
Cisco ASA

This Integration is part of the Cisco ASA Pack.

Use the Cisco Adaptive Security Appliance Software integration to manage interfaces, rules, and network objects. This integration was integrated and tested with version 9.16(3)23 of Cisco ASA.

Configure Cisco ASA in Cortex

| Parameter | Required |
| --- | --- |
| Server URL (e.g., https://192.168.0.1) | True |
| Credentials | True |
| Password | True |
| Use system proxy settings | False |
| Trust any certificate (not secure) | False |
| Is ASAv | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cisco-asa-list-network-object-group

Retrieve information about network object groups. Network object groups can contain multiple network objects as well as inline networks or hosts. Network object groups can include a mix of both IPv4 and IPv6 addresses/networks.

Base Command

cisco-asa-list-network-object-group

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| object_id | The object ID of the network group to retrieve. This can't be used with pagination arguments. | Optional |
| page | Page number of paginated results. Minimum of 1; default 1. | Optional |
| page_size | The number of items per page. Maximum of 100; default 50. | Optional |
| limit | The maximum number of records to retrieve. Maximum of 100; default 50. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.NetworkObjectGroup.object_id | String | The object ID of the network object group. |
| CiscoASA.NetworkObjectGroup.name | String | The name of the network object group. |
| CiscoASA.NetworkObjectGroup.description | String | The description of the network object group. |
| CiscoASA.NetworkObjectGroup.members.kind | String | The type of the network item. The viable types are IPv4Address, IPv4Network, IPv6Address, IPv6Network and objectRef#NetworkObj. |
| CiscoASA.NetworkObjectGroup.members.object_id | String | The object ID of the network object. |
| CiscoASA.NetworkObjectGroup.members.value | String | The value of IPv4Address, IPv4Network, IPv6Address or IPv6Network. |

Command example

!cisco-asa-list-network-object-group limit=1

Context Example

{
"CiscoASA": {
"NetworkObjectGroup": {
"description": "This is a test",
"members": [
{
"kind": "objectRef#NetworkObj",
"object_id": "Test_Lior"
},
{
"kind": "objectRef#NetworkObj",
"object_id": "Test_Lior1"
},
{
"kind": "objectRef#NetworkObj",
"object_id": "Test_Lior2"
}
],
"name": "TEST_GROUP1",
"object_id": "TEST_GROUP1"
}
}
}

Human Readable Output

Network Object Groups

| Object Id | Name | Description | Members |
| --- | --- | --- | --- |
| TEST_GROUP1 | TEST_GROUP1 | This is a test | {'kind': 'objectRef#NetworkObj', 'object_id': 'Test_Lior'}, {'kind': 'objectRef#NetworkObj', 'object_id': 'Test_Lior1'}, {'kind': 'objectRef#NetworkObj', 'object_id': 'Test_Lior2'} |

cisco-asa-list-local-user-group

Retrieve information about local user groups, which are collections of user accounts, either from the local database or imported from Active Directory, that manage access to network resources not defined globally.

Base Command

cisco-asa-list-local-user-group

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| object_id | The object ID of the local user group to retrieve. This can't be used with pagination arguments. | Optional |
| page | Page number of paginated results. Minimum of 1; default 1. | Optional |
| page_size | The number of items per page. Maximum of 100; default 50. | Optional |
| limit | The maximum number of records to retrieve. Maximum of 100; default 50. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.LocalUserGroup.object_id | String | The object ID of the local user group. |
| CiscoASA.LocalUserGroup.name | String | The name of the local user group. |
| CiscoASA.LocalUserGroup.description | String | The description of the local user group. |
| CiscoASA.LocalUserGroup.members.kind | String | The type of the user. |
| CiscoASA.LocalUserGroup.members.object_id | String | The ID of the user. |

Command example

!cisco-asa-list-local-user-group limit=1

Context Example

{
"CiscoASA": {
"LocalUserGroup": {
"members": [
{
"kind": "objectRef#UserObj",
"object_id": "api"
},
{
"kind": "objectRef#UserObj",
"object_id": "restapi"
}
],
"name": "LIOR_GROUP",
"object_id": "LIOR_GROUP"
}
}
}

Human Readable Output

Local User Groups

| Object Id | Name | Members |
| --- | --- | --- |
| LIOR_GROUP | LIOR_GROUP | {'kind': 'objectRef#UserObj', 'object_id': 'api'}, {'kind': 'objectRef#UserObj', 'object_id': 'restapi'} |

cisco-asa-list-local-user

Retrieve information about individual local user accounts within a network system. These local users can be part of local user groups and groups imported from Active Directory.

Base Command

cisco-asa-list-local-user

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| object_id | The object ID of the local user to retrieve. This can't be used with pagination arguments. | Optional |
| page | Page number of paginated results. Minimum of 1; default 1. | Optional |
| page_size | The number of items per page. Maximum of 100; default 50. | Optional |
| limit | The maximum number of records to retrieve. Maximum of 100; default 50. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.LocalUser.object_id | String | The object ID of the local user. |
| CiscoASA.LocalUser.name | String | The name of the local user. |
| CiscoASA.LocalUser.mschap_authenticated | Boolean | Whether Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol is authenticated. |
| CiscoASA.LocalUser.privilege_level | Number | The user's privilege level. |
| CiscoASA.LocalUser.asdm_cli_access_type | String | ASDM and CLI access type. Can be one of "Full", "None", "Cli". |

Command example

!cisco-asa-list-local-user limit=1

Context Example

{
"CiscoASA": {
"LocalUser": {
"asdm_cli_access_type": "Full",
"mschap_authenticated": false,
"name": "admin",
"object_id": "admin",
"privilege_level": 15
}
}
}

Human Readable Output

Local Users

| Object Id | Name | Privilege Level | Asdm Cli Access Type |
| --- | --- | --- | --- |
| admin | admin | 15 | Full |

cisco-asa-list-time-range

Retrieve information about time range objects. A time range object defines a specific time consisting of a start time, an end time, and optional recurring entries. You use these objects on ACL rules to provide time-based access to certain features or assets. For example, you could create an access rule that allows access to a particular server during working hours only.

Base Command

cisco-asa-list-time-range

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| object_id | The object ID of the time range to retrieve. This can't be used with pagination arguments. | Optional |
| page | Page number of paginated results. Minimum of 1; default 1. | Optional |
| page_size | The number of items per page. Maximum of 100; default 50. | Optional |
| limit | The maximum number of records to retrieve. Maximum of 100; default 50. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.TimeRange.object_id | String | The object ID of the time range. |
| CiscoASA.TimeRange.name | String | The name of the time range. |
| CiscoASA.TimeRange.start | String | Time at which this time range starts. |
| CiscoASA.TimeRange.end | String | Time at which this time range ends. |
| CiscoASA.TimeRange.periodic.frequency | String | The days of the week at which this time range will run periodically. |
| CiscoASA.TimeRange.periodic.start_hour | Number | The hour at which this time range will start periodically. |
| CiscoASA.TimeRange.periodic.start_minute | Number | The minute at which this time range will start periodically. |
| CiscoASA.TimeRange.periodic.end_hour | Number | The hour at which this time range will end periodically. |
| CiscoASA.TimeRange.periodic.end_minute | Number | The minute at which this time range will end periodically. |

Command example

!cisco-asa-list-time-range page=1 page_size=1

Context Example

{
"CiscoASA": {
"TimeRange": {
"end": "03:47 May 14 2014",
"name": "trUserTest",
"object_id": "trUserTest",
"periodic": [
{
"end_hour": 23,
"end_minute": 59,
"frequency": "Wednesday to Thursday",
"start_hour": 4,
"start_minute": 3
}
],
"start": "now"
}
}
}

Human Readable Output

Time Ranges

| Object Id | Name | Start | End | Periodic |
| --- | --- | --- | --- | --- |
| trUserTest | trUserTest | now | 03:47 May 14 2014 | {'frequency': 'Wednesday to Thursday', 'start_hour': 4, 'start_minute': 3, 'end_hour': 23, 'end_minute': 59} |

cisco-asa-list-security-object-group

Retrieve information about security groups, which are collections of security groups or identifiers that manage access and permissions to network resources. These groups can be used in features like Cisco TrustSec and are often part of extended access control lists, enabling centralized and localized security policy management.

Base Command

cisco-asa-list-security-object-group

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| object_id | The object ID of the security object group to retrieve. This can't be used with pagination arguments. | Optional |
| page | Page number of paginated results. Minimum of 1; default 1. | Optional |
| page_size | The number of items per page. Maximum of 100; default 50. | Optional |
| limit | The maximum number of records to retrieve. Maximum of 100; default 50. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.SecurityObjectGroup.object_id | String | The object ID of the security object group. |
| CiscoASA.SecurityObjectGroup.name | String | The name of the security object group. |
| CiscoASA.SecurityObjectGroup.description | String | The description of the security object group. |
| CiscoASA.SecurityObjectGroup.members.kind | String | The type of the security object group; SecurityName, SecurityTag, objectRef#SecurityObjGroup. |
| CiscoASA.SecurityObjectGroup.members.value | String | The value of the SecurityName or SecurityTag. |
| CiscoASA.SecurityObjectGroup.members.object_id | String | The object ID of objectRef#SecurityObjGroup. |

Command example

!cisco-asa-list-security-object-group page=1 page_size=1

Context Example

{
"CiscoASA": {
"SecurityObjectGroup": {
"description": "test12",
"members": [
{
"kind": "SecurityName",
"value": "zeno1"
},
{
"kind": "SecurityTag",
"value": "71"
}
],
"name": "oneSecurityGroup",
"object_id": "oneSecurityGroup"
}
}
}

Human Readable Output

Security Object Groups

| Object Id | Name | Description | Members |
| --- | --- | --- | --- |
| oneSecurityGroup | oneSecurityGroup | test12 | {'kind': 'SecurityName', 'value': 'zeno1'}, {'kind': 'SecurityTag', 'value': '71'} |

cisco-asa-list-user-object

Retrieve information about user definitions within the system. This helps in managing and configuring user access and permissions in a network security context.

Base Command

cisco-asa-list-user-object

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| object_id | The object ID of the user object to retrieve. This can't be used with pagination arguments. | Optional |
| page | Page number of paginated results. Minimum of 1; default 1. | Optional |
| page_size | The number of items per page. Maximum of 100; default 50. | Optional |
| limit | The maximum number of records to retrieve. Maximum of 100; default 50. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.UserObject.object_id | String | The object ID of the user object. |
| CiscoASA.UserObject.user_name | String | The user's user name. |
| CiscoASA.UserObject.local_user_object_id | String | The object ID of the local user. |
| CiscoASA.UserObject.value | String | The value of the local user. |

Command example

!cisco-asa-list-user-object page=1 page_size=1

Context Example

{
"CiscoASA": {
"UserObject": {
"local_user_object_id": "api",
"object_id": "api",
"user_name": "api"
}
}
}

Human Readable Output

User Objects

| Object Id | User Name |
| --- | --- |
| api | api |

cisco-asa-write-memory

Saves the running configuration to the default location for the startup configuration.

Base Command

cisco-asa-write-memory

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.WriteMemory.response | String | Shows a successful 'write memory' command execution on a Cisco ASA device, building the configuration and generating a cryptochecksum for integrity. The process is completed with an "[OK]" message. |

Command example

!cisco-asa-write-memory

Context Example

{
"CiscoASA": {
"WriteMemory": {
"response": [
"Building configuration...\nCryptochecksum: fa399474 22b66df0 6e2a7619 b37adea3 \n\n20838 bytes copied in 0.50 secs\n[OK]\n"
]
}
}
}

Human Readable Output

Results

response
Building configuration...
Cryptochecksum: fa399474 22b66df0 6e2a7619 b37adea3

20838 bytes copied in 0.50 secs
[OK]
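
An added example, not part of the integration: a Python helper that a playbook task could use to confirm from `CiscoASA.WriteMemory.response` that the save completed, and to record the checksum for comparison with the previous save. The function names and the truncated response are constructed for illustration, and the comparison assumes the checksum is derived from the saved configuration.

```python
import re

# Four space-separated groups of eight hex digits, as in the sample response on this page.
CHECKSUM_RE = re.compile(r"Cryptochecksum:\s*((?:[0-9a-fA-F]{8}\s+){3}[0-9a-fA-F]{8})")
BYTES_RE = re.compile(r"(\d+) bytes copied")


def parse_write_memory(context):
    """Extract save status, checksum and size from CiscoASA.WriteMemory.response."""
    response = ((context.get("CiscoASA") or {}).get("WriteMemory") or {}).get("response")
    # The Context Output table types this field as String, but the Context Example
    # shows a list of strings, so both shapes are accepted.
    if isinstance(response, list):
        text = "\n".join(str(part) for part in response)
    else:
        text = str(response or "")
    checksum = CHECKSUM_RE.search(text)
    copied = BYTES_RE.search(text)
    return {
        # The documented success marker is a trailing "[OK]".
        "saved": text.rstrip().endswith("[OK]"),
        "checksum": "".join(checksum.group(1).split()).lower() if checksum else None,
        "bytes_copied": int(copied.group(1)) if copied else None,
    }


def checksum_changed(previous_checksum, result):
    """True only when both checksums are known and differ (hypothetical helper)."""
    current = result.get("checksum")
    return bool(previous_checksum and current and previous_checksum != current)


# Response copied from the Context Example on this page.
SAMPLE_CONTEXT = {"CiscoASA": {"WriteMemory": {"response": [
    "Building configuration...\nCryptochecksum: fa399474 22b66df0 6e2a7619 b37adea3 \n\n"
    "20838 bytes copied in 0.50 secs\n[OK]\n"
]}}}

# Constructed: a response cut off before the checksum and "[OK]" lines.
TRUNCATED_CONTEXT = {"CiscoASA": {"WriteMemory": {"response": "Building configuration...\n"}}}

if __name__ == "__main__":
    print(parse_write_memory(SAMPLE_CONTEXT))
    print(parse_write_memory(TRUNCATED_CONTEXT))
```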

cisco-asa-list-rules

Gets a list of all rules for the supplied interface.

Base Command

cisco-asa-list-rules

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| interface_name | The name of the interface from which to get rules. | Optional |
| interface_type | The interface type. Possible values are: In, Out, Global. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.Rules.Source | String | The rule's source. |
| CiscoASA.Rules.Dest | String | The rule's destination. |
| CiscoASA.Rules.InterfaceType | String | The interface type. Can be "In", "Out", or "Global". |
| CiscoASA.Rules.IsActive | Boolean | Whether the rule is active. |
| CiscoASA.Rules.Interface | String | The name of the interface. |
| CiscoASA.Rules.Position | Number | The position of the rule. |
| CiscoASA.Rules.ID | String | The rule ID. |
| CiscoASA.Rules.Remarks | Unknown | A list of all rule remarks. |
| CiscoASA.Rules.Permit | Boolean | Whether the rule permits traffic from source to destination. |
| CiscoASA.Rules.DestService | String | The destination service. |
| CiscoASA.Rules.SourceService | String | The source service. |
| CiscoASA.Rules.SourceKind | String | One of AnyIPAddress, IPv4Address, IPv4FQDN, IPv4Network, IPv4Range, IPv6Address, IPv6FQDN, IPv6Network, IPv6Range, SecurityName, SecurityTag, interfaceIP, objectRef#NetworkObj, objectRef#NetworkObjGroup. |
| CiscoASA.Rules.DestKind | String | One of AnyIPAddress, IPv4Address, IPv4FQDN, IPv4Network, IPv4Range, IPv6Address, IPv6FQDN, IPv6Network, IPv6Range, SecurityName, SecurityTag, interfaceIP, objectRef#NetworkObj, objectRef#NetworkObjGroup. |
| CiscoASA.Rules.SourceSecurity.kind | String | The type of the security group; SecurityName, SecurityTag, objectRef#SecurityObjGroup. |
| CiscoASA.Rules.SourceSecurity.value | String | The value of the SecurityName or SecurityTag. |
| CiscoASA.Rules.SourceSecurity.objectId | String | The object ID of objectRef#SecurityObjGroup. |
| CiscoASA.Rules.DestinationSecurity.kind | String | The type of the security group; SecurityName, SecurityTag, objectRef#SecurityObjGroup. |
| CiscoASA.Rules.DestinationSecurity.value | String | The value of the SecurityName or SecurityTag. |
| CiscoASA.Rules.DestinationSecurity.objectId | String | The object ID of objectRef#SecurityObjGroup. |
| CiscoASA.Rules.User.kind | String | One of AnyUser, NoneUser, objectRef#LocalUserObjGroup, objectRef#UserGroupObj, objectRef#UserObj. |
| CiscoASA.Rules.User.value | String | The user value. |
| CiscoASA.Rules.User.objectId | String | The object ID of the user. |
| CiscoASA.Rules.TimeRange.kind | String | The object reference type or the actual TimeRange value. |
| CiscoASA.Rules.TimeRange.value | String | The value of the time range. |
| CiscoASA.Rules.TimeRange.objectId | String | The object ID of the time range. |

Command example

!cisco-asa-list-rules interface_type=Global

Context Example

{
"CiscoASA": {
"Rules": [
{
"Dest": "TEST_GROUP2",
"DestKind": "objectRef#NetworkObjGroup",
"DestService": "ip",
"DestinationSecurity": {
"kind": "SecurityTag",
"value": "71"
},
"ID": "3583139358",
"Interface": null,
"InterfaceType": "Global",
"IsActive": true,
"Permit": false,
"Position": 1,
"Remarks": [],
"Source": "TEST_GROUP1",
"SourceKind": "objectRef#NetworkObjGroup",
"SourceSecurity": {
"kind": "objectRef#SecurityObjGroup",
"objectId": "oneSecurityGroup"
},
"SourceService": "ip",
"TimeRange": {
"kind": "objectRef#TimeRange",
"objectId": "trUserTest"
},
"User": {
"kind": "objectRef#UserObj",
"objectId": "api"
}
},
{
"Dest": "TEST_GROUP2",
"DestKind": "objectRef#NetworkObjGroup",
"DestService": "ip",
"ID": "3194110035",
"Interface": null,
"InterfaceType": "Global",
"IsActive": true,
"Permit": false,
"Position": 2,
"Remarks": [],
"Source": "TEST_GROUP1",
"SourceKind": "objectRef#NetworkObjGroup",
"SourceService": "ip",
"TimeRange": {
"kind": "objectRef#TimeRange",
"objectId": "trUserTest"
},
"User": {
"kind": "objectRef#UserObj",
"objectId": "api"
}
}
]
}
}

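Human Readable Output

Rules:

| ID | Source | Dest | Permit | Interface | InterfaceType | IsActive | Position | SourceService | DestService |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 3583139358 | TEST_GROUP1 | TEST_GROUP2 | false | | Global | true | 1 | ip | ip |
| 3194110035 | TEST_GROUP1 | TEST_GROUP2 | false | | Global | true | 2 | ip | ip |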
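
An added example, not code from the integration: a Python sketch that reviews the `CiscoASA.Rules` context, accepting either the list returned by cisco-asa-list-rules or the single object returned by cisco-asa-get-rule-by-id. It flags inactive rules, active permit rules whose source or destination kind is AnyIPAddress or whose destination service is `ip`, and active rules whose match criteria repeat an earlier rule. The function names, finding labels and the rules with IDs beginning `100000000` are constructed for illustration; treating `ip` as all protocols and evaluating rules first-match in Position order are assumptions based on ASA ACL behaviour.

```python
import json

# "AnyIPAddress" is one of the SourceKind/DestKind values listed on this page.
ANY_ADDRESS_KINDS = {"AnyIPAddress"}
# Assumption: a destination service of "ip" covers every IP protocol (ASA ACL syntax).
ALL_PROTOCOL_SERVICES = {"ip"}
# Optional qualifiers that narrow what a rule matches.
QUALIFIERS = ("User", "TimeRange", "SourceSecurity", "DestinationSecurity")


def normalize_rules(context):
    """Return CiscoASA.Rules as a list.

    cisco-asa-list-rules yields a list; cisco-asa-get-rule-by-id yields one object.
    """
    rules = (context.get("CiscoASA") or {}).get("Rules")
    if not rules:
        return []
    return rules if isinstance(rules, list) else [rules]


def match_key(rule):
    """Everything that decides which traffic a rule matches, in hashable form."""
    # Interface appears as null in one example and "" in another; treat them alike.
    fields = [rule.get("InterfaceType"), rule.get("Interface") or ""]
    fields += [rule.get(name) for name in (
        "Source", "SourceKind", "SourceService", "Dest", "DestKind", "DestService")]
    fields += [json.dumps(rule.get(q), sort_keys=True) for q in QUALIFIERS]
    return tuple(fields)


def audit_rules(context):
    """Map rule ID -> findings, walking rules in Position order (first match wins)."""
    findings = {}
    first_seen = {}  # match_key -> ID of the first active rule carrying it
    ordered = sorted(normalize_rules(context), key=lambda r: r.get("Position") or 0)
    for rule in ordered:
        rule_id = str(rule.get("ID"))
        notes = []
        if not rule.get("IsActive"):
            notes.append("inactive")  # not enforced; candidate for cleanup
        else:
            if rule.get("Permit"):
                if rule.get("SourceKind") in ANY_ADDRESS_KINDS:
                    notes.append("permit-any-source")
                if rule.get("DestKind") in ANY_ADDRESS_KINDS:
                    notes.append("permit-any-destination")
                if rule.get("DestService") in ALL_PROTOCOL_SERVICES:
                    notes.append("permit-all-protocols")
            key = match_key(rule)
            if key in first_seen:
                # An earlier active rule matches the same traffic, so this one is never reached.
                notes.append("shadowed-by:" + first_seen[key])
            else:
                first_seen[key] = rule_id
        if notes:
            findings[rule_id] = notes
    return findings


# Fields shared by the two rules in the Context Example on this page.
BASE_RULE = {
    "InterfaceType": "Global", "Interface": None, "IsActive": True, "Permit": False,
    "Source": "TEST_GROUP1", "SourceKind": "objectRef#NetworkObjGroup", "SourceService": "ip",
    "Dest": "TEST_GROUP2", "DestKind": "objectRef#NetworkObjGroup", "DestService": "ip",
    "TimeRange": {"kind": "objectRef#TimeRange", "objectId": "trUserTest"},
    "User": {"kind": "objectRef#UserObj", "objectId": "api"},
}


def sample_rule(rule_id, position, **overrides):
    """Build a sample rule from BASE_RULE (helper for the constructed data below)."""
    return {**BASE_RULE, "ID": rule_id, "Position": position, **overrides}


SAMPLE_CONTEXT = {"CiscoASA": {"Rules": [
    # The two rules from the Context Example above.
    sample_rule("3583139358", 1,
                SourceSecurity={"kind": "objectRef#SecurityObjGroup", "objectId": "oneSecurityGroup"},
                DestinationSecurity={"kind": "SecurityTag", "value": "71"}),
    sample_rule("3194110035", 2),
    # Constructed rules: same match as rule 2 but permit; broad permit; disabled permit.
    sample_rule("1000000001", 3, Permit=True),
    sample_rule("1000000002", 4, Permit=True, Source="any", SourceKind="AnyIPAddress",
                Dest="192.0.2.10", DestKind="IPv4Address", DestService="tcp/https"),
    sample_rule("1000000003", 5, Permit=True, IsActive=False,
                Source="any", SourceKind="AnyIPAddress"),
]}}

if __name__ == "__main__":
    for rule_id, notes in audit_rules(SAMPLE_CONTEXT).items():
        print(rule_id, ", ".join(notes))
```

The first rule from the page is not reported as shadowing the second: its security-group qualifiers make it narrower, so the two rules do not match the same traffic.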

cisco-asa-backup

Creates a backup of the current settings (i.e., the backup.cfg file).

Base Command

cisco-asa-backup

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| backup_name | The name of the backup. | Required |
| passphrase | The passphrase for the backup. | Optional |

Context Output

There is no context output for this command.

Command example

!cisco-asa-backup backup_name=Lior

Human Readable Output

Created backup successfully in: Location: disk0:/Lior Passphrase: None

cisco-asa-get-rule-by-id

Gets a specific rule by rule ID.

Base Command

cisco-asa-get-rule-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_id | The rule ID. | Required |
| interface_name | The name of the interface. | Optional |
| interface_type | The interface type. Possible values are: In, Out, Global. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.Rules.Interface | String | The name of the interface. |
| CiscoASA.Rules.Source | String | The rule's source. |
| CiscoASA.Rules.Dest | String | The rule's destination. |
| CiscoASA.Rules.InterfaceType | String | The interface type. Can be "In", "Out", or "Global". |
| CiscoASA.Rules.IsActive | Boolean | Whether the rule is active. |
| CiscoASA.Rules.Position | Number | The position of the rule. |
| CiscoASA.Rules.ID | String | The rule ID. |
| CiscoASA.Rules.Remarks | Unknown | A list of all rule remarks. |
| CiscoASA.Rules.Permit | Boolean | Whether the rule permits traffic from source to destination. |
| CiscoASA.Rules.DestService | String | The destination service. |
| CiscoASA.Rules.SourceService | String | The source service. |
| CiscoASA.Rules.SourceKind | String | One of AnyIPAddress, IPv4Address, IPv4FQDN, IPv4Network, IPv4Range, IPv6Address, IPv6FQDN, IPv6Network, IPv6Range, SecurityName, SecurityTag, interfaceIP, objectRef#NetworkObj, objectRef#NetworkObjGroup. |
| CiscoASA.Rules.DestKind | String | One of AnyIPAddress, IPv4Address, IPv4FQDN, IPv4Network, IPv4Range, IPv6Address, IPv6FQDN, IPv6Network, IPv6Range, SecurityName, SecurityTag, interfaceIP, objectRef#NetworkObj, objectRef#NetworkObjGroup. |
| CiscoASA.Rules.SourceSecurity.kind | String | The type of the security group; SecurityName, SecurityTag, objectRef#SecurityObjGroup. |
| CiscoASA.Rules.SourceSecurity.value | String | The value of the SecurityName or SecurityTag. |
| CiscoASA.Rules.SourceSecurity.objectId | String | The object ID of objectRef#SecurityObjGroup. |
| CiscoASA.Rules.DestinationSecurity.kind | String | The type of the security group; SecurityName, SecurityTag, objectRef#SecurityObjGroup. |
| CiscoASA.Rules.DestinationSecurity.value | String | The value of the SecurityName or SecurityTag. |
| CiscoASA.Rules.DestinationSecurity.objectId | String | The object ID of objectRef#SecurityObjGroup. |
| CiscoASA.Rules.User.kind | String | One of AnyUser, NoneUser, objectRef#LocalUserObjGroup, objectRef#UserGroupObj, objectRef#UserObj. |
| CiscoASA.Rules.User.value | String | The user value. |
| CiscoASA.Rules.User.objectId | String | The object ID of the user. |
| CiscoASA.Rules.TimeRange.kind | String | The object reference type or the actual TimeRange value. |
| CiscoASA.Rules.TimeRange.value | String | The value of the time range. |
| CiscoASA.Rules.TimeRange.objectId | String | The object ID of the time range. |

Command example

!cisco-asa-get-rule-by-id interface_type=Global rule_id=3371063501

Context Example

{
"CiscoASA": {
"Rules": {
"Dest": "5.5.5.5",
"DestKind": "IPv4Address",
"DestService": "tcp/citrix-ica",
"DestinationSecurity": {
"kind": "SecurityTag",
"value": "1"
},
"ID": "3371063501",
"Interface": "",
"InterfaceType": "Global",
"IsActive": true,
"Permit": false,
"Position": 30,
"Remarks": [],
"Source": "0.0.0.0/24",
"SourceKind": "IPv4Network",
"SourceSecurity": {
"kind": "SecurityTag",
"value": "2"
},
"SourceService": "tcp/cifs",
"User": {
"kind": "objectRef#UserObj",
"objectId": "api"
}
}
}
}

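Human Readable Output

Rule 3371063501:

| ID | Source | Dest | Permit | Interface | InterfaceType | IsActive | Position | SourceService | DestService |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 3371063501 | 0.0.0.0/24 | 5.5.5.5 | false | | Global | true | 30 | tcp/cifs | tcp/citrix-ica |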

cisco-asa-create-rule

Creates a rule.

Base Command

cisco-asa-create-rule

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| source | The source. Can be the value of an IPv4, an address block, or the name of a network object. | Required |
| destination | The destination. Can be the value of an IPv4, an address block, or the name of a network object. | Required |
| permit | Whether the rule is a permit. If True, the rule is a permit. Possible values are: True, False. | Required |
| remarks | A list of remarks for the rule. | Optional |
| position | The position in which to create the rule. | Optional |
| log_level | The log level of the rule. Possible values are: Default, Emergencies, Alerts, Critical, Errors, Warnings, Notifications, Informational, Debugging. | Optional |
| active | Whether the rule will be active. If True, the rule will be active. Possible values are: True, False. | Optional |
| interface_type | The interface type. Possible values are: In, Out, Global. | Required |
| interface_name | The interface name. | Optional |
| service | The service of the rule. | Optional |
| destination_kind | The destination address kind in the ACE. Possible values are: AnyIPAddress, IPv4Address, IPv4FQDN, IPv4Network, IPv4Range, IPv6Address, IPv6FQDN, IPv6Network, IPv6Range, SecurityName, SecurityTag, interfaceIP, NetworkObj, NetworkObjGroup. | Optional |
| source_kind | The source address kind in the ACE. Possible values are: AnyIPAddress, IPv4Address, IPv4FQDN, IPv4Network, IPv4Range, IPv6Address, IPv6FQDN, IPv6Network, IPv6Range, SecurityName, SecurityTag, interfaceIP, NetworkObj, NetworkObjGroup. | Optional |
| service_kind | The source service kind. Possible values are: AnyService, ICMP6Service, ICMPService, NetworkProtocol, NetworkServiceGroups, NetworkServiceObjects, TcpUdpService. | Optional |
| destination_service | The destination service value. | Optional |
| destination_service_kind | The destination service kind. Possible values are: AnyService, ICMP6Service, ICMPService, NetworkProtocol, NetworkServiceGroups, NetworkServiceObjects, TcpUdpService. | Optional |
| time_range | Object ID of the time range object. Can be received with the command cisco-asa-list-time-range. | Optional |
| user | The object ID of the user. Can be one of LocalUserObjGroup, UserGroupObj, UserObj. Can be received with existing commands: cisco-asa-list-local-user-group, cisco-asa-list-local-user, cisco-asa-list-user-object. | Optional |
| user_kind | The type of the user. Possible values are: LocalUserObjGroup, UserGroupObj, UserObj. | Optional |
| source_security | Source security group in the ACE. Possible values are SecurityName, SecurityTag and SecurityObjGroup. Can be received with the existing command cisco-asa-list-security-object-group. | Optional |
| source_security_kind | The source security type. Possible values are: SecurityName, SecurityTag, SecurityObjGroup. | Optional |
| destination_security | Destination security group in the ACE. Possible values are SecurityName, SecurityTag and SecurityObjGroup. Can be received with the existing command cisco-asa-list-security-object-group. | Optional |
| destination_security_kind | The destination security type. Possible values are: SecurityName, SecurityTag, SecurityObjGroup. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.Rules.Source | String | The rule's source. |
| CiscoASA.Rules.Dest | String | The rule's destination. |
| CiscoASA.Rules.InterfaceType | String | The interface type. Can be "In", "Out", or "Global". |
| CiscoASA.Rules.IsActive | Boolean | Whether the rule is active. |
| CiscoASA.Rules.Interface | String | The name of the interface. |
| CiscoASA.Rules.Position | Number | The position of the rule. |
| CiscoASA.Rules.ID | String | The rule ID. |
| CiscoASA.Rules.Remarks | Unknown | A list of all rule remarks. |
| CiscoASA.Rules.Permit | Boolean | Whether the rule permits traffic from source to destination. |
| CiscoASA.Rules.DestService | String | The destination service. |
| CiscoASA.Rules.SourceService | String | The source service. |
| CiscoASA.Rules.SourceKind | String | One of AnyIPAddress, IPv4Address, IPv4FQDN, IPv4Network, IPv4Range, IPv6Address, IPv6FQDN, IPv6Network, IPv6Range, SecurityName, SecurityTag, interfaceIP, objectRef#NetworkObj, objectRef#NetworkObjGroup. |
| CiscoASA.Rules.DestKind | String | One of AnyIPAddress, IPv4Address, IPv4FQDN, IPv4Network, IPv4Range, IPv6Address, IPv6FQDN, IPv6Network, IPv6Range, SecurityName, SecurityTag, interfaceIP, objectRef#NetworkObj, objectRef#NetworkObjGroup. |
| CiscoASA.Rules.SourceSecurity.kind | String | The type of the security group; SecurityName, SecurityTag, objectRef#SecurityObjGroup. |
| CiscoASA.Rules.SourceSecurity.value | String | The value of the SecurityName or SecurityTag. |
| CiscoASA.Rules.SourceSecurity.objectId | String | The object ID of objectRef#SecurityObjGroup. |
| CiscoASA.Rules.DestinationSecurity.kind | String | The type of the security group; SecurityName, SecurityTag, objectRef#SecurityObjGroup. |
| CiscoASA.Rules.DestinationSecurity.value | String | The value of the SecurityName or SecurityTag. |
| CiscoASA.Rules.DestinationSecurity.objectId | String | The object ID of objectRef#SecurityObjGroup. |
| CiscoASA.Rules.User.kind | String | One of AnyUser, NoneUser, objectRef#LocalUserObjGroup, objectRef#UserGroupObj, objectRef#UserObj. |
| CiscoASA.Rules.User.value | String | The user value. |
| CiscoASA.Rules.User.objectId | String | The object ID of the user. |
| CiscoASA.Rules.TimeRange.kind | String | The object reference type or the actual TimeRange value. |
| CiscoASA.Rules.TimeRange.value | String | The value of the time range. |
| CiscoASA.Rules.TimeRange.objectId | String | The object ID of the time range. |

Command example

!cisco-asa-create-rule destination=1.1.1.1 source=0.0.0.0/24 interface_type=Global permit=False destination_kind=IPv4Address source_kind=IPv4Network active=False service_kind=TcpUdpService service=tcp/cifs destination_service=tcp/citrix-ica destination_service_kind=TcpUdpService destination_security_kind=SecurityTag destination_security=1 source_security_kind=SecurityTag source_security=2 time_range=trUserTest user_kind=UserObj user=api

Context Example

{
"CiscoASA": {
"Rules": {
"Dest": "1.1.1.1",
"DestKind": "IPv4Address",
"DestService": "tcp/citrix-ica",
"DestinationSecurity": {
"kind": "SecurityTag",
"value": "1"
},
"ID": "3152305802",
"Interface": "",
"InterfaceType": "Global",
"IsActive": false,
"Permit": false,
"Position": 37,
"Remarks": [],
"Source": "0.0.0.0/24",
"SourceKind": "IPv4Network",
"SourceSecurity": {
"kind": "SecurityTag",
"value": "2"
},
"SourceService": "tcp/cifs",
"User": {
"kind": "objectRef#UserObj",
"objectId": "api"
}
}
}
}

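Human Readable Output

Created new rule. ID: 3152305802

| ID | Source | Dest | Permit | Interface | InterfaceType | IsActive | Position | SourceService | DestService |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 3152305802 | 0.0.0.0/24 | 1.1.1.1 | false | | Global | false | 37 | tcp/cifs | tcp/citrix-ica |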

cisco-asa-delete-rule

Deletes a rule.

Base Command

cisco-asa-delete-rule

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_id | The rule ID. | Required |
| interface_name | The name of the interface. | Optional |
| interface_type | The interface type. Possible values are: In, Out, Global. | Required |

Context Output

There is no context output for this command.

Command example

!cisco-asa-delete-rule rule_id=2152246838 interface_type=Global

Human Readable Output

Rule 2152246838 deleted successfully.

cisco-asa-edit-rule

Updates an existing rule.

Base Command

cisco-asa-edit-rule

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| interface_type | The interface type. Possible values are: In, Out, Global. | Required |
| interface_name | The interface name. | Optional |
| rule_id | The rule ID. | Required |
| active | Whether the rule will be active. If True, will be active. Possible values are: True, False. | Optional |
| log_level | The log level of the rule. | Optional |
| position | The position the rule will be in. | Optional |
| remarks | A list of remarks for the rule. | Optional |
| permit | True if the rule is a permit. Possible values are: True, False. | Optional |
| destination | The destination. Can be the value of an IPv4, an address block, or the name of a network object. | Optional |
| source | The source. Can be the value of an IPv4, an address block, or the name of a network object. | Optional |
| service | The service of the rule. | Optional |
| destination_kind | The destination address kind in the ACE. Possible values are: AnyIPAddress, IPv4Address, IPv4FQDN, IPv4Network, IPv4Range, IPv6Address, IPv6FQDN, IPv6Network, IPv6Range, SecurityName, SecurityTag, interfaceIP, NetworkObj, NetworkObjGroup. | Optional |
| source_kind | The source address kind in the ACE. Possible values are: AnyIPAddress, IPv4Address, IPv4FQDN, IPv4Network, IPv4Range, IPv6Address, IPv6FQDN, IPv6Network, IPv6Range, SecurityName, SecurityTag, interfaceIP, NetworkObj, NetworkObjGroup. | Optional |
| service_kind | The source service kind. Possible values are: AnyService, ICMP6Service, ICMPService, NetworkProtocol, NetworkServiceGroups, NetworkServiceObjects, TcpUdpService. | Optional |
| destination_service | The destination service value. | Optional |
| destination_service_kind | The destination service kind. Possible values are: AnyService, ICMP6Service, ICMPService, NetworkProtocol, NetworkServiceGroups, NetworkServiceObjects, TcpUdpService. | Optional |
| time_range | Object ID of the time range object. Can be received with the command cisco-asa-list-time-range. | Optional |
| user | The object ID of the user. Can be one of LocalUserObjGroup, UserGroupObj, UserObj. Can be received with existing commands: cisco-asa-list-local-user-group, cisco-asa-list-local-user, cisco-asa-list-user-object. | Optional |
| user_kind | The type of the user. Possible values are: LocalUserObjGroup, UserGroupObj, UserObj. | Optional |
| source_security | Source security group in the ACE. Possible values are SecurityName, SecurityTag and SecurityObjGroup. Can be received with the existing command cisco-asa-list-security-object-group. | Optional |
| source_security_kind | The source security type. Possible values are: SecurityName, SecurityTag, SecurityObjGroup. | Optional |
| destination_security | Destination security group in the ACE. Possible values are SecurityName, SecurityTag and SecurityObjGroup. Can be received with the existing command cisco-asa-list-security-object-group. | Optional |
| destination_security_kind | The destination security type. Possible values are: SecurityName, SecurityTag, SecurityObjGroup. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.Rules.Source | String | The rule's source. |
| CiscoASA.Rules.Dest | String | The rule's destination. |
| CiscoASA.Rules.InterfaceType | String | The interface type. Can be "In", "Out", or "Global". |
| CiscoASA.Rules.IsActive | Boolean | Whether the rule is active. |
| CiscoASA.Rules.Interface | String | The name of the interface. |
| CiscoASA.Rules.Position | Number | The position of the rule. |
| CiscoASA.Rules.ID | String | The rule ID. |
| CiscoASA.Rules.Remarks | Unknown | A list of all rule remarks. |
| CiscoASA.Rules.Permit | Boolean | Whether the rule permits traffic from source to destination. |
| CiscoASA.Rules.DestService | String | The destination service. |
| CiscoASA.Rules.SourceService | String | The source service. |
| CiscoASA.Rules.SourceKind | String | One of AnyIPAddress, IPv4Address, IPv4FQDN, IPv4Network, IPv4Range, IPv6Address, IPv6FQDN, IPv6Network, IPv6Range, SecurityName, SecurityTag, interfaceIP, objectRef#NetworkObj, objectRef#NetworkObjGroup. |
| CiscoASA.Rules.DestKind | String | One of AnyIPAddress, IPv4Address, IPv4FQDN, IPv4Network, IPv4Range, IPv6Address, IPv6FQDN, IPv6Network, IPv6Range, SecurityName, SecurityTag, interfaceIP, objectRef#NetworkObj, objectRef#NetworkObjGroup. |
| CiscoASA.Rules.SourceSecurity.kind | String | The type of the security group; SecurityName, SecurityTag, objectRef#SecurityObjGroup. |
| CiscoASA.Rules.SourceSecurity.value | String | The value of the SecurityName or SecurityTag. |
| CiscoASA.Rules.SourceSecurity.objectId | String | The object ID of objectRef#SecurityObjGroup. |
| CiscoASA.Rules.DestinationSecurity.kind | String | The type of the security group; SecurityName, SecurityTag, objectRef#SecurityObjGroup. |
| CiscoASA.Rules.DestinationSecurity.value | String | The value of the SecurityName or SecurityTag. |
| CiscoASA.Rules.DestinationSecurity.objectId | String | The object ID of objectRef#SecurityObjGroup. |
| CiscoASA.Rules.User.kind | String | One of AnyUser, NoneUser, objectRef#LocalUserObjGroup, objectRef#UserGroupObj, objectRef#UserObj. |
| CiscoASA.Rules.User.value | String | The user value. |
| CiscoASA.Rules.User.objectId | String | The object ID of the user. |
| CiscoASA.Rules.TimeRange.kind | String | The object reference type or the actual TimeRange value. |
| CiscoASA.Rules.TimeRange.value | String | The value of the time range. |
| CiscoASA.Rules.TimeRange.objectId | String | The object ID of the time range. |

Command example

!cisco-asa-edit-rule rule_id=3371063501 interface_type=Global active=True

Context Example

{
"CiscoASA": {
"Rules": {
"Dest": "5.5.5.5",
"DestKind": "IPv4Address",
"DestService": "tcp/citrix-ica",
"DestinationSecurity": {
"kind": "SecurityTag",
"value": "1"
},
"ID": "3371063501",
"Interface": "",
"InterfaceType": "Global",
"IsActive": true,
"Permit": false,
"Position": 30,
"Remarks": [],
"Source": "0.0.0.0/24",
"SourceKind": "IPv4Network",
"SourceSecurity": {
"kind": "SecurityTag",
"value": "2"
},
"SourceService": "tcp/cifs",
"User": {
"kind": "objectRef#UserObj",
"objectId": "api"
}
}
}
}

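Human Readable Output

Edited rule 3371063501

| ID | Source | Dest | Permit | Interface | InterfaceType | IsActive | Position | SourceService | DestService |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 3371063501 | 0.0.0.0/24 | 5.5.5.5 | false | | Global | true | 30 | tcp/cifs | tcp/citrix-ica |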

cisco-asa-list-network-objects

Gets a list of all configured network objects.

Base Command

cisco-asa-list-network-objects

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| object_name | A comma-separated list of network object names for which to get the network. | Optional |
| object_id | A comma-separated list of object IDs for which to get the network object. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.NetworkObject.ID | String | The ID of the network object. |
| CiscoASA.NetworkObject.Host | String | The host information of the network object. |
| CiscoASA.NetworkObject.Description | String | A description of the network object. |
| CiscoASA.NetworkObject.Name | String | The name of the network object. |

Command example

!cisco-asa-list-network-objects object_name=Test_Lior

Context Example

{
"CiscoASA": {
"NetworkObject": {
"Host": {
"kind": "IPv4Address",
"value": "0.0.0.0"
},
"ID": "Test_Lior",
"Name": "Test_Lior"
}
}
}

Human Readable Output

Network Objects

| ID | Name | Host | Description |
| --- | --- | --- | --- |
| Test_Lior | Test_Lior | kind: IPv4Address, value: 0.0.0.0 | |

cisco-asa-create-network-object

Creates a network object.

Base Command

cisco-asa-create-network-object

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| object_type | The type of network object to create. Possible values are: IPv4, IP-Network. | Required |
| object_name | The name of the object to create. | Required |
| object_value | The value of the network object to create. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.NetworkObject.ID | String | The ID of the network object. |
| CiscoASA.NetworkObject.Host | String | The host information of the network object. |
| CiscoASA.NetworkObject.Description | String | A description of the network object, if exists. |
| CiscoASA.NetworkObject.Name | String | The name of the network object. |

Command example

!cisco-asa-create-network-object object_name=HelloThereLiorSB object_type=IPv4 object_value=1.1.1.1

Context Example

{
"CiscoASA": {
"NetworkObject": {
"Host": {
"kind": "IPv4Address",
"value": "1.1.1.1"
},
"ID": "HelloThereLiorSB",
"Name": "HelloThereLiorSB"
}
}
}

Human Readable Output

Network Objects

| ID | Name | Host | Description |
| --- | --- | --- | --- |
| HelloThereLiorSB | HelloThereLiorSB | kind: IPv4Address, value: 1.1.1.1 | |

cisco-asa-list-interfaces

Gets a list of all interfaces.

Base Command

cisco-asa-list-interfaces

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.Interface.ID | String | The interface ID. |
| CiscoASA.Interface.Name | String | The interface name. |
| CiscoASA.Interface.Type | String | The type of interface. |

Command example

!cisco-asa-list-interfaces

Context Example

{
"CiscoASA": {
"Interface": [
{
"ID": "-1",
"Name": null,
"Type": "Global"
},
{
"ID": "GigabitEthernet0_API_SLASH_0",
"Name": "outside",
"Type": "In"
},
{
"ID": "Management0_API_SLASH_0",
"Name": "inside",
"Type": "Out"
}
]
}
}

Human Readable Output

Interfaces

| Type | ID | Name |
| --- | --- | --- |
| Global | -1 | |
| In | GigabitEthernet0_API_SLASH_0 | outside |
| Out | Management0_API_SLASH_0 | inside |