This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Restricted access to API?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Restricted access to API?

XavierMe
L1 Bithead

‎12-22-2015 06:21 AM - edited ‎12-22-2015 06:21 AM

Hi *,

 

I'd like to know if it's possible to restrict access to the API? (ex: to some IP addresses).

Example: if remote management is allowed from 192.168.0.0/24, is it possible to restrict the API usage to 192.168.0.1 by example?

Is it an option to dedicate a specific IP address to the answer to API requests?

What are the best practices to prevent an API key to be used by another host to access the firewall?

 

KR,

/x

 

0 Likes Likes
4 REPLIES 4

reaper
Cyber Elite
Cyber Elite

‎12-22-2015 06:39 AM - edited ‎12-22-2015 06:43 AM

Hi Xavier

 

in the Management Interface Settings you can control which IP addresses or subnets are permitted to connect to the firewall interface. 

2015-12-22_15-30-49.png

 

you can then prevent individual administrator accounts from accessing the API by creating an admin role

(so the best practice here is to not share your API key, as this is linked to your account and grants access to the API)

2015-12-22_15-36-32.png

and then create new admins with that role

2015-12-22_15-42-04.png

 

any interface that has management features enabled (mgmt interface or dataplane interface with management profile) will also respond to API if the IP is permitted to connect to any management feature

 

hope this helps

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

Gun-Slinger
L4 Transporter
In response to reaper

‎04-07-2017 09:49 AM

Has the thought been made to allow admins to restrict an API account to certain commands? For example API accounts built for dynamic address groups but you don't want them to be able to run any other commands..?

0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to Gun-Slinger

‎04-07-2017 11:52 AM

@Gun-Slinger I would put in a future request for it and see if it maybe already has a request in place for it. Currently you only have the ability to lock down the api so that they have the right to perform different types of request. 

0 Likes Likes

Gun-Slinger
L4 Transporter
In response to BPry

‎04-08-2017 07:51 AM

Feature Request Submitted. If anyone else is looking for this feature please have your SE vote for the following:

 

FR ID: 7154

 

 

  • 3997 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks