I'd like to know if it's possible to restrict access to the API? (ex: to some IP addresses).
Example: if remote management is allowed from 192.168.0.0/24, is it possible to restrict the API usage to 192.168.0.1 by example?
Is it an option to dedicate a specific IP address to the answer to API requests?
What are the best practices to prevent an API key to be used by another host to access the firewall?
in the Management Interface Settings you can control which IP addresses or subnets are permitted to connect to the firewall interface.
you can then prevent individual administrator accounts from accessing the API by creating an admin role
(so the best practice here is to not share your API key, as this is linked to your account and grants access to the API)
and then create new admins with that role
any interface that has management features enabled (mgmt interface or dataplane interface with management profile) will also respond to API if the IP is permitted to connect to any management feature
hope this helps
Has the thought been made to allow admins to restrict an API account to certain commands? For example API accounts built for dynamic address groups but you don't want them to be able to run any other commands..?
@Gun-Slinger I would put in a future request for it and see if it maybe already has a request in place for it. Currently you only have the ability to lock down the api so that they have the right to perform different types of request.
Feature Request Submitted. If anyone else is looking for this feature please have your SE vote for the following:
FR ID: 7154
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!