>
    Strata Copilot
    Create a Security Policy Rule (REST API)
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. PAN-OS REST API Use Cases
    4. Create a Security Policy Rule (REST API)
    Download PDF
    Next-Generation Firewall

    Create a Security Policy Rule (REST API)

    Table of Contents

    Create a Security Policy Rule (REST API)

    The example in this section shows you how to create and update a Security policy rule on the firewall. Use this example to get familiar with the REST API and then make it work with other policy types on the firewall. Access the REST API reference documentation athttps://<IP address or FQDN of the firewall or Panorama>/restapi-doc/for help with the resource URIs for the different objects and policies and for help with the properties supported for each type of request. For an overview, see PAN-OS REST API Request and Response Structure.

    Create an Application Object

    Make a POST request to create an application object that allows you to allow browser-based applications that belong to the category collaboration and subcategory email. To make this application object namedemail-collaboration-apps available across all virtual systems on a firewall, create the object atlocation=shared. Use Palo Alto Networks Applipedia, the application database to view the attributes (Category, Subcategory, Technology, Risk or Characteristic) that you can use to define the object. You can also refer tohttps://<firewall_IP>/restapi-doc/#tag/objects-applications for details on how to construct an application object. Here is an example.
    curl -X POST \
  'https://10.2.1.4/restapi/v11.0/Objects/Applications?location=shared&name=email-collaboration-apps' \
  -H 'X-PAN-KEY: *******' \
  -d '{
    "entry": [
        {
            "@location": "shared",
            "@name": "email-collaboration-apps",
            "able-to-transfer-file": "yes",
            "category": "collaboration",
            "description": "apps we allow for collaboration",
            "risk": "2",
            "subcategory": "email",
            "technology": "browser-based"
        }
    ]
}'
    You can now use this application object in a Security policy rule.

    Create a Security Policy Rule

    Before you start here, use the XML API or any of the other management interfaces to set up interfaces and zones on the firewall.
    To create a Security policy rule, make a POST request. In the following example, the API key is provided as a custom header X-PAN-KEY instead of as query parameter. For more details, see Access the PAN-OS REST API. The query parameters include the name of the rule, location and vsys namelocation=vsys&vsys=<vsys_name>&name=<rule_name>. And in the request body specify the same name, location, vsys name, and includes additional properties for the Security policy rule including the application object you created earlier. 
    curl -X POST \

  'https://10.2.1.4/restapi/v11.0/Policies/SecurityRules?location=vsys&vsys=vsys1&name=rule-example1' \
  -H 'X-PAN-KEY: *******' \
  -d '{
    "entry": [
        {
            "@location": "vsys",
            "@name": "rule-example1",
            "@vsys": "vsys1",
            "action": "allow",
            "application": {
                "member": [
                    "email-collaboration-apps"
                ]
            },
            "category": {
                "member": [
                    "any"
                ]
            },
            "destination": {
                "member": [
                    "any"
                ]
            },
            "from": {
                "member": [
                    "zone-edge1"
                ]
            },
            "source-hip": {
            	"member": [
            		"any"
            	]
            },
            "destination-hip": {
            	"member": [
            		"any"
	            ]
            },
            "service": {
                "member": [
                    "application-default"
                ]
            },
            "source": {
                "member": [
                    "any"
                ]
            },
            "source-user": {
                "member": [
                    "any"
                ]
            },
            "to": {
                "member": [
                    "any"
                ]
            }
        }
    ]
}'
    Instead of using an application object, you can list applications by name as long as the applications are included in the application content version installed on the firewall. 
     "application": {
    "member": [
        "gmail",
        "linkedin",
        "sendgrid",
        "front"
    ]
}

    Reference an Address Object in the Rule

    To allow access to only specific addresses in the source zone, you can include an address object and restrict access to only those members in the source zone with"source": {"member": ["web-servers-production"]} as shown in the following example:
    curl -X PUT \
  'https://10.2.1.4/restapi/v11.0/Policies/SecurityRules?location=vsys&name=rule-example1&vsys=vsys1' \
  -H 'X-PAN-KEY: *******' \
  -d '{
    "entry": [
        {
            "@location": "vsys",
            "@name": "rule-example1",
            "@vsys": "vsys1",
            "action": "allow",
            "application": {
                "member": [
                    "email-collaboration-apps"
                ]
            },
            "category": {
                "member": [
                    "any"
                ]
            },
            "destination": {
                "member": [
                    "any"
                ]
            },
            "from": {
                "member": [
                    "zone-edge1"
                ]
            },
            "source-hip": {
            	"member": [
            		"any"
            	]
            },
            "destination-hip": {
            	"member": [
            		"any"
	            ]
            },
            "service": {
                "member": [
                    "application-default"
                ]
            },
            "source": {
                "member": [
                    "web-servers-production"
                ]
            },
            "source-user": {
                "member": [
                    "any"
                ]
            },
            "to": {
                "member": [
                    "any"
                ]
            }
        }
    ]
}'
    If successful, the response is
    {"@status": "success","@code": "20","msg":"command succeeded"
    }
}
    If the address object does not exist, the response is as follows:
    {"code": 3,"message": "Invalid Object","details": [
        {"@type": "CauseInfo","causes": [
                {"code": 12,"module": "panui_mgmt","description": "Invalid Object:  rule-example1 -> source 'web-servers-production' is not an allowed keyword.  rule-example1 -> source web-servers-production is an invalid ipv4/v6 address. rule-example1 -> source web-servers-production invalid range start IP.  
	rule-example1 -> source 'web-servers-production' is not a valid reference. rule-example1 -> source is invalid."
                }
            ]
        }
    ]
}

    © 2026 Palo Alto Networks, Inc. All rights reserved.