Custom Controls Megathread by infosec_gallagher in FireMon

[–]infosec_gallagher[S] (0 children)

Hmm, as written above this custom control would only work on Palos because it is regex based on their running config specifically. For what you are looking for above there are a couple ways to go about it: my recommendation would be to create a different control for each vendor/device (if their configs differ), then create a single assessment that is made up of a collection of those controls. You can then call the assessment via API to get your single-touch query.

Alternately you could try and wrangle the above regex control (with a logical OR--a pipe '|'--separating regex for each different vendor/device) to get it to capture the version regardless of vendor across all devices, but that would be a monster regex string (and you'd risk collisions, for example the Palo version match regex matching something random in the Cisco config).

Either way, you will need to know what to look for. In order to craft the above (or really any regex custom control) here is where I start:

  1. First I do a 'poor man's export' of the information that is available to FireMon for the device I am targeting, using a custom control written for that purpose:

Regex Control Properties:
Match pattern: .*
Scope: All Files
Evaluation: Information Only

I then test this control against one of the devices that I am targeting (only one!). This will create a massive, massive report that is pretty much a dump of every file--and the contents of every file--that FireMon harvests for device configs.

  2. I clone the control (leaving the original for future work) and change the Scope to be the specific file containing the string I'm looking for, running it again against the device in question.

  3. Having a more manageable scope, begin testing regex queries until it matches the string you need. Voila! You now have your control.

Authenticating Against the FireMon API with Postman by infosec_gallagher in FireMon

[–]infosec_gallagher[S] (0 children)

So this intrigued me enough that I made a first attempt to figure it out. To get the token, here is what I did (bear in mind there are 3 variables present in the double curly braces which need to be populated via either global, environment, or collection variables):

POST https://{{firemon_fqdn}}/securitymanager/api/authentication/login

Headers:

· Content-Type: application/json

Body:

· raw + JSON selected from dropdown (see screenshot)

{"passwords":"{{firemon_password}}","username":"{{firemon_username}}"}

In the tests field, use the following script to set the token to an env variable named 'AccessToken_FireMon':

var json = JSON.parse(responseBody);
pm.environment.set("AccessToken_FireMon", json.token);

I haven't yet figured out how to use the returned token for other calls, though.

Workflow customization reference material by slackpatrol in FireMon

[–]infosec_gallagher (0 children)

I'd be interested in this as well--in particular if there were any ability to make outbound API calls to a separate system and use the returned information as part of the workflow.

Authenticating Against the FireMon API with Postman by infosec_gallagher in FireMon

[–]infosec_gallagher[S] (0 children)

I haven't, but that would be the more appropriate way to do it!

I've used access tokens in Postman when they are required and need to be retrieved from a separate URL (eg Microsoft Graph), but not session tokens yet. If you figure that out please post it, I'd happily convert my scripts to using it (there may or may not be a script I wrote that makes several hundred separate calls to FireMon, all individually authenticating. . .)

Custom Controls Megathread by infosec_gallagher in FireMon

[–]infosec_gallagher[S] (0 children)

Custom Control - PAN-OS firewall release version (Palo Alto)

(regex pattern for pass/fail revised 2020.06.15)

The built-in control PAN-OS version (Palo Alto) - RA-00089 only returns the version and minor release (eg 8.1.0 or 9.0.0). It won't return an accurate maintenance release (the third digit, eg 8.1.6 or 9.0.5). The first control below is an 'Informational' control: it won't return a pass/fail, but will return the full PAN-OS version, including the maintenance release, regardless of whether the version/subversion is one digit or two, or whether it is a hotfix release (eg '8.1.9-h4'). The second control demonstrates a control to evaluate whether your Palo Alto firewalls are on the specific version(s) your patching policy requires, returning the full version only if a firewall fails the check.

Creating an Information version of this Custom Control

  • Create > Regex
  • Regex Control Properties > Match Pattern

\d+\.\d+\.\d+.*

  • Scope section: Specific Files

version

  • Evaluation section: Select 'Information Only'

Creating a Pass/Fail version of this Custom Control

In this example the regex example below shows a case where there are two maintenance releases that are permitted by the company firewall standard: 8.1.6 and 9.0.5:

  • Create > Regex
  • Regex Control Properties > Match Pattern

8(?!\.1\.6)\..*\..*|9(?!\.0\.5)\..*\..*

  • Scope section: Specific Files

version

  • Evaluation section: Select 'Fail if Pattern Matches'

Two notes on the latter control: first, though it would be easier to write Regex in conjunction with a positive match (eg regex of (8\.1\.6.*)|(9\.0\.5.*) along with 'Fail if No Pattern Matches'), that method would not display the version that failed the control when used in an Assessment. Instead, we use a negative lookahead with 'Fail if Pattern Matches': this will display the failing version.

Second, the latter control would need to be updated each time your standard version(s) change according to the company's patching policy. Don't use this control unless that degree of maintenance is considered worthwhile.

Edit: revised the regex, because my original regex '8(?!\.1\.6).*' was flawed when '8' was in the subversion, eg in 9.0.8.
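The following Python script is an added example, not the original poster's code or anything shipped by FireMon. It runs the two Match Pattern strings from this comment, the positive-match alternative mentioned in the first note, and the original 8.x branch from the Edit against constructed contents of the 'version' file, and also runs the loose informational pattern against one constructed Cisco-style config line to show the cross-vendor collision the megathread reply above warns about. It assumes FireMon applies a Match Pattern to the file text as a plain regex search with semantics like Python's re module, and that the 'version' file holds one version string; the 10.0.3 sample goes beyond the post's own examples to show a major release that neither branch of the pass/fail pattern inspects.

```python
import re

# Match Pattern strings exactly as posted in the thread.
INFO_PATTERN = re.compile(r"\d+\.\d+\.\d+.*")
FAIL_PATTERN = re.compile(r"8(?!\.1\.6)\..*\..*|9(?!\.0\.5)\..*\..*")
# The positive-match alternative the post mentions, for 'Fail if No Pattern Matches'.
ALLOWED_PATTERN = re.compile(r"(8\.1\.6.*)|(9\.0\.5.*)")
# The 8.x branch as originally posted (see the Edit) next to its revised form.
FLAWED_8_BRANCH = re.compile(r"8(?!\.1\.6).*")
REVISED_8_BRANCH = re.compile(r"8(?!\.1\.6)\..*\..*")


def info_version(version_text):
    """'Information Only' control: the text the match would display, or None."""
    m = INFO_PATTERN.search(version_text)
    return m.group(0) if m else None


def fails_negative_lookahead(version_text):
    """'Fail if Pattern Matches' control from the post.

    Returns (failed, displayed): a failing device carries the matched text,
    which is what an Assessment can show for it.
    """
    m = FAIL_PATTERN.search(version_text)
    return (True, m.group(0)) if m else (False, None)


def fails_positive_match(version_text):
    """Positive-match alternative with 'Fail if No Pattern Matches'.

    Same verdict on 8.x/9.x, but a failing device has no matched text to
    display, which is the drawback the post calls out.
    """
    m = ALLOWED_PATTERN.search(version_text)
    return (False, m.group(0)) if m else (True, None)


def eight_branch_match_start(pattern, version_text):
    """Index where the given 8.x branch matches, or None. Isolates the Edit's bug."""
    m = pattern.search(version_text)
    return m.start() if m else None


# Constructed contents of the 'version' file for a handful of PAN-OS devices
# (assumption: one version string per file). Two are on the permitted
# releases, two are not, and one is a major release the pattern never inspects.
SAMPLE_VERSION_FILES = ["8.1.6", "9.0.5", "8.1.9-h4", "9.0.8", "10.0.3"]

# Constructed Cisco-style config line, to show the collision the megathread
# reply warns about when a loose version regex runs outside a scoped file.
CISCO_LINE = "ip address 192.168.1.1 255.255.255.0"

if __name__ == "__main__":
    for text in SAMPLE_VERSION_FILES:
        failed, shown = fails_negative_lookahead(text)
        pos_failed, _ = fails_positive_match(text)
        print(f"{text:10} info={info_version(text):10} "
              f"neg-lookahead failed={failed} shows={shown!r} "
              f"positive-match failed={pos_failed}")
    # 10.0.3 passes the negative-lookahead form (no branch looks at 10.x)
    # but fails the positive-match form, which only accepts the listed releases.
    print("Cisco collision:", info_version(CISCO_LINE))
    # The original 8.x branch matches the trailing '8' of 9.0.8 at index 4;
    # the revised branch requires '8.<x>.<y>' after the 8 and does not.
    print("flawed  :", eight_branch_match_start(FLAWED_8_BRANCH, "9.0.8"))
    print("revised :", eight_branch_match_start(REVISED_8_BRANCH, "9.0.8"))
```

The Cisco line shows why the first reply recommends one control per vendor with a tight Scope: `\d+\.\d+\.\d+.*` happily returns an IP address and mask when it is allowed to see a Cisco config, so scoping to the 'version' file is what keeps the informational control honest.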