On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this GitHub repository will not be actively maintained following this announcement.

Get Expiring Rules (SSE)

Workflow #0074

This workflow searches up to 500 Cisco Secure Firewall Management Center policies for time-based rules that are set to expire within the configured expiry time. If expired or soon-to-expire rules are found, a message is posted in Webex with the rule details.

There are two different ways to integrate Secure Firewall with orchestration. For more information about these two methods and which to use, please see this page.
This workflow expects the new "SecureX Token" account key. For more information about this, please see this page.

GitHub


Change Log

| Date | Notes |
|------|-------|
| Sep 7, 2022 | Initial release |

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • SecureX - SSE Proxy - Send Request
    • Webex - Post Message to Room
    • Webex - Search for Room
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed below
  • Cisco Secure Firewall
  • Cisco Webex

Workflow Steps

  1. Validate required settings and fetch the Webex room ID
  2. Get time-range objects
  3. Get access policies
  4. For each policy:
    • Check each rule for time-based objects
    • If time-based objects are found in rule:
      • Calculate the expiry time and append to the workflow output as needed
  5. Finalize the output of the workflow based on what was found
  6. Post message to Webex

Configuration

  • Set the Check For Expired Rules local variable to true or false depending on whether you want to report on rules that have already expired
  • Set the Expiring Soon Time Period local variable to the number of days you want to use as the threshold for considering a rule to be expiring soon. For example, if you set this to 7 days, any rule expiring within 7 days will be considered “expiring soon”
  • Set the Secure Firewall Management Center URL to the base URL of your FMC portal. For example: https://securefirewall.yourcompany.com
  • Set the Domain UUID to the UUID of the FMC domain you want the workflow to make changes to. If you’re using the default domain, you can leave the default value
  • Set the Device ID to the ID of the device to send the command to in SSE. This can be obtained from the device’s summary page in SSE, the Devices page in the Administration section of SecureX, or by using the “SecureX - SSE Proxy - List Devices” atomic
  • If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow
  • See this page for information on configuring the workflow for Webex
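
The rule check from the Workflow Steps, driven by the two local variables described under Configuration, as an added Python example (not the workflow's own implementation). The policy and time-range data are constructed, the field names `timeRangeObjects` and `effectiveEndDateTime` and the `find_expiring_rules` helper are assumptions, and all timestamps are assumed to be in the same timezone as `now`.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names are assumptions, timestamps share one timezone with `now`.
TIME_RANGES = [
    {"id": "tr-1", "name": "contractor-window", "effectiveEndDateTime": "2024-03-05T17:00"},
    {"id": "tr-2", "name": "migration-window", "effectiveEndDateTime": "2024-02-20T00:00"},
    {"id": "tr-3", "name": "long-lived", "effectiveEndDateTime": "2024-12-31T23:59"},
    {"id": "tr-4", "name": "open-ended"},  # no end date, so it never expires
]
POLICIES = [
    {"name": "Edge-Policy", "rules": [
        {"name": "allow-contractor-vpn", "timeRangeObjects": [{"id": "tr-1"}]},
        {"name": "allow-dns"},  # not time-based
        {"name": "temp-migration", "timeRangeObjects": [{"id": "tr-2"}]},
    ]},
    {"name": "DC-Policy", "rules": [
        {"name": "batch-sync", "timeRangeObjects": [{"id": "tr-3"}, {"id": "tr-4"}]},
        {"name": "stale-ref", "timeRangeObjects": [{"id": "tr-missing"}]},
    ]},
]

def find_expiring_rules(policies, time_ranges, now, soon_days=7, check_expired=True):
    """Return (policy, rule, time range, status, end) tuples for flagged rules."""
    ends = {}
    for tr in time_ranges:
        if tr.get("effectiveEndDateTime"):
            end = datetime.strptime(tr["effectiveEndDateTime"], "%Y-%m-%dT%H:%M")
            ends[tr["id"]] = (tr["name"], end)
    cutoff = now + timedelta(days=soon_days)
    findings = []
    for policy in policies:
        for rule in policy.get("rules", []):
            for ref in rule.get("timeRangeObjects", []):
                if ref["id"] not in ends:  # open-ended or unresolved reference
                    continue
                name, end = ends[ref["id"]]
                if end <= now:
                    status = "expired"
                elif end <= cutoff:
                    status = "expiring soon"
                else:
                    continue  # ends after the threshold
                if status == "expired" and not check_expired:
                    continue
                findings.append((policy["name"], rule["name"], name, status, end.isoformat()))
    return findings

if __name__ == "__main__":
    for finding in find_expiring_rules(POLICIES, TIME_RANGES, datetime(2024, 3, 1, 9, 0)):
        print(" | ".join(finding))
```

Rules that reference an open-ended time range or an ID that no longer resolves are skipped here rather than reported; a production check may prefer to surface unresolved references separately.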

Targets

Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
|-------------|------|---------|--------------|-------|
| CTR_API | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | CTR_Credentials | Created by default |
| Webex Teams | HTTP Endpoint | Protocol: HTTPS; Host: webexapis.com; Path: None | None | |

Account Keys

| Account Key Name | Type | Details | Notes |
|------------------|------|---------|-------|
| CTR_Credentials | SecureX Token | | See this page |