topic Re: How can I only allow specific source address to insert XML-API request in General Topics

How can I only allow specific source address to insert XML-API request

SampleWu — Fri, 09 Aug 2013 02:37:44 GMT

Hi, all,

As title, everybody can ask PA and insert the URI to do what they want PA to do if people have the plaintext key and correct URI request.

I want to limit the request to only permitted source address, but I cannot find any app-id about it, how can I do?

Thanks,

Sample Wu

Re: How can I only allow specific source address to insert XML-API request

UhMayYeah — Fri, 09 Aug 2013 06:22:08 GMT

XML API request on PA interface would be treated as general admin web access ,identified as web-browsing.

If there is a particular data plane interface that is used for XML-API requests ,you could configure Permitted IP through Interface-Management Profile or create an intra-zone rule allowing only a single address for Web-browsing .

Other option would be to create a Custom- HTTP based app for XML api.

Re: How can I only allow specific source address to insert XML-API request

Chatri — Fri, 09 Aug 2013 06:22:51 GMT

The interface that you are using to log in to the API browser or to put in the API request, you set up an interface management profile on that interface and specify permitted Ip addresses on it.

That should help you achieve what you are trying to achieve.

Re: How can I only allow specific source address to insert XML-API request

mbutt — Sat, 10 Aug 2013 23:36:43 GMT

For dataplane ports create a management profile by going to Network ---->interface management--->

select the services you want and allow permitted ip addresses.

Now apply to the interface you are interested on by going to network ---->interfaces

To permit certain ip address on management interface you can go to Device--> setup -> management->management interface settings.

select the services you want and allow permitted ip addresses.

Hope this helps.

Thanks

Re: How can I only allow specific source address to insert XML-API request

SampleWu — Sun, 11 Aug 2013 00:49:27 GMT

Hi, Nadir, Chatri, and mbutt,

I'm appreciated about your replies, it's helpful.

Besides this way, do we have another way to control who can use the XML-API request ? just like an app-id ?

I want to control it by service port number, but it cannot be.

Because the service port number are tcp/80, tcp/443, or tcp/4443, so that I cannot limit it and seprate the Admin's management and XML-API request.

Is it possible to create an app-id is about XML-API request ?

Thanks,

Sample Wu