Customers may ask about pushing policy to their devices automatically with Policy Planner. Policy Planner supports this for Cisco ASA (both multi-context and standard mode), subject to several requirements:
- The Cisco ASA must not be managed by Cisco Security Manager (CSM) or Firepower Management Center (FMC).
- For FireMon versions 8.15 through 8.18, the Cisco ASA must be running version 9.6 or higher.
- For FireMon version 8.19 and newer, the Cisco ASA must be running version 9.1 or higher.
- Your FireMon license must allow automation.
- The installed device pack must support automation.
Automation licensing is handled through our Sales Department. Customers who want to discuss this option should engage their listed CSM or TAM. Once the license is available, navigate to Administration > Device > Devices and enable automation for the relevant devices (it is a check box, like the other licensing options).
To determine whether the device pack supports automation, call the API (GET /domain/{domainId}/device/{id}). In the response body, scroll down to "extendedSettingsJson" and inspect its contents. A sample is shown below:
"extendedSettingsJson": {
    "port": 22,
    "password": "******",
    "protocol": "ssh",
    "username": "firemon",
    "enableLevel": "-1",
    "policyParser": "cisco",
    "enableRestApi": true,
    "loggingPlugin": "0f7bd58a-98c0-484b-98b0-3eab007ba9ab",
    "enablePassword": "******",
    "retrievalMethod": "FromDevice",
    "retrievalPlugin": "40243505-fe5a-4f74-a26d-766a0303992d",
    "csmNormalization": false,
    "monitoringPlugin": "66229973-455f-4c35-9e34-8e65c71e7476",
    "resetSSHKeyValue": false,
    "logUpdateInterval": 1,
    "logMonitoringMethod": "Syslog",
    "batchConfigRetrieval": false,
    "logMonitoringEnabled": true,
    "logRecordCacheTimeout": 5,
    "changeMonitoringEnabled": true,
    "syslogAlternateIpAddress": "",
    "retrievalTimeoutInSeconds": 120,
    "scheduledRetrievalEnabled": true,
    "scheduledRetrievalInterval": 1440,
    "trackUsageUsingHitCounters": false,
    "hitCounterRetrievalInterval": 10
}
Here "enableRestApi" is set to true, which allows Policy Planner to push policy to the selected device. If the value is not true, or the key is missing entirely, a newer device pack is required. Older versions of FireMon may also expose this under Administration > Device > Devices > Selected Device > Device Pack Information.
In that view, "Automation" refers to API-based automation and "Automation CLI" to the fallback of providing the CLI syntax needed to make the changes. If API automation fails, the system always falls back to providing CLI syntax.
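The following pre-flight check is an added example and not FireMon's own code. It applies the requirements listed above to a device response of the shape shown: it reads extendedSettingsJson.enableRestApi (treating a missing key the same as false, as the article does), compares the ASA version against the minimum for the FireMon release, and flags CSM/FMC management. The device JSON is a constructed sample embedded inline so the script runs offline; fetching the real body from GET /domain/{domainId}/device/{id} with your HTTP client of choice is left to the caller, and the device name and id are made up. License status is not visible in this response and is not checked here.

```python
"""Pre-flight check for Policy Planner automation on a Cisco ASA device.

Added example, not FireMon's own code. It reads the JSON body returned by
GET /domain/{domainId}/device/{id} and reports which automation requirements
from the article are not met.
"""
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample response, trimmed to the keys this check reads.
# Real responses carry many more fields (see the article's sample).
SAMPLE_DEVICE_RESPONSE = json.dumps({
    "id": 1,                      # constructed id
    "name": "asa-edge-01",        # constructed name
    "extendedSettingsJson": {
        "port": 22,
        "protocol": "ssh",
        "policyParser": "cisco",
        "enableRestApi": True,
        "retrievalMethod": "FromDevice",
    },
})


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.6' or '8.19.2' into a tuple of ints that compares numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def min_asa_version(firemon_version: str) -> Optional[Tuple[int, ...]]:
    """Minimum ASA version the article states for a given FireMon release.

    Returns None for FireMon releases older than 8.15, which the article does
    not cover, so the caller can flag them instead of silently passing them.
    """
    major_minor = parse_version(firemon_version)[:2]
    if major_minor >= (8, 19):
        return (9, 1)
    if (8, 15) <= major_minor <= (8, 18):
        return (9, 6)
    return None


def rest_api_enabled(device: Dict[str, Any]) -> Optional[bool]:
    """Read extendedSettingsJson.enableRestApi from a parsed device object.

    Returns True/False when the key is present and boolean, and None when the
    device pack does not expose it at all or the value is malformed.
    """
    settings = device.get("extendedSettingsJson")
    # Some clients hand the nested object back as a JSON string; accept both.
    if isinstance(settings, str):
        try:
            settings = json.loads(settings)
        except json.JSONDecodeError:
            return None
    if not isinstance(settings, dict):
        return None
    value = settings.get("enableRestApi")
    return value if isinstance(value, bool) else None


def automation_blockers(device_json: str, firemon_version: str,
                        asa_version: str, managed_by_csm_or_fmc: bool) -> List[str]:
    """Return the unmet requirements for the device; an empty list means ready."""
    device = json.loads(device_json)
    blockers: List[str] = []
    if managed_by_csm_or_fmc:
        blockers.append("ASA is managed by CSM or FMC; automation is not supported")
    required = min_asa_version(firemon_version)
    if required is None:
        blockers.append(f"FireMon {firemon_version} is older than 8.15; "
                        "no automation support is listed for it")
    elif parse_version(asa_version) < required:
        blockers.append(f"ASA {asa_version} is below the required "
                        f"{'.'.join(map(str, required))} for FireMon {firemon_version}")
    flag = rest_api_enabled(device)
    if flag is None:
        blockers.append("extendedSettingsJson.enableRestApi is missing: "
                        "install a newer device pack")
    elif flag is False:
        blockers.append("extendedSettingsJson.enableRestApi is false: "
                        "install a newer device pack")
    return blockers


if __name__ == "__main__":
    for reason in automation_blockers(SAMPLE_DEVICE_RESPONSE, "8.16", "9.4", False):
        print("BLOCKER:", reason)
```

Run it once per device before attempting a push; an empty result from automation_blockers means every requirement visible in the API response is satisfied, and the remaining check is the automation license on the Devices page.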