Cisco FMC access control policy POST a 'BLOCK' action

I am trying to post a rule using {'action': 'BLOCK'} but this is failing. If I change the action to {'action': 'ALLOW'} the POST is successful. I have configured a rule with the block action in the GUI and then checked the output in api-explorer, and there the action is also shown as 'BLOCK', so I am uncertain why this is happening. Has anyone seen this issue before and/or have any suggestions on how to remedy the issue?

This is the configuration that is being POSTed:

{'action': 'BLOCK',
 'destinationNetworks': {'objects': None},
 'destinationPorts': {'objects': None},
 'destinationZones': {'objects': None},
 'enabled': False,
 'logEnd': True,
 'name': 'Deny Any',
 'sendEventsToFMC': True,
 'sourceNetworks': {'objects': None},
 'sourceZones': {'objects': [{'id': 'd5997ca8-54bb-11eb-920e-f851204a1f7d',
                              'name': 'LAN_Zone',
                              'type': 'SecurityZone'}]},
 'type': 'AccessRule'}
Error in connection --> 400 Client Error: 400 for url: https://192.168.0.50/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/000C29C8-1550-0ed3-0000-017179869187/accessrules

--
Please remember to select a correct answer and rate helpful posts

This is quite odd. All block posts fail (i.e. BLOCK, BLOCK_REST, etc.) but ALLOW, TRUST, and MONITOR work fine. Could this be a bug in 6.7?

I also notice that when trying to add the rule into Mandatory {'metadata': {'section': 'Mandatory'}} this also fails.

--
Please remember to select a correct answer and rate helpful posts

Hi,

It's sending a 400 error code, which denotes that there is some issue with the request being made.

Looking at the payload, it might be due to the fact that you are trying to set the 'logEnd' attribute to True for a BLOCK action, which is not an expected setting.

logEnd can be set to true only for the ALLOW action.

Regards,

Madhuri

I solved this a while back but forgot to post the solution, and yes the issue was the logEnd being set to true.


--
Please remember to select a correct answer and rate helpful posts
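As an added example that is not part of this thread and not Cisco's code: a small pre-flight check in Python that encodes the constraint Madhuri identified (logEnd is only accepted together with the ALLOW action) and rejects the payload locally with a readable reason before it is sent, instead of surfacing as a bare "400 Client Error" from the FMC. The action list, the choice to omit selectors whose objects are None, and the class and function names are assumptions; the sample payload is the one posted above.

```python
"""Pre-flight validation for an FMC access-rule POST body.

Added example, not Cisco's code and not from the thread. It turns the
thread's finding (logEnd=True is rejected unless action is ALLOW) into a
local check so a bad body never reaches the FMC as an opaque 400.
"""
import json

# Action strings named in the thread, plus BLOCK_RESET. This is not an
# exhaustive list of FMC actions (assumption).
KNOWN_ACTIONS = {"ALLOW", "TRUST", "MONITOR", "BLOCK", "BLOCK_RESET"}

# Flags the thread reports as valid only on ALLOW rules.
ALLOW_ONLY_FLAGS = ("logEnd",)

# Selector keys whose value has the shape {'objects': [...]}. Assumption:
# a selector with no objects is omitted rather than sent as {'objects': None}.
SELECTOR_KEYS = ("sourceZones", "destinationZones", "sourceNetworks",
                 "destinationNetworks", "sourcePorts", "destinationPorts")

# The payload from the original post, reproduced here as sample input.
POSTED_RULE = {
    "action": "BLOCK",
    "destinationNetworks": {"objects": None},
    "destinationPorts": {"objects": None},
    "destinationZones": {"objects": None},
    "enabled": False,
    "logEnd": True,
    "name": "Deny Any",
    "sendEventsToFMC": True,
    "sourceNetworks": {"objects": None},
    "sourceZones": {"objects": [{"id": "d5997ca8-54bb-11eb-920e-f851204a1f7d",
                                 "name": "LAN_Zone",
                                 "type": "SecurityZone"}]},
    "type": "AccessRule",
}


class AccessRulePayloadError(ValueError):
    """Raised when the body would be rejected before it is sent."""


def validate_access_rule(rule):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    action = rule.get("action")
    if action not in KNOWN_ACTIONS:
        problems.append("unknown action %r" % (action,))
    # The constraint identified in the thread: logEnd only with ALLOW.
    for flag in ALLOW_ONLY_FLAGS:
        if rule.get(flag) is True and action != "ALLOW":
            problems.append("%s=True is only valid with action ALLOW, not %s"
                            % (flag, action))
    if rule.get("type") != "AccessRule":
        problems.append("type must be 'AccessRule'")
    if not rule.get("name"):
        problems.append("name is required")
    return problems


def prepare_access_rule(rule):
    """Validate the rule and return a cleaned dict ready to be JSON-encoded.

    Raises AccessRulePayloadError with every problem joined by '; ' so the
    caller sees all of them at once instead of one 400 per attempt.
    """
    problems = validate_access_rule(rule)
    if problems:
        raise AccessRulePayloadError("; ".join(problems))
    body = {k: v for k, v in rule.items() if k not in SELECTOR_KEYS}
    for key in SELECTOR_KEYS:
        selector = rule.get(key)
        if selector and selector.get("objects"):  # drop empty selectors
            body[key] = selector
    return body


def to_json(rule):
    """JSON text for the request body (what would go into requests.post)."""
    return json.dumps(prepare_access_rule(rule), indent=2, sort_keys=True)


if __name__ == "__main__":
    try:
        to_json(POSTED_RULE)
    except AccessRulePayloadError as exc:
        print("rejected before sending:", exc)
    fixed = dict(POSTED_RULE, logEnd=False)  # the fix the thread arrived at
    print(to_json(fixed))
```

Running the block prints the rejection reason for the original payload and then the cleaned body for the same rule with logEnd set to False; the same check passes unchanged when the action is ALLOW, matching the behaviour the original poster observed.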