openapi: 3.1.0
info:
  title: Palo Alto Networks Prisma Access Configuration API
  description: >-
    REST API for the Prisma Access SASE platform providing programmatic
    configuration of remote networks, service connections, mobile user
    infrastructure settings, IKE gateways, IPSec tunnels, and security rules.
    Prisma Access delivers cloud-delivered security for branch offices, retail
    locations, and mobile users. All configuration changes are staged in a
    candidate configuration and must be explicitly pushed using the candidate
    push endpoint to take effect. Supports OAuth 2.0 Bearer token
    authentication.
  version: '1.0'
  contact:
    name: Palo Alto Networks Developer Support
    url: https://pan.dev/
  license:
    name: Proprietary
    url: https://www.paloaltonetworks.com/legal
servers:
  - url: https://api.sase.paloaltonetworks.com/sse/config/v1
    description: Prisma Access SASE configuration API server.
security:
  - oauth2: []
tags:
  - name: Configuration
    description: >-
      Candidate configuration management and job tracking.
  - name: IKEGateways
    description: >-
      IKE gateway configuration for establishing IPSec VPN tunnels to Prisma
      Access.
  - name: IPSecTunnels
    description: >-
      IPSec tunnel configuration for site-to-site VPN connectivity.
  - name: MobileAgent
    description: >-
      Mobile user agent infrastructure settings for GlobalProtect remote user
      connectivity.
  - name: RemoteNetworks
    description: >-
      Remote network configuration for connecting branch offices and data
      centers to Prisma Access via IPSec tunnels.
  - name: SecurityRules
    description: >-
      Security policy rule management for controlling traffic flowing through
      Prisma Access.
  - name: ServiceConnections
    description: >-
      Service connection management for providing access to internal resources
      through Prisma Access.
paths:
  /remote-networks:
    get:
      operationId: listRemoteNetworks
      summary: Palo Alto Networks List Remote Networks
      description: >-
        Returns a list of all configured remote networks in the Prisma Access
        tenant.
        Each remote network represents a branch or data center site connected
        via IPSec tunnel. Supports filtering by name and folder, with
        pagination.
      tags:
        - RemoteNetworks
      parameters:
        - name: folder
          in: query
          description: Filter remote networks by folder (e.g., Remote Networks).
          schema:
            type: string
          example: example-folder
        - name: name
          in: query
          description: Filter by remote network name.
          schema:
            type: string
          example: Production Firewall 82
        - name: offset
          in: query
          description: Starting offset for pagination.
          schema:
            type: integer
            default: 0
          example: 0
        - name: limit
          in: query
          description: Maximum number of results to return.
          schema:
            type: integer
            default: 200
            maximum: 5000
          example: 200
      responses:
        '200':
          description: Remote networks returned successfully.
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/RemoteNetwork'
                  offset:
                    type: integer
                  total:
                    type: integer
                  limit:
                    type: integer
              examples:
                ListRemoteNetworks200Example:
                  summary: Default listRemoteNetworks 200 response
                  x-microcks-default: true
                  value:
                    data:
                      - id: example-id
                        name: Corporate Sensor 34
                        region: us-west-2
                        license_type: FWAAS-AGGREGATE
                        spn_name: Production Gateway 60
                        ecmp_load_balancing: disable
                        subnets: &id001
                          - 10.231.109.0/24
                          - 10.117.88.0/24
                        folder: example-folder
                      - id: example-id
                        name: Corporate Sensor 34
                        region: us-west-2
                        license_type: FWAAS-AGGREGATE
                        spn_name: Production Gateway 60
                        ecmp_load_balancing: disable
                        subnets: *id001
                        folder: example-folder
                    offset: 310
                    total: 460
                    limit: 429
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    post:
      operationId: createRemoteNetwork
      summary: Palo Alto Networks Create a Remote Network
      description: >-
        Creates a new remote network configuration in the candidate
        configuration.
