Work with Policy Rules on Panorama (REST API)
On Panorama, you create policy rules as Pre Rules or Post Rules and then push them from Panorama to the managed firewalls. You can view these rules on the managed firewalls, but you can edit Pre Rules and Post Rules only on Panorama. Pre Rules are added to the top of the rule order and are evaluated first; Post Rules are added after any locally defined rules on the firewall, at the bottom of the rule hierarchy, so they are evaluated last. Post Rules typically contain rules that deny traffic based on App-ID, User-ID, or Service. Both Pre Rules and Post Rules exist in two scopes: Shared rules apply to all managed devices and device groups, and device group rules apply only to the firewalls in a specific device group.
The example in this section shows you how to create and update a Security policy rule on Panorama. Use it to get familiar with the REST API and then adapt it to the other policy types on the firewall. The REST API reference documentation at https://<Panorama IP address or FQDN>/restapi-doc/ lists the resource URIs for the different objects and policies and the properties supported for each type of request. For an overview, see PAN-OS REST API Request and Response Structure.
Create a Log Forwarding Object
Make a POST request to create a log forwarding profile that forwards traffic and threat logs to the Logging Service. To make the profile named log-forwarding-LS available to all firewalls in the device group named devicegroup-7, create it with the query parameters location=device-group&device-group=devicegroup-7&name=log-forwarding-LS (that is, location=device-group&device-group=<dg_name>&name=<object_name>) and the request body shown below. The API key is sent in the custom header X-PAN-KEY; because that key authenticates every request, send it only over HTTPS to a Panorama whose certificate you trust.
curl -X POST \
  'https://10.5.1.70/restapi/v11.0/Objects/LogForwardingProfiles?name=log-forwarding-LS&location=device-group&device-group=devicegroup-7' \
  -H 'X-PAN-KEY: LUFRPT1=' \
  -d '{
    "entry": {
      "@name": "log-forwarding-LS",
      "match-list": {
        "entry": [
          {
            "@name": "only_traffic_logs",
            "filter": "All Logs",
            "log-type": "traffic",
            "send-to-panorama": "yes"
          },
          {
            "@name": "only_threat_logs",
            "filter": "All Logs",
            "log-type": "threat",
            "send-to-panorama": "yes"
          }
        ]
      }
    }
  }'
You can now use this log forwarding object in
a Security policy rule.
Edit a Security Policy Pre Rule
To modify a Security policy Pre Rule, make a PUT request to https://<Panorama IP address or FQDN>/restapi/v11.0/Policies/SecurityPreRules. The query parameters are the name of the rule, the location, and, if the location is a device group, the device group name: location=device-group&device-group=<device_group_name>&name=<rule_name>. In the request body, specify the same name, location, and device group name, and include the required properties for the Security policy pre rule. This example shows how to reference the log forwarding profile you created earlier. Refer to the REST API reference documentation at https://<Panorama IP address or FQDN>/restapi-doc/ for the required and optional properties in the request body.
Because a PUT replaces the whole rule, first use a GET request to the same URI to fetch the current configuration of the Security policy pre rule you want to modify, and copy the response. Use it as the starting point for the request body in your PUT request and change only the properties you want to edit; otherwise any property you leave out is reset.
curl -X PUT \
  'https://10.2.1.7/restapi/v11.0/Policies/SecurityPreRules?location=device-group&device-group=devicegroup-7&name=allow-dns' \
  -H 'X-PAN-KEY: LUFRPT=' \
  -d '{
    "entry": [
      {
        "@device-group": "devicegroup-7",
        "@location": "device-group",
        "@name": "allow-dns",
        "action": "allow",
        "application": { "member": [ "dns" ] },
        "category": { "member": [ "any" ] },
        "destination": { "member": [ "any" ] },
        "from": { "member": [ "any" ] },
        "source-hip": { "member": [ "any" ] },
        "destination-hip": { "member": [ "any" ] },
        "log-setting": "log-forwarding-LS",
        "log-start": "yes",
        "service": { "member": [ "application-default" ] },
        "source": { "member": [ "any" ] },
        "source-user": { "member": [ "any" ] },
        "target": { "negate": "no" },
        "to": { "member": [ "any" ] }
      }
    ]
  }'
The response body indicates the success or failure of the request. If you reference a Security policy Pre Rule that does not exist, because the rule name is invalid or the location is incorrect, the response is:
{
  "code": 5,
  "details": [
    {
      "@type": "CauseInfo",
      "causes": [
        {
          "code": 7,
          "description": "Object Not Present: No object to edit.",
          "module": "panui_mgmt"
        }
      ]
    }
  ],
  "message": "Object Not Present"
}
For help with the error codes, see PAN-OS REST API Error Codes.
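The two curl calls above, plus the GET-then-PUT flow and the error response, as one small Python client. This is an added example and not code from the PAN-OS documentation or from Palo Alto Networks. Everything beyond the page's URIs, query parameters, header and JSON shapes is an assumption: the Panorama host, device group, rule and profile names and the API key are caller-supplied; the success response shape (result.entry[]) is what the REST API returns for a GET in my experience but is not shown on this page; and the HTTP transport is injectable so the logic can be exercised offline against a constructed fake Panorama.

```python
"""Added example (not Palo Alto Networks' code): the page's Panorama REST
workflow - create a Log Forwarding profile in a device group, then GET a
Security Pre Rule, point it at the profile and PUT it back.
Assumed, not from the page: host, names, key, the GET success shape, and the
injectable transport used to run offline against FakePanorama below."""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

API_VERSION = "v11.0"  # version segment used in the page's URIs


class PanoramaRestError(Exception):
    """Non-success REST response, e.g. code 5 'Object Not Present' from the page."""


class PanoramaClient:
    def __init__(self, host, api_key, send=None, verify_tls=True):
        self.base = f"https://{host}/restapi/{API_VERSION}"  # TLS only: X-PAN-KEY is a bearer secret
        self.api_key, self.verify_tls = api_key, verify_tls
        # send(method, url, body_bytes_or_None, headers) -> (http_status, body_text)
        self._send = send or self._http_send

    def _http_send(self, method, url, body, headers):
        ctx = ssl.create_default_context()
        if not self.verify_tls:  # lab Panorama with a self-signed certificate only
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:  # error JSON travels in the body
            return err.code, err.read().decode()

    def url(self, resource, device_group, name):
        # Query string from the page: location=device-group&device-group=<dg>&name=<name>
        query = urllib.parse.urlencode(
            {"location": "device-group", "device-group": device_group, "name": name})
        return f"{self.base}/{resource}?{query}"

    def request(self, method, resource, device_group, name, body=None):
        headers = {"X-PAN-KEY": self.api_key, "Accept": "application/json"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        status, text = self._send(method, self.url(resource, device_group, name), data, headers)
        result = json.loads(text)
        # Error bodies carry top-level "code"/"message" (page's example); successes carry "@status".
        if status != 200 or "code" in result:
            causes = [c.get("description", "") for d in result.get("details", [])
                      for c in d.get("causes", [])]
            raise PanoramaRestError(f"{result.get('message', status)}: {'; '.join(causes)}")
        return result


def log_forwarding_profile(name):
    """Request body from the page: forward traffic and threat logs to Panorama."""
    match = [{"@name": f"only_{t}_logs", "filter": "All Logs", "log-type": t,
              "send-to-panorama": "yes"} for t in ("traffic", "threat")]
    return {"entry": {"@name": name, "match-list": {"entry": match}}}


def attach_log_profile(client, device_group, rule_name, profile_name):
    """GET the current pre rule, set log-setting, PUT the full entry back.
    Editing the fetched copy keeps every field a bare PUT would otherwise reset."""
    current = client.request("GET", "Policies/SecurityPreRules", device_group, rule_name)
    rule = dict(current["result"]["entry"][0])  # assumed success shape
    rule["log-setting"], rule["log-start"] = profile_name, "yes"
    return client.request("PUT", "Policies/SecurityPreRules", device_group, rule_name,
                          {"entry": [rule]})


class FakePanorama:
    """Constructed offline stand-in answering GET/POST/PUT like the page's examples."""
    def __init__(self, objects):
        self.objects = objects  # (resource, device_group, name) -> entry dict

    def __call__(self, method, url, body, headers):
        assert headers["X-PAN-KEY"], "API key header missing"
        parts = urllib.parse.urlsplit(url)
        q = dict(urllib.parse.parse_qsl(parts.query))
        key = (parts.path.split(f"/restapi/{API_VERSION}/", 1)[1], q["device-group"], q["name"])
        if method == "GET" and key in self.objects:
            return 200, json.dumps({"@status": "success", "@code": "19",
                                    "result": {"entry": [self.objects[key]]}})
        if method == "POST" or (method == "PUT" and key in self.objects):
            entry = json.loads(body)["entry"]
            self.objects[key] = entry[0] if isinstance(entry, list) else entry
            return 200, json.dumps({"@status": "success", "@code": "20", "msg": "command succeeded"})
        return 400, json.dumps({"code": 5, "message": "Object Not Present", "details": [{
            "@type": "CauseInfo", "causes": [{"code": 7, "module": "panui_mgmt",
            "description": "Object Not Present: No object to edit."}]}]})  # page's error body


def demo():
    """Run the page's workflow against the fake; returns (edited_rule, error_text)."""
    fake = FakePanorama({("Policies/SecurityPreRules", "devicegroup-7", "allow-dns"):
                         {"@name": "allow-dns", "action": "allow",
                          "application": {"member": ["dns"]}, "to": {"member": ["any"]}}})
    client = PanoramaClient("panorama.example.net", "LUFRPT-example-key", send=fake)
    client.request("POST", "Objects/LogForwardingProfiles", "devicegroup-7",
                   "log-forwarding-LS", log_forwarding_profile("log-forwarding-LS"))
    attach_log_profile(client, "devicegroup-7", "allow-dns", "log-forwarding-LS")
    edited = fake.objects[("Policies/SecurityPreRules", "devicegroup-7", "allow-dns")]
    try:  # wrong device group: same "Object Not Present" error the page shows
        attach_log_profile(client, "devicegroup-8", "allow-dns", "log-forwarding-LS")
        error = None
    except PanoramaRestError as err:
        error = str(err)
    return edited, error


if __name__ == "__main__":
    print(demo())
```

Against a real Panorama, drop the `send=` argument so the client uses HTTPS with certificate verification, and keep `verify_tls=True` outside a lab. Changes made this way land in the candidate configuration; they take effect on the managed firewalls only after a commit on Panorama and a push to the device group, which this page does not cover.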