{ "$schema": "https://json-structure.org/meta/core/v0/#", "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/pan-os-security-rule-structure.json", "name": "PAN-OS Security Rule", "description": "Schema for a PAN-OS firewall security policy rule as represented in the REST and XML API. Security rules define the traffic enforcement criteria on Palo Alto Networks next-generation firewalls and Panorama-managed devices. Each rule specifies source zone, destination zone, source address, destination address, application, service, and action parameters that determine how matching traffic is handled. Rules are evaluated top-down within a rulebase and can be configured at the device, virtual system, or Panorama device group level.", "type": "object", "properties": { "name": { "type": "string", "description": "Unique name of the security rule within its rulebase. Must be unique within the device group or virtual system. Maximum 63 characters, must start with a letter or underscore, and may contain letters, digits, periods, hyphens, underscores, and spaces.", "maxLength": 63, "pattern": "^[a-zA-Z_][a-zA-Z0-9._\\- ]*$" }, "description": { "type": "string", "description": "Free-form text description of the rule's purpose, intent, or business justification. Used for documentation and operational context in policy management workflows. Maximum 1024 characters.", "maxLength": 1024 }, "tag": { "type": "array", "description": "List of administrative tags applied to the rule for organizational grouping, filtering, and policy management. Tags must be pre-defined as tag objects on the device or Panorama before being referenced here.", "items": { "type": "string", "description": "A tag name referencing an existing tag object defined on the device or Panorama." } }, "from": { "type": "array", "description": "List of source security zones. Traffic must originate from one of the listed zones for the rule to match. 
Use 'any' to match all zones. Corresponds to the Source Zone field in the PAN-OS security policy editor.", "default": [ "any" ], "items": { "type": "string", "description": "A security zone name or the keyword 'any' to match all zones." } }, "to": { "type": "array", "description": "List of destination security zones. Traffic must be destined for one of the listed zones for the rule to match. Use 'any' to match all zones. Corresponds to the Destination Zone field in the PAN-OS security policy editor.", "default": [ "any" ], "items": { "type": "string", "description": "A security zone name or the keyword 'any' to match all zones." } }, "source": { "type": "array", "description": "List of source address specifiers. Each entry may be an address object name, address group name, IPv4 address, IPv6 address, IP range, CIDR subnet, FQDN object, or the keyword 'any' to match all source addresses.", "default": [ "any" ], "items": { "type": "string", "description": "An address object name, address group name, IP address, CIDR notation, IP range, FQDN, or 'any'." } }, "destination": { "type": "array", "description": "List of destination address specifiers. Each entry may be an address object name, address group name, IPv4 address, IPv6 address, IP range, CIDR subnet, FQDN object, or the keyword 'any' to match all destination addresses.", "default": [ "any" ], "items": { "type": "string", "description": "An address object name, address group name, IP address, CIDR notation, IP range, FQDN, or 'any'." } }, "source-user": { "type": "array", "description": "List of source users or user groups the rule applies to. Requires User-ID to be enabled on the ingress zone. 
Use 'any' to match all users, 'unknown' to match unauthenticated traffic, 'known-user' to match any identified user, or 'pre-logon' for GlobalProtect pre-logon tunnel users.", "default": [ "any" ], "items": { "type": "string", "description": "A username, user group name, or special keyword: any, unknown, known-user, pre-logon." } }, "application": { "type": "array", "description": "List of applications or application groups the rule applies to. PAN-OS uses App-ID technology to identify applications regardless of port, protocol, or encryption. Use 'any' to match all applications regardless of App-ID classification.", "default": [ "any" ], "items": { "type": "string", "description": "An App-ID application name, application group name, application filter name, or 'any'." } }, "service": { "type": "array", "description": "List of services (TCP/UDP port combinations) the rule applies to. Use 'application-default' to enforce the rule only on the default ports defined for the matched applications, or 'any' to match all ports regardless of application.", "default": [ "application-default" ], "items": { "type": "string", "description": "A service object name, service group name, 'any', or 'application-default'." } }, "action": { "type": "string", "description": "The enforcement action applied when traffic matches all criteria of this rule. 'allow' permits the traffic and applies security profiles if configured. 'deny' blocks the traffic and sends an ICMP unreachable response. 'drop' silently discards the traffic with no response. 'reset-client' sends a TCP RST to the client. 'reset-server' sends a TCP RST to the server. 'reset-both' sends TCP RST to both endpoints.", "enum": [ "allow", "deny", "drop", "reset-client", "reset-server", "reset-both" ] }, "profile-setting": { "description": "Security profile settings defining which threat prevention profiles are applied to traffic matching this rule. 