        The remote network defines an IPSec tunnel endpoint for connecting a
        branch office or data center to Prisma Access. Changes must be pushed
        to take effect.
      tags:
        - RemoteNetworks
      parameters:
        - name: folder
          in: query
          required: true
          description: Target folder for the remote network (e.g., Remote Networks).
          schema:
            type: string
          example: example-folder
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RemoteNetwork'
            examples:
              CreateRemoteNetworkRequestExample:
                summary: Default createRemoteNetwork request
                x-microcks-default: true
                value:
                  id: example-id
                  name: Corporate Sensor 34
                  region: us-west-2
                  license_type: FWAAS-AGGREGATE
                  spn_name: Production Gateway 60
                  ecmp_load_balancing: disable
                  subnets: *id001
                  folder: example-folder
      responses:
        '201':
          description: Remote network created successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RemoteNetwork'
              examples:
                CreateRemoteNetwork201Example:
                  summary: Default createRemoteNetwork 201 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    name: Corporate Sensor 34
                    region: us-west-2
                    license_type: FWAAS-AGGREGATE
                    spn_name: Production Gateway 60
                    ecmp_load_balancing: disable
                    subnets: *id001
                    folder: example-folder
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /remote-networks/{id}:
    get:
      operationId: getRemoteNetwork
      summary: Palo Alto Networks Get a Remote Network
      description: Returns the configuration of a specific remote network by ID.
      tags:
        - RemoteNetworks
      parameters:
        - name: id
          in: path
          required: true
          description: Unique remote network identifier.
          schema:
            type: string
          example: example-id
      responses:
        '200':
          description: Remote network returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RemoteNetwork'
              examples:
                GetRemoteNetwork200Example:
                  summary: Default getRemoteNetwork 200 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    name: Corporate Sensor 34
                    region: us-west-2
                    license_type: FWAAS-AGGREGATE
                    spn_name: Production Gateway 60
                    ecmp_load_balancing: disable
                    subnets: *id001
                    folder: example-folder
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    put:
      operationId: updateRemoteNetwork
      summary: Palo Alto Networks Update a Remote Network
      description: >-
        Updates the configuration of an existing remote network in the
        candidate configuration. Changes must be pushed to take effect.
      tags:
        - RemoteNetworks
      parameters:
        - name: id
          in: path
          required: true
          description: Unique remote network identifier.
          schema:
            type: string
          example: example-id
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RemoteNetwork'
            examples:
              UpdateRemoteNetworkRequestExample:
                summary: Default updateRemoteNetwork request
                x-microcks-default: true
                value:
                  id: example-id
                  name: Corporate Sensor 34
                  region: us-west-2
                  license_type: FWAAS-AGGREGATE
                  spn_name: Production Gateway 60
                  ecmp_load_balancing: disable
                  subnets: *id001
                  folder: example-folder
      responses:
        '200':
          description: Remote network updated successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RemoteNetwork'
              examples:
                UpdateRemoteNetwork200Example:
                  summary: Default updateRemoteNetwork 200 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    name: Corporate Sensor 34
                    region: us-west-2
                    license_type: FWAAS-AGGREGATE
                    spn_name: Production Gateway 60
                    ecmp_load_balancing: disable
                    subnets: *id001
                    folder: example-folder
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    delete:
      operationId: deleteRemoteNetwork
      summary: Palo Alto Networks Delete a Remote Network
      description: >-
        Deletes a remote network from the candidate configuration. Changes
        must be pushed to take effect.
      tags:
        - RemoteNetworks
      parameters:
        - name: id
          in: path
          required: true
          description: Unique remote network identifier.
          schema:
            type: string
          example: example-id
      responses:
        '200':
          description: Remote network deleted successfully.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /service-connections:
    get:
      operationId: listServiceConnections
      summary: Palo Alto Networks List Service Connections
      description: >-
        Returns a list of all configured service connections. Service
        connections provide access to internal data center resources from
        Prisma Access through dedicated IPSec tunnels.
      tags:
        - ServiceConnections
      parameters:
        - name: folder
          in: query
          description: Filter by folder.
          schema:
            type: string
          example: example-folder
        - name: offset
          in: query
          schema:
            type: integer
            default: 0
          example: 0
        - name: limit
          in: query
          schema:
            type: integer
            default: 200
          example: 200
      responses:
        '200':
          description: Service connections returned successfully.
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/ServiceConnection'
                  offset:
                    type: integer
                  total:
                    type: integer
                  limit:
                    type: integer
              examples:
                ListServiceConnections200Example:
                  summary: Default listServiceConnections 200 response
                  x-microcks-default: true
                  value:
                    data:
                      - id: example-id
                        name: Branch Sensor 44
                        region: us-west-2
                        ipsec_tunnel: example-ipsec_tunnel
                        subnets: &id002
                          - 10.241.132.0/24
                          - 10.82.85.0/24
                        nat_pool: example-nat_pool
                        qos_enabled: false
                        folder: example-folder
                      - id: example-id
                        name: Branch Sensor 44
                        region: us-west-2
                        ipsec_tunnel: example-ipsec_tunnel
                        subnets: *id002
                        nat_pool: example-nat_pool
                        qos_enabled: false
                        folder: example-folder
                    offset: 852
                    total: 192
                    limit: 331
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    post:
      operationId: createServiceConnection
      summary: Palo Alto Networks Create a Service Connection
      description: >-
        Creates a new service connection in the candidate configuration.
        Changes must be pushed to take effect.
      tags:
        - ServiceConnections
      parameters:
        - name: folder
          in: query
          required: true
          description: Target folder for the service connection.
          schema:
            type: string
          example: example-folder
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ServiceConnection'
            examples:
              CreateServiceConnectionRequestExample:
                summary: Default createServiceConnection request
                x-microcks-default: true
                value:
                  id: example-id
                  name: Branch Sensor 44
                  region: us-west-2
                  ipsec_tunnel: example-ipsec_tunnel
                  subnets: *id002
                  nat_pool: example-nat_pool
                  qos_enabled: false
                  folder: example-folder
      responses:
        '201':
          description: Service connection created successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ServiceConnection'
              examples:
                CreateServiceConnection201Example:
                  summary: Default createServiceConnection 201 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    name: Branch Sensor 44
                    region: us-west-2
                    ipsec_tunnel: example-ipsec_tunnel
                    subnets: *id002
                    nat_pool: example-nat_pool
                    qos_enabled: false
                    folder: example-folder
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /service-connections/{id}:
    get:
      operationId: getServiceConnection
      summary: Palo Alto Networks Get a Service Connection
      description: Returns the configuration of a specific service connection.
      tags:
        - ServiceConnections
      parameters:
        - name: id
          in: path
          required: true
          description: Unique service connection identifier.
          schema:
            type: string
          example: example-id
      responses:
        '200':
          description: Service connection returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ServiceConnection'
              examples:
                GetServiceConnection200Example:
                  summary: Default getServiceConnection 200 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    name: Branch Sensor 44
                    region: us-west-2
                    ipsec_tunnel: example-ipsec_tunnel
                    subnets: *id002
                    nat_pool: example-nat_pool
                    qos_enabled: false
                    folder: example-folder
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    put:
      operationId: updateServiceConnection
      summary: Palo Alto Networks Update a Service Connection
      description: Updates an existing service connection in the candidate configuration.
      tags:
        - ServiceConnections
      parameters:
        - name: id
          in: path
          required: true
          description: Unique service connection identifier.
          schema:
            type: string
          example: example-id
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ServiceConnection'
            examples:
              UpdateServiceConnectionRequestExample:
                summary: Default updateServiceConnection request
                x-microcks-default: true
                value:
                  id: example-id
                  name: Branch Sensor 44
                  region: us-west-2
                  ipsec_tunnel: example-ipsec_tunnel
                  subnets: *id002
                  nat_pool: example-nat_pool
                  qos_enabled: false
                  folder: example-folder
      responses:
        '200':
          description: Service connection updated successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ServiceConnection'
              examples:
                UpdateServiceConnection200Example:
                  summary: Default updateServiceConnection 200 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    name: Branch Sensor 44
                    region: us-west-2
                    ipsec_tunnel: example-ipsec_tunnel
                    subnets: *id002
                    nat_pool: example-nat_pool
                    qos_enabled: false
                    folder: example-folder
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    delete:
      operationId: deleteServiceConnection
      summary: Palo Alto Networks Delete a Service Connection
      description: Deletes a service connection from the candidate configuration.
      tags:
        - ServiceConnections
      parameters:
        - name: id
          in: path
          required: true
          description: Unique service connection identifier.
