Create a Security Policy Rule (REST API)
Table of Contents
Create a Security Policy Rule (REST API)
The example in this section shows you how to
create and update a Security policy rule on the firewall. Use this
example to get familiar with the REST API and then make it work
with other policy types on the firewall. Access the REST API reference
documentation at https://<IP address or FQDN of the firewall or Panorama>/restapi-doc/for
help with the resource URIs for the different objects and policies
and for help with the properties supported for each type of request.
For an overview, see PAN-OS REST API Request and Response Structure.
Create an Application Object
Make a POST request to create an
application object that allows you to allow browser-based applications
that belong to the category collaboration and subcategory email.
To make this application object named email-collaboration-apps available
across all virtual systems on a firewall, create the object at location=shared.
Use Palo Alto Networks Applipedia,
the application database to view the attributes (Category, Subcategory,
Technology, Risk or Characteristic) that you can use to define the
object. You can also refer to https://<firewall_IP>/restapi-doc/#tag/objects-applications for
details on how to construct an application object. Here is an example.
curl -X POST \ 'https://10.1.1.4/restapi/v10.0/Objects/Applications?location=shared&name=email-collaboration-apps' \ -H 'X-PAN-KEY: LUFRPT=' \ -d '{ "entry": [ { "@location": "shared", "@name": "email-collaboration-apps", "able-to-transfer-file": "yes", "category": "collaboration", "description": "apps we allow for collaboration", "risk": "2", "subcategory": "email", "technology": "browser-based" } ] }'
You can now use this application object
in a Security policy rule.
Create a Security Policy Rule
Before you start here, use the
XML API or any of the other management interfaces to set up interfaces
and zones on the firewall.
To create a Security policy rule,
make a POST request. In the following example, the API key is provided
as a custom header X-PAN-KEY instead of as query parameter. For
more details, see Access the PAN-OS REST API. The
query parameters include the name of the rule, location and vsys
name location=vsys&vsys=<vsys_name>&name=<rule_name>.
And in the request body specify the same name, location, vsys name,
and includes additional properties for the Security policy rule including
the application object you created earlier.
curl -X POST \ 'https://10.1.1.4/restapi/v10.0/Policies/SecurityRules?location=vsys&vsys=vsys1&name=rule-example1' \ -H 'X-PAN-KEY: LUFRPT=' \ -d '{ "entry": [ { "@location": "vsys", "@name": "rule-example1", "@vsys": "vsys1", "action": "allow", "application": { "member": [ "email-collaboration-apps" ] }, "category": { "member": [ "any" ] }, "destination": { "member": [ "any" ] }, "from": { "member": [ "zone-edge1" ] }, "source-hip": { "member": [ "any" ] }, "destination-hip": { "member": [ "any" ] }, "service": { "member": [ "application-default" ] }, "source": { "member": [ "any" ] }, "source-user": { "member": [ "any" ] }, "to": { "member": [ "any" ] } } ] }'
Instead of using an application
object, you can list applications by name as long as the applications
are included in the application content version installed on the
firewall.
"application": { "member": [ "gmail", "linkedin", "sendgrid", "front" ] }
Reference an Address Object in the Rule
To allow access to only
specific addresses in the source zone, you can include an address
object and restrict access to only those members in the source zone
with "source": {"member": ["web-servers-production"]} as
shown in the following example:
curl -X PUT \ 'https://10.1.1.4/restapi/v10.0/Policies/SecurityRules?location=vsys&name=rule-example1&vsys=vsys1' \ -H 'X-PAN-KEY: LUFRPT=' \ -d '{ "entry": [ { "@location": "vsys", "@name": "rule-example1", "@vsys": "vsys1", "action": "allow", "application": { "member": [ "email-collaboration-apps" ] }, "category": { "member": [ "any" ] }, "destination": { "member": [ "any" ] }, "from": { "member": [ "zone-edge1" ] }, "source-hip": { "member": [ "any" ] }, "destination-hip": { "member": [ "any" ] }, "service": { "member": [ "application-default" ] }, "source": { "member": [ "web-servers-production" ] }, "source-user": { "member": [ "any" ] }, "to": { "member": [ "any" ] } } ] }'
If successful, the response is
{"@status": "success","@code": "20","msg":"command succeeded" } }
If the address object does not exist,
the response is as follows:
{"code": 3,"message": "Invalid Object","details": [ {"@type": "CauseInfo","causes": [ {"code": 12,"module": "panui_mgmt","description": "Invalid Object: rule-example1 -> source 'web-servers-production' is not an allowed keyword. rule-example1 -> source web-servers-production is an invalid ipv4/v6 address. rule-example1 -> source web-servers-production invalid range start IP. rule-example1 -> source 'web-servers-production' is not a valid reference. rule-example1 -> source is invalid." } ] } ] }
