Next-Generation Firewall
Configure an Ethernet Interface (REST API)
REST API example(s) to configure an Ethernet interface

There are multiple deployment options for Ethernet interfaces on firewalls. Three common options are: Tap, Virtual Wire, and Layer 3.

The following example shows how to configure a Layer 3 Ethernet interface. Configuration of a Layer 3 Ethernet interface on a firewall involves two REST API requests: (1) a request to configure the interface and (2) a request to import the interface into the virtual system.

The example includes the creation of an interface management profile that you assign to the Layer 3 Ethernet interface. While an interface management profile is optional for configuring the interface, this profile has an important role because it provides protection from unauthorized access.
1. Configure an interface management profile (Optional).

   An interface management profile protects the firewall from unauthorized access by defining the services and IP addresses that a firewall interface permits. The following example creates an interface management profile that allows only ping and response pages. This example restricts IP addresses that can access the interface to 192.168.1.0/24, but if there are no IP restrictions required, then don’t add entries to the permitted-ip list.

   ```
   curl -X POST 'https://<firewall>/restapi/v11.0/network/interfacemanagementnetworkprofiles?name=ping-and-response-pages' \
     -H 'X-PAN-KEY: <api key>' \
     -d '{
       "entry": {
         "@name": "ping-and-response-pages",
         "http": "no",
         "http-ocsp": "no",
         "https": "no",
         "permitted-ip": {
           "entry": [
             { "@name": "192.168.1.0/24" }
           ]
         },
         "ping": "yes",
         "response-pages": "yes",
         "snmp": "no",
         "ssh": "no",
         "telnet": "no",
         "userid-service": "no",
         "userid-syslog-listener-ssl": "no",
         "userid-syslog-listener-udp": "no"
       }
     }'
   ```

2. Configure a Layer 3 Ethernet interface.

   The following is an example of an API request to configure a Layer 3 Ethernet interface that uses DHCP for IP address assignment. The configuration includes application of the interface management profile you configured in step 1.

   ```
   curl -X POST 'https://<firewall>/restapi/v11.0/network/ethernetinterfaces?name=ethernet1/3' \
     -H 'X-PAN-KEY: <api key>' \
     -d '{
       "entry": {
         "@name": "ethernet1/3",
         "layer3": {
           "dhcp-client": {
             "create-default-route": "yes",
             "default-route-metric": 10,
             "enable": "yes",
             "send-hostname": {
               "enable": "no",
               "hostname": "system-hostname"
             }
           },
           "interface-management-profile": "ping-and-response-pages"
         }
       }
     }'
   ```

3. Import the Ethernet interface into your virtual system (vsys).

   The following example updates the import section of the firewall virtual system vsys1 with the Ethernet interface you configured in step 2.

   ```
   curl -X POST 'https://<firewall>/restapi/v11.0/device/virtualsystems?name=vsys1' \
     -H 'X-PAN-KEY: <api key>' \
     -d '{
       "entry": [
         {
           "@name": "vsys1",
           "import": {
             "network": {
               "interface": {
                 "member": [ "ethernet1/3" ]
               }
             }
           }
         }
       ]
     }'
   ```

4. Add this interface to a security zone.

   The steps above complete the configuration of the Ethernet interface, but for the interface to process network traffic, you must add the interface to a security zone. See Update a Security Zone for an example of REST API requests to add an Ethernet interface to an existing security zone.

5. Add the Ethernet interface to an existing virtual router, like the default virtual router.

   The firewall requires a virtual router to obtain routes to other subnets through either participating L3 routing protocols (dynamic routes) or static routes. See Update a Virtual Router (REST API) for an example of REST API requests to add an interface to a virtual router.
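The interface management profile body from the first request decides which services an interface answers and from which addresses, so it is worth checking before it is sent. The following is an added example, not part of the original documentation or any Palo Alto Networks tooling: a small pre-submission audit of that JSON body. The function name `audit_profile`, the choice of which services count as cleartext or management-facing, and the `mgmt-open` sample profile are assumptions of this example.

```python
import ipaddress

# Classification chosen for this example (an assumption, not a vendor list).
CLEARTEXT = {"http", "telnet"}                     # unencrypted admin protocols
MGMT = {"http", "https", "ssh", "telnet", "snmp"}  # management or monitoring access

def audit_profile(body):
    """Return a list of findings for one interface management profile body."""
    entry = body["entry"]
    name = entry.get("@name", "<unnamed>")
    enabled = {k for k, v in entry.items() if v == "yes"}
    permitted = [e["@name"] for e in entry.get("permitted-ip", {}).get("entry", [])]
    findings = []
    for svc in sorted(enabled & CLEARTEXT):
        findings.append(f"{name}: cleartext service '{svc}' is enabled")
    if not permitted:
        # An empty permitted-ip list means no source-address restriction at all.
        for svc in sorted(enabled & MGMT):
            findings.append(f"{name}: '{svc}' enabled with no permitted-ip restriction")
    for cidr in permitted:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"{name}: permitted-ip '{cidr}' is not an IP or CIDR")
            continue
        if net.prefixlen == 0:
            findings.append(f"{name}: permitted-ip '{cidr}' matches every address")
    return findings

# The page's profile (abridged to the keys the audit reads).
PAGE_PROFILE = {"entry": {"@name": "ping-and-response-pages", "http": "no",
    "https": "no", "permitted-ip": {"entry": [{"@name": "192.168.1.0/24"}]},
    "ping": "yes", "response-pages": "yes", "snmp": "no", "ssh": "no",
    "telnet": "no"}}
# Constructed counter-example: management services on, no address restriction.
RISKY_PROFILE = {"entry": {"@name": "mgmt-open", "https": "yes", "ssh": "yes",
    "telnet": "yes", "ping": "yes"}}

if __name__ == "__main__":
    for body in (PAGE_PROFILE, RISKY_PROFILE):
        label = body["entry"]["@name"]
        for line in audit_profile(body) or [f"{label}: no findings"]:
            print(line)
```

The page's ping-and-response-pages profile produces no findings, while the constructed profile is flagged for telnet and for every management service left reachable from any source address.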