          schema:
            type: string
          example: example-id
      responses:
        '200':
          description: Service connection deleted successfully.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /mobile-agent/infrastructure-settings:
    get:
      operationId: getMobileAgentInfrastructureSettings
      summary: Palo Alto Networks Get Mobile Agent Infrastructure Settings
      description: >-
        Returns the mobile user infrastructure settings for GlobalProtect agent
        connectivity. These settings define the Prisma Access compute
        locations, IP pool allocations, and portal configuration for remote
        mobile users.
      tags:
        - MobileAgent
      parameters:
        - name: folder
          in: query
          description: Filter by folder (e.g., Mobile Users).
          schema:
            type: string
          example: example-folder
      responses:
        '200':
          description: Mobile agent infrastructure settings returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/MobileAgentInfrastructureSettings'
              examples:
                GetMobileAgentInfrastructureSettings200Example:
                  summary: Default getMobileAgentInfrastructureSettings 200 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    name: Branch Sensor 52
                    ip_pool: &id003
                      - example-ip_pool_item
                      - example-ip_pool_item
                    dns_servers: &id004
                      - example-dns_servers_item
                    dns_suffix: &id005
                      - example-dns_suffix_item
                    regions: &id006
                      - name: Production Firewall 52
                        addresses:
                          - example-addresses_item
                          - example-addresses_item
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    post:
      operationId: createMobileAgentInfrastructureSettings
      summary: Palo Alto Networks Create Mobile Agent Infrastructure Settings
      description: >-
        Creates or updates the mobile user infrastructure settings in the
        candidate configuration. Changes must be pushed to take effect.
      tags:
        - MobileAgent
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/MobileAgentInfrastructureSettings'
            examples:
              CreateMobileAgentInfrastructureSettingsRequestExample:
                summary: Default createMobileAgentInfrastructureSettings request
                x-microcks-default: true
                value:
                  id: example-id
                  name: Branch Sensor 52
                  ip_pool: *id003
                  dns_servers: *id004
                  dns_suffix: *id005
                  regions: *id006
      responses:
        '200':
          description: Mobile agent infrastructure settings saved successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/MobileAgentInfrastructureSettings'
              examples:
                CreateMobileAgentInfrastructureSettings200Example:
                  summary: Default createMobileAgentInfrastructureSettings 200 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    name: Branch Sensor 52
                    ip_pool: *id003
                    dns_servers: *id004
                    dns_suffix: *id005
                    regions: *id006
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /ike-gateways:
    get:
      operationId: listIKEGateways
      summary: Palo Alto Networks List IKE Gateways
      description: >-
        Returns a list of IKE gateway configurations. IKE gateways define the
        parameters for establishing the IKE phase 1 negotiation used by IPSec
        VPN tunnels connecting to Prisma Access.
      tags:
        - IKEGateways
      parameters:
        - name: folder
          in: query
          description: Filter by folder.
          schema:
            type: string
          example: example-folder
        - name: offset
          in: query
          schema:
            type: integer
            default: 0
          example: 0
        - name: limit
          in: query
          schema:
            type: integer
            default: 200
          example: 200
      responses:
        '200':
          description: IKE gateways returned successfully.
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/IKEGateway'
                  offset:
                    type: integer
                  total:
                    type: integer
                  limit:
                    type: integer
              examples:
                ListIkegateways200Example:
                  summary: Default listIKEGateways 200 response
                  x-microcks-default: true
                  value:
                    data:
                      - id: example-id
                        name: Branch Sensor 55
                        version: ikev2-preferred
                        peer_address: &id007
                          ip: 10.213.81.33
                          dynamic: true
                        authentication: &id008
                          pre_shared_key: example-pre_shared_key
                          certificate:
                            local_certificate: example-local_certificate
                        local_id: &id009
                          type: fqdn
                          id: example-id
                        peer_id: &id010
                          type: ufqdn
                          id: example-id
                        folder: example-folder
                      - id: example-id
                        name: Branch Sensor 55
                        version: ikev2-preferred
                        peer_address: *id007
                        authentication: *id008
                        local_id: *id009
                        peer_id: *id010
                        folder: example-folder
                    offset: 969
                    total: 242
                    limit: 163
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    post:
      operationId: createIKEGateway
      summary: Palo Alto Networks Create an IKE Gateway
      description: Creates a new IKE gateway in the candidate configuration.
