Configure a Security Zone (REST API)

Security zones are a logical way to group physical and virtual interfaces on the firewall to control and log the traffic that traverses specific interfaces on your network. You must assign an interface on the firewall to a security zone before that interface can process traffic. A zone can have multiple interfaces of the same type, but an interface can belong to only one zone.

Create a Security Zone

You can create a security zone either directly on the firewall or as part of a network template on Panorama™.
  1. Make a REST API request to add a security zone.
    The following example shows you how to use a Panorama REST API request to create a security zone with Ethernet interfaces and a virtual SD-WAN interface. See Configure an SD-WAN Interface (REST API) for an example of a REST API request to create a virtual SD-WAN interface through Panorama and Configure an Ethernet Interface (REST API) for an example of a REST API request on the firewall to configure an Ethernet interface.
    curl -X POST 'https://<Panorama>/restapi/v10.0/network/zones?location=template&template=SDWAN-Branch-Network&name=Untrust' -H 'X-PAN-KEY: <api key>' -d '{ "entry": { "@name": "Untrust", "enable-user-identification": "no", "network": { "layer3": { "member": [ "ethernet1/1", "ethernet1/2", "ethernet1/3", "sdwan.1" ] } } } }'

Update a Security Zone

To update a security zone, you should first make a REST API request to get the existing security zone. You can then copy data from the response to your REST API request to update the zone to ensure no desired existing data is inadvertently lost or overwritten. The following example first retrieves an existing security zone from a PAN-OS firewall and then updates the zone by adding a new Ethernet interface.
  1. Get the zone you to which you want to add the Ethernet interface.
    The following example requests an existing security zone.
    curl -X GET 'https://<firewall>/restapi/v10.0/network/zones?name=test&location=vsys&vsys=vsys1' \ -H 'X-PAN-KEY: <api key>'
    The response is shown below. Note that this security zone already has on Ethernet interface, ethernet1/4. You need to include that member in your request to update this zone to avoid losing this data.
    { "@status": "success", "@code": "19", "result": { "@total-count": "1", "@count": "1", "entry": [ { "@name": "test", "@location": "vsys", "@vsys": "vsys1", "network": { "layer3": { "member": [ "ethernet1/4" ] } } } ] } }
  2. Add a new Ethernet interface and include any existing data.
    The following example updates the security zone with (1) a new Ethernet interface, ethernet1/3 and (2) the member that already existed in the zone, ethernet1/4.
    curl -X PUT 'https://<firewall>/restapi/v10.0/network/zones?location=vsys&vsys=vsys1&name=test' \ --header 'X-PAN-KEY: <api key>' \ -d '{ "entry": { "@name": "test", "enable-user-identification": "no", "enable-device-identification": "no", "network": { "layer3": { "member": [ "ethernet1/4", "ethernet1/3" ] } } } }'

Recommended For You