Restricted access to API?

L1 Bithead

Hi *,

 

I'd like to know if it's possible to restrict access to the API? (ex: to some IP addresses).

Example: if remote management is allowed from 192.168.0.0/24, is it possible to restrict the API usage to 192.168.0.1, for example?

Is it an option to dedicate a specific IP address to the answer to API requests?

What are the best practices to prevent an API key from being used by another host to access the firewall?

 

KR,

/x

 

Community Manager

Re: Restricted access to API?

Hi Xavier

 

In the Management Interface Settings you can control which IP addresses or subnets are permitted to connect to the firewall interface.

 

You can then prevent individual administrator accounts from accessing the API by creating an admin role

(so the best practice here is to not share your API key, as this is linked to your account and grants access to the API)

and then create new admins with that role.

 

Any interface that has management features enabled (mgmt interface or dataplane interface with management profile) will also respond to API if the IP is permitted to connect to any management feature.

 

Hope this helps

Tom


Help the community: Like helpful comments and mark solutions
Reaper out
L3 Networker

Re: Restricted access to API?

Has the thought been made to allow admins to restrict an API account to certain commands? For example, API accounts built for dynamic address groups, but you don't want them to be able to run any other commands?

L7 Applicator

Re: Restricted access to API?

@Gun-Slinger I would put in a feature request for it and see if it maybe already has a request in place for it. Currently you only have the ability to lock down the API so that they have the right to perform different types of requests.

L3 Networker

Re: Restricted access to API?

Feature Request Submitted. If anyone else is looking for this feature please have your SE vote for the following:

 

FR ID: 7154
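
The two controls discussed in this thread (permitted management IPs, and admin roles that limit API request types) can be checked offline against an exported configuration. The script below is an added example, not part of any post above and not vendor code; the XML element layout, the role and account names, and the `audit` helper are assumptions, and the sample config is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; the element layout is an assumption, not a device export.
SAMPLE = """<config>
<devices><entry name="fw"><deviceconfig><system>
 <permitted-ip><entry name="192.168.0.0/24"/></permitted-ip>
</system></deviceconfig></entry></devices>
<shared><admin-role>
 <entry name="no-api"><role><device><xmlapi>
  <config>disable</config><op>disable</op><user-id>disable</user-id>
 </xmlapi></device></role></entry>
 <entry name="dag-feeder"><role><device><xmlapi>
  <config>disable</config><op>disable</op><user-id>enable</user-id>
 </xmlapi></device></role></entry>
</admin-role></shared>
<mgt-config><users>
 <entry name="alice"><permissions><role-based><custom>
  <profile>no-api</profile></custom></role-based></permissions></entry>
 <entry name="svc-dag"><permissions><role-based><custom>
  <profile>dag-feeder</profile></custom></role-based></permissions></entry>
 <entry name="root-admin"><permissions><role-based>
  <superuser>yes</superuser></role-based></permissions></entry>
</users></mgt-config>
</config>"""

def audit(xml_text, api_hosts):
    """Report permitted-ip entries wider than api_hosts and API-capable admins."""
    root = ET.fromstring(xml_text)
    hosts = [ipaddress.ip_address(h) for h in api_hosts]
    nets = [ipaddress.ip_network(e.get("name"), strict=False)
            for e in root.iterfind(".//deviceconfig/system/permitted-ip/entry")]
    # An entry is too wide if it covers addresses other than the expected hosts.
    too_wide = [str(n) for n in nets
                if n.num_addresses > sum(h in n for h in hosts)]
    # Request types each custom admin role leaves enabled.
    roles = {r.get("name"): sorted(x.tag for x in r.iterfind("./role/device/xmlapi/*")
                                   if (x.text or "").strip() == "enable")
             for r in root.iterfind(".//admin-role/entry")}
    api_admins, unscoped = {}, []
    for u in root.iterfind(".//mgt-config/users/entry"):
        profile = u.findtext("./permissions/role-based/custom/profile")
        if profile is None:
            unscoped.append(u.get("name"))  # no custom role limits this account
        elif roles.get(profile):
            api_admins[u.get("name")] = roles[profile]
    return {"no_permitted_ip": not nets, "too_wide": too_wide,
            "api_admins": api_admins, "unscoped": unscoped}
```

Calling `audit(SAMPLE, ["192.168.0.1"])` flags the /24 entry as wider than the single intended API host, lists `svc-dag` as limited to the `user-id` request type, and lists `root-admin` as not scoped by any custom role.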