FMC API - can not associate a prefilter policy to an access policy

Difan_Zhao

Hi team,

I am using the API to create an access policy with the following URL with the POST action. 

 

{{protocol}}://{{hostname}}/api/fmc_config/v1/domain/{{domain_id}}/policy/accesspolicies

 

 The data (body in the POST) is like this. The prefilter policy is specified here.

 

 

{
   "type":"AccessPolicy",
   "name":"FTD-Mig-edm-syn-research-57-ngfw-pcn_ZonesRemoved",
   "defaultAction":{
      "action":"BLOCK",
      "logBegin":false,
      "logEnd":false,
      "sendEventsToFMC":false,
      "type":"AccessPolicyDefaultAction",
      "id":"90E2BAC8-8AE5-0ed3-0000-000268630400"
   },
   "prefilterPolicySetting":{
      "name":"edm-syn-research-57-Prefilter",
      "type":"PrefilterPolicy"
   },
   "description":"Policy created from source with hostname CASYE-SECFIO101(with Zones Removed)"
}

 

I am getting a 201 with this response. The policy is created however still associated with the default prefilter policy. What did I do wrong? Thanks!

 

{
    "description": "Policy created from source with hostname CASYE-SECFIO101(with Zones Removed)",
    "id": "90E2BAC8-8AE5-0ed3-0001-851131602251",
    "links": {
        "self": "https://fmc.network.lan/api/fmc_config/v1/domain/f9dc2331-a42f-1eb1-464f-000000000001/policy/accesspolicies/90E2BAC8-8AE5-0ed3-0001-851131602251"
    },
    "metadata": {
        "domain": {
            "id": "f9dc2331-a42f-1eb1-464f-000000000001",
            "name": "Global \\ Syncrude",
            "type": "Domain"
        },
        "inherit": false
    },
    "name": "FTD-Mig-edm-syn-research-57-ngfw-pcn_ZonesRemoved",
    "rules": {
        "links": {
            "self": "https://fmc.network.lan/api/fmc_config/v1/domain/f9dc2331-a42f-1eb1-464f-000000000001/policy/accesspolicies/90E2BAC8-8AE5-0ed3-0001-851131602251/accessrules"
        },
        "refType": "list",
        "type": "AccessRule"
    },
    "type": "AccessPolicy"
}

 

Accepted Solution

So.... I got this to work...Finally.

The issue is that it looks like we are unable to add a prefilter rule when creating the ACP policy. The same is true when we create the ACP policy in the GUI: we are not able to identify the prefilter policy then and there during creation. We need to first create the policy, then edit it and add the prefilter policy. The same holds true when creating the ACP policy via the API.

The way I got this to work was to first create the ACP policy and then update that policy with the prefilter policy.

--
Please remember to select a correct answer and rate helpful posts


14 Replies

I am not entirely sure I understand what the issue is.  You are creating a prefilter rule and it is not being associated with the access control policy?


Hi Marius, sorry for the confusion... The Prefilter policy pre-exists. I am creating a new access policy and I want to associate the prefilter policy to it.. Thanks

khorram1998

The issue you are encountering may be related to the way you are specifying the prefilter policy in the API call. The prefilterPolicySetting field only accepts the name of the prefilter policy, and not the entire policy object.

To properly associate a prefilter policy to an access policy, you will need to first retrieve the prefilter policy's id by calling the API endpoint for prefilter policies and searching for the desired policy by name. Then, you will need to include this id in the prefilterPolicySetting field of the access policy object when you create the access policy.

Here is an example of how you can retrieve the id of a prefilter policy:

GET {{protocol}}://{{hostname}}/api/fmc_config/v1/domain/{{domain_id}}/policy/prefilterpolicies?name=edm-syn-research-57-Prefilter

Then use the id of the prefilter policy in the access policy creation

{
   "type":"AccessPolicy",
   "name":"FTD-Mig-edm-syn-research-57-ngfw-pcn_ZonesRemoved",
   "defaultAction":{
      "action":"BLOCK",
      "logBegin":false,
      "logEnd":false,
      "sendEventsToFMC":false,
      "type":"AccessPolicyDefaultAction",
      "id":"90E2BAC8-8AE5-0ed3-0000-000268630400"
   },
   "prefilterPolicySetting":{
      "id":"{{prefilter_policy_id}}",
      "type":"PrefilterPolicy"
   },
   "description":"Policy created from source with hostname CASYE-SECFIO101(with Zones Removed)"
}

By including the prefilter policy id in the access policy object, you will properly associate the prefilter policy with the access policy and it should be correctly associated with the newly created access policy.

Please rate this and mark as solution/answer, if this resolved your issue
All the best,
AK

Hi Khorram1998, thanks for your response! I just tried and I still don't see the prefilter applied to the access policy... Here is the data I posted:

{
   "type":"AccessPolicy",
   "name":"FTD-Mig-edm-syn-research-57-ngfw-pcn_ZonesRemoved",
   "defaultAction":{
      "action":"BLOCK",
      "logBegin":false,
      "logEnd":false,
      "sendEventsToFMC":false,
      "type":"AccessPolicyDefaultAction",
      "id":"90E2BAC8-8AE5-0ed3-0000-000268630400"
   },
   "prefilterPolicySetting":{
      "id":"90E2BAC8-8AE5-0ed3-0001-842542028952",
      "type":"PrefilterPolicy"
   },
   "description":"Policy created from source with hostname CASYE-SECFIO101(with Zones Removed)"
}

I did a diff between mine and yours and the only difference is the UUID... Did you try it, and did it work for you?

I do have a TAC case open, but they haven't got back to me on this either.

Thanks!

 


Here is the PUT data I used to update the policy.

{
  "type": "AccessPolicy",
  "name": "NEW_Policy",
  "defaultAction": {
    "action": "BLOCK",
    "logBegin": false,
    "logEnd": true,
    "sendEventsToFMC": false,
    "type": "AccessPolicyDefaultAction",
    "id": "000C29F7-A272-0ed3-0000-000268435465"
  },
  "prefilterPolicySetting": {
    "name": "My_Prefilter",
    "id": "000C29F7-A272-0ed3-0000-021474836482",
    "type": "PrefilterPolicy"
  },
  "id": "000C29F7-A272-0ed3-0000-021474837536"
}


Hi Marius, I will try today but do you mind sharing with me your URL for the PUT operation? Thanks!

https://{FMC_IP}/api/fmc_config/v1/domain/{domainUUID}/policy/accesspolicies/{objectID}

Hi Marius, I feel that I am getting really close. Here is my PUT data, identical to yours:

{
   "type":"AccessPolicy",
   "name":"FTD-Mig-edm-syn-research-57-ngfw-pcn-NEW_ZonesRemoved",
   "defaultAction":{
      "action":"BLOCK",
      "logBegin":false,
      "logEnd":false,
      "sendEventsToFMC":false,
      "type":"AccessPolicyDefaultAction",
      "id":"90E2BAC8-8AE5-0ed3-0000-000268638324"
   },
   "prefilterPolicySetting":{
      "name":"edm-syn-research-57-Prefilter",
      "id":"90E2BAC8-8AE5-0ed3-0001-842542028952",
      "type":"PrefilterPolicy"
   },
   "description":"Policy created from source with hostname CASYE-SECFIO101(with Zones Removed)",
   "id":"90E2BAC8-8AE5-0ed3-0001-851131815492"
}

My URL is '/api/fmc_config/v1/domain/f9dc2331-a42f-1eb1-464f-000000000001/policy/accesspolicies/90E2BAC8-8AE5-0ed3-0001-851131815492'

However, I am getting status 400 with this error: 

'{"error":{"category":"FRAMEWORK","messages":[{"description":"Unable to update access policy."}],"severity":"ERROR"}}'

Let me know where I did wrong... Thank you!

Here is the PUT data I am sending to the FMC

{
  "type": "AccessPolicy",
  "name": "NEW_Policy",
  "defaultAction": {
    "action": "BLOCK",
    "logBegin": false,
    "logEnd": false,
    "sendEventsToFMC": false,
    "type": "AccessPolicyDefaultAction",
    "id": "000C29F7-A272-0ed3-0000-000268436487"
  },
  "prefilterPolicySetting": {
    "name": "My_Prefilter",
    "id": "000C29F7-A272-0ed3-0000-021474836482",
    "type": "PrefilterPolicy"
  },
  "description": "THIS IS A TEST DESCRIPTION",
  "id": "000C29F7-A272-0ed3-0000-025769804992"
}

I originally thought there was an issue with how the FMC handled POST and PUT with regard to the description field, but that was not the case.


I must have made a typo or something... I tried again this morning and it works fine now. Thanks for your help! Your previous post is marked as the solution.

Hi @Difan_Zhao 

 

It's possible that there may be an issue with the specific UUID you are using for the prefilter policy in the "prefilterPolicySetting" field. I would recommend double checking that the UUID for the prefilter policy you are trying to associate with the access policy is correct and that the prefilter policy actually exists in your FMC.

You could also try using the FMC UI to associate the prefilter policy with the access policy and then use the "GET" method to retrieve the policy and see the format of the json returned. Compare that to your json payload and see if there is any difference.

I would also recommend checking the FMC version you are running, as there may be a bug or limitation with your version that is preventing the association of prefilter policy to access policy via the API.

You may also want to check with TAC if there is any specific setting that needs to be changed in order to enable the association of prefilter policy to access policy via the API.

All the best,
AK

@khorram1998 This is not a UUID issue but rather how the API works. I tried this with several different data configurations and all created the ACP policy but none added the pre-filter rule at the time of creation.

So to get this to work you need to do this in two steps.

  1. Create the ACP policy
  2. Update the newly created ACP policy to add the pre-filter rule

For whatever reason, adding the prefilter policy at the time of creation is currently not supported via API (or GUI for that matter).  Could be a nice feature request so we do not need to make two calls to create and then update the policy.

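The two-step procedure above (create the access policy with POST, then PUT it back with prefilterPolicySetting set), together with the earlier suggestion to look the prefilter policy up by name before referencing it, as one runnable script. This is an added example, not code from this thread or from Cisco. It assumes the endpoints and body shapes the posters used (generatetoken, prefilterpolicies, accesspolicies/{id}), that POST accepts a defaultAction without an id, and that the optional limit query parameter is honoured; the environment variable names, the FakeFmc stand-in and its UUIDs are constructed for this example so it runs offline.

```python
# Added example (not from the thread): two-step FMC access policy creation with prefilter attachment.
# Assumed: FMC endpoints as used by the posters; FakeFmc and all UUIDs below are constructed test data.
import base64
import json
import os
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# transport(method, url, headers, json_body) -> (status, response_headers, json_body_or_None)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, Dict[str, str], Optional[dict]]]


def urllib_transport(cafile: Optional[str] = None) -> Transport:
    """HTTPS transport that verifies the FMC certificate (pass the FMC CA bundle; do not disable checks)."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method, url, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=dict(headers))
        if data is not None:
            req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                raw = resp.read()
                return resp.status, dict(resp.headers), (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as err:
            raw = err.read()
            return err.code, dict(err.headers), (json.loads(raw) if raw else None)
    return send


class FmcClient:
    def __init__(self, base_url: str, transport: Transport):
        self.base, self.send, self.token, self.domain = base_url.rstrip("/"), transport, None, None

    def login(self, user: str, password: str) -> None:
        # FMC returns the session token and the domain UUID in the response *headers* of generatetoken.
        basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        status, hdrs, _ = self.send("POST", f"{self.base}/api/fmc_platform/v1/auth/generatetoken",
                                    {"Authorization": f"Basic {basic}"}, None)
        if status not in (200, 204):
            raise RuntimeError(f"login failed: HTTP {status}")
        self.token, self.domain = hdrs["X-auth-access-token"], hdrs["DOMAIN_UUID"]

    def _call(self, method: str, path: str, body: Optional[dict] = None, expect=(200,)) -> dict:
        url = f"{self.base}/api/fmc_config/v1/domain/{self.domain}{path}"
        status, _, data = self.send(method, url, {"X-auth-access-token": self.token, "Accept": "application/json"}, body)
        if status not in expect:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {data}")
        return data

    def prefilter_policy_id(self, name: str) -> str:
        # Exact-name match done client-side, so it does not depend on server-side filter syntax.
        for item in self._call("GET", "/policy/prefilterpolicies?limit=1000").get("items", []):
            if item["name"] == name:
                return item["id"]
        raise LookupError(f"no prefilter policy named {name!r}")

    def create_access_policy_with_prefilter(self, name: str, prefilter_name: str, description: str = "") -> dict:
        prefilter_id = self.prefilter_policy_id(prefilter_name)  # fail early if the name is wrong
        # Step 1: create. As the thread found, prefilterPolicySetting is ignored here, so it is left out.
        created = self._call("POST", "/policy/accesspolicies", {
            "type": "AccessPolicy", "name": name, "description": description,
            "defaultAction": {"action": "BLOCK", "type": "AccessPolicyDefaultAction"}}, expect=(201,))
        policy_id = created["id"]
        # Step 2: re-read the object (the PUT must echo the defaultAction id FMC assigned), attach, PUT.
        policy = self._call("GET", f"/policy/accesspolicies/{policy_id}")
        for read_only in ("links", "metadata", "rules"):
            policy.pop(read_only, None)
        policy["prefilterPolicySetting"] = {"id": prefilter_id, "name": prefilter_name, "type": "PrefilterPolicy"}
        self._call("PUT", f"/policy/accesspolicies/{policy_id}", policy)
        # Step 3: verify with a fresh GET; a 200 on the PUT alone is not proof the association took.
        final = self._call("GET", f"/policy/accesspolicies/{policy_id}")
        if final.get("prefilterPolicySetting", {}).get("id") != prefilter_id:
            raise RuntimeError(f"policy {policy_id} still lacks prefilter policy {prefilter_id}")
        return final


class FakeFmc:
    """Offline stand-in (constructed) reproducing the thread's finding: POST drops prefilterPolicySetting, PUT keeps it."""

    def __init__(self):
        self.policies: Dict[str, dict] = {}
        self.prefilters = {"edm-syn-research-57-Prefilter": "00000000-0000-0000-0000-000000000001"}  # constructed

    def __call__(self, method, url, headers, body):
        path = url.split("/api", 1)[1].split("?", 1)[0]
        if path.endswith("/auth/generatetoken"):
            return 204, {"X-auth-access-token": "tok", "DOMAIN_UUID": "dom"}, None
        if headers.get("X-auth-access-token") != "tok":
            return 401, {}, {"error": "unauthenticated"}
        if path.endswith("/policy/prefilterpolicies"):
            return 200, {}, {"items": [{"id": i, "name": n, "type": "PrefilterPolicy"} for n, i in self.prefilters.items()]}
        if method == "POST" and path.endswith("/policy/accesspolicies"):
            pid = f"POLICY-{len(self.policies) + 1}"
            self.policies[pid] = {"id": pid, "type": "AccessPolicy", "name": body["name"],
                                  "defaultAction": dict(body["defaultAction"], id=f"DEFAULT-ACTION-{pid}")}
            return 201, {}, dict(self.policies[pid])  # deliberately no prefilterPolicySetting
        pid = path.rsplit("/", 1)[1]
        if pid not in self.policies:
            return 404, {}, None
        if method == "PUT":
            self.policies[pid].update(body)
        return 200, {}, dict(self.policies[pid])


if __name__ == "__main__":  # real run; FMC_HOST, FMC_USER, FMC_PASSWORD, FMC_CA_BUNDLE are assumed names
    fmc = FmcClient(f"https://{os.environ['FMC_HOST']}", urllib_transport(os.environ.get("FMC_CA_BUNDLE")))
    fmc.login(os.environ["FMC_USER"], os.environ["FMC_PASSWORD"])
    print(json.dumps(fmc.create_access_policy_with_prefilter("NEW_Policy", "My_Prefilter"), indent=2))
```

Credentials come from the environment rather than the script, the CA bundle is verified instead of switching certificate checks off, and the final GET is what tells you the association actually stuck, which is the check the 201 in the original post could not give. FMC session tokens expire after 30 minutes, so a long migration run needs to re-login or use the refresh token.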

Thanks AK for the helpful suggestions! I finally got it working. TAC said they would contact me but haven't yet. Now I have another problem, and I trust the community can help me better than TAC. I will ask about it under a separate subject and hope you can give me advice.
