Starting with ASA 9.3(2), the 5500-X hardware supports a RESTful API as an additional method for configuring and monitoring the ASA. Infrastructure as code, as they call it, is not anything new, but I was reading a post that Ivan wrote, and as he points out there are two styles when we are dealing with IaC: the data model or CRUD. Reading about the ASA RESTful API, it was interesting to see which one the ASA falls into: CRUD is the method it uses, and although this method works, I have a similar feeling to what Ivan posted. It makes me wonder if this is really a step forward into IaC. In this post we'll go through the steps to enable it and you can be the judge: does this RESTful API help?
So the first thing we need is to grab the RESTful API application. It is not included by default, so we'll need to go to cisco.com and download it. Look for the Adaptive Security Appliance REST API Plugin; depending on your version of ASA there might be some gotchas about which version to use, so read the release notes. Once you have the correct version downloaded, upload it to the ASA flash.
Once uploaded you have to specify the location of the REST API Plugin:
ASA-HA-1(config)# rest-api image flash:asa-restapi-132325-lfbff-k8.SPA
Computed Hash   SHA2: 2106d6ac8c4e3c181c4820fb46588b8c
                      e104712e13fb783ad8f051e905c21330
                      0ad66d0e96a6f050805e1e7dc173f187
                      211c87db0c2d440da2e2d8614a210e4c
Embedded Hash   SHA2: 2106d6ac8c4e3c181c4820fb46588b8c
                      e104712e13fb783ad8f051e905c21330
                      0ad66d0e96a6f050805e1e7dc173f187
                      211c87db0c2d440da2e2d8614a210e4c
Digital signature validated successfully
ASA-HA-1(config)#
After that you can enable the REST API:
ASA-HA-1(config)# rest-api agent
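Once enabled, if you have ASDM enabled then the HTTP service is already running. If not, you have to enable the HTTP server as well as configure a management rule that says which interface you will be connecting to. The 0.0.0.0 0.0.0.0 rule below matches any source address; a management subnet and mask is the tighter choice.
http server enable
http 0.0.0.0 0.0.0.0 <interface_name>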
After that you can browse to the following link:
You will be prompted to log in with a username and password, so make sure authentication is configured on the ASA.
If you have logged in successfully you will see a webpage like this:
From here you can explore the different HTTP requests that are available, and you essentially have another way of configuring and monitoring your ASA. So back to my question: does this type of RESTful API help you? I have explored this and have used Postman for my poor man's “IaC”, but does that count? I feel something is missing. In the end it’s still a process that runs, and instead of running it via the CLI it’s a CRUD API…
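What the CRUD style leaves to the caller, as an added example that is not code from this post or from Cisco: a small planner that diffs a desired set of network objects against what the ASA currently reports and emits the create, update and delete calls, which is the part a data-model API would do for you. The resource path, the JSON payload shape, the object names and the "iac-" ownership prefix are assumptions for illustration; check the path and payload against the API documentation served by your own ASA.

```python
"""Plan the CRUD calls that move an ASA from its current network objects to a desired set."""
import json

# Assumed resource path for network objects; confirm it in your ASA's REST API docs.
BASE = "/api/objects/networkobjects"


def plan(desired, current, managed_prefix="iac-"):
    """Return an ordered list of (method, path, body) tuples.

    desired and current map object name -> host IP address. Only names that
    start with managed_prefix are ever deleted, so objects created by hand
    (outside this tool) are left alone.
    """
    calls = []
    for name in sorted(desired):
        # Assumed payload shape for a host-type network object.
        body = {"kind": "object#NetworkObj", "name": name,
                "host": {"kind": "IPv4Address", "value": desired[name]}}
        if name not in current:
            calls.append(("POST", BASE, body))  # create
        elif current[name] != desired[name]:
            calls.append(("PATCH", f"{BASE}/{name}", {"host": body["host"]}))  # update
        # Equal values produce no call, which is what makes a re-run idempotent.
    for name in sorted(current):
        if name not in desired and name.startswith(managed_prefix):
            calls.append(("DELETE", f"{BASE}/{name}", None))  # remove drift
    return calls


# Constructed sample state, not taken from a real device.
CURRENT = {"iac-web01": "192.0.2.10", "iac-old": "192.0.2.99", "legacy-dns": "192.0.2.53"}
DESIRED = {"iac-web01": "192.0.2.11", "iac-db01": "192.0.2.20"}

if __name__ == "__main__":
    for method, path, body in plan(DESIRED, CURRENT):
        print(method, path, json.dumps(body) if body else "")
```

Sending the planned calls (with whatever HTTP client you use in place of Postman) and then re-reading the objects and planning again should yield an empty list; anything left over is drift or a failed call.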