Work with Policy Rules on Panorama (REST API)

On Panorama, you create policy rules as Pre Rules or Post Rules and then push them from Panorama to the managed firewalls. While you can view these rules on the managed firewalls, you can edit the Pre Rules and Post Rules only on Panorama. Pre Rules are added to the top of the rule order and are evaluated first. Post Rules are added after any locally defined rules on the firewall and are at the bottom of the rule hierarchy, so they are evaluated last. Post Rules typically include rules to deny access to traffic based on the App-ID, User-ID, or Service. Pre Rules and Post Rules are of two types: Shared Post Rules are shared across all managed devices and device groups, and device group Post Rules are specific to a device group.
The example in this section shows you how to create and update a Security policy rule on Panorama. Use this example to get familiar with the REST API and then make it work with other policy types on the firewall. Access the REST API reference documentation at https://<Panorama IP address or FQDN>/restapi-doc/ for help with the resource URIs for the different objects and policies and for help with the properties supported for each type of request. For an overview, see PAN-OS REST API Request and Response Structure.

Create a Log Forwarding Object

Make a POST request to create a log forwarding object that allows you to forward traffic and threat logs to the Logging Service. To make this log forwarding object named log-forwarding-LS available for all firewalls in the device group named devicegroup-7, create the object at location=devicegroup-7. Include the name of the object, specify the location as device-group and the device-group name in the query parameters location=device-group&device-group=<dg_name>&name=<object_name>, and create the request body. The API key is provided as a custom header, X-PAN-KEY.
curl -X POST \
  'http://10.5.1.70/restapi/v11.0/Objects/LogForwardingProfiles?name=log-forwarding-LS&location=device-group&device-group=devicegroup-7' \
  -H 'X-PAN-KEY: LUFRPT1=' \
  -d '{
    "entry": {
      "@name": "log-forwarding-LS",
      "match-list": {
        "entry": [
          {
            "@name": "only_traffic_logs",
            "filter": "All Logs",
            "log-type": "traffic",
            "send-to-panorama": "yes"
          },
          {
            "@name": "only_threat_logs",
            "filter": "All Logs",
            "log-type": "threat",
            "send-to-panorama": "yes"
          }
        ]
      }
    }
  }'
You can now use this log forwarding object in a Security policy rule.

Edit a Security Policy Pre Rule

To modify a Security policy Pre Rule, make a PUT request to https://<Panorama IP address or FQDN>/restapi/v11.0/Policies/SecurityPreRules. The query parameters include the name of the rule, the location, and the device group name if the location is a device group: location=device-group&device-group=<device_group_name>&name=<rule_name>. In the request body, specify the same name, location, and device group name, and include the required properties for the Security policy Pre Rule. This example shows you how to reference the log forwarding object you created earlier. Refer to the REST API reference documentation at https://<Panorama IP address or FQDN>/restapi-doc/ for help with the required and optional properties in the request body.
Use a GET request to fetch the configuration of the Security policy pre rule you want to modify and copy the response. You can then use this as a starting point for the request body in your PUT request and modify as needed to edit the rule.
curl -X PUT \
  'http://10.2.1.7/restapi/v11.0/Policies/SecurityPreRules?location=device-group&device-group=devicegroup-7&name=allow-dns' \
  -H 'X-PAN-KEY: LUFRPT=' \
  -d '{
    "entry": [
      {
        "@device-group": "devicegroup-7",
        "@location": "device-group",
        "@name": "allow-dns",
        "action": "allow",
        "application": { "member": [ "dns" ] },
        "category": { "member": [ "any" ] },
        "destination": { "member": [ "any" ] },
        "from": { "member": [ "any" ] },
        "source-hip": { "member": [ "any" ] },
        "destination-hip": { "member": [ "any" ] },
        "log-setting": "log-forwarding-LS",
        "log-start": "yes",
        "service": { "member": [ "application-default" ] },
        "source": { "member": [ "any" ] },
        "source-user": { "member": [ "any" ] },
        "target": { "negate": "no" },
        "to": { "member": [ "any" ] }
      }
    ]
  }'
The response body indicates the success or failure of the request. If you reference a Security policy Pre Rule that does not exist because the name of the rule is invalid or the location is incorrect, the response is:
{
  "code": 5,
  "details": [
    {
      "@type": "CauseInfo",
      "causes": [
        {
          "code": 7,
          "description": "Object Not Present: No object to edit.",
          "module": "panui_mgmt"
        }
      ]
    }
  ],
  "message": "Object Not Present"
}
For help with the error codes, see PAN-OS REST API Error Codes.
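
The GET-then-PUT workflow and the error response described above, as an added Python example (not code from the PAN-OS documentation): it builds the PUT request from a fetched rule without sending it, and keeps the body's name, location and device group in step with the query parameters. The host name, API key placeholder, helper names and the shape of the GET response are assumptions.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request

RESOURCE = "/restapi/v11.0/Policies/SecurityPreRules"  # resource URI from the page

# Constructed sample data. The GET response shape is an assumption; the error
# body is the one shown on the page.
SAMPLE_GET = {"@status": "success", "result": {"entry": [{
    "@name": "allow-dns", "@location": "device-group",
    "@device-group": "devicegroup-7", "action": "allow",
    "application": {"member": ["dns"]}, "log-start": "yes"}]}}
SAMPLE_ERROR = {"code": 5, "message": "Object Not Present", "details": [{
    "@type": "CauseInfo", "causes": [{"code": 7, "module": "panui_mgmt",
    "description": "Object Not Present: No object to edit."}]}]}


def build_pre_rule_put(host, api_key, device_group, rule_name, get_response, changes):
    """Build (without sending) the PUT request that edits one device-group Pre Rule."""
    entries = get_response.get("result", {}).get("entry", [])
    rule = next((e for e in entries if e.get("@name") == rule_name), None)
    if rule is None:
        raise LookupError(f"rule {rule_name!r} is not in the GET response")
    rule = {**rule, **changes}  # start from the fetched rule, then apply the edits
    # The body must name the same rule, location and device group as the query.
    rule.update({"@name": rule_name, "@location": "device-group",
                 "@device-group": device_group})
    query = urlencode({"location": "device-group",
                       "device-group": device_group, "name": rule_name})
    return Request(f"https://{host}{RESOURCE}?{query}",
                   data=json.dumps({"entry": [rule]}).encode(),
                   method="PUT",
                   headers={"X-PAN-KEY": api_key})  # key goes in the header, as on the page


def describe_error(body):
    """Flatten an error response body into one line for a change log."""
    causes = [c.get("description", "") for d in body.get("details", [])
              for c in d.get("causes", [])]
    return f"{body.get('message', 'unknown error')} (code {body.get('code')}): " + "; ".join(causes)


if __name__ == "__main__":
    req = build_pre_rule_put("panorama.example.com", "API-KEY-PLACEHOLDER", "devicegroup-7",
                             "allow-dns", SAMPLE_GET, {"log-setting": "log-forwarding-LS"})
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    print(describe_error(SAMPLE_ERROR))
```

To send the request, pass the returned object to urllib.request.urlopen.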