Manage Firewall Zones
How to automate firewall zone configuration with PAN-OS
using OpenConfig models.
Create a Zone
The following request creates a new zone and sets the
firewall zone type to layer3.
gnmic -a localhost --port 9339 -u username -p password --timeout 300s --skip-verify -e JSON_IETF set --update-path "/zones" --update-file new-zone.json
The contents of new-zone.json are as follows:
{
  "zone": [
    {
      "fw-zone-type": "pan-fw-zones-deviations:layer3",
      "openconfig-fw-zones:interfaces": {
        "interface": []
      },
      "openconfig-fw-zones:name": "openconfig-test"
    }
  ]
}
A successful request returns the output below:
Set Response:
{
  "results": [
    {
      "operation": "UPDATE",
      "path": "zones/zone[name=openconfig-test]/interfaces/interface/id"
    }
  ]
}
The following command adds interface ethernet1/5 to the zone named openconfig-test:
gnmic -a localhost --port 9339 -u username -p password --timeout 300s --skip-verify -e JSON_IETF set --update "/zones/zone[name=openconfig-test]/interfaces/interface/id:::string:::ethernet1/5"
A successful request returns the output below:
{
  "results": [
    {
      "operation": "UPDATE",
      "path": "zones/zone[name=openconfig-test]/interfaces/interface/id"
    }
  ]
}
The following is displayed in PAN-OS after making the previous
updates:
Retrieving Zones
The following command retrieves the zones after the example above
has been applied; its output follows.
gnmic -a localhost --port 9339 -u username -p password -e JSON_IETF get --path "/zones"
[
  {
    "time": "1969-12-31T16:00:00-08:00",
    "updates": [
      {
        "Path": "zones/zone[name=openconfig-test]",
        "values": {
          "zones/zone": {
            "config": {
              "fw-zone-type": "pan-fw-zones-deviations:layer3",
              "name": "openconfig-test"
            },
            "interfaces": {
              "interface": [
                {
                  "config": { "id": "ethernet1/4" },
                  "id": "ethernet1/4",
                  "state": { "id": "ethernet1/4" }
                },
                {
                  "config": { "id": "ethernet1/4.1" },
                  "id": "ethernet1/4.1",
                  "state": { "id": "ethernet1/4.1" }
                },
                {
                  "config": { "id": "ethernet1/5" },
                  "id": "ethernet1/5",
                  "state": { "id": "ethernet1/5" }
                },
                {
                  "config": { "id": "ethernet1/5.1" },
                  "id": "ethernet1/5.1",
                  "state": { "id": "ethernet1/5.1" }
                }
              ]
            },
            "name": "openconfig-test",
            "state": {
              "fw-zone-type": "pan-fw-zones-deviations:layer3",
              "name": "openconfig-test"
            }
          }
        }
      }
    ]
  }
]