Cisco Support Community

Creating access policy rules with AD user group condition

Hi, Cisco community!

Currently I'm doing a configuration migration from Palo Alto firewall to Cisco FirePOWER solution. With the help of FirePOWER REST API I already performed network objects migration and now I'm trying to do access policy rules migration. The problem is that the rules contain many concurrent conditions, for example, source and destination networks, ports, AD users/user groups etc. I managed to create rules with simple conditions such as source network condition only, but I can't create rules which contain AD user group condition. Code that I used:

{
  "type": "AccessRule",
  "name": "Rule_10",
  "action": "ALLOW",
  "enabled": true,
  "ipsPolicy": {
    "name": "Intrusion_policy_1",
    "id": "dbafc1d0-fe64-11e6-bf24-c1e6426a3d95",
    "type": "IntrusionPolicy"
  },
  "sourceNetworks": {
    "objects": [
      {
        "type": "Network",
        "id": "54A2745A-3874-0ed3-0000-042949673233"
      }
    ]
  },
  "users": {
    "objects": [
      {
        "id": "7d97efbc-10ae-11e7-beb8-e02a6b262272_1345023",
        "type": "RealmUserGroup",
        "name": "AD_group_1",
        "realm": {
          "id": "7d97afbc-10ae-11e7-bab8-e62a6b262212",
          "type": "Realm"
        }
      }
    ]
  }
}

It seems that in my case the object "users": {} has an improper format, because I get a 422 "Unprocessable Entity" response code when using this object. So, my questions:

  1. Is it possible to create rules with AD user/user group condition and where can I get a proper syntax description?
  2. Is it possible to specify a section in which the rule will be placed (Mandatory, Default etc)?
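As an added example that is not part of the original post: a small Python script that assembles the same AccessRule body with every element of an "objects" list wrapped in its own object, checks that it encodes cleanly before sending, and posts it with a "section" query parameter for Mandatory/Default placement, printing the 422 body (which names the rejected field) when the FMC refuses it. The endpoint path, the X-auth-access-token header and the "section" parameter are assumed from the FMC REST API; host, domain UUID, policy ID and token are placeholders.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholders (assumptions): FMC address, domain UUID and access policy ID.
FMC_HOST = "https://fmc.example.invalid"
DOMAIN_UUID = "<DOMAIN_UUID>"
POLICY_ID = "<ACCESS_POLICY_ID>"


def build_rule(name, ips_policy, network_ids, user_groups):
    """Assemble the AccessRule body. Every element of an "objects" list is a
    complete object of its own; each "users" entry carries its realm inline."""
    rule = {
        "type": "AccessRule",
        "name": name,
        "action": "ALLOW",
        "enabled": True,
        "ipsPolicy": {"type": "IntrusionPolicy", **ips_policy},
        "sourceNetworks": {"objects": [{"type": "Network", "id": i} for i in network_ids]},
    }
    if user_groups:  # (group id, group name, realm id) tuples
        rule["users"] = {"objects": [
            {"type": "RealmUserGroup", "id": gid, "name": gname,
             "realm": {"type": "Realm", "id": realm_id}}
            for gid, gname, realm_id in user_groups]}
    # Round-trip through the encoder so a malformed body fails here, not as a 422.
    return json.loads(json.dumps(rule))


def post_rule(token, rule, section="mandatory"):
    """POST the rule; 'section' ("mandatory" or "default") picks the policy section
    (assumed query parameter). On 422 the response body names the rejected field."""
    url = (f"{FMC_HOST}/api/fmc_config/v1/domain/{DOMAIN_UUID}/policy/accesspolicies/"
           f"{POLICY_ID}/accessrules?" + urllib.parse.urlencode({"section": section}))
    req = urllib.request.Request(
        url, data=json.dumps(rule).encode(), method="POST",
        headers={"X-auth-access-token": token, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        if err.code == 422:
            print("FMC rejected the body:", err.read().decode(errors="replace"))
        return err.code
```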