A self-hosted firewall analyzer for Cisco Secure Firewall.

SAMURAI reads Cisco Secure Firewall (FMC/FTD) and turns it into something searchable: access and NAT policies, network and port objects, and deployable devices, plus ACL visibility on the routers, switches, and ASA around it, with every configuration change detected from device state and attributed to the admin who made it. Self-hosted, air-gap friendly, and in the same dashboard as your Palo Alto and FortiGate firewalls.

Updated June 2026

What it reads from Cisco

FMC access & NAT policies

Cisco Secure Firewall (FMC/FTD) access control and NAT policies, searchable with one query language across the estate.

Objects & deployable devices

Network and port objects (resolved), plus the deployable-devices view so you can see what is pending deployment.

ACL visibility everywhere

Beyond FMC: access lists on Cisco routers, switches, and ASA, with platform auto-detection across IOS, IOS-XE, NX-OS, and IOS-XR.

FTD as a router-class device

FTD via CLISH is modeled as a router-class device, so its routes, interfaces, and ACLs join the same searchable estate.

Change tracking with attribution

Every change diffed from device state. On IOS and IOS-XE, the "by <user>" clause in the running config attributes the change to its admin.

Path tracing across Cisco

Hop-by-hop path simulation with per-hop ACL evaluation across IOS, NX-OS, IOS-XR, and FTD, including reverse-path tracing.

SAMURAI vs FMC alone

Cisco FMC manages your Secure Firewall deployments, and only those. SAMURAI is read-only and multi-vendor: it reads FMC/FTD alongside your Palo Alto and FortiGate firewalls and the routers, switches, and ASA around them, with one search and one change timeline.

Scope

SAMURAI: Cisco FMC/FTD plus ASA, routers, switches, ACI, ISE, and vCenter, plus Palo Alto and FortiGate
Cisco FMC alone: Cisco Secure Firewall (FMC/FTD) only

Direction

SAMURAI: Read-only: observes and reports, never pushes configuration
Cisco FMC alone: Management plane: provisions and deploys policy

Search

SAMURAI: One query language across every device type, field-scoped and CIDR-aware
Cisco FMC alone: Per-policy search within FMC

Deployment

SAMURAI: Single self-hosted Docker container, serving data in about five minutes
Cisco FMC alone: FMC appliance or VM, Cisco-licensed

If you need to author and deploy Cisco firewall policy, FMC is the right tool. If you need to see and search your Cisco firewalls next to everything else on the network, and know who changed what, when, that is what SAMURAI is built for.

Frequently asked questions

Which Cisco firewalls does SAMURAI analyze?

Cisco Secure Firewall via FMC/FTD is first-class: access and NAT policies, objects, and deployable devices. ASA, plus router and switch ACLs, are covered through the SSH path with platform auto-detection.

How does SAMURAI connect to FMC?

Through the FMC REST API (authenticated, domain-aware), read-only. FTD is also read over CLISH as a router-class device, so its routes, interfaces, and ACLs are searchable.

Does it cover ASA?

Yes, at the ACL level over SSH (show commands only), alongside routers and switches. FMC/FTD policy and object visibility is the deeper, API-driven path.

How are Cisco changes attributed?

Changes are diffed from device state. On IOS and IOS-XE, SAMURAI parses the "Last configuration change by <user>" clause to attribute the change; NX-OS lacks a "by" clause, so attribution there is best-effort.
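
The attribution approach described in this answer, sketched as an added example (this is not SAMURAI's code). The function names and both sample configs are constructed for illustration, and the header wording is assumed to be the standard IOS running-config comment line.

```python
import difflib
import re

# Header comment IOS / IOS-XE place at the top of the running config.
HEADER_RE = re.compile(
    r"^!\s*Last configuration change at (?P<when>.+?)(?: by (?P<user>\S+))?\s*$")

def parse_header(config_text):
    """Return (when, user); either is None if the header or clause is absent."""
    for line in config_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            return m.group("when"), m.group("user")
    return None, None

def config_lines(config_text):
    """Keep configuration statements; drop blank and '!' comment lines,
    which carry timestamps and would show up as a change on every poll."""
    return [l.rstrip() for l in config_text.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]

def attribute_change(before, after):
    """Diff two snapshots. The header names only the most recent change, so
    every line in the delta is attributed to that one user (best effort)."""
    delta = [d for d in difflib.ndiff(config_lines(before), config_lines(after))
             if d.startswith(("+ ", "- "))]
    if not delta:
        return None  # only the header moved, nothing to report
    when, user = parse_header(after)
    return {"when": when, "user": user or "unattributed", "delta": delta}

# Constructed sample snapshots (not captured from a real device).
IOS_BEFORE = """\
! Last configuration change at 08:01:10 UTC Mon Mar 3 2025 by alice
!
ip access-list extended EDGE-IN
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any
"""
IOS_AFTER = IOS_BEFORE.replace(
    "08:01:10 UTC Mon Mar 3 2025 by alice", "09:14:02 UTC Tue Mar 4 2025 by jdoe"
).replace(" deny ip any any", " permit tcp any host 192.0.2.10 eq 22\n deny ip any any")
NXOS_BEFORE = """\
!Command: show running-config
!Time: Tue Mar  4 09:20:00 2025
ip access-list EDGE-IN
  10 permit tcp any 192.0.2.10/32 eq 443
"""
NXOS_AFTER = NXOS_BEFORE + "  20 permit tcp any 192.0.2.10/32 eq 22\n"
```

If several admins change the config between two polls, the header still names only the last one, so a shorter poll interval narrows the attribution error.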

Can it run air-gapped?

Yes. One self-contained Docker image, an offline IEEE OUI database, and no telemetry. Nothing leaves your perimeter.

See your Cisco firewalls in one place.

Self-hosted, air-gap friendly, read-only. See it run against your own fleet.