      tags:
        - IKEGateways
      parameters:
        - name: folder
          in: query
          required: true
          description: Target folder for the IKE gateway.
          schema:
            type: string
          example: example-folder
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/IKEGateway'
            examples:
              CreateIkegatewayRequestExample:
                summary: Default createIKEGateway request
                x-microcks-default: true
                value:
                  id: example-id
                  name: Branch Sensor 55
                  version: ikev2-preferred
                  peer_address: *id007
                  authentication: *id008
                  local_id: *id009
                  peer_id: *id010
                  folder: example-folder
      responses:
        '201':
          description: IKE gateway created successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IKEGateway'
              examples:
                CreateIkegateway201Example:
                  summary: Default createIKEGateway 201 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    name: Branch Sensor 55
                    version: ikev2-preferred
                    peer_address: *id007
                    authentication: *id008
                    local_id: *id009
                    peer_id: *id010
                    folder: example-folder
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /ike-gateways/{id}:
    get:
      operationId: getIKEGateway
      summary: Palo Alto Networks Get an IKE Gateway
      description: Returns the configuration of a specific IKE gateway.
      tags:
        - IKEGateways
      parameters:
        - name: id
          in: path
          required: true
          description: Unique IKE gateway identifier.
          schema:
            type: string
          example: example-id
      responses:
        '200':
          description: IKE gateway returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IKEGateway'
              examples:
                GetIkegateway200Example:
                  summary: Default getIKEGateway 200 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    name: Branch Sensor 55
                    version: ikev2-preferred
                    peer_address: *id007
                    authentication: *id008
                    local_id: *id009
                    peer_id: *id010
                    folder: example-folder
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    put:
      operationId: updateIKEGateway
      summary: Palo Alto Networks Update an IKE Gateway
      description: Updates an existing IKE gateway in the candidate configuration.
      tags:
        - IKEGateways
      parameters:
        - name: id
          in: path
          required: true
          description: Unique IKE gateway identifier.
          schema:
            type: string
          example: example-id
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/IKEGateway'
            examples:
              UpdateIkegatewayRequestExample:
                summary: Default updateIKEGateway request
                x-microcks-default: true
                value:
                  id: example-id
                  name: Branch Sensor 55
                  version: ikev2-preferred
                  peer_address: *id007
                  authentication: *id008
                  local_id: *id009
                  peer_id: *id010
                  folder: example-folder
      responses:
        '200':
          description: IKE gateway updated successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IKEGateway'
              examples:
                UpdateIkegateway200Example:
                  summary: Default updateIKEGateway 200 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    name: Branch Sensor 55
                    version: ikev2-preferred
                    peer_address: *id007
                    authentication: *id008
                    local_id: *id009
                    peer_id: *id010
                    folder: example-folder
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    delete:
      operationId: deleteIKEGateway
      summary: Palo Alto Networks Delete an IKE Gateway
      description: Deletes an IKE gateway from the candidate configuration.
      tags:
        - IKEGateways
      parameters:
        - name: id
          in: path
          required: true
          description: Unique IKE gateway identifier.
          schema:
            type: string
          example: example-id
      responses:
        '200':
          description: IKE gateway deleted successfully.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /ipsec-tunnels:
    get:
      operationId: listIPSecTunnels
      summary: Palo Alto Networks List IPSec Tunnels
      description: >-
        Returns a list of IPSec tunnel configurations.
        IPSec tunnels use the IKE gateways to establish encrypted VPN
        connectivity between branch sites or data centers and Prisma Access.
      tags:
        - IPSecTunnels
      parameters:
        - name: folder
          in: query
          description: Filter by folder.
          schema:
            type: string
          example: example-folder
        - name: offset
          in: query
          schema:
            type: integer
            default: 0
          example: 0
        - name: limit
          in: query
          schema:
            type: integer
            default: 200
          example: 200
      responses:
        '200':
          description: IPSec tunnels returned successfully.
