Access Policy

Location in GUI: Policies » Access Control

This resource covers Access Control Policy, Access Control Policy Rules and Access Control Policy Categories.

Diagram

Classes

policies (fmc.domains)

Name	Type	Constraint	Mandatory	Default Value
access_policies	List	`[access_policies]`	No

access_policies (fmc.domains.policies)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[a-zA-Z0-9_ -]{1,64}$`	Yes
default_action	Choice	`BLOCK`, `TRUST`, `PERMIT`, `NETWORK_DISCOVERY`, `INHERIT_FROM_PARENT`	Yes	`BLOCK`
prefilter_policy	String		No
base_intrusion_policy	String		No
log_begin	Boolean	`true`, `false`	No	`false`
log_end	Boolean	`true`, `false`	No	`false`
send_events_to_fmc	Boolean	`true`, `false`	No	`false`
enable_syslog	Boolean	`true`, `false`	No	`false`
snmp_alert	String		No
syslog_alert	String		No
syslog_severity	Choice	`ALERT`, `CRIT`, `DEBUG`, `EMERG`, `ERR`, `INFO`, `NOTICE`, `WARNING`	No
description	String	max: `255`	No
categories	List	`[categories]`	No
access_rules	List	`[access_rules]`	No

categories (fmc.domains.policies.access_policies)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[a-zA-Z0-9_ -]{1,50}$`	Yes
section	Choice	`mandatory`, `default`	No

access_rules (fmc.domains.policies.access_policies)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[a-zA-Z0-9_ -]{1,50}$`	Yes
action	Choice	`ALLOW`, `TRUST`, `BLOCK`, `MONITOR`, `BLOCK_RESET`, `BLOCK_INTERACTIVE`, `BLOCK_RESET_INTERACTIVE`	Yes
category	String		No
description	String	max: `255`	No
destination_dynamic_objects	List	String	No
destination_network_literals	List	String	No
destination_network_objects	List	String	No
destination_port_literals	List	`[destination_port_literals]`	No
destination_port_objects	List	String	No
destination_zones	List	String	No
enabled	Boolean	`true`, `false`	No	`true`
file_policy	String		No
intrusion_policy	String		No
log_connection_begin	Boolean	`true`, `false`	No
log_connection_end	Boolean	`true`, `false`	No
log_files	Boolean	`true`, `false`	No
section	Choice	`mandatory`, `default`	No
send_events_to_fmc	Boolean	`true`, `false`	No
enable_syslog	Boolean	`true`, `false`	No	`false`
snmp_alert	String		No
source_dynamic_objects	List	String	No
source_network_literals	List	String	No
source_network_objects	List	String	No
source_port_literals	List	`[source_port_literals]`	No
source_port_objects	List	String	No
source_sgts	List	String	No
source_zones	List	String	No
syslog_alert	String		No
syslog_severity	Choice	`ALERT`, `CRIT`, `DEBUG`, `EMERG`, `ERR`, `INFO`, `NOTICE`, `WARNING`	No
url_categories	List	`[url_categories]`	No
url_objects	List	String	No
url_literals	List	String	No
variable_set	String		No
time_range	String		No
vlan_tag_objects	List	String	No
vlan_tag_literals	List	Integer[min: `1`, max: `4095`]	No

destination_port_literals (fmc.domains.policies.access_policies.access_rules)

Name	Type	Constraint	Mandatory
protocol	Choice	`TCP`, `UDP`, `ICMP`	Yes
port	Integer	min: `1`, max: `65535`	No
icmp_type	Integer	min: `0`, max: `255`	No
icmp_code	Integer	min: `0`, max: `255`	No

url_categories (fmc.domains.policies.access_policies.access_rules)

Name	Type	Constraint	Mandatory	Default Value
category	Choice	`Name of categories`	No
reputation	Choice	`ANY_EXCEPT_UNKNOWN`, `TRUSTED`, `FAVORABLE`, `NEUTRAL`, `QUESTIONABLE`, `UNTRUSTED`, `ANY_AND_UNKNOWN`, `TRUSTED_AND_UNKNOWN`, `FAVORABLE_AND_UNKNOWN`, `NEUTRAL_AND_UNKNOWN`, `QUESTIONABLE_AND_UNKNOWN`, `UNTRUSTED_AND_UNKNOWN`	No

Examples

Prerequisites:

existing:
  fmc:
    domains:
      - name: Global
        objects:
          file_types:
            - name: PDF
          file_categories:
            - name: PDF files
        policies:
          intrusion_policies:
            - name: Balanced Security and Connectivity
fmc:
  domains:
    - name: Global
      objects:
        hosts:
          - name: MyHostName1
            ip: 10.10.10.10
        networks:
          - name: MyNetworkName1
            prefix: 10.10.10.0/24
        ranges:
          - name: MyRangeName1
            ip_range: 1.1.1.1-1.1.1.2
        network_groups:
          - name: MyNetworkGroupName1
            objects:
              - MyNetworkName1
              - MyHostName1
              - MyRangeName1
        ports:
          - name: MyPortName1
            port: 8080
            protocol: TCP
        icmpv4s:
          - name: MyICMPv4Name1
            icmp_type: 8
        port_groups:
          - name: MyPortGroupName1
            objects:
              - MyPortName1
              - MyICMPv4Name1
        security_zones:
          - name: MySecurityZoneName1
          - name: MySecurityZoneName2
        time_ranges:
          - name: MyTimeRangeName1
            start_time:  "2025-02-13T10:00"
            end_time:  "2025-02-21T20:00"
            recurrences:
              - recurrence_type: DAILY_INTERVAL
                daily_days: [ "MON", "THU" ]
                daily_start_time: "11:00"
                daily_end_time: "13:00"
      policies:
        file_policies:
          - name: MyFilePolicyName1
            file_rules:
              - action: DETECT
                application_protocol: HTTP
                direction_of_transfer: DOWNLOAD
                file_categories:
                  - PDF files
              - action: DETECT
                application_protocol: HTTP
                direction_of_transfer: UPLOAD
                file_types:
                  - PDF
        intrusion_policies:
          - name: MyIntrusionPolicyName1
            inspection_mode: DETECTION
            base_policy: Balanced Security and Connectivity

Access Policy:

fmc:
  domains:
    - name: Global
      policies:
        access_policies:
          - name: MyAccessPolicyName1
            default_action: BLOCK
            prefilter_policy: MyPrefilterPolicyName1
            categories:
              - name: MyCategoryName1
                section: mandatory
            access_rules:
              - name: MyAccessRuleName1
                action: ALLOW
                category: MyCategoryName1
                source_zones:
                  - MySecurityZoneName1
                destination_zones:
                  - MySecurityZoneName2
                source_network_objects:
                  - MyNetworkName1
                destination_network_objects:
                  - MyHostName1
                destination_port_objects:
                  - MyPortName1
                intrusion_policy: Balanced Security and Connectivity
                log_connection_begin: true
                log_connection_end: true
                log_files: false
                send_events_to_fmc: true
                time_range: MyTimeRangeName1
              - name: MyAccessRuleName2
                action: ALLOW
                category: MyCategoryName1
                source_zones:
                  - MySecurityZoneName1
                destination_zones:
                  - MySecurityZoneName1
                source_network_objects:
                  - MyNetworkGroupName1
                destination_network_literals:
                  - 10.20.30.0/24
                destination_port_objects:
                  - MyPortGroupName1
                intrusion_policy: MyIntrusionPolicyName1
                file_policy: MyFilePolicyName1
                log_connection_begin: true
                log_connection_end: true
                log_files: false
                send_events_to_fmc: true