Restricted access to API?


L1 Bithead

Hi *,

 

I'd like to know if it's possible to restrict access to the API? (ex: to some IP addresses).

Example: if remote management is allowed from 192.168.0.0/24, is it possible to restrict the API usage to 192.168.0.1, for example?

Is it an option to dedicate a specific IP address to answering API requests?

What are the best practices to prevent an API key from being used by another host to access the firewall?

 

KR,

/x

 


Cyber Elite

Hi Xavier

 

In the Management Interface Settings you can control which IP addresses or subnets are permitted to connect to the firewall interface.

2015-12-22_15-30-49.png

 

You can then prevent individual administrator accounts from accessing the API by creating an admin role

(so the best practice here is to not share your API key, as this is linked to your account and grants access to the API)

2015-12-22_15-36-32.png

and then create new admins with that role

2015-12-22_15-42-04.png

 

Any interface that has management features enabled (mgmt interface or dataplane interface with management profile) will also respond to API if the IP is permitted to connect to any management feature.

 

Hope this helps

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Has the thought been made to allow admins to restrict an API account to certain commands? For example, API accounts built for dynamic address groups, but you don't want them to be able to run any other commands?

@Gun-Slinger I would put in a feature request for it and see if it maybe already has a request in place for it. Currently you only have the ability to lock down the API so that they have the right to perform different types of request.

Feature Request Submitted. If anyone else is looking for this feature please have your SE vote for the following:

 

FR ID: 7154
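
The two controls discussed in this thread (the permitted IP list and the per-role API request types) can be checked offline against an exported configuration. The script below is an added example, not code from any poster or from the vendor: it flags permitted-IP entries wider than a single host and admin roles that enable more API request types than a dynamic-address-group account needs. The element names (`permitted-ip`, `admin-role`, `xmlapi` and its children) are assumptions about the export layout, and the sample config is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; element names are assumed to match the exported config.
SAMPLE_CONFIG = """
<config>
  <devices><entry name="localhost.localdomain"><deviceconfig><system>
    <permitted-ip>
      <entry name="192.168.0.0/24"/>
      <entry name="192.168.0.1"/>
    </permitted-ip>
  </system></deviceconfig></entry></devices>
  <shared><admin-role>
    <entry name="dag-api"><role><device><xmlapi>
      <user-id>enable</user-id><config>disable</config><op>disable</op>
    </xmlapi></device></role></entry>
    <entry name="broad-api"><role><device><xmlapi>
      <user-id>enable</user-id><config>enable</config><op>enable</op>
    </xmlapi></device></role></entry>
  </admin-role></shared>
</config>
"""

def broad_permitted_ips(root, max_hosts=1):
    """Return permitted-ip entries that cover more than max_hosts addresses."""
    broad = []
    for entry in root.iterfind(".//permitted-ip/entry"):
        net = ipaddress.ip_network(entry.get("name"), strict=False)
        if net.num_addresses > max_hosts:
            broad.append(str(net))
    return broad

def api_role_excess(root, allowed):
    """Map role name -> enabled API request types that are not in `allowed`."""
    findings = {}
    for role in root.iterfind(".//admin-role/entry"):
        enabled = {t.tag for t in role.iterfind(".//xmlapi/*")
                   if (t.text or "").strip() == "enable"}
        extra = sorted(enabled - set(allowed))
        if extra:
            findings[role.get("name")] = extra
    return findings

def audit(xml_text, allowed=("user-id",)):
    """Run both checks; `allowed` is the request-type set the account needs."""
    root = ET.fromstring(xml_text)
    return broad_permitted_ips(root), api_role_excess(root, allowed)

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Because the permitted IP list applies to every management feature, a wide entry there also widens where an API key can be used from.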

 

 
