Create a Security Policy Rule (REST API)
The example in this section shows you how to create and update a Security policy rule on the firewall. Use this example to get familiar with the REST API and then apply the same pattern to the other policy types on the firewall. Access the REST API reference documentation at
https://<IP address or FQDN of the firewall or Panorama>/restapi-doc/
for help with the resource URIs for the different objects and policies and for help with the properties supported for each type of request. For an overview, see PAN-OS REST API Request and Response Structure.
Create an Application Object
Make a POST request to create an application object that allows browser-based applications in the category collaboration and subcategory email. To make this application object, named email-collaboration-apps, available across all virtual systems on a firewall, create the object at location=shared.
Use Palo Alto Networks Applipedia, the application database, to view the attributes (Category, Subcategory, Technology, Risk or Characteristic) that you can use to define the object. You can also refer to https://<firewall_IP>/restapi-doc/#tag/objects-applications for details on how to construct an application object. Here is an example (the API key value in the X-PAN-KEY header is abbreviated):
curl -X POST \
  'https://10.2.1.4/restapi/v11.0/Objects/Applications?location=shared&name=email-collaboration-apps' \
  -H 'X-PAN-KEY: LUFRPT=' \
  -d '{
    "entry": [
      {
        "@location": "shared",
        "@name": "email-collaboration-apps",
        "able-to-transfer-file": "yes",
        "category": "collaboration",
        "description": "apps we allow for collaboration",
        "risk": "2",
        "subcategory": "email",
        "technology": "browser-based"
      }
    ]
  }'
You can now use this application object in a Security policy rule.
Create a Security Policy Rule
Before you start here, use the XML API or any of the other management interfaces to set up interfaces and zones on the firewall.
To create a Security policy rule, make a POST request. In the following example, the API key is provided as the custom header X-PAN-KEY instead of as a query parameter, which keeps the key out of web-server and proxy access logs. For more details, see Access the PAN-OS REST API. The query parameters include the name of the rule, the location and the vsys name:
location=vsys&vsys=<vsys_name>&name=<rule_name>
In the request body, specify the same name, location and vsys name, and include the additional properties for the Security policy rule, including the application object you created earlier. Note that this example rule matches traffic from zone-edge1 to any zone and any destination address; in production, restrict the to and destination fields to what the rule actually needs.
curl -X POST \
  'https://10.2.1.4/restapi/v11.0/Policies/SecurityRules?location=vsys&vsys=vsys1&name=rule-example1' \
  -H 'X-PAN-KEY: LUFRPT=' \
  -d '{
    "entry": [
      {
        "@location": "vsys",
        "@name": "rule-example1",
        "@vsys": "vsys1",
        "action": "allow",
        "application": { "member": [ "email-collaboration-apps" ] },
        "category": { "member": [ "any" ] },
        "destination": { "member": [ "any" ] },
        "from": { "member": [ "zone-edge1" ] },
        "source-hip": { "member": [ "any" ] },
        "destination-hip": { "member": [ "any" ] },
        "service": { "member": [ "application-default" ] },
        "source": { "member": [ "any" ] },
        "source-user": { "member": [ "any" ] },
        "to": { "member": [ "any" ] }
      }
    ]
  }'
Instead of using an application object, you can list applications by name, as long as the applications are included in the application content version installed on the firewall:
"application": { "member": [ "gmail", "linkedin", "sendgrid", "front" ] }
Reference an Address Object in the Rule
To allow access from only specific addresses in the source zone, reference an address object and restrict the rule to the members of that object with
"source": {"member": ["web-servers-production"]}
Update the existing rule with a PUT request. The request body resends the complete rule, with only the source field changed, as shown in the following example:
curl -X PUT \
  'https://10.2.1.4/restapi/v11.0/Policies/SecurityRules?location=vsys&name=rule-example1&vsys=vsys1' \
  -H 'X-PAN-KEY: LUFRPT=' \
  -d '{
    "entry": [
      {
        "@location": "vsys",
        "@name": "rule-example1",
        "@vsys": "vsys1",
        "action": "allow",
        "application": { "member": [ "email-collaboration-apps" ] },
        "category": { "member": [ "any" ] },
        "destination": { "member": [ "any" ] },
        "from": { "member": [ "zone-edge1" ] },
        "source-hip": { "member": [ "any" ] },
        "destination-hip": { "member": [ "any" ] },
        "service": { "member": [ "application-default" ] },
        "source": { "member": [ "web-servers-production" ] },
        "source-user": { "member": [ "any" ] },
        "to": { "member": [ "any" ] }
      }
    ]
  }'
If successful, the response is
{ "@status": "success", "@code": "20", "msg": "command succeeded" }
As with every configuration change made through the API, the rule is written to the candidate configuration and does not take effect until you commit.
If the address object does not exist, the firewall rejects the request because the reference cannot be resolved, and the response is as follows:
{
  "code": 3,
  "message": "Invalid Object",
  "details": [
    {
      "@type": "CauseInfo",
      "causes": [
        {
          "code": 12,
          "module": "panui_mgmt",
          "description": "Invalid Object: rule-example1 -> source 'web-servers-production' is not an allowed keyword. rule-example1 -> source web-servers-production is an invalid ipv4/v6 address. rule-example1 -> source web-servers-production invalid range start IP. rule-example1 -> source 'web-servers-production' is not a valid reference. rule-example1 -> source is invalid."
        }
      ]
    }
  ]
}
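The three curl calls above (create the application object, create the rule, update it with PUT) and the two response shapes, carried through as one script. This is an added example and not code from the PAN-OS documentation or from Palo Alto Networks; the host 10.2.1.4, the abbreviated key LUFRPT=, the zone zone-edge1 and the object names are placeholders copied from the page, and the function names, the explicit Content-Type header and the error-parsing logic are this example's own assumptions.

```python
"""Added example (not from the PAN-OS docs): builds the requests shown on this page
(POST application object, POST Security rule, PUT updated rule) and interprets the
responses.  Host 10.2.1.4, key LUFRPT=, zone-edge1 and object names are placeholders."""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

FIREWALL = "10.2.1.4"   # placeholder firewall/Panorama address
API_VERSION = "v11.0"
API_KEY = "LUFRPT="     # placeholder; load a real key from a secret store, not source


def members(values):
    """PAN-OS list-valued fields are encoded as {"member": [...]}."""
    return {"member": list(values)}


def application_entry(name, *, category, subcategory, technology, risk,
                      description="", location="shared"):
    """Body entry for Objects/Applications; attribute values come from Applipedia."""
    return {"@location": location, "@name": name, "able-to-transfer-file": "yes",
            "category": category, "description": description, "risk": str(risk),
            "subcategory": subcategory, "technology": technology}


def security_rule_entry(name, *, vsys, from_zones, applications, action="allow",
                        to_zones=("any",), source=("any",), destination=("any",),
                        service=("application-default",)):
    """Body entry for Policies/SecurityRules with the same fields as the page's rule."""
    return {"@location": "vsys", "@name": name, "@vsys": vsys, "action": action,
            "application": members(applications), "category": members(["any"]),
            "destination": members(destination), "from": members(from_zones),
            "source-hip": members(["any"]), "destination-hip": members(["any"]),
            "service": members(service), "source": members(source),
            "source-user": members(["any"]), "to": members(to_zones)}


def entry_params(entry):
    """Derive the query string from the body so location/vsys/name can never disagree."""
    params = {"location": entry["@location"]}
    if "@vsys" in entry:
        params["vsys"] = entry["@vsys"]
    params["name"] = entry["@name"]
    return params


def build_request(method, resource, entry, *, host=FIREWALL, api_key=API_KEY,
                  version=API_VERSION):
    """The key goes in the X-PAN-KEY header, not the query string, so it stays out
    of proxy and web-server access logs; Content-Type is set explicitly (assumption)."""
    url = (f"https://{host}/restapi/{version}/{resource}?"
           + urllib.parse.urlencode(entry_params(entry)))
    body = json.dumps({"entry": [entry]}).encode()
    headers = {"X-PAN-KEY": api_key, "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body, headers=headers, method=method)


class PanOsApiError(Exception):
    def __init__(self, code, message, causes):
        super().__init__(f"{message} (code {code}): " + " | ".join(causes))
        self.code, self.message, self.causes = code, message, causes


def parse_response(body):
    """Return the decoded body on success; otherwise raise with every 'causes'
    description, which is where the firewall explains what it rejected."""
    doc = json.loads(body)
    if doc.get("@status") == "success":
        return doc
    causes = [c.get("description", "") for d in doc.get("details", [])
              for c in d.get("causes", [])]
    raise PanOsApiError(doc.get("code"), doc.get("message", "unknown error"), causes)


def send(req, *, cafile=None):
    """Perform the request with TLS verification on (pass cafile for a private CA).
    A rejected request may arrive as an HTTP error status, so that body is parsed too."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return parse_response(resp.read())
    except urllib.error.HTTPError as err:
        return parse_response(err.read())


if __name__ == "__main__":
    app = application_entry("email-collaboration-apps", category="collaboration",
                            subcategory="email", technology="browser-based", risk=2,
                            description="apps we allow for collaboration")
    send(build_request("POST", "Objects/Applications", app))
    rule = security_rule_entry("rule-example1", vsys="vsys1", from_zones=["zone-edge1"],
                               applications=[app["@name"]])
    send(build_request("POST", "Policies/SecurityRules", rule))
    rule["source"] = members(["web-servers-production"])  # address object must already exist
    send(build_request("PUT", "Policies/SecurityRules", rule))  # PUT resends the whole rule
    # All three land in the candidate configuration; commit before they take effect.
```

Deriving the query string from the body (entry_params) removes the most common mistake with these endpoints, a name or vsys in the URL that differs from the one in the entry. Keeping TLS verification on and supplying the firewall's CA is the other practical point: disabling verification to silence a self-signed certificate warning also silences anyone interposing on the management path.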