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/IPSecTunnel'
                  offset:
                    type: integer
                  total:
                    type: integer
                  limit:
                    type: integer
              examples:
                ListIpsecTunnels200Example:
                  summary: Default listIPSecTunnels 200 response
                  x-microcks-default: true
                  value:
                    data:
                      - id: example-id
                        name: Staging Firewall 42
                        auto_key: &id011
                          ike_gateway:
                            - name: Corporate Firewall 77
                          ipsec_crypto_profile: HVAC Controller
                        tunnel_monitor: &id012
                          enable: false
                          destination_ip: 10.26.144.251
                          proxy_id: '408309'
                        anti_replay: true
                        folder: example-folder
                    offset: 212
                    total: 309
                    limit: 181
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    post:
      operationId: createIPSecTunnel
      summary: Palo Alto Networks Create an IPSec Tunnel
      description: Creates a new IPSec tunnel in the candidate configuration.
      tags:
        - IPSecTunnels
      parameters:
        - name: folder
          in: query
          required: true
          description: Target folder for the IPSec tunnel.
          schema:
            type: string
          example: example-folder
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/IPSecTunnel'
            examples:
              CreateIpsecTunnelRequestExample:
                summary: Default createIPSecTunnel request
                x-microcks-default: true
                value:
                  id: example-id
                  name: Staging Firewall 42
                  auto_key: *id011
                  tunnel_monitor: *id012
                  anti_replay: true
                  folder: example-folder
      responses:
        '201':
          description: IPSec tunnel created successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IPSecTunnel'
              examples:
                CreateIpsecTunnel201Example:
                  summary: Default createIPSecTunnel 201 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    name: Staging Firewall 42
                    auto_key: *id011
                    tunnel_monitor: *id012
                    anti_replay: true
                    folder: example-folder
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /ipsec-tunnels/{id}:
    get:
      operationId: getIPSecTunnel
      summary: Palo Alto Networks Get an IPSec Tunnel
      description: Returns the configuration of a specific IPSec tunnel.
      tags:
        - IPSecTunnels
      parameters:
        - name: id
          in: path
          required: true
          description: Unique IPSec tunnel identifier.
          schema:
            type: string
          example: example-id
      responses:
        '200':
          description: IPSec tunnel returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IPSecTunnel'
              examples:
                GetIpsecTunnel200Example:
                  summary: Default getIPSecTunnel 200 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    name: Staging Firewall 42
                    auto_key: *id011
                    tunnel_monitor: *id012
                    anti_replay: true
                    folder: example-folder
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    put:
      operationId: updateIPSecTunnel
      summary: Palo Alto Networks Update an IPSec Tunnel
      description: Updates an existing IPSec tunnel in the candidate configuration.
      tags:
        - IPSecTunnels
      parameters:
        - name: id
          in: path
          required: true
          description: Unique IPSec tunnel identifier.
          schema:
            type: string
          example: example-id
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/IPSecTunnel'
            examples:
              UpdateIpsecTunnelRequestExample:
                summary: Default updateIPSecTunnel request
                x-microcks-default: true
                value:
                  id: example-id
                  name: Staging Firewall 42
                  auto_key: *id011
                  tunnel_monitor: *id012
                  anti_replay: true
                  folder: example-folder
      responses:
        '200':
          description: IPSec tunnel updated successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IPSecTunnel'
              examples:
                UpdateIpsecTunnel200Example:
                  summary: Default updateIPSecTunnel 200 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    name: Staging Firewall 42
                    auto_key: *id011
                    tunnel_monitor: *id012
                    anti_replay: true
                    folder: example-folder
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    delete:
      operationId: deleteIPSecTunnel
      summary: Palo Alto Networks Delete an IPSec Tunnel
      description: Deletes an IPSec tunnel from the candidate configuration.
      tags:
        - IPSecTunnels
      parameters:
        - name: id
          in: path
          required: true
          description: Unique IPSec tunnel identifier.
          schema:
            type: string
          example: example-id
      responses:
        '200':
          description: IPSec tunnel deleted successfully.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /security-rules:
    get:
      operationId: listSecurityRules
      summary: Palo Alto Networks List Security Rules
      description: >-
        Returns a list of security policy rules configured in Prisma Access.
