Configure a Security Zone (REST API)
Table of Contents
Expand all | Collapse all
-
- Upgrade a Firewall to the Latest PAN-OS Version (API)
- Show and Manage GlobalProtect Users (API)
- Query a Firewall from Panorama (API)
- Upgrade PAN-OS on Multiple HA Firewalls through Panorama (API)
- Automatically Check for and Install Content Updates (API)
- Enforce Policy using External Dynamic Lists and AutoFocus Artifacts (API)
- Configure SAML 2.0 Authentication (API)
- Quarantine Compromised Devices (API)
- Manage Certificates (API)
-
- Asynchronous and Synchronous Requests to the PAN-OS XML API
- Run Operational Mode Commands (API)
- Apply User-ID Mapping and Populate Dynamic Groups (API)
- Get Version Info (API)
-
- PAN-OS REST API
- Access the PAN-OS REST API
- Resource Methods and Query Parameters (REST API)
- PAN-OS REST API Request and Response Structure
- PAN-OS REST API Error Codes
- Work With Objects (REST API)
- Create a Security Policy Rule (REST API)
- Work with Policy Rules on Panorama (REST API)
- Create a Tag (REST API)
- Configure a Security Zone (REST API)
- Configure an SD-WAN Interface (REST API)
- Create an SD-WAN Policy Pre Rule (REST API)
- Configure an Ethernet Interface (REST API)
- Update a Virtual Router (REST API)
- Work With Decryption (APIs)
Configure a Security Zone (REST API)
Security zones are a logical way to group physical and
virtual interfaces on the firewall to control and log the traffic
that traverses specific interfaces on your network. You must assign
an interface on the firewall to a security zone before that interface
can process traffic. A zone can have multiple interfaces of the same
type, but an interface can belong to only one zone.
Create a Security Zone
You can create a security zone either directly
on the firewall or as part of a network template on Panorama™.
- Make a REST API request to add a security zone.The following example shows you how to use a Panorama REST API request to create a security zone with Ethernet interfaces and a virtual SD-WAN interface. See Configure an SD-WAN Interface (REST API) for an example of a REST API request to create a virtual SD-WAN interface through Panorama and Configure an Ethernet Interface (REST API) for an example of a REST API request on the firewall to configure an Ethernet interface.curl -X POST 'https://<Panorama>/restapi/v10.2/network/zones?location=template&template=SDWAN-Branch-Network&name=Untrust' -H 'X-PAN-KEY: <api key>' -d '{ "entry": { "@name": "Untrust", "enable-user-identification": "no", "network": { "layer3": { "member": [ "ethernet1/1", "ethernet1/2", "ethernet1/3", "sdwan.1" ] } } } }'
Update a Security Zone
To update a security zone, you should first
make a REST API request to get the existing security zone. You can
then copy data from the response to your REST API request to update
the zone to ensure no desired existing data is inadvertently lost
or overwritten. The following example first retrieves an existing
security zone from a PAN-OS firewall and then updates the zone by
adding a new Ethernet interface.
- Get the zone you to which you want to add the
Ethernet interface.The following example requests an existing security zone.curl -X GET 'https://<firewall>/restapi/v10.2/network/zones?name=test&location=vsys&vsys=vsys1' \ -H 'X-PAN-KEY: <api key>'The response is shown below. Note that this security zone already has on Ethernet interface, ethernet1/4. You need to include that member in your request to update this zone to avoid losing this data.{ "@code": "19", "@status": "success", "result": { "@count": "1", "@total-count": "1", "entry": [ { "@location": "vsys", "@name": "test", "@vsys": "vsys1", "network": { "layer3": { "member": [ "ethernet1/4" ] } } } ] } }
- Add a new Ethernet interface and include any existing data.
The following example updates the security zone with (1) a new Ethernet interface, ethernet1/3 and (2) the member that already existed in the zone, ethernet1/4.curl -X PUT 'https://<firewall>/restapi/v10.2/network/zones?location=vsys&vsys=vsys1&name=test' \ --header 'X-PAN-KEY: <api key>' \ -d '{ "entry": { "@name": "test", "enable-device-identification": "no", "enable-user-identification": "no", "network": { "layer3": { "member": [ "ethernet1/4", "ethernet1/3" ] } } } }' - Add a new Ethernet interface and include any existing data.