Profiles are only evaluated when action is 'allow'.", "$ref": "#/$defs/ProfileSetting" }, "log-setting": { "type": "string", "description": "Name of the log forwarding profile to use for traffic logs generated by this rule. The profile determines log destinations such as Panorama, syslog servers, email, SNMP traps, or HTTP log forwarding profiles." }, "log-start": { "type": "boolean", "description": "Whether to generate a traffic log entry at the start of each session matching this rule. Enabling log-start increases log volume significantly and is typically reserved for debugging or specific compliance requirements.", "default": false }, "log-end": { "type": "boolean", "description": "Whether to generate a traffic log entry at the end of each session matching this rule. Log-end captures session summary data including total bytes, packets, and duration. Enabled by default for most security rules.", "default": true }, "disabled": { "type": "boolean", "description": "Whether the security rule is administratively disabled. Disabled rules remain in the configuration and policy position but are skipped during policy lookup and traffic enforcement.", "default": false }, "schedule": { "type": "string", "description": "Name of a schedule object that restricts this rule to specific days and times. When no schedule is specified the rule is active at all times. Schedule objects are defined in Objects > Schedules on the device or Panorama." }, "negate-source": { "type": "boolean", "description": "When true, the rule matches traffic from any source address except those listed in the source field. Inverts the source address matching logic to create an exclusion-based source match.", "default": false }, "negate-destination": { "type": "boolean", "description": "When true, the rule matches traffic destined for any address except those listed in the destination field. 
Inverts the destination address matching logic to create an exclusion-based destination match.", "default": false }, "rule-type": { "type": "string", "description": "Specifies the zone-based scope of rule enforcement. 'universal' (the default) matches both inter-zone and intra-zone traffic. 'intrazone' matches only traffic where source and destination zones are the same. 'interzone' matches only traffic between different zones.", "enum": [ "universal", "intrazone", "interzone" ], "default": "universal" } }, "required": [ "name", "from", "to", "source", "destination", "application", "service", "action" ], "definitions": { "ProfileSetting": { "type": "object", "description": "Security profile configuration for a PAN-OS security rule. Profiles provide threat prevention capabilities applied to allowed traffic. May be configured either as a named security profile group bundling multiple profile types, or as individually specified profiles for each threat prevention category.", "properties": { "group": { "type": "array", "description": "Single-element list containing the name of the security profile group to apply to this rule. A security profile group bundles antivirus, anti-spyware, vulnerability protection, URL filtering, file blocking, WildFire analysis, and data filtering profiles into a single reusable object for simplified management.", "items": { "type": "string", "description": "Name of a security profile group object defined on the device or Panorama." }, "maxItems": 1 }, "profiles": { "description": "Individual security profile assignments applied when not using a profile group. Allows granular selection of different profile objects for each threat prevention category.", "$ref": "#/$defs/IndividualProfiles" } }, "name": "ProfileSetting" }, "IndividualProfiles": { "type": "object", "description": "Individual security profile type assignments for a PAN-OS security rule. 
Each property references a named profile object of the corresponding threat prevention category configured on the device or Panorama.", "properties": { "virus": { "type": "array", "description": "Antivirus profile name(s) providing malware detection and prevention for file transfers and downloads across supported protocols.", "items": { "type": "string", "description": "Name of an antivirus profile object defined on the device or Panorama." } }, "spyware": { "type": "array", "description": "Anti-spyware profile name(s) for detecting and blocking spyware callbacks, command-and-control traffic, and DNS-based threats including DNS tunneling and malicious domains.", "items": { "type": "string", "description": "Name of an anti-spyware profile object defined on the device or Panorama." } }, "vulnerability": { "type": "array", "description": "Vulnerability protection profile name(s) for detecting and preventing exploitation of known software vulnerabilities in operating systems, applications, and network services.", "items": { "type": "string", "description": "Name of a vulnerability protection profile object defined on the device or Panorama." } }, "url-filtering": { "type": "array", "description": "URL filtering profile name(s) for controlling access to websites based on URL category classifications from the PAN-DB URL database.", "items": { "type": "string", "description": "Name of a URL filtering profile object defined on the device or Panorama." } }, "file-blocking": { "type": "array", "description": "File blocking profile name(s) for controlling the upload and download of files based on file type, application, and traffic direction.", "items": { "type": "string", "description": "Name of a file blocking profile object defined on the device or Panorama." 
} }, "wildfire-analysis": { "type": "array", "description": "WildFire analysis profile name(s) for forwarding unknown files to the WildFire cloud sandbox for behavioral malware analysis and verdict generation.", "items": { "type": "string", "description": "Name of a WildFire analysis profile object defined on the device or Panorama." } }, "data-filtering": { "type": "array", "description": "Data filtering profile name(s) for detecting and preventing the unauthorized transfer of sensitive data patterns such as credit card numbers, social security numbers, or custom data patterns.", "items": { "type": "string", "description": "Name of a data filtering profile object defined on the device or Panorama." } } }, "name": "IndividualProfiles" } } }