On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this GitHub repository will not be actively maintained following this announcement.

Block Observable (Remote)

Workflow #0065

Response Workflow

This workflow takes a URL, domain, IP, or IPv6 observable as input and blocks it on the Secure Firewall Management Center. The observable is added to a new object and the new object is added to an existing object group. A confirmation is sent via Webex. Supported observables: url, ip, ipv6, domain

This workflow is similar to workflow 0015B but works differently. Workflow 0015B adds observables to feeds in SecureX which Secure Firewall then consumes. This workflow makes API calls directly to Secure Firewall, typically through an orchestration remote.
There are two different ways to integrate Secure Firewall with orchestration. For more information about these two methods and which to use, please see this page.


Change Log

| Date | Notes |
|---|---|
| May 4, 2022 | Initial release |
| Sep 7, 2022 | Name modified to reflect this workflow using orchestration remote |

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • Secure Firewall - Add Network Object to Network Group
    • Secure Firewall - Add URL Object to URL Group
    • Secure Firewall - Create Object
    • Secure Firewall - Get Access Token
    • Secure Firewall - Get Network Group by Name
    • Secure Firewall - Get URL Group by Name
    • Secure Firewall - Search Object by Value
    • Webex - Post Message to Room
    • Webex - Search for Room
  • The targets and account keys listed at the bottom of the page
  • Cisco Secure Firewall
  • Cisco Webex

Workflow Steps

  1. Fetch global variables
  2. Set the workflow run URL based on region
  3. Search for the Webex room provided
  4. Validate required variables are provided
  5. Set the object types based on the observable type
  6. Search for existing objects for this observable
  7. Check if an object already exists:
    • If it does, use the existing object
    • If it doesn’t, create a new object
  8. Check if we’re working with network or URL objects:
    • If network objects:
      • Get the network group and check if the object is already in it (if so, end the workflow)
      • Add the object to the group and send a confirmation
    • If URL objects:
      • Get the URL group and check if the object is already in it (if so, end the workflow)
      • Add the object to the group and send a confirmation
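
Steps 5 through 8 amount to an idempotent "ensure this observable is in the block group" routine, which matters when the same observable is submitted more than once. The sketch below is an added example, not the workflow's or Cisco's code: `InMemoryFMC`, `block_observable`, the object naming scheme and the group names are hypothetical, and mapping `domain` to URL objects is an assumption the page does not state.

```python
import ipaddress
import re

# Assumption: ip/ipv6 use network objects; url and domain use URL objects.
KIND = {"ip": "network", "ipv6": "network", "url": "url", "domain": "url"}

class InMemoryFMC:
    """Constructed stand-in for the management center; not the FMC API."""
    def __init__(self, groups):
        self.objects = {}                        # (kind, value) -> object name
        self.groups = {g: [] for g in groups}    # (kind, group name) -> member names

    def search_object(self, kind, value):
        return self.objects.get((kind, value))

    def create_object(self, kind, name, value):
        self.objects[(kind, value)] = name
        return name

    def get_group(self, kind, name):
        return self.groups[(kind, name)]         # KeyError if the group is missing

def check_value(obs_type, value):
    """Reject values that do not match the declared observable type."""
    if obs_type in ("ip", "ipv6"):
        version = ipaddress.ip_address(value).version   # ValueError on garbage
        if version != (4 if obs_type == "ip" else 6):
            raise ValueError(f"{value!r} is not a valid {obs_type}")
    elif not value or any(c.isspace() for c in value):
        raise ValueError(f"{value!r} is not a valid {obs_type}")

def block_observable(fmc, obs_type, value, prefix, group_for):
    """Steps 5-8 of the workflow; returns (status, object_name)."""
    if obs_type not in KIND:
        raise ValueError(f"unsupported observable type: {obs_type}")
    check_value(obs_type, value)
    kind = KIND[obs_type]                            # step 5
    name = fmc.search_object(kind, value)            # step 6
    if name is None:                                 # step 7: create only if missing
        safe = re.sub(r"[^A-Za-z0-9.-]", "_", value) # hypothetical naming scheme
        name = fmc.create_object(kind, f"{prefix}{safe}", value)
    members = fmc.get_group(kind, group_for[kind])   # step 8
    if name in members:
        return "already_in_group", name              # end without a duplicate add
    members.append(name)
    return "added", name
```

Running it twice with the same observable returns `added` and then `already_in_group`, with a single object and a single group entry.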

Configuration

  • Configure the following local variables with the options you want for your Secure Firewall Management Center:
    • Access Control Policy
    • Access Rule
    • Object Name Prefix
    • URL Group
    • Network Group
  • If you want to change the name of this workflow in the pivot menu, change its display name
  • See this page for information on configuring the workflow for Webex

Targets

Target Group: Default TargetGroup

Note: If your FMC is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use FMC with orchestration.

| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| FMC Target | HTTP Endpoint | Protocol: HTTPS, Host: your-firewall-management-center, Path: api/ | FMC API Credentials | |
| Webex Teams | HTTP Endpoint | Protocol: HTTPS, Host: webexapis.com, Path: None | None | |

Account Keys

| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| FMC API Credentials | HTTP Basic Authentication | Username: FMC Username, Password: FMC Password | Account must have API permissions |