
FMC API – How to clone ACP rules while preserving both section and cat

mdusman
Level 1

Hi Community,

I’m working on a Python automation script to clone an Access Control Policy (ACP) from a default template into a new customer-specific policy. The goal is to replicate the ACP structure exactly as in FMC:

  • Sections: Mandatory and Default

  • Categories inside sections: e.g. GEO_BLOCK, APP_BLOCK, VPN, URL_FILTERING, INSIDE_1 … INSIDE_7, etc.


Problem

According to the FMC REST API documentation:

  • The section query param is allowed (?section=Mandatory or ?section=Default).

  • The category query param is allowed (?category=APP_BLOCK).

  • But section and category cannot be specified together.

  • And if I try to include "category": "APP_BLOCK" in the rule body, FMC rejects with:

    Unprocessable Entity - Unrecognized Field 'category'

So effectively, I can either:

  • Post rules with section=Mandatory/Default but lose their original categories, OR

  • Post rules with category=APP_BLOCK/GEO_BLOCK/etc. but they all end up under the Default section.

This makes it impossible (at least from what I see) to fully replicate the template’s structure where rules live in both Mandatory+Default sections and also in categories.


Example

  • Template ACP JSON shows:

    • Rule 1–2: section=Mandatory, category=GEO_BLOCK

    • Rule 3–9: section=Mandatory, category=APP_BLOCK

    • Rule 10–12: section=Default, category=--Undefined--

  • Cloned ACP JSON (via API) ends up with either:

    • All rules in Mandatory/Default but category lost, OR

    • All rules categorized (APP_BLOCK, GEO_BLOCK, etc.) but only in Default section.


Question

Has anyone found a way or workaround to preserve both section and category when cloning rules via FMC API?

  • Is there a way to re-assign rules to a section after posting them with a category?

  • Or is this simply a current FMC API limitation (and we need to choose one dimension: section or category)?


What I’ve tried

  • POST with ?section=Mandatory&category=APP_BLOCK → 400 error: “not allowed together”.

  • POST with "category" in body → 422 error: “Unrecognized Field ‘category’”.

  • POST with only section works (but no category).

  • POST with only category works (but section always Default).


 

2 Replies

From past threads on here, I think you are hitting an FMC API limitation, and from memory there is no direct programmatic workaround. Your options would be to use the categories within the default section and then rely on using the rule priority/naming to maintain your intended policy structure.

HTH

 

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

Maybe I'm misunderstanding something here.

With category names being unique within the access-policy, even across sections, if you post a rule to a category that's in the mandatory section, the rule will end up there.

So can you clarify this part?
"All rules categorized (APP_BLOCK, GEO_BLOCK, etc.) but only in Default section."

I tested just now using the API to add a rule that's ended up within a category in the Mandatory section.

When you're retrieving the rules via API, you get both category and section in the metadata, so while re-posting, if a rule has a category, why not just post directly to that category, and if the rule doesn't have a category, then post to the relevant section?

 

---
Please mark helpful answers & solutions
---
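
The routing suggested in the last reply, as an added example that is not part of the original thread or Cisco's own code: it reads each template rule's metadata and chooses exactly one query parameter per POST, `category` when the rule has one and `section` otherwise. The names `plan_clone`, `READ_ONLY` and `SAMPLE` are hypothetical, the rule dictionaries are constructed sample data, and it assumes each listed category already exists in the target policy inside the section shown.

```python
# Added example: field names follow the thread ("metadata" carrying "section"
# and "category", "--Undefined--" for uncategorised rules). The rule dicts are
# constructed sample data, not output from a real FMC.
UNDEFINED = "--Undefined--"
READ_ONLY = ("id", "links", "metadata")  # assumption: not accepted on POST


def plan_clone(template_rules):
    """Return (categories, posts) for recreating the template's layout.

    categories: ordered [(name, section)] that must exist in the target policy.
    posts: ordered [(query_params, body)], each with exactly one of
    'category' or 'section', since the API refuses both together.
    """
    cat_section = {}  # category name -> section it was seen in
    posts = []
    for rule in template_rules:
        meta = rule.get("metadata", {})
        section = meta.get("section", "Default")
        category = meta.get("category", UNDEFINED)
        body = {k: v for k, v in rule.items() if k not in READ_ONLY}
        if category and category != UNDEFINED:
            seen = cat_section.setdefault(category, section)
            if seen.lower() != section.lower():
                raise ValueError(
                    f"category {category!r} appears in both {seen} and {section}")
            params = {"category": category}  # section is implied by the category
        else:
            params = {"section": section}
        posts.append((params, body))
    return list(cat_section.items()), posts


# Constructed sample mirroring the layout described in the question.
SAMPLE = [
    {"id": "r1", "name": "geo-1", "action": "BLOCK",
     "metadata": {"section": "Mandatory", "category": "GEO_BLOCK"}},
    {"id": "r3", "name": "app-1", "action": "BLOCK",
     "metadata": {"section": "Mandatory", "category": "APP_BLOCK"}},
    {"id": "r10", "name": "inside-out", "action": "ALLOW",
     "metadata": {"section": "Default", "category": UNDEFINED}},
]

if __name__ == "__main__":
    cats, posts = plan_clone(SAMPLE)
    print("categories expected in target:", cats)
    for params, body in posts:
        print(params, body["name"])
```

Posting the returned items in order keeps the template's rule order within each category or section.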