04-04-2019 10:27 AM - edited 02-21-2020 09:00 AM
Is there a way to apply the same change to multiple rules within an access control policy?
Recently I had to enable logging on every single rule within an access control policy and now I have to enable the IPS policy on every single rule. Is there a way to enable this for all the rules at the same time?
04-04-2019 09:27 PM
12-15-2022 03:53 AM - edited 12-15-2022 03:54 AM
This is sort of possible, however it seems to be only half implemented. I've tried it on FMC 6.6.5.2, 7.0.5 and 7.3 and the behaviour is the same on all of them.
Open the ACP, hold down shift, left click the 1st rule, go to the last rule or a rule further in the list and left click again and you will see all lines selected. Right click over one of the selected rules and a menu appears, click 'edit' and you are presented with options to apply to all selected rules. Check the box for logging (at the beginning or at the end of the connection) and click OK. This enabled logging for all the selected rules. However..... It doesn't set a destination for the logging. You then need to go into each rule and click the checkbox for the destination (Event Viewer, Syslog or SNMP trap). So you are no better off....
It works for inspection rules though and you can select the IPS policy to apply to all the rules.
Anyone know if it's possible to enable logging for multiple rules AND select a destination for the logs?
Andy
12-15-2022 04:04 AM
And another opinion ... ;.)
It is easily doable. The first thing with the logging can be done regardless of the FMC version by adding a Monitor Rule at the beginning. The other thing is done with the newer FMC versions (7.1+ or 7.2+, not sure which one it was) where the new ACP Editor can be enabled and be used to directly apply the same change to a broad range of ACP rules.
12-15-2022 04:58 AM
"by adding a Monitor Rule at the beginning."
"new ACP Editor can be enabled and be used to directly apply the same change to a broad range of ACP rules."
Please elaborate?
I can see the option in the new UI to select multiple rules and 'Select Bulk Action', however the same options are presented?
12-15-2022 05:02 AM - edited 12-15-2022 05:02 AM
Oh, bollox... Just realised the logging requires the 'Log at Beginning/End' to be ticked AND the 'Send Connection Events to:' to have a destination ticked when editing a range of rules..... Thought the GUI would kick it out if no destination is selected as that's an invalid option.
OK, so question answered. Not sure about the 'adding a Monitor Rule at the beginning' though?
12-15-2022 11:05 AM
You can add a rule at the beginning with the Action "Monitor" It will not decide on any traffic to block or allow, the whole purpose is to add a logging action to the further processing.
And with the bulk action you can easily assign the IPS policy to all selected rules:
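The same bulk change can be scripted against the FMC REST API, which also lets you enforce the gotcha from this thread (logging ticked but no destination) before anything is written back. The script below is an added example, not code from any poster or from Cisco. The endpoint paths and the rule field names (logBegin, logEnd, sendEventsToFMC, enableSyslog, ipsPolicy), the rule that an IPS policy only attaches to ALLOW rules and that BLOCK rules log only at the beginning, are my assumptions from memory of the FMC API Explorer; the sample rules are constructed, and the offline dry run never contacts an FMC.

```python
"""Bulk-set connection logging (to the FMC event viewer) and an IPS policy on
every rule of an FMC access control policy via the REST API.
Field names and paths are assumptions; verify them in your FMC's API Explorer.
"""
import base64
import copy
import json
import ssl
import urllib.request

# Constructed sample rules in the shape the accessrules API returns (not real FMC output).
SAMPLE_RULES = [
    {"id": "r1", "name": "Allow-Web", "action": "ALLOW",
     "logBegin": False, "logEnd": False, "sendEventsToFMC": False,
     "metadata": {"domain": {"id": "d1"}}},
    {"id": "r2", "name": "Block-Telnet", "action": "BLOCK",
     "logBegin": True, "logEnd": False, "sendEventsToFMC": False},
    {"id": "r3", "name": "Monitor-All", "action": "MONITOR"},
]


def validate_logging(rule):
    """Return problems with a rule's logging settings (empty list if fine).
    The thread's gotcha: 'Log at Beginning/End' ticked with no destination
    means the rule logs to nowhere."""
    problems = []
    logging_on = rule.get("logBegin") or rule.get("logEnd")
    has_dest = rule.get("sendEventsToFMC") or rule.get("enableSyslog")
    if logging_on and not has_dest:
        problems.append(f"{rule['name']}: logging enabled but no destination")
    if rule.get("action") == "BLOCK" and rule.get("logEnd"):
        # Assumption: block rules may only log at the beginning of the connection.
        problems.append(f"{rule['name']}: block rule cannot log at end")
    return problems


def bulk_update(rules, ips_policy_id):
    """Return updated copies of rules, ready to PUT back: logging on with the
    FMC as destination, and the IPS policy attached to ALLOW rules."""
    updated = []
    for rule in rules:
        r = copy.deepcopy(rule)
        for key in ("metadata", "links"):   # read-only fields; drop before PUT
            r.pop(key, None)
        action = r.get("action")
        if action != "MONITOR":             # Monitor rules log unconditionally
            r["logBegin"] = action == "BLOCK"
            r["logEnd"] = action != "BLOCK"
            r["sendEventsToFMC"] = True     # the destination the GUI needs too
        if action == "ALLOW":               # IPS inspection only on Allow rules
            r["ipsPolicy"] = {"id": ips_policy_id, "type": "IntrusionPolicy"}
        updated.append(r)
    return updated


class Fmc:
    """Minimal FMC REST client (token auth, GET/PUT) using only the stdlib."""

    def __init__(self, host, user, password, verify_tls=True):
        self.base = f"https://{host}"
        self.auth = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.ctx = ssl.create_default_context()
        if not verify_tls:                  # lab only; keep verification in prod
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE
        self.token = self.domain = None

    def _call(self, method, path, body=None, headers=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        for k, v in (headers or {}).items():
            req.add_header(k, v)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            raw = resp.read()
            return resp.headers, (json.loads(raw) if raw else None)

    def login(self):
        hdrs, _ = self._call("POST", "/api/fmc_platform/v1/auth/generatetoken",
                             headers={"Authorization": "Basic " + self.auth})
        self.token = hdrs["X-auth-access-token"]
        self.domain = hdrs["DOMAIN_UUID"]

    def list_rules(self, policy_id):
        path = (f"/api/fmc_config/v1/domain/{self.domain}/policy/accesspolicies/"
                f"{policy_id}/accessrules?expanded=true&limit=1000")
        return self._call("GET", path, headers={"X-auth-access-token": self.token})[1].get("items", [])

    def put_rule(self, policy_id, rule):
        path = (f"/api/fmc_config/v1/domain/{self.domain}/policy/accesspolicies/"
                f"{policy_id}/accessrules/{rule['id']}")
        return self._call("PUT", path, body=rule, headers={"X-auth-access-token": self.token})[1]


if __name__ == "__main__":
    # Offline dry run on the constructed rules. Against a real FMC: fmc = Fmc(...);
    # fmc.login(); for r in bulk_update(fmc.list_rules(POLICY), IPS): fmc.put_rule(POLICY, r)
    for r in bulk_update(SAMPLE_RULES, "IPS-POLICY-UUID"):
        print(r["name"], validate_logging(r) or "ok")
```

Run validate_logging over the updated rules before the PUT loop and abort on any problem; that is the check the GUI does not do for you. Remember the policy still has to be deployed to the devices afterwards.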
05-01-2025 01:39 AM
At least the new FMC has the option to bulk update the ACP. I can't remember from which version, but this is from a 7.4; just select the "all" checkbox.