https://live.paloaltonetworks.com/t5/general-topics/restricted-access-to-api/m-p/69758#M40377 <P>Hi Xavier</P> <P>&nbsp;</P> <P>in the Management Interface Settings you can control which IP addresses or subnets are permitted to connect to the firewall interface.&nbsp;</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/1729iF4CCF4C2E160B2A8/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="2015-12-22_15-30-49.png" title="2015-12-22_15-30-49.png" /></P> <P>&nbsp;</P> <P>you can then prevent individual administrator accounts from accessing the API by creating an admin role</P> <P>(so the best practice here is to not share <EM>your</EM> API key, as this is linked to your account and grants access to the API)</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/1730iC88353D8E2052309/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="2015-12-22_15-36-32.png" title="2015-12-22_15-36-32.png" /></P> <P>and then create new admins with that role</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/1731i17A5EDB4823CD6C6/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="2015-12-22_15-42-04.png" title="2015-12-22_15-42-04.png" /></P> <P>&nbsp;</P> <P>any interface that has management features enabled (mgmt interface or dataplane interface with management profile) will also respond to API if the IP is permitted to connect to any management feature</P> <P>&nbsp;</P> <P>hope this helps</P> <P>Tom</P> Tue, 22 Dec 2015 14:43:28 GMT reaper 2015-12-22T14:43:28Z https://live.paloaltonetworks.com/t5/general-topics/restricted-access-to-api/m-p/69755#M40376 <P>Hi *,</P> <P>&nbsp;</P> <P>I'd like to know if it's possible to restrict access to the API? (ex: to some IP addresses).</P> <P>Example: if remote management is allowed from 192.168.0.0/24, is it possible to restrict the API usage to 192.168.0.1 by example?</P> <P>Is it an option to dedicate a specific IP address to the answer to API requests?</P> <P>What are the best practices to prevent an API key to be used by another host to access the firewall?</P> <P>&nbsp;</P> <P>KR,</P> <P>/x</P> <P>&nbsp;</P> Tue, 22 Dec 2015 14:21:53 GMT https://live.paloaltonetworks.com/t5/general-topics/restricted-access-to-api/m-p/69755#M40376 XavierMe 2015-12-22T14:21:53Z https://live.paloaltonetworks.com/t5/general-topics/restricted-access-to-api/m-p/69758#M40377 <P>Hi Xavier</P> <P>&nbsp;</P> <P>in the Management Interface Settings you can control which IP addresses or subnets are permitted to connect to the firewall interface.&nbsp;</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/1729iF4CCF4C2E160B2A8/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="2015-12-22_15-30-49.png" title="2015-12-22_15-30-49.png" /></P> <P>&nbsp;</P> <P>you can then prevent individual administrator accounts from accessing the API by creating an admin role</P> <P>(so the best practice here is to not share <EM>your</EM> API key, as this is linked to your account and grants access to the API)</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/1730iC88353D8E2052309/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="2015-12-22_15-36-32.png" title="2015-12-22_15-36-32.png" /></P> <P>and then create new admins with that role</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/1731i17A5EDB4823CD6C6/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="2015-12-22_15-42-04.png" title="2015-12-22_15-42-04.png" /></P> <P>&nbsp;</P> <P>any interface that has management features enabled (mgmt interface or dataplane interface with management profile) will also respond to API if the IP is permitted to connect to any management feature</P> <P>&nbsp;</P> <P>hope this helps</P> <P>Tom</P> Tue, 22 Dec 2015 14:43:28 GMT https://live.paloaltonetworks.com/t5/general-topics/restricted-access-to-api/m-p/69758#M40377 reaper 2015-12-22T14:43:28Z https://live.paloaltonetworks.com/t5/general-topics/restricted-access-to-api/m-p/151750#M50229 <P>Has the thought been made to allow admins to restrict an API account to certain commands? For example API accounts built for dynamic address groups but you don't want them to be able to run any other commands..?</P> Fri, 07 Apr 2017 16:49:14 GMT https://live.paloaltonetworks.com/t5/general-topics/restricted-access-to-api/m-p/151750#M50229 Gun-Slinger 2017-04-07T16:49:14Z https://live.paloaltonetworks.com/t5/general-topics/restricted-access-to-api/m-p/151782#M50237 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5588">@Gun-Slinger</a>&nbsp;I would put in a future request for it and see if it maybe already has a request in place for it. Currently you only have the ability to lock down the api so that they have the right to perform different types of request.&nbsp;</P> Fri, 07 Apr 2017 18:52:50 GMT https://live.paloaltonetworks.com/t5/general-topics/restricted-access-to-api/m-p/151782#M50237 BPry 2017-04-07T18:52:50Z https://live.paloaltonetworks.com/t5/general-topics/restricted-access-to-api/m-p/151810#M50249 <P>Feature Request Submitted. If anyone else is looking for this feature please have your SE vote for the following:</P><P>&nbsp;</P><P><STRONG>FR ID:</STRONG> 7154</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 08 Apr 2017 14:51:39 GMT https://live.paloaltonetworks.com/t5/general-topics/restricted-access-to-api/m-p/151810#M50249 Gun-Slinger 2017-04-08T14:51:39Z