Get Active Policy Rule Recommendations
Get a list of all active policy rule recommendations, or all recommendations for one or more specific profiles.
Synopsis
Property | Value |
---|---|
URI | /pub/v4.0/policy/recommendation |
HTTP Method | GET |
FQDN | <customer-name>.iot.paloaltonetworks.com |
Description
Get a list of all active policy rule recommendations, or all the active recommendations for one or more IoT device profiles.
Request Fields
The URL of this request contains the following parameters:
Field | Description |
---|---|
customerid | (Required) The customer ID identifies the tenant to which the API call applies. The value is a string. |
profile | Filters policy rule recommendations by one or more source profile names. The value is a string of profile names separated by commas; for example: profile=Palo Alto Networks Device,iPhone,Polycom IP Phone. All profiles must be IoT profiles. Without a profile filter, the request returns all active policy rule recommendations. |
For the other parameters you can include in the URL (offset and pagelength), see the general parameters described in Get Started with the IoT Security API.
Policy Rule Recommendations Request Example
```bash
curl --location -X GET 'https://acmecorp.iot.paloaltonetworks.com/pub/v4.0/policy/recommendation?customerid=acmecorp' \
  -H 'X-Key-Id: KEY_ID' \
  -H 'X-Access-Key: ACCESS_KEY'
```
Success Response
Upon success, the HTTP response code is 200, and the API returns a JSON object containing the policy rules and their attributes.
An empty array field means the rule matches any value for that field. For example, if destinationIpList contains no IP addresses, the rule applies to any destination IP address.
Field | Description |
---|---|
ver | API version (string) |
api | API path (string) |
total | Total number of active recommended policy rules for which information was returned (integer) |
policies | Array of active recommended policy rules (array) |
id | Unique identifier composed of alphanumeric characters for the policy rule (string) |
policySetName | Name of the user-defined policy set to which the policy rule belongs (string) |
geo | Location of the destination in the policy rule (string): intranet (internal) or internet (external) |
action | Action the firewall takes when applying the policy rule, which is always allow (string) |
lastActivityTime | UTC timestamp for the last detected network activity corresponding to the elements in this policy rule (string) |
sourceProfiles | Device profile assigned to devices initiating traffic to which the policy rule applies (array). Although this is an array, it can only contain a single source profile. |
apps | Applications to which the policy rule applies such as youtube-base (array) |
destinationProfiles | Device profile of the destination in the policy rule. A destination device profile is used when the source and destination are in the same intranet and IoT Security is monitoring them both and has assigned a profile to the destination. (array) |
sourceIpList | List of source IP addresses to which the policy rule applies (array). This is included in anticipation of future functionality and is currently always empty. |
destinationIpList | List of destination IP addresses to which the policy rule applies (array). When a destination is internal, IoT Security displays its IP address in destinationIpList. When it's external, IoT Security displays it in destinationFqdnList. |
destinationFqdnList | List of destination FQDNs to which the policy rule applies (array). When a destination is external, IoT Security displays it in destinationFqdnList. When it's internal, IoT Security displays it in destinationIpList. |
sourceZones | List of source zones to which the policy rule applies (array) |
destinationZones | List of destination zones to which the policy rule applies (array) |
destinationUrlCategories | List of categories to which the policy rule applies. Some examples: games, entertainment, and health-and-medicine (array) |
services | List of non-standard service port numbers for an application, or the user-defined values service-http and service-https (array). When IoT Security identifies an application that's using non-standard UDP or TCP port numbers, it displays the application name in "apps" and the non-standard port numbers in "services". When an application is using standard ports, IoT Security displays the application name and leaves "services" empty. If a user manually applied one of the predefined services service-http or service-https to an application, then the predefined service name appears in "services". |
tags | System-defined tag IoTSecurityRecommended and any user-defined tags applied to the policy rule (array) |
securityProfiles | List of Security profiles for antivirus, vulnerability protection, anti-spyware, and so on in the policy rule (array) |
firewallList | List of firewalls that enforce the policy rule (array) |
deviceGroups | (Panorama) List of device groups containing firewalls that enforce the policy rule (array) |
Success Response Example
```json
{
  "ver": "v4.0",
  "api": "/policy/recommendation",
  "total": 116,
  "policies": [
    {
      "id": "96122896cb71f1c302253842e1fb3518",
      "geo": "internet",
      "action": "allow",
      "lastActivityTime": "2021-06-03T04:43:26.400Z",
      "sourceProfiles": ["DICOM-Imager"],
      "apps": ["cfdp"],
      "destinationProfiles": [],
      "sourceIpList": [],
      "destinationIpList": [],
      "destinationFqdnList": [],
      "sourceZones": [],
      "destinationZones": [],
      "destinationUrlCategories": [],
      "services": [],
      "tags": ["IoTSecurityRecommended"],
      "securityProfiles": [],
      "firewallList": [],
      "deviceGroups": []
    },
    ...
  ]
}
```
Policy Rule Recommendations for a Specific Profile Request Example
```bash
curl --location -X GET 'https://acmecorp.iot.paloaltonetworks.com/pub/v4.0/policy/recommendation?customerid=acmecorp&profile=DICOM-Imager' \
  -H 'X-Key-Id: KEY_ID' \
  -H 'X-Access-Key: ACCESS_KEY'
```
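The following is an added example, not Palo Alto Networks code: it assembles the documented GET request (including the comma-separated profile filter and the optional offset and pagelength parameters), parses a response body, and renders each policy as a readable rule, applying the "empty field means any" convention described above. The second policy in the sample response, the PACS-Server profile, the dicom app name and the port 11112 are constructed for illustration.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request

ENDPOINT = "https://{tenant}.iot.paloaltonetworks.com/pub/v4.0/policy/recommendation"
MATCH_LISTS = ("sourceProfiles", "apps", "destinationProfiles", "sourceIpList",
               "destinationIpList", "destinationFqdnList", "sourceZones",
               "destinationZones", "destinationUrlCategories")  # empty list == any

def build_request(tenant, key_id, access_key, profiles=(), offset=None, pagelength=None):
    """Assemble the GET request with the documented headers and query parameters."""
    params = {"customerid": tenant, "offset": offset, "pagelength": pagelength}
    if profiles:
        params["profile"] = ",".join(profiles)  # comma-separated, as the docs show
    params = {k: v for k, v in params.items() if v is not None}
    # safe="," keeps the commas literal so the query matches the documented example
    url = ENDPOINT.format(tenant=tenant) + "?" + urlencode(params, safe=",")
    return Request(url, headers={"X-Key-Id": key_id, "X-Access-Key": access_key})

def parse_response(body):
    """Return the policies array, or raise if the body is the {code, msg} error object."""
    data = json.loads(body)
    if "policies" not in data:
        raise ValueError("%s: %s" % (data.get("code"), data.get("msg")))
    return data["policies"]

def rule_summary(policy):
    """Render one policy as a readable rule; an empty match list means 'any'."""
    m = {k: policy.get(k) or ["any"] for k in MATCH_LISTS}
    # Internal destinations are listed by IP, external ones by FQDN (see field table).
    dest = m["destinationIpList"] if policy["geo"] == "intranet" else m["destinationFqdnList"]
    # An empty "services" list means the app is on its standard ports, not "any port".
    services = policy.get("services") or ["standard-ports"]
    return "%s %s -> %s:%s apps=%s services=%s" % (
        policy["action"], ",".join(m["sourceProfiles"]), policy["geo"],
        ",".join(dest), ",".join(m["apps"]), ",".join(services))

SAMPLE_RESPONSE = json.dumps({  # constructed: 1st policy is the page's example, 2nd invented
    "ver": "v4.0", "api": "/policy/recommendation", "total": 2,
    "policies": [
        {"id": "96122896cb71f1c302253842e1fb3518", "geo": "internet", "action": "allow",
         "sourceProfiles": ["DICOM-Imager"], "apps": ["cfdp"], "destinationFqdnList": [],
         "services": [], "tags": ["IoTSecurityRecommended"]},
        {"id": "constructed-0002", "geo": "intranet", "action": "allow",
         "sourceProfiles": ["DICOM-Imager"], "apps": ["dicom"],
         "destinationProfiles": ["PACS-Server"], "destinationIpList": ["10.0.0.5"],
         "services": ["11112"], "tags": ["IoTSecurityRecommended"]}]})

if __name__ == "__main__":  # offline demo: the request is built but never sent
    print(build_request("acmecorp", "KEY_ID", "ACCESS_KEY", profiles=["DICOM-Imager"]).full_url)
    print("\n".join(rule_summary(p) for p in parse_response(SAMPLE_RESPONSE)))
```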
Error Response
Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:
HTTP Code | Description |
---|---|
400 | Bad Request. This occurs when an HTTP request contains an invalid query string. |
403 | Forbidden access. Either the provided API Key is invalid or it does not have the required RBAC permissions to run this API. |
429 | Too many requests. The number of requests for the list of recommended policy rules exceeded the rate limit of 180 queries per minute per tenant. |
500 | Internal server error. A unified status for API communication type errors. |
Error Response Format
```text
{code: STATUS_CODE, msg: GENERAL_MESSAGE}
```