Hi,
You would like to block a set of IP's both datacenters with a single rule, thats what you are trying to do and you can achive this by prefilter policy and SI-Blacklist.
Prefilter Policy
You can create a prefilter policy with the IP's you want to block and bind that prefilter to both ACP's. So with a single change in prefilter policy will block in both DC's.
Security Intelligence Blacklist
Security Intelligence uses reputation intelligence to quickly block connections to or from IP addresses, URLs, and domain names. This is called Security Intelligence blacklisting.
Security Intelligence is an early phase of access control, before the system performs more resource-intensive evaluation. Blacklisting improves performance by quickly excluding traffic that does not require inspection.
Add the IP's in SI-Blacklist to block the connections to and from the IP's.
HTH
Abheesh