
Access Control Policy

Location in GUI: Policies » Access Control

This resource covers Access Control Policy, Access Control Policy Rules and Access Control Policy Categories.

Diagram

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| access_control_policies | List[access_control_policies] | | No | |

access_control_policies (fmc.domains.policies)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| name | String | Regex: `^[a-zA-Z0-9_ -]{1,64}$` | Yes | |
| description | String | max: 255 | No | |
| default_action | Choice | BLOCK, TRUST, PERMIT, NETWORK_DISCOVERY, INHERIT_FROM_PARENT | No | BLOCK |
| base_intrusion_policy | String | | No | |
| base_variable_set | String | | No | |
| log_connection_begin | Boolean | true, false | No | |
| log_connection_end | Boolean | true, false | No | |
| send_events_to_fmc | Boolean | true, false | No | false |
| send_syslog | Boolean | true, false | No | false |
| syslog_severity | Choice | ALERT, CRIT, DEBUG, EMERG, ERR, INFO, NOTICE, WARNING | No | |
| snmp_alert | String | | No | |
| syslog_alert | String | | No | |
| prefilter_policy | String | | No | |
| categories | List[categories] | | No | |
| access_rules | List[access_rules] | | No | |

categories (fmc.domains.policies.access_control_policies)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| name | String | Regex: `^[a-zA-Z0-9_ -]{1,50}$` | Yes | |
| section | Choice | mandatory, default | No | |

access_rules (fmc.domains.policies.access_control_policies)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| name | String | Regex: `^[a-zA-Z0-9_ \-#]{1,50}$` | Yes | |
| action | Choice | ALLOW, TRUST, BLOCK, MONITOR, BLOCK_RESET, BLOCK_INTERACTIVE, BLOCK_RESET_INTERACTIVE | Yes | |
| applications | List | String | No | |
| application_filter_objects | List | String | No | |
| category | String | | No | |
| destination_dynamic_objects | List | String | No | |
| destination_network_literals | List | String | No | |
| destination_network_objects | List | String | No | |
| destination_port_literals | List[destination_port_literals] | | No | |
| destination_port_objects | List | String | No | |
| destination_sgts | List | String | No | |
| destination_zones | List | String | No | |
| enabled | Boolean | true, false | No | true |
| endpoint_device_types | List | String | No | |
| file_policy | String | | No | |
| intrusion_policy | String | | No | |
| log_connection_begin | Boolean | true, false | No | |
| log_connection_end | Boolean | true, false | No | |
| log_files | Boolean | true, false | No | |
| section | Choice | mandatory, default | No | |
| send_events_to_fmc | Boolean | true, false | No | |
| send_syslog | Boolean | true, false | No | false |
| snmp_alert | String | | No | |
| source_dynamic_objects | List | String | No | |
| source_network_literals | List | String | No | |
| source_network_objects | List | String | No | |
| source_port_literals | List[source_port_literals] | | No | |
| source_port_objects | List | String | No | |
| source_sgts | List | String | No | |
| source_zones | List | String | No | |
| syslog_alert | String | | No | |
| syslog_severity | Choice | ALERT, CRIT, DEBUG, EMERG, ERR, INFO, NOTICE, WARNING | No | |
| url_objects | List | String | No | |
| url_literals | List | String | No | |
| variable_set | String | | No | |
| time_range | String | | No | |
| vlan_tag_objects | List | String | No | |
| vlan_tag_literals | List[vlan_tag_literals] | | No | |

destination_port_literals (fmc.domains.policies.access_control_policies.access_rules)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| protocol | Choice | TCP, UDP, ICMP | Yes | |
| port | Integer | min: 1, max: 65535 | No | |
| icmp_type | Integer | min: 0, max: 255 | No | |
| icmp_code | Integer | min: 0, max: 255 | No | |

vlan_tag_literals (fmc.domains.policies.access_control_policies.access_rules)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| start_tag | Integer | min: 1, max: 4095 | Yes | |
| end_tag | Integer | min: 1, max: 4095 | No | |

Prerequisites:

```yaml
existing:
  fmc:
    domains:
      - name: Global
        objects:
          file_types:
            - name: PDF
          file_categories:
            - name: PDF files
        policies:
          intrusion_policies:
            - name: Balanced Security and Connectivity
fmc:
  domains:
    - name: Global
      objects:
        hosts:
          - name: MyHostName1
            ip: 10.10.10.1
        networks:
          - name: MyNetworkName1
            prefix: 10.10.10.0/24
        network_groups:
          - name: MyNetworkGroupName1
            objects:
              - MyHostName1
              - MyNetworkName1
            literals:
              - 10.99.0.0/24
        ports:
          - name: MyPortName1
            port: 8080
            protocol: TCP
        icmpv4s:
          - name: MyICMPv4Name1
            icmp_type: 3
            code: 2
        port_groups:
          - name: MyPortGroupName1
            objects:
              - MyPortName1
              - MyICMPv4Name1
        security_zones:
          - name: MySecurityZoneName1
          - name: MySecurityZoneName2
        time_ranges:
          - name: MyTimeRangeName1
            start_time: "2025-02-13T10:00"
            end_time: "2025-02-21T20:00"
            recurrences:
              - recurrence_type: DAILY_INTERVAL
                daily_days: ["MON", "THU"]
                daily_start_time: "11:00"
                daily_end_time: "13:00"
      policies:
        file_policies:
          - name: MyFilePolicyName1
            file_rules:
              - action: DETECT
                application_protocol: HTTP
                direction_of_transfer: DOWNLOAD
                file_categories:
                  - PDF files
              - action: DETECT
                application_protocol: HTTP
                direction_of_transfer: UPLOAD
                file_types:
                  - PDF
        intrusion_policies:
          - name: MyIntrusionPolicyName1
            inspection_mode: DETECTION
            base_policy: Balanced Security and Connectivity
```

Access Policy:

```yaml
fmc:
  domains:
    - name: Global
      policies:
        access_control_policies:
          - name: MyAccessPolicyName1
            default_action: BLOCK
            categories:
              - name: MyCategoryName1
                section: mandatory
            access_rules:
              - name: MyAccessRuleName1
                action: ALLOW
                category: MyCategoryName1
                source_zones:
                  - MySecurityZoneName1
                destination_zones:
                  - MySecurityZoneName2
                source_network_objects:
                  - MyNetworkName1
                destination_network_objects:
                  - MyHostName1
                destination_port_objects:
                  - MyPortName1
                intrusion_policy: Balanced Security and Connectivity
                log_connection_begin: true
                log_connection_end: true
                log_files: false
                send_events_to_fmc: true
                time_range: MyTimeRangeName1
              - name: MyAccessRuleName2
                action: ALLOW
                category: MyCategoryName1
                source_zones:
                  - MySecurityZoneName1
                destination_zones:
                  - MySecurityZoneName1
                source_network_objects:
                  - MyNetworkGroupName1
                destination_network_literals:
                  - 10.20.30.0/24
                destination_port_objects:
                  - MyPortGroupName1
                intrusion_policy: MyIntrusionPolicyName1
                file_policy: MyFilePolicyName1
                log_connection_begin: true
                log_connection_end: true
                log_files: false
                send_events_to_fmc: true
```
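As an added example (not the project's own code), a small Python pre-check that applies the constraints from the field tables above to one access_control_policies entry before it is handed to the tooling: name regexes, the action and section choices, the port literal protocol and integer ranges. The rule that a rule's `category` must be defined in the same policy is an assumption drawn from the example, not a constraint the tables state, and the `SAMPLE` dict is constructed for the demonstration.

```python
import re
# Constraints copied from the field tables on this page (added example, not the project's code).
NAME_RE = {"policy": r"^[a-zA-Z0-9_ -]{1,64}$", "category": r"^[a-zA-Z0-9_ -]{1,50}$",
           "rule": r"^[a-zA-Z0-9_ \-#]{1,50}$"}
DEFAULT_ACTIONS = {"BLOCK", "TRUST", "PERMIT", "NETWORK_DISCOVERY", "INHERIT_FROM_PARENT"}
RULE_ACTIONS = {"ALLOW", "TRUST", "BLOCK", "MONITOR", "BLOCK_RESET",
                "BLOCK_INTERACTIVE", "BLOCK_RESET_INTERACTIVE"}
RANGES = {"port": (1, 65535), "icmp_type": (0, 255), "icmp_code": (0, 255)}

def _check_port_literal(errors, where, literal):
    # protocol is mandatory and a Choice; port/icmp_type/icmp_code carry integer min/max limits.
    if literal.get("protocol") not in {"TCP", "UDP", "ICMP"}:
        errors.append(f"{where}: port literal protocol must be TCP, UDP or ICMP")
    for key, (lo, hi) in RANGES.items():
        if key in literal and not (isinstance(literal[key], int) and lo <= literal[key] <= hi):
            errors.append(f"{where}: {key} must be an integer in {lo}..{hi}")

def validate_policy(policy):
    """Return schema violations for one access_control_policies entry (empty list = valid)."""
    errors = []
    if not re.match(NAME_RE["policy"], policy.get("name", "")):
        errors.append("policy: name is mandatory and must match its regex")
    if policy.get("default_action", "BLOCK") not in DEFAULT_ACTIONS:
        errors.append("policy: default_action not in allowed choices")
    categories = {c.get("name") for c in policy.get("categories", [])}
    for cat in policy.get("categories", []):
        if not re.match(NAME_RE["category"], cat.get("name", "")):
            errors.append("category: name is mandatory and must match its regex")
        if cat.get("section", "default") not in {"mandatory", "default"}:
            errors.append(f"category {cat.get('name')}: section must be mandatory or default")
    for rule in policy.get("access_rules", []):
        where = f"rule {rule.get('name')}"
        if not re.match(NAME_RE["rule"], rule.get("name", "")):
            errors.append(f"{where}: name is mandatory and must match its regex")
        if rule.get("action") not in RULE_ACTIONS:
            errors.append(f"{where}: action is mandatory and must be one of the listed choices")
        # Assumption (not stated on the page): a rule's category must be defined in the same policy.
        if "category" in rule and rule["category"] not in categories:
            errors.append(f"{where}: category {rule['category']} is not defined in this policy")
        for lit in rule.get("source_port_literals", []) + rule.get("destination_port_literals", []):
            _check_port_literal(errors, where, lit)
    return errors

# Constructed sample: the page's MyAccessPolicyName1 (abridged) plus one deliberately broken rule.
SAMPLE = {"name": "MyAccessPolicyName1", "default_action": "BLOCK",
          "categories": [{"name": "MyCategoryName1", "section": "mandatory"}],
          "access_rules": [
              {"name": "MyAccessRuleName1", "action": "ALLOW", "category": "MyCategoryName1"},
              {"name": "bad/rule", "action": "DENY", "category": "Nope",
               "destination_port_literals": [{"port": 70000}]}]}
```

Running `validate_policy(SAMPLE)` reports five violations, all on the broken second rule, and an empty list for a policy that follows the tables.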