID             ┃
┡━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━┩
│ INSIDE        │ ROUTED     │ zone123abc...  │
│ OUTSIDE       │ ROUTED     │ zone456def...  │
│ DMZ           │ ROUTED     │ zone789ghi...  │
│ MANAGEMENT    │ PASSIVE    │ zonejkl012...  │
└───────────────┴────────────┴────────────────┘

Deployment

deploy

Deploy pending changes to FTD devices:

# Deploy to specific device
netapi fmc deploy <device-uuid>

# Deploy to multiple devices
netapi fmc deploy <uuid1> <uuid2> <uuid3>

# Force deploy (even if no changes detected)
netapi fmc deploy <device-uuid> --force

deploy-status

Check deployment job status:

netapi fmc deploy-status <job-id>
Example Output
Job ID: abc123-456-789
Status: SUCCESS
Start: 2026-02-21T10:30:00
End: 2026-02-21T10:32:45

Deployment Workflow

# 1. Check for pending deployments
netapi fmc get-deployable

# 2. Deploy to listed devices
DEVICE_ID="abc123..."
netapi fmc deploy "$DEVICE_ID"

# 3. Monitor deployment
JOB_ID="..."
netapi fmc deploy-status "$JOB_ID"
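The workflow above stops at a single deploy-status call, but a script that creates objects, deploys and then moves on needs to wait for the job to finish, not least so it never fires a second deploy at a device that is still mid-deploy. The poller below is an added example, not part of netapi. It assumes deploy-status prints the `Status: ...` line shown above, that SUCCESS is the terminal success state, and (an assumption, since the page shows no failed job) that a failed job reports FAILED; adjust job_finished to the states your version prints.

```bash
#!/usr/bin/env bash
# Added example (not part of netapi): wait for a deployment job to reach a terminal
# state. ASSUMPTIONS: deploy-status prints "Status: <STATE>" as shown on this page,
# SUCCESS is the success state and FAILED the failure state. STATUS_CMD exists so
# the loop can be exercised without an FMC (it defaults to the real command).
set -euo pipefail

# parse_status: pull the value of the first "Status:" line out of deploy-status output.
parse_status() {
    sed -n 's/^Status:[[:space:]]*//p' | head -n 1
}

# job_finished STATE: 0 when the state is terminal, 1 while the job is still running.
job_finished() {
    case $1 in
        SUCCESS|FAILED) return 0 ;;
        *)              return 1 ;;
    esac
}

# wait_for_deploy JOB_ID [TIMEOUT_SECONDS] [POLL_INTERVAL]
# returns 0 on SUCCESS, 1 on FAILED, 2 if TIMEOUT_SECONDS elapse first.
wait_for_deploy() {
    local job=$1 timeout=${2:-900} interval=${3:-15} waited=0 state
    while :; do
        state=$(${STATUS_CMD:-netapi fmc deploy-status} "$job" | parse_status)
        if job_finished "${state:-UNKNOWN}"; then
            [[ $state == SUCCESS ]] && return 0
            echo "deployment $job ended in state $state" >&2
            return 1
        fi
        (( waited >= timeout )) && { echo "deployment $job still $state after ${timeout}s" >&2; return 2; }
        sleep "$interval"
        waited=$((waited + interval))
    done
}

# Usage: ./wait-deploy.sh <job-id> [timeout] [interval]
if [[ $# -gt 0 ]]; then
    wait_for_deploy "$@"
fi
```

Call it right after `netapi fmc deploy` with the job ID that command reports, and treat exit code 2 as "investigate", not as "retry with --force": a job that is merely slow is not stuck, and stacking a forced deploy on top of it is how deployments end up in an inconsistent state.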

System

health

Check FMC connectivity:

netapi fmc health

get-audit

Get recent audit log entries:

# Last 25 entries (default)
netapi fmc get-audit

# Last 100 entries
netapi fmc get-audit -n 100

# JSON for parsing
netapi fmc get-audit --format json
Example Output
              Audit Log (last 25)
┏━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┓
┃ Time                ┃ User       ┃ Action       ┃ Object           ┃
┡━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━┩
│ 2026-02-21T10:30:00 │ admin      │ PolicyDeploy │ Enterprise-ACP   │
│ 2026-02-21T10:25:00 │ netapi     │ ObjectCreate │ Server-DMZ       │
│ 2026-02-21T10:20:00 │ admin      │ RuleModify   │ Allow-HTTPS      │
└─────────────────────┴────────────┴──────────────┴──────────────────┘

Workflows

Create Objects and Rule

#!/bin/bash
# Workflow: Create objects and firewall rule
set -euo pipefail

dsource d000 dev/network

# Create host object for the new server
netapi fmc create-host "NewServer" "10.50.1.100" -d "New application server"

# Create port object
netapi fmc create-port "AppPort" "8443" -p TCP -d "Application HTTPS"

# Get policy ID and stop if the policy does not exist
POLICY_ID=$(netapi fmc get-policies --format json | jq -r '.[] | select(.name=="Enterprise-ACP") | .id')
[ -n "$POLICY_ID" ] || { echo "policy Enterprise-ACP not found" >&2; exit 1; }

# Create the rule disabled: the CLI cannot set source/destination, so the rule
# matches any traffic until it is scoped to NewServer/AppPort in the FMC GUI.
# Enable it with toggle-rule --enable after scoping, then deploy again.
netapi fmc create-rule "$POLICY_ID" "Allow-NewServer-App" --action ALLOW --log --disabled

# Deploy the new objects to every device with pending changes
for DEVICE_ID in $(netapi fmc get-deployable --format json | jq -r '.[].id'); do
    netapi fmc deploy "$DEVICE_ID"
done

Export Objects and Rules

#!/bin/bash
# Export all objects and rules for documentation and offline diffing
set -euo pipefail
umask 077   # the export describes the firewall posture; keep it owner-readable only

DATE=$(date +%Y%m%d)
OUT="/backup/fmc/$DATE"
mkdir -p "$OUT"

netapi fmc get-networks --format json > "$OUT/networks.json"
netapi fmc get-hosts --format json > "$OUT/hosts.json"
netapi fmc get-ports --format json > "$OUT/ports.json"
netapi fmc get-network-groups --format json > "$OUT/network-groups.json"
netapi fmc get-zones --format json > "$OUT/zones.json"
netapi fmc get-policies --format json > "$OUT/policies.json"

# Export rules for each policy; sanitize the policy name before using it as a file name
jq -r '.[] | "\(.id)\t\(.name)"' "$OUT/policies.json" |
while IFS=$'\t' read -r pid name; do
    safe=$(printf '%s' "$name" | tr -c 'A-Za-z0-9._-' '_')
    netapi fmc get-rules "$pid" --format json > "$OUT/rules-${safe}.json" </dev/null
done

echo "FMC objects backed up to $OUT"

Bulk Object Creation

#!/bin/bash
# Create multiple host objects from CSV
set -euo pipefail

# hosts.csv format (the first line is a header and is skipped):
# name,ip,description
# Server-01,10.50.1.10,Web Server
# Server-02,10.50.1.11,App Server

tail -n +2 hosts.csv | while IFS=, read -r name ip desc || [ -n "$name" ]; do
    desc=${desc%$'\r'}    # tolerate CRLF files exported from spreadsheets
    # </dev/null so the tool cannot read the remaining CSV rows from stdin
    netapi fmc create-host "$name" "$ip" -d "$desc" </dev/null
done
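A CSV batch is only as good as its rows: a malformed address or a duplicated name fails part-way through and leaves half the objects created. The script below is an added example, not part of netapi. It validates the whole file before the first create-host call, using only the `create-host NAME IP -d DESC` syntax documented above, and runs in dry-run mode against a constructed sample CSV so it can be tried without an FMC.

```bash
#!/usr/bin/env bash
# Added example (not part of netapi): validate hosts.csv before creating anything,
# so one bad row cannot leave a partial batch behind. DRY_RUN=1 prints the
# create-host commands instead of running them. The CSV at the bottom is a
# constructed sample.
set -euo pipefail

# valid_ipv4 IP: four dotted-decimal octets, each 0-255, nothing else on the line.
valid_ipv4() {
    local octet
    [[ $1 =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
    for octet in "${BASH_REMATCH[@]:1}"; do
        (( 10#$octet <= 255 )) || return 1   # 10# stops "010" being read as octal
    done
}

# valid_object_name NAME: conservative charset so names are safe in paths and logs.
valid_object_name() {
    [[ $1 =~ ^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$ ]]
}

# validate_csv FILE: check every data row (header skipped, CRLF tolerated);
# report each problem on stderr and return 1 if any row is bad.
validate_csv() {
    local file=$1 n=1 bad=0 name ip desc
    declare -A seen=()
    while IFS=, read -r name ip desc || [[ -n $name ]]; do
        n=$((n + 1)); ip=${ip%$'\r'}; desc=${desc%$'\r'}
        [[ -z $name ]] && continue
        valid_object_name "$name" || { echo "line $n: bad name '$name'" >&2; bad=1; }
        valid_ipv4 "$ip"          || { echo "line $n: bad IP '$ip'" >&2; bad=1; }
        [[ -n ${seen[$name]:-} ]] && { echo "line $n: duplicate name '$name'" >&2; bad=1; }
        seen[$name]=1
    done < <(tail -n +2 "$file")
    return $bad
}

# bulk_create_hosts FILE: validate first, then create every row.
bulk_create_hosts() {
    local file=$1 name ip desc
    validate_csv "$file" || return 1
    while IFS=, read -r name ip desc || [[ -n $name ]]; do
        ip=${ip%$'\r'}; desc=${desc%$'\r'}
        [[ -z $name ]] && continue
        if [[ ${DRY_RUN:-0} == 1 ]]; then
            printf 'netapi fmc create-host %q %q -d %q\n' "$name" "$ip" "$desc"
        else
            # </dev/null so the tool cannot swallow the remaining CSV rows from stdin
            netapi fmc create-host "$name" "$ip" -d "$desc" </dev/null
        fi
    done < <(tail -n +2 "$file")
}

# Constructed sample input, in the hosts.csv layout used on this page.
SAMPLE_CSV=$(mktemp)
cat >"$SAMPLE_CSV" <<'EOF'
name,ip,description
Server-01,10.50.1.10,Web Server
Server-02,10.50.1.11,App Server
EOF

DRY_RUN=1 bulk_create_hosts "$SAMPLE_CSV"   # prints the two create-host commands
```

Drop DRY_RUN=1 to create the objects for real; a file with a bad address or a repeated name is rejected as a whole before any call is made, and the line numbers printed refer to the CSV including its header.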

Troubleshooting

Authentication Failed

# Verify environment variables (never echo FMC_PASS; only check that it is set)
echo "$FMC_IP" "$FMC_USER"
[ -n "$FMC_PASS" ] && echo "FMC_PASS is set"

# Test connectivity
netapi fmc health

Check FMC user permissions:
1. System > Users
2. Edit user
3. Enable "REST API User"
4. Assign appropriate roles

Object Already Exists

The API returns an error if you try to create an object with a name that already exists. Use --format json to search:

netapi fmc get-networks --format json | jq '.[] | select(.name | contains("Internal"))'

Deployment Stuck

# Check the job first: a job that is still running is slow, not stuck
netapi fmc deploy-status <job-id>

# Only once the previous job has finished, force a new deployment
# (--force re-pushes the configuration even when FMC detects no changes)
netapi fmc deploy <device-id> --force