Publisher: Splunk
Connector Version: 2.0.0
Product Vendor: Cisco Systems
Product Name: Cisco Firepower
Product Version Supported (regex): ".*"
Minimum Product Version: 5.2.0
This app interfaces with Cisco Firepower devices to add or remove IPs or networks to a Firepower Network Group Object, which is configured with an ACL.
The asset configuration parameters are explained below.
- Device IP/Hostname: The IP/Hostname of the Firepower Management Center instance.
- Verify server certificate: Validate server certificate.
- User with access to the Firepower node: Username of the user with access to the Firepower node.
- Password: Password for the above-mentioned username.
- Firepower Domain: The Firepower domain you want to run the actions on.
- Network Group Object: The network group object you want to run the actions on.
The app uses token-based authentication. The 'test connectivity' action fetches a new token in exchange for the provided username and password. The app uses this token for authentication. The newly fetched token is encrypted and stored in the state file for future use. If the stored token expires or gets corrupted, the app automatically generates a new one.
The app uses the HTTP/HTTPS protocol to communicate with the Cisco Firepower Server. Below are the default ports used by Splunk SOAR.
Service Name | Transport Protocol | Port |
---|---|---|
http | tcp | 80 |
https | tcp | 443 |
The configuration variables below are required for this connector to operate. These variables are specified when configuring a Cisco Firepower asset in SOAR.
VARIABLE | REQUIRED | TYPE | DESCRIPTION |
---|---|---|---|
firepower_host | required | string | Device IP/Hostname |
verify_server_cert | optional | boolean | Verify server certificate |
username | required | string | User with access to the Firepower node |
password | required | password | Password |
domain_name | required | string | Firepower Domain |
network_group_object | required | string | Network Group Object |
- test connectivity - Validate the asset configuration for connectivity
- list networks - Lists currently blocked networks
- block ip - Blocks an IP network
- unblock ip - Unblocks an IP network
Validate the asset configuration for connectivity
Type: test
Read only: True
No parameters are required for this action
No Output
Lists currently blocked networks
Type: investigate
Read only: True
No parameters are required for this action
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.data.*.network | string | ip, ip network |
action_result.summary.total_routes | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Blocks an IP network
Type: contain
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip | required | IP/network to block (X.X.X.X/NM) | string | ip, ip network |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.ip | string | ip, ip network |
action_result.data | string | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Unblocks an IP network
Type: correct
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip | required | IP/network to unblock (X.X.X.X/NM) | string | ip, ip network |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.ip | string | ip, ip network |
action_result.data | string | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
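
The block ip and unblock ip actions take an `ip` value in X.X.X.X/NM form. The following is an added example, not code from the connector, of a pre-check a playbook could run on that value before calling block ip. The function names, `MIN_PREFIX`, the `PROTECTED` list and the treatment of a bare address as /32 are assumptions made for illustration.

```python
import ipaddress

# Assumptions for this example (not connector settings): the shortest prefix
# length a playbook may block, and networks that must never be blocked.
MIN_PREFIX = 16
PROTECTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",       # constructed: internal address space
    "192.0.2.53/32",    # constructed: a resolver the business depends on
)]


def normalize_block_target(value):
    """Return the canonical X.X.X.X/NM string for `value`, or raise ValueError.

    Accepts a bare IPv4 address (treated as /32) or an IPv4 network. Rejects
    input with host bits set, prefixes shorter than MIN_PREFIX, and anything
    overlapping a PROTECTED network.
    """
    text = value.strip()
    try:
        # strict=True refuses 10.1.2.3/24, where the intended range is unclear.
        net = ipaddress.ip_network(text, strict=True)
    except ValueError as exc:
        raise ValueError(f"not a valid IP or network: {text!r} ({exc})") from None
    if net.version != 4:
        raise ValueError(f"only IPv4 (X.X.X.X/NM) is handled here: {text!r}")
    if net.prefixlen < MIN_PREFIX:
        raise ValueError(f"/{net.prefixlen} is broader than the /{MIN_PREFIX} limit")
    for protected in PROTECTED:
        if net.overlaps(protected):
            raise ValueError(f"{net} overlaps protected network {protected}")
    return str(net)


def triage(candidates):
    """Split candidate values into (accepted canonical targets, rejections)."""
    accepted, rejected = [], {}
    for raw in candidates:
        try:
            target = normalize_block_target(raw)
        except ValueError as exc:
            rejected[raw] = str(exc)
        else:
            if target not in accepted:  # de-duplicate after normalization
                accepted.append(target)
    return accepted, rejected
```

Only the values in the accepted list would be passed on as the `ip` parameter. The rejection reasons can be written to the container for analyst review.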