https://live.paloaltonetworks.com/t5/automation-api-discussions/delete-specific-zone-in-security-policy-via-xml-api/m-p/351919#M2458 <P>So i am trying to delete a specific zone in a policy via XML API.&nbsp; However, it deletes all of the zones within the policy. Is there a better way to accomplish this?&nbsp; Or is it even possible to remove a specific zone without removing all of them?&nbsp;</P> Thu, 24 Sep 2020 18:58:23 GMT dhebal 2020-09-24T18:58:23Z https://live.paloaltonetworks.com/t5/automation-api-discussions/delete-specific-zone-in-security-policy-via-xml-api/m-p/351919#M2458 <P>So i am trying to delete a specific zone in a policy via XML API.&nbsp; However, it deletes all of the zones within the policy. Is there a better way to accomplish this?&nbsp; Or is it even possible to remove a specific zone without removing all of them?&nbsp;</P> Thu, 24 Sep 2020 18:58:23 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/delete-specific-zone-in-security-policy-via-xml-api/m-p/351919#M2458 dhebal 2020-09-24T18:58:23Z https://live.paloaltonetworks.com/t5/automation-api-discussions/delete-specific-zone-in-security-policy-via-xml-api/m-p/381969#M2540 <P>I struggled with this as well and came up with this as my solution for running on Panorama.<BR /><BR />I'm using Postman for my API calls in this case<BR /><BR /><STRONG>update <U>all</U> zones in either the Source Zone OR the Destination Zone - </STRONG>not both at the same time&nbsp; (you are basically overwriting/replacing all of the zones in either the source or destination zone to have the zones you want instead of "deleting" only the zone you want rid of).<BR /><BR />if you had a rule or multiple rules with multiple source (or destination) zones - i.e. trust, untrust and dmz - and you wanted to just eliminate the dmz zone - I used the below API and CSV to accomplish this.<BR /><BR />I have a CSV file with variables for device group/policy name {{$policy}}, rule name {{$ruleName}} and FROM zone {{$FROM_Zone}}.<BR /><STRONG>CSV:</STRONG></P><P>$policy,$ruleName,$FROM_Zone<BR />pan-policy-1,testrule1,&lt;member&gt;trust&lt;/member&gt;&lt;member&gt;untrust&lt;/member&gt;</P><P>pan-policy-1,testrule2,&lt;member&gt;trust&lt;/member&gt;&lt;member&gt;untrust&lt;/member&gt;</P><P>pan-policy-1,testrule3,&lt;member&gt;trust&lt;/member&gt;&lt;member&gt;untrust&lt;/member&gt;</P><P>&nbsp;</P><P><STRONG>then the API Call:</STRONG><BR />https://&lt;panorama-IP&gt;/api/?Key=&lt;API-KEY&gt;&amp;type=config&amp;action=edit&amp;xpath=/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='{{$policy}}']/pre-rulebase/security/rules/entry[@name='{{$ruleName}}']/from&amp;element=&lt;from&gt;{{$FROM_Zone}}&lt;/from&gt;</P><P>&nbsp;</P><P>This will replace all 3 zones (trust, untrust and dmz) in the Source ("from") Zone with only the 2 desired zones - trust and untrust - essentially eliminating the unwanted zone (dmz).</P> Mon, 25 Jan 2021 16:20:04 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/delete-specific-zone-in-security-policy-via-xml-api/m-p/381969#M2540 jfandel 2021-01-25T16:20:04Z