Configure an Ethernet Interface (REST API)
Table of Contents
Expand all | Collapse all
-
- Upgrade a Firewall to the Latest PAN-OS Version (API)
- Show and Manage GlobalProtect Users (API)
- Query a Firewall from Panorama (API)
- Upgrade PAN-OS on Multiple HA Firewalls through Panorama (API)
- Automatically Check for and Install Content Updates (API)
- Enforce Policy using External Dynamic Lists and AutoFocus Artifacts (API)
- Configure SAML 2.0 Authentication (API)
- Quarantine Compromised Devices (API)
- Manage Certificates (API)
-
- Asynchronous and Synchronous Requests to the PAN-OS XML API
- Run Operational Mode Commands (API)
- Apply User-ID Mapping and Populate Dynamic Groups (API)
- Get Version Info (API)
-
- PAN-OS REST API
- Access the PAN-OS REST API
- Resource Methods and Query Parameters (REST API)
- PAN-OS REST API Request and Response Structure
- PAN-OS REST API Error Codes
- Work With Objects (REST API)
- Create a Security Policy Rule (REST API)
- Work with Policy Rules on Panorama (REST API)
- Create a Tag (REST API)
- Configure a Security Zone (REST API)
- Configure an SD-WAN Interface (REST API)
- Create an SD-WAN Policy Pre Rule (REST API)
- Configure an Ethernet Interface (REST API)
- Update a Virtual Router (REST API)
- Work With Decryption (APIs)
Configure an Ethernet Interface (REST API)
REST API example(s) to configure an Ethernet interface
There are multiple deployment options for
Ethernet interfaces on firewalls. Three common options are: Tap,
Virtual Wire, and Layer 3.
The following example shows how
to configure a Layer 3 Ethernet interface. Configuration of a Layer
3 Ethernet interface on a firewall involves two REST API requests:
(1) A request to configure the interface and (2) a request to import
the interface into the virtual system.
The example includes
the creation of an interface management profile that you assign
to the Layer 3 Ethernet interface. While an interface management
profile is optional for configuring the interface, this profile
has an important role because it provides protection from unauthorized
access.
- Configure an interface management profile (Optional).An interface management profile protects the firewall from unauthorized access by defining the services and IP addresses that a firewall interface permits. The following example creates an interface management profile that allows only ping and response pages. This example restricts IP addresses that can access the interface to 192.168.1.0/24, but if there are no IP restrictions required, then don’t add entries to thepermitted-ip list.curl -X POST https://<firewall>/restapi/v11.0/network/interfacemanagementnetworkprofiles?name=ping-and-response-pages' -H 'X-PAN-KEY: <api key> -d '{ "entry": { "@name": "ping-and-response-pages", "http": "no", "http-ocsp": "no", "https": "no", "permitted-ip": { "entry": [ { "@name": "192.168.1.0/24" } ] }, "ping": "yes", "response-pages": "yes", "snmp": "no", "ssh": "no", "telnet": "no", "userid-service": "no", "userid-syslog-listener-ssl": "no", "userid-syslog-listener-udp": "no" } }'
- Configure a Layer 3 Ethernet interface.
The following is an example of an API request to configure a Layer 3 Ethernet interface that uses DHCP for IP address assignment. The configuration includes application of the interface management profile you configured in step 1.curl -X POST https://<firewall>/restapi/v11.0/network/ethernetinterfaces?name=ethernet1/3' -H 'X-PAN-KEY: <api key> -d '{ "entry": { "@name": "ethernet1/3", "layer3": { "dhcp-client": { "create-default-route": "yes", "default-route-metric": 10, "enable": "yes", "send-hostname": { "enable": "no", "hostname": "system-hostname" } }, "interface-management-profile": "ping-and-response-pages" } } }'- Import the Ethernet interface into your virtual system (vsys).
The following example updates the import section of the firewall virtual systemvsys1 with the Ethernet interface you configured in step 2.curl -X POST https://<firewall>/restapi/v11.0/device/virtualsystems?name=vsys1' -H 'X-PAN-KEY: <api key> -d '{ "entry": [ { "@name": "vsys1", "import": { "network": { "interface": { "member": [ "ethernet1/3" ] } } } } ] }'- Add this interface to a security zone.
The steps above complete the configuration of the Ethernet interface, but for the interface to process network traffic, you must add the interface to a security zone. See Update a Security Zone for an example of REST API requests to add an Ethernet interface to an existing security zone.- Add the Ethernet interface to an existing virtual router, like the default virtual router.
The firewall requires a virtual router to obtain routes to other subnets through either participating L3 routing protocols (dynamic routes) or static routes. See Update a Virtual Router (REST API) for an example of REST API requests to add an interface to a virtual router. - Configure a Layer 3 Ethernet interface.