Configure a Security Zone (REST API)
Security zones are a logical way to group physical and
virtual interfaces on the firewall to control and log the traffic
that traverses specific interfaces on your network. You must assign
an interface on the firewall to a security zone before that interface
can process traffic. A zone can have multiple interfaces of the same
type, but an interface can belong to only one zone.
Create a Security Zone
You can create a security zone either directly
on the firewall or as part of a network template on Panorama™.
- Make a REST API request to add a security zone.
  The following example shows you how to use a Panorama REST API request to create a security zone with Ethernet interfaces and a virtual SD-WAN interface. See Configure an SD-WAN Interface (REST API) for an example of a REST API request to create a virtual SD-WAN interface through Panorama and Configure an Ethernet Interface (REST API) for an example of a REST API request on the firewall to configure an Ethernet interface. The X-PAN-KEY header carries an administrator API key; treat it as a credential and avoid leaving it in shell history or scripts checked into source control.
  curl -X POST 'https://<Panorama>/restapi/v11.0/network/zones?location=template&template=SDWAN-Branch-Network&name=Untrust' \
    -H 'X-PAN-KEY: <api key>' \
    -d '{
      "entry": {
        "@name": "Untrust",
        "enable-user-identification": "no",
        "network": {
          "layer3": {
            "member": [ "ethernet1/1", "ethernet1/2", "ethernet1/3", "sdwan.1" ]
          }
        }
      }
    }'
Update a Security Zone
To update a security zone, first make a REST API request to get the
existing security zone. Copy the data from the response into your
update request: the update replaces the zone configuration with the
body you send, so any existing member you omit is removed from the
zone. The following example first retrieves an existing security zone
from a PAN-OS firewall and then updates the zone by adding a new
Ethernet interface.
- Get the zone to which you want to add the Ethernet interface.
  The following example requests an existing security zone.
  curl -X GET 'https://<firewall>/restapi/v11.0/network/zones?name=test&location=vsys&vsys=vsys1' \
    -H 'X-PAN-KEY: <api key>'
  The response is shown below. Note that this security zone already has one Ethernet interface, ethernet1/4. You need to include that member in your request to update this zone to avoid losing this data.
  {
    "@code": "19",
    "@status": "success",
    "result": {
      "@count": "1",
      "@total-count": "1",
      "entry": [
        {
          "@location": "vsys",
          "@name": "test",
          "@vsys": "vsys1",
          "network": {
            "layer3": {
              "member": [ "ethernet1/4" ]
            }
          }
        }
      ]
    }
  }
- Add a new Ethernet interface and include any existing data.
  The following example updates the security zone with (1) a new Ethernet interface, ethernet1/3, and (2) the member that already existed in the zone, ethernet1/4.
  curl -X PUT 'https://<firewall>/restapi/v11.0/network/zones?location=vsys&vsys=vsys1&name=test' \
    --header 'X-PAN-KEY: <api key>' \
    -d '{
      "entry": {
        "@name": "test",
        "enable-device-identification": "no",
        "enable-user-identification": "no",
        "network": {
          "layer3": {
            "member": [ "ethernet1/4", "ethernet1/3" ]
          }
        }
      }
    }'
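The create and update steps above both come down to building the same JSON body and, for an update, merging the members returned by GET into it before the PUT so nothing is dropped. The following Python is an added example written for this page, not Palo Alto Networks code; it assumes only the URL and JSON shapes shown above (the `zone_url`, `zone_entry`, `existing_members` and `merged_update` helper names and the `panorama.example` and `fw.example` hostnames are this example's own). It does no network I/O: it prepares the URL and body you would hand to curl or an HTTP client, and it refuses to build an update from a GET response that did not succeed or did not return exactly one zone, which is the case where a blind PUT would silently remove interfaces.

```python
"""Build PAN-OS REST API zone URLs and bodies, and merge GET results before PUT.

Added example for this page; not Palo Alto Networks code. Helper names and
hostnames are assumptions. Works on the request and response shapes shown on
the page: request body {"entry": {...}} and GET response {"result": {"entry": [...]}}.
"""
import json
from urllib.parse import urlencode

API_VERSION = "v11.0"  # matches the /restapi/v11.0/ paths used on this page


def zone_url(host, location, name, **scope):
    """Return the /network/zones URL for a firewall vsys or a Panorama template.

    scope is vsys="vsys1" for location=vsys on a firewall, or
    template="SDWAN-Branch-Network" for location=template on Panorama.
    """
    params = {"location": location, **scope, "name": name}
    return f"https://{host}/restapi/{API_VERSION}/network/zones?{urlencode(params)}"


def zone_entry(name, members, user_id=False, device_id=None):
    """Build the {"entry": ...} body for a Layer3 zone.

    Members are deduplicated while preserving order: an interface can belong
    to only one zone, so a repeated member is a mistake, not a second binding.
    device_id=None leaves enable-device-identification out of the body, as the
    create example on this page does.
    """
    unique = []
    for member in members:
        if member not in unique:
            unique.append(member)
    entry = {
        "@name": name,
        "enable-user-identification": "yes" if user_id else "no",
        "network": {"layer3": {"member": unique}},
    }
    if device_id is not None:
        entry["enable-device-identification"] = "yes" if device_id else "no"
    return {"entry": entry}


def existing_members(get_response):
    """Return the current Layer3 members from a GET /network/zones response.

    Raises ValueError unless the GET succeeded and returned exactly one zone,
    so a failed or ambiguous read can never be turned into a PUT that drops
    interfaces the zone already had.
    """
    if get_response.get("@status") != "success":
        raise ValueError(f"GET did not succeed: {get_response}")
    entries = get_response.get("result", {}).get("entry", [])
    if len(entries) != 1:
        raise ValueError(f"expected exactly one zone entry, got {len(entries)}")
    # A zone with no interfaces assigned yet may have no network block at all.
    network = entries[0].get("network", {})
    return list(network.get("layer3", {}).get("member", []))


def merged_update(get_response, new_members, **flags):
    """Return the PUT body that adds new_members while keeping existing ones."""
    current = existing_members(get_response)  # validates the response first
    name = get_response["result"]["entry"][0]["@name"]
    return zone_entry(name, current + list(new_members), **flags)


# GET response as shown on this page for zone "test" in vsys1.
SAMPLE_GET_RESPONSE = {
    "@code": "19",
    "@status": "success",
    "result": {
        "@count": "1",
        "@total-count": "1",
        "entry": [
            {
                "@location": "vsys",
                "@name": "test",
                "@vsys": "vsys1",
                "network": {"layer3": {"member": ["ethernet1/4"]}},
            }
        ],
    },
}


if __name__ == "__main__":
    # Create on Panorama (template scope), as in the first example.
    print(zone_url("panorama.example", "template", "Untrust",
                   template="SDWAN-Branch-Network"))
    print(json.dumps(zone_entry("Untrust",
                                ["ethernet1/1", "ethernet1/2", "ethernet1/3", "sdwan.1"])))
    # Update on a firewall (vsys scope): GET, merge, then PUT the merged body.
    print(zone_url("fw.example", "vsys", "test", vsys="vsys1"))
    print(json.dumps(merged_update(SAMPLE_GET_RESPONSE, ["ethernet1/3"], device_id=False)))
```

Feed the printed URL and body to `curl -X PUT` with your `X-PAN-KEY` header exactly as on this page; the merged body reproduces the update example, with ethernet1/4 retained ahead of the new ethernet1/3.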