Group Policy

Version:

Location in GUI: Objects » VPN » Group Policy

Diagram

Classes

objects (fmc.domains)

Name	Type	Constraint	Mandatory	Default Value
group_policies	List	`[group_policies]`	No

group_policies (fmc.domains.objects)

Name	Type	Constraint	Mandatory
name	String		Yes
description	String	max: `255`	No
general	Class	`[general]`	No
secure_client	Class	`[secure_client]`	No
advanced	Class	`[advanced]`	No

general (fmc.domains.objects.group_policies)

Name	Type	Constraint	Mandatory	Default Value
protocol_ssl	Boolean	`true`, `false`	No	`true`
protocol_ipsec_ikev2	Boolean	`true`, `false`	No	`true`
ipv4_address_pools	List	String	No
banner	String		No
primary_dns_server	String		No
secondary_dns_server	String		No
primary_wins_server	String		No
secondary_wins_server	String		No
default_domain	String		No
ipv4_dhcp_network_scope	String		No
ipv4_split_tunnel_policy	Choice	`TUNNEL_ALL`, `TUNNEL_SPECIFIED`, `EXCLUDE_SPECIFIED_OVER_TUNNEL`	No	`TUNNEL_ALL`
ipv6_split_tunnel_policy	Choice	`TUNNEL_ALL`, `TUNNEL_SPECIFIED`, `EXCLUDE_SPECIFIED_OVER_TUNNEL`	No	`TUNNEL_ALL`
split_tunnel_access_list	String		No
dns_request_split_tunnel_policy	Choice	`USE_SPLIT_TUNNEL_SETTING`, `TUNNEL_ALL`, `TUNNEL_SPECIFIED_DOMAINS`	No	`USE_SPLIT_TUNNEL_SETTING`
dns_request_split_tunnel_domains	List	String	No

secure_client (fmc.domains.objects.group_policies)

Name	Type	Constraint	Mandatory	Default Value
profile	String		No
management_profile	String		No
modules	List	`[modules]`	No
ssl_compression	Choice	`DISABLED`, `DEFLATE`, `LZS`	No	`DISABLED`
dtls_compression	Choice	`DISABLED`, `LZS`	No	`DISABLED`
mtu_size	Integer	min: `576`, max: `1462`	No	`1406`
ignore_df_bit	Boolean	`true`, `false`	No	`false`
keep_alive_messages_interval	Integer	min: `15`, max: `600`	No	`20`
gateway_dead_peer_detection_interval	Integer	min: `5`, max: `3600`	No	`30`
client_dead_peer_detection_interval	Integer	min: `5`, max: `3600`	No	`30`
client_bypass_protocol	Boolean	`true`, `false`	No	`false`
ssl_rekey_method	Choice	`NEW_TUNNEL`, `EXISTING_TUNNEL`	No	`NEW_TUNNEL`
ssl_rekey_interval	Integer	min: `4`, max: `10080`	No	`4`
client_firewall_private_network_rules_access_list	String		No
client_firewall_public_network_rules_access_list	String		No
custom_attributes	List	String	No

advanced (fmc.domains.objects.group_policies)

Name	Type	Constraint	Mandatory	Default Value
traffic_filter_access_list	String		No
restrict_vpn_to_vlan	Integer	min: `1`, max: `4094`	No
access_hours_time_range	String		No
simultaneous_logins_per_user	Integer	min: `0`, max: `2147483647`	No	`3`
maximum_connection_time	Integer	min: `1`, max: `4473924`	No
maximum_connection_time_alert_interval	Integer	min: `1`, max: `30`	No
idle_timeout	Integer	min: `1`, max: `4473924`	No	`30`
idle_timeout_alert_interval	Integer	min: `1`, max: `30`	No	`1`

modules (fmc.domains.objects.group_policies.secure_client)

Name	Type	Constraint	Mandatory
type	Choice	`AMP_ENABLER`, `FEEDBACK`, `ISE_POSTURE`, `NETWORK_ACCESS_MANAGER`, `NETWORK_VISIBILITY`, `UMBRELLA_ROAMING`, `WEB_SECURITY`, `START_BEFORE_LOGIN`, `DART`	No
profile_name	String		No
download_module	Boolean	`true`, `false`	No

Examples

Pre-requisites:

fmc:
  domains:
    - name: Global
      objects:

        ipv4_address_pools:
          - name: MyIPv4AddressPool1
            description: My Test IPv4 Address Pool 1
            range: 192.168.10.1-192.168.10.100
            netmask: 255.255.255.0
            overridable: false

        hosts:
          - name: MyHostName1
            ip: 10.10.10.1
          - name: MyHostName2
            description: My Host 2 Description
            ip: 10.10.10.2

        networks:
          - name: MyNetworkName1
            prefix: 10.10.10.0/24

        extended_access_lists:
          - name: MyExtendedACLName2
            entries:
              - action: PERMIT
                logging: DEFAULT
                source_network_literals:
                  - 10.1.1.0/24
                destination_network_literals:
                  - 10.1.2.0/24

        time_ranges:
          - name: MyTimeRangeName1
            start_time: "2025-02-13T10:00"
            end_time: "2025-02-21T20:00"
            recurrences:
              - recurrence_type: DAILY_INTERVAL
                daily_days: ["MON", "THU"]
                daily_start_time: "11:00"
                daily_end_time: "13:00"

        secure_client_profiles:
          - name: MySecureClientProfileName1
            description: My Secure Client Profile Description 1
            file_type: ANYCONNECT_VPN_PROFILE
            path: ../files_local/CiscoSecureAccessVPN_Profile.xml
          - name: MySecureClientProfileName2
            description: My Secure Client Profile Description 2
            file_type: UMBRELLA_ROAMING
            path: ../files_local/umbrella_profile.json

       secure_client_custom_attributes:
          - name: MySecureClientCustomAttributeName1
            description: My Secure Client Custom Attribute Description 1
            attribute_type: USER_DEFINED_CUSTOM_ATTR
            user_defined_attribute_name: my_custom_attribute_name
            user_defined_attribute_value: my_custom_attribute_value
          - name: MySecureClientCustomAttributeName2
            description: My Secure Client Custom Attribute Description 2
            attribute_type: DYNAMIC_SPLIT_TUNNELING
            dynamic_split_tunnel_included_domains:
              - included.domain1.com
              - included.domain2.com
            dynamic_split_tunnel_excluded_domains:
              - excluded.domain1.com

Group policy

fmc:
  domains:
    - name: Global
      objects:
        group_policies:
          - name: MyGroupPolicyName1
            description: "This is my group policy description"
            general:
              protocol_ssl: true
              protocol_ipsec_ikev2: true
              ipv4_address_pools:
                - MyIPv4AddressPool1
              banner: Welcome to my VPN
              primary_dns_server: MyHostName1
              secondary_dns_server: MyHostName2
              default_domain: example.com
              ipv4_dhcp_network_scope: MyNetworkName1
              ipv4_split_tunnel_policy: TUNNEL_ALL
              ipv6_split_tunnel_policy: EXCLUDE_SPECIFIED_OVER_TUNNEL
              split_tunnel_access_list: MyExtendedACLName2
              dns_request_split_tunnel_policy: TUNNEL_SPECIFIED_DOMAINS
              dns_request_split_tunnel_domains:
                - example.com
                - example.org
                - example.net
            secure_client:
              profile: MySecureClientProfileName1
              modules:
                - profile_name: MySecureClientProfileName2
                - type: DART
              custom_attributes:
                - MySecureClientCustomAttributeName1
                - MySecureClientCustomAttributeName2
            advanced:
              access_hours_time_range: MyTimeRangeName1