Create an SD-WAN Policy Pre Rule (REST API)
An SD-WAN policy rule specifies when and how a firewall performs application-based SD-WAN path selection. You can configure an SD-WAN policy pre rule or post rule on Panorama™ and push the rule to the firewalls in your device group.

The examples in this section show how to use the REST API to create an SD-WAN policy pre rule on Panorama. An SD-WAN policy rule includes both a path quality profile and a traffic distribution profile. The policy rule uses these two profiles to identify network quality requirements and to determine path selection when the network doesn’t meet those quality requirements.
- Create a path quality profile.
A path quality profile identifies network quality or health requirements based on packet loss percentage, jitter, and latency. Once included in an SD-WAN policy rule, the path quality profile controls the threshold at which the firewall replaces a deteriorating path with a new path for matching application packets. A number of predefined path quality profiles exist, but you can create your own if none of the existing profiles meets your needs.

The following POST request creates a path quality profile called general-business2.

    curl -X POST 'https://<Panorama>/restapi/v9.1/objects/sdwanpathqualityprofiles?location=device-group&device-group=SD-WAN_Branch&name=general-business2' \
      -H 'X-PAN-KEY: <api key>' \
      -d '{
        "entry": {
          "@name": "general-business2",
          "metric": {
            "jitter": { "sensitivity": "medium", "threshold": 20 },
            "latency": { "sensitivity": "medium", "threshold": 300 },
            "pkt-loss": { "sensitivity": "medium", "threshold": 5 }
          }
        }
      }'
- Create a traffic distribution profile.
Create a traffic distribution profile, which specifies how a firewall determines a new best path if the current preferred path exceeds a path quality threshold. A traffic distribution profile specifies one of three possible distribution methods: Best Available Path, Top-Down Priority, and Weighted Session Distribution. The profile also includes one or more link tags, which the distribution method uses to narrow its selection of a new path.

The POST request below creates a traffic distribution profile that uses top-down priority and includes two link tags: Broadband-ISP and LTE-ISP. See Create a Tag (REST API) for an example of a REST API request to create a link tag.

    curl -X POST 'https://<Panorama>/restapi/v9.1/objects/sdwantrafficdistributionprofiles?location=device-group&device-group=SD-WAN_Branch&name=BroadBand2' \
      -H 'X-PAN-KEY: <api key>' \
      -d '{
        "entry": {
          "@name": "BroadBand2",
          "traffic-distribution": "Top Down Priority",
          "link-tags": {
            "entry": [ { "@name": "Broadband-ISP" }, { "@name": "LTE-ISP" } ]
          }
        }
      }'

- Create an SD-WAN policy pre rule.
An SD-WAN policy pre rule specifies application(s) and/or service(s) and a traffic distribution profile to determine how a firewall selects the preferred path for an incoming packet that doesn’t belong to an existing session and that matches all other criteria. Examples of the criteria are source and destination zones, source and destination IP addresses, and source user. The SD-WAN policy pre rule also specifies a path quality profile of thresholds for packet loss, jitter, and latency. When one of the thresholds is exceeded, the firewall selects a new path for the application(s) and/or service(s).

The POST request below creates an SD-WAN policy pre rule that Panorama will push to a device group called SD-WAN_Branch. The request body parameters include both a path quality profile and a traffic distribution profile. The parameters also include Trust-PA220 and Wireless-PA220 as the source zones and Untrust-PA220 as the destination zone. See Configure a Security Zone (REST API) for an example of a REST API request to create a zone.

    curl -X POST 'https://<Panorama>/restapi/v9.1/policies/sdwanprerules?location=device-group&device-group=SD-WAN_Branch&name=HQ_Service_Test' \
      -H 'X-PAN-KEY: <api key>' \
      -d '{
        "entry": {
          "@name": "HQ_Service_Test",
          "from": { "member": [ "Trust-PA220", "Wireless-PA220" ] },
          "to": { "member": [ "Untrust-PA220" ] },
          "source": { "member": [ "any" ] },
          "source-user": { "member": [ "any" ] },
          "destination": { "member": [ "any" ] },
          "application": { "member": [ "ping" ] },
          "service": { "member": [ "any" ] },
          "negate-source": "no",
          "negate-destination": "no",
          "disabled": "no",
          "description": "For SD-WAN test",
          "path-quality-profile": "general-business",
          "action": { "traffic-distribution-profile": "BroadBand2" }
        }
      }'
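
The three requests above assembled in Python, as an added example that is not part of the original documentation: it builds each POST without sending it, orders the profiles before the rule, and reports profile names the pre rule references that this batch does not create. The host `panorama.example.invalid` and the `PAN_API_KEY` environment variable are placeholders chosen for this example.

```python
import json
import os
from urllib.parse import urlencode
from urllib.request import Request

BASE = "https://panorama.example.invalid/restapi/v9.1"  # placeholder host (assumption)
DEVICE_GROUP = "SD-WAN_Branch"

# Request bodies from the three steps, as Python dicts.
PATH_QUALITY = {"@name": "general-business2", "metric": {
    "jitter": {"sensitivity": "medium", "threshold": 20},
    "latency": {"sensitivity": "medium", "threshold": 300},
    "pkt-loss": {"sensitivity": "medium", "threshold": 5}}}
DISTRIBUTION = {"@name": "BroadBand2", "traffic-distribution": "Top Down Priority",
                "link-tags": {"entry": [{"@name": "Broadband-ISP"}, {"@name": "LTE-ISP"}]}}
PRE_RULE = {"@name": "HQ_Service_Test",
            "from": {"member": ["Trust-PA220", "Wireless-PA220"]},
            "to": {"member": ["Untrust-PA220"]},
            "source": {"member": ["any"]}, "source-user": {"member": ["any"]},
            "destination": {"member": ["any"]},
            "application": {"member": ["ping"]}, "service": {"member": ["any"]},
            "negate-source": "no", "negate-destination": "no", "disabled": "no",
            "description": "For SD-WAN test",
            "path-quality-profile": "general-business",
            "action": {"traffic-distribution-profile": "BroadBand2"}}

def build_post(path, entry, api_key):
    """Build (not send) the POST for one device-group object or rule."""
    query = urlencode({"location": "device-group",
                       "device-group": DEVICE_GROUP, "name": entry["@name"]})
    body = json.dumps({"entry": entry}).encode()  # serializer output is always valid JSON
    return Request(f"{BASE}/{path}?{query}", data=body, method="POST",
                   headers={"X-PAN-KEY": api_key})

def unresolved_refs(rule, quality_profiles, distribution_profiles):
    """Profile names the rule uses that this batch does not create."""
    created = {"path-quality-profile": {p["@name"] for p in quality_profiles},
               "traffic-distribution-profile": {p["@name"] for p in distribution_profiles}}
    used = {"path-quality-profile": rule["path-quality-profile"],
            "traffic-distribution-profile": rule["action"]["traffic-distribution-profile"]}
    return [(kind, name) for kind, name in used.items() if name not in created[kind]]

def plan(api_key):
    """Requests in dependency order: both profiles before the rule."""
    return [build_post("objects/sdwanpathqualityprofiles", PATH_QUALITY, api_key),
            build_post("objects/sdwantrafficdistributionprofiles", DISTRIBUTION, api_key),
            build_post("policies/sdwanprerules", PRE_RULE, api_key)]

if __name__ == "__main__":
    key = os.environ.get("PAN_API_KEY", "")  # hypothetical variable; keeps the key out of argv
    for req in plan(key):
        print(req.get_method(), req.full_url)
    print("not created here:", unresolved_refs(PRE_RULE, [PATH_QUALITY], [DISTRIBUTION]))
```

The check reports `general-business`: the rule names that profile rather than the `general-business2` created in the first step, so that profile has to be present on Panorama already when the rule is created.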