Firewall Zones Usage and Behavior

Learn about Firewall Zones and how to use the openconfig-zones model with the PAN-OS OpenConfig plugin. Find more information and guides on managing firewall zones and their behavior.

Firewall Zones Behavior

You can use the firewall zones OpenConfig model to manage zones that contain firewalls as you would using the PAN-OS XML API. Each firewall zone contains interfaces that you can manage together to segment your network. The more segmented your zones, the more control you have over your network.
Review the deviation file before using the openconfig-zones model to familiarize yourself with the supported paths. The deviation file lists the paths that Palo Alto Networks currently supports.
When using the openconfig-zones model, do not submit an empty zone; make sure to include at least one interface.

Create a Zone

The following request creates a new zone and sets the firewall zone type to layer3.
gnmic -a localhost --port 9339 -u username -p password --timeout 300s --skip-verify -e JSON_IETF set --update-path "/zones" --update-file new-zone.json
The contents of new-zone.json are as follows:
{
  "zone": [
    {
      "fw-zone-type": "pan-fw-zones-deviations:layer3",
      "openconfig-fw-zones:interfaces": {
        "interface": []
      },
      "openconfig-fw-zones:name": "openconfig-test"
    }
  ]
}
A successful request returns the output below:
Set Response: { "results": [ { "operation": "UPDATE", "path": "zones/zone[name=openconfig-test]/interfaces/interface/id" } ] }
The following command adds interface ethernet1/5 to the zone named testzone:
gnmic -a localhost --port 9339 -u username -p password --timeout 300s --skip-verify -e JSON_IETF set --update-path "/zones" --update "/zones/zone[name=openconfig-test]/interfaces/interface/id:::string:::ethernet1/5"
A successful request returns the output below:
{ "results": [ { "operation": "UPDATE", "path": "zones/zone[name=openconfig-test]/interfaces/interface/id" } ] }
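A pre-submit check for the two requests above, as an added example that is not part of the original page or of the PAN-OS OpenConfig plugin: it flags zones in a new-zone.json style payload that have no interface, and zone names in a set path that match no zone in the payload. The sample payload, the `{"id": ...}` interface entry shape, and the function names are assumptions made for illustration.

```python
import json
import re

# Constructed sample shaped like new-zone.json; the {"id": ...} entry shape is assumed.
SAMPLE = """
{"zone": [
  {"openconfig-fw-zones:name": "openconfig-test", "fw-zone-type": "pan-fw-zones-deviations:layer3",
   "openconfig-fw-zones:interfaces": {"interface": [{"id": "ethernet1/5"}]}},
  {"openconfig-fw-zones:name": "empty-zone", "fw-zone-type": "pan-fw-zones-deviations:layer3",
   "openconfig-fw-zones:interfaces": {"interface": []}}
]}
"""

def strip_prefix(obj):
    """Drop JSON_IETF module prefixes from keys ("module:leaf" -> "leaf")."""
    if isinstance(obj, dict):
        return {k.split(":", 1)[-1]: strip_prefix(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [strip_prefix(v) for v in obj]
    return obj

def check_payload(text):
    """Return (zone_names, problems) for a zones payload given as JSON text."""
    names, problems = [], []
    for i, zone in enumerate(strip_prefix(json.loads(text)).get("zone", [])):
        name = zone.get("name")
        label = name or f"zone[{i}]"
        if name:
            names.append(name)
        else:
            problems.append(f"{label}: missing name")
        if not zone.get("fw-zone-type"):
            problems.append(f"{label}: missing fw-zone-type")
        if not (zone.get("interfaces") or {}).get("interface"):
            problems.append(f"{label}: no interfaces (empty zone)")
    return names, problems

def check_path(path, known_names):
    """Return a problem string if the zone key in a gNMI path is not a known zone."""
    m = re.search(r"zone\[name=([^\]]+)\]", path)
    if not m:
        return f"no zone[name=...] key in path: {path}"
    if m.group(1) not in known_names:
        return f"path refers to unknown zone '{m.group(1)}'"
    return None

if __name__ == "__main__":
    print(check_payload(SAMPLE))
```

Run `check_payload` on the file contents before the `set` request, then pass the returned names to `check_path` for each `--update` path so a mistyped zone key is caught locally.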
The following is displayed in PAN-OS after making the previous updates: