Access Policy
Location in GUI:
Policies » Access Control
This resource covers Access Control Policy, Access Control Policy Rules and Access Control Policy Categories.
Diagram
Classes
policies (fmc.domains)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| access_policies | List | [access_policies] | No |
access_policies (fmc.domains.policies)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[a-zA-Z0-9_ -]{1,64}$ | Yes | |
| default_action | Choice | BLOCK, TRUST, PERMIT, NETWORK_DISCOVERY, INHERIT_FROM_PARENT | Yes | |
| prefilter_policy | String | No | ||
| base_intrusion_policy | String | No | ||
| log_begin | Boolean | true, false | No | |
| log_end | Boolean | true, false | No | |
| send_events_to_fmc | Boolean | true, false | No | |
| enable_syslog | Boolean | true, false | No | |
| snmp_alert | String | No | ||
| syslog_alert | String | No | ||
| syslog_severity | Choice | ALERT, CRIT, DEBUG, EMERG, ERR, INFO, NOTICE, WARNING | No | |
| description | String | max: 255 | No | |
| categories | List | [categories] | No | |
| access_rules | List | [access_rules] | No |
categories (fmc.domains.policies.access_policies)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[a-zA-Z0-9_ -]{1,50}$ | Yes | |
| section | Choice | mandatory, default | No |
access_rules (fmc.domains.policies.access_policies)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[a-zA-Z0-9_ -]{1,50}$ | Yes | |
| action | Choice | ALLOW, TRUST, BLOCK, MONITOR, BLOCK_RESET, BLOCK_INTERACTIVE, BLOCK_RESET_INTERACTIVE | Yes | |
| category | String | No | ||
| description | String | max: 255 | No | |
| destination_dynamic_objects | List | String | No | |
| destination_network_literals | List | String | No | |
| destination_network_objects | List | String | No | |
| destination_port_literals | List | [destination_port_literals] | No | |
| destination_port_objects | List | String | No | |
| destination_zones | List | String | No | |
| enabled | Boolean | true, false | No | |
| file_policy | String | No | ||
| intrusion_policy | String | No | ||
| log_connection_begin | Boolean | true, false | No | |
| log_connection_end | Boolean | true, false | No | |
| log_files | Boolean | true, false | No | |
| section | Choice | mandatory, default | No | |
| send_events_to_fmc | Boolean | true, false | No | |
| enable_syslog | Boolean | true, false | No | |
| snmp_alert | String | No | ||
| source_dynamic_objects | List | String | No | |
| source_network_literals | List | String | No | |
| source_network_objects | List | String | No | |
| source_port_literals | List | [source_port_literals] | No | |
| source_port_objects | List | String | No | |
| source_sgts | List | String | No | |
| source_zones | List | String | No | |
| syslog_alert | String | No | ||
| syslog_severity | Choice | ALERT, CRIT, DEBUG, EMERG, ERR, INFO, NOTICE, WARNING | No | |
| url_categories | List | [url_categories] | No | |
| url_objects | List | String | No | |
| url_literals | List | String | No | |
| variable_set | String | No | ||
| time_range | String | No | ||
| vlan_tag_objects | List | String | No | |
| vlan_tag_literals | List | Integer[min: 1, max: 4095] | No |
destination_port_literals (fmc.domains.policies.access_policies.access_rules)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| protocol | Choice | TCP, UDP, ICMP | Yes | |
| port | Integer | min: 1, max: 65535 | No | |
| icmp_type | Integer | min: 0, max: 255 | No | |
| icmp_code | Integer | min: 0, max: 255 | No |
url_categories (fmc.domains.policies.access_policies.access_rules)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| category | Choice | Name of categories | No | |
| reputation | Choice | ANY_EXCEPT_UNKNOWN, TRUSTED, FAVORABLE, NEUTRAL, QUESTIONABLE, UNTRUSTED, ANY_AND_UNKNOWN, TRUSTED_AND_UNKNOWN, FAVORABLE_AND_UNKNOWN, NEUTRAL_AND_UNKNOWN, QUESTIONABLE_AND_UNKNOWN, UNTRUSTED_AND_UNKNOWN | No |
Examples
Prerequisites:
existing:
fmc:
domains:
- name: Global
objects:
file_types:
- name: PDF
file_categories:
- name: PDF files
policies:
intrusion_policies:
- name: Balanced Security and Connectivity
fmc:
domains:
- name: Global
objects:
hosts:
- name: MyHostName1
ip: 10.10.10.10
networks:
- name: MyNetworkName1
prefix: 10.10.10.0/24
ranges:
- name: MyRangeName1
ip_range: 1.1.1.1-1.1.1.2
network_groups:
- name: MyNetworkGroupName1
objects:
- MyNetworkName1
- MyHostName1
- MyRangeName1
ports:
- name: MyPortName1
port: 8080
protocol: TCP
icmpv4s:
- name: MyICMPv4Name1
icmp_type: 8
port_groups:
- name: MyPortGroupName1
objects:
- MyPortName1
- MyICMPv4Name1
security_zones:
- name: MySecurityZoneName1
- name: MySecurityZoneName2
time_ranges:
- name: MyTimeRangeName1
start_time: "2025-02-13T10:00"
end_time: "2025-02-21T20:00"
recurrences:
- recurrence_type: DAILY_INTERVAL
daily_days: [ "MON", "THU" ]
daily_start_time: "11:00"
daily_end_time: "13:00"
policies:
file_policies:
- name: MyFilePolicyName1
file_rules:
- default_action: DETECT
application_protocol: HTTP
direction_of_transfer: DOWNLOAD
file_categories:
- PDF files
- default_action: DETECT
application_protocol: HTTP
direction_of_transfer: UPLOAD
file_types:
- PDF
intrusion_policies:
- name: MyIntrusionPolicyName1
inspection_mode: DETECTION
base_policy: Balanced Security and Connectivity
Access Policy:
fmc:
domains:
- name: Global
policies:
- name: MyAccessPolicyName1
default_action: BLOCK
prefilter_policy: MyPrefilterPolicyName1
categories:
- name: MyCategoryName1
section: mandatory
access_rules:
- name: MyAccessRuleName1
action: ALLOW
category: MyCategoryName1
source_zones:
- MySecurityZoneName1
destination_zones:
- MySecurityZoneName2
source_network_objects:
- MyNetworkName1
destination_network_objects:
- MyHostName1
destination_port_objects:
- MyPortName1
intrusion_policy: Balanced Security and Connectivity
log_connection_begin: true
log_connection_end: true
log_files: false
send_events_to_fmc: true
time_range: MyTimeRangeName1
- name: MyAccessRuleName2
action: ALLOW
category: MyCategoryName1
source_zones:
- MySecurityZoneName1
destination_zones:
- MySecurityZoneName1
source_network_objects:
- MyNetworkGroupName1
destination_network_literals:
- 10.20.30.0/24
destination_port_objects:
- MyPortGroupName1
intrusion_policy: MyIntrusionPolicyName1
file_policy: MyFilePolicyName1
log_connection_begin: true
log_connection_end: true
log_files: false
send_events_to_fmc: true