cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1580
Views
10
Helpful
2
Replies

FMC - remove all rules within ACP category

dalamanster
Level 1
Level 1

Hello,

 

I am trying to remove all ACP rules within given category (via REST API).

Is there any way how can I get IDs of access rules within category?

 

I have only found following:

When I try to GET the category object I can see following parameters:

"metadata": {

   .......

   "startIndex": 1,

   "endIndex": 4,

   ....

}

 

However this is just the index of the rule within the category...

Not the ID. I am not sure if it is possible to delete rule by index

 

Thanks for any help

Roman

2 Accepted Solutions

Accepted Solutions

jarsmith
Cisco Employee
Cisco Employee

I can see two possible approaches here I didn't find a built-in filter, unfortunately.

 

Using the category fetch you end up with a result something like:

 

{
  "metadata": {
    "section": "Mandatory",
    "startIndex": 2,
    "endIndex": 3,
    "accessPolicy": {
      "type": "AccessPolicy",
      "name": "test_policy1",
      "id": "00000000-0000-0ed3-0000-004294969708"
    }
  },
  "links": {
    "self": "https://fmc.cisco.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/00000000-0000-0ed3-0000-004294969708/categories/00000000-0000-0ed3-0000-000268434436"
  },
  "type": "Category",
  "id": "00000000-0000-0ed3-0000-000268434436",
  "name": "my_cat"
}

 

As you pointed out you have the indexes so what you can do is take that and do a query on the rules table that looks like this:

 

https://fmc.cisco.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/00000000-0000-0ed3-0000-004294969708/accessrules?offset=1&limit=2&expanded=true

 

Key items here are:

 

offset=1&limit=2

 

It appears that the index in the category object is 1 based and the index in the paging offset is zero-based.

 

So if we look at the original response we had:

 

"startIndex": 2, "endIndex": 3,

So your index covers 2 numbers (index 2 and index 3) so that is how we get the limit = 2

To convert the startIndex to zero-based subtract 1 which is how we get offset = 1

 

 

You could also do a raw query on access rules and do a manual (in code) filter on the metadata field category.  You will see a block like the following in each returned rule if run in expanded=true mode:

 

"metadata": {
        "ruleIndex"2,
        "section""Mandatory",
        "category": "my_cat",
        "accessPolicy": {
          "type""AccessPolicy",
          "name""test_policy1",
          "id""00000000-0000-0ed3-0000-004294969708"
        },
        "timestamp"1625611085506,
        "domain": {
          "name""Global",
          "id""e276abec-e0f2-11e3-8169-6d9ed49b625f",
          "type""Domain"
        }
      }
 
 
Once you have the rule content from either of these approaches you will need to delete by ID value returned in the rule query not index.  I'm not aware of any API to delete by index.

View solution in original post

dalamanster
Level 1
Level 1

Thanks a lot for quick response! Both options are interesting. I will play with it. 

 

I am using "fmcapi" package from github - as a "wrapper" for rest api calls. It is much easier to play with REST API - but it has some limitation. For example - no support for offset & limit

 

Probably the second option will be easier to do:

  1. get all rules in ACP
  2. filter rules where item.metadata.category == cat
  3. delete found IDs 

View solution in original post

2 Replies 2

jarsmith
Cisco Employee
Cisco Employee

I can see two possible approaches here I didn't find a built-in filter, unfortunately.

 

Using the category fetch you end up with a result something like:

 

{
  "metadata": {
    "section": "Mandatory",
    "startIndex": 2,
    "endIndex": 3,
    "accessPolicy": {
      "type": "AccessPolicy",
      "name": "test_policy1",
      "id": "00000000-0000-0ed3-0000-004294969708"
    }
  },
  "links": {
    "self": "https://fmc.cisco.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/00000000-0000-0ed3-0000-004294969708/categories/00000000-0000-0ed3-0000-000268434436"
  },
  "type": "Category",
  "id": "00000000-0000-0ed3-0000-000268434436",
  "name": "my_cat"
}

 

As you pointed out you have the indexes so what you can do is take that and do a query on the rules table that looks like this:

 

https://fmc.cisco.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/00000000-0000-0ed3-0000-004294969708/accessrules?offset=1&limit=2&expanded=true

 

Key items here are:

 

offset=1&limit=2

 

It appears that the index in the category object is 1 based and the index in the paging offset is zero-based.

 

So if we look at the original response we had:

 

"startIndex": 2, "endIndex": 3,

So your index covers 2 numbers (index 2 and index 3) so that is how we get the limit = 2

To convert the startIndex to zero-based subtract 1 which is how we get offset = 1

 

 

You could also do a raw query on access rules and do a manual (in code) filter on the metadata field category.  You will see a block like the following in each returned rule if run in expanded=true mode:

 

"metadata": {
        "ruleIndex"2,
        "section""Mandatory",
        "category": "my_cat",
        "accessPolicy": {
          "type""AccessPolicy",
          "name""test_policy1",
          "id""00000000-0000-0ed3-0000-004294969708"
        },
        "timestamp"1625611085506,
        "domain": {
          "name""Global",
          "id""e276abec-e0f2-11e3-8169-6d9ed49b625f",
          "type""Domain"
        }
      }
 
 
Once you have the rule content from either of these approaches you will need to delete by ID value returned in the rule query not index.  I'm not aware of any API to delete by index.

dalamanster
Level 1
Level 1

Thanks a lot for quick response! Both options are interesting. I will play with it. 

 

I am using "fmcapi" package from github - as a "wrapper" for rest api calls. It is much easier to play with REST API - but it has some limitation. For example - no support for offset & limit

 

Probably the second option will be easier to do:

  1. get all rules in ACP
  2. filter rules where item.metadata.category == cat
  3. delete found IDs