        Security rules control traffic flowing through the SASE platform by
        specifying source, destination, application, and action criteria.
        Rules are evaluated in order from top to bottom.
      tags:
        - SecurityRules
      parameters:
        - name: folder
          in: query
          required: true
          description: >-
            The folder containing the security rules (e.g., Shared, Mobile
            Users, Remote Networks).
          schema:
            type: string
          example: example-folder
        - name: position
          in: query
          description: Filter by rule position (pre or post).
          schema:
            type: string
            enum:
              - pre
              - post
          example: pre
        - name: offset
          in: query
          schema:
            type: integer
            default: 0
          example: 0
        - name: limit
          in: query
          schema:
            type: integer
            default: 200
          example: 200
      responses:
        '200':
          description: Security rules returned successfully.
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/SecurityRule'
                  offset:
                    type: integer
                  total:
                    type: integer
                  limit:
                    type: integer
              examples:
                ListSecurityRules200Example:
                  summary: Default listSecurityRules 200 response
                  x-microcks-default: true
                  value:
                    data:
                      - id: example-id
                        name: Branch Policy 74
                        description: Security incident incident threat violation malware.
                        disabled: false
                        from: &id013
                          - example-from_item
                        to: &id014
                          - example-to_item
                        source: &id015
                          - example-source_item
                          - example-source_item
                        destination: &id016
                          - example-destination_item
                        source_user: &id017
                          - example-source_user_item
                        application: &id018
                          - ssl
                          - dns
                        service: &id019
                          - example-service_item
                        category: &id020
                          - custom
                        action: drop
                        profile_setting: &id021
                          group:
                            - example-group_item
                        log_setting: example-log_setting
                        tag: &id022
                          - production
                          - critical-asset
                        folder: example-folder
                        position: pre
                      - id: example-id
                        name: Branch Policy 74
                        description: Security incident incident threat violation malware.
                        disabled: false
                        from: *id013
                        to: *id014
                        source: *id015
                        destination: *id016
                        source_user: *id017
                        application: *id018
                        service: *id019
                        category: *id020
                        action: drop
                        profile_setting: *id021
                        log_setting: example-log_setting
                        tag: *id022
                        folder: example-folder
                        position: pre
                    offset: 526
                    total: 263
                    limit: 721
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    post:
      operationId: createSecurityRule
      summary: Palo Alto Networks Create a Security Rule
      description: >-
        Creates a new security rule in the candidate configuration. Changes
        must be pushed to take effect.
      tags:
        - SecurityRules
      parameters:
        - name: folder
          in: query
          required: true
          description: Target folder for the security rule.
          schema:
            type: string
          example: example-folder
        - name: position
          in: query
          description: Position for the new rule (pre or post).
          schema:
            type: string
            enum:
              - pre
              - post
          example: pre
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SecurityRule'
            examples:
              CreateSecurityRuleRequestExample:
                summary: Default createSecurityRule request
                x-microcks-default: true
                value:
                  id: example-id
                  name: Branch Policy 74
                  description: Security incident incident threat violation malware.
                  disabled: false
                  from: *id013
                  to: *id014
                  source: *id015
                  destination: *id016
                  source_user: *id017
                  application: *id018
                  service: *id019
                  category: *id020
                  action: drop
                  profile_setting: *id021
                  log_setting: example-log_setting
                  tag: *id022
                  folder: example-folder
                  position: pre
      responses:
        '201':
          description: Security rule created successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SecurityRule'
              examples:
                CreateSecurityRule201Example:
                  summary: Default createSecurityRule 201 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    name: Branch Policy 74
                    description: Security incident incident threat violation malware.
                    disabled: false
                    from: *id013
                    to: *id014
                    source: *id015
                    destination: *id016
                    source_user: *id017
                    application: *id018
                    service: *id019
                    category: *id020
                    action: drop
                    profile_setting: *id021
                    log_setting: example-log_setting
                    tag: *id022
                    folder: example-folder
                    position: pre
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /security-rules/{id}:
    get:
      operationId: getSecurityRule
      summary: Palo Alto Networks Get a Security Rule
      description: Returns the configuration of a specific security rule.
      tags:
        - SecurityRules
      parameters:
        - name: id
          in: path
          required: true
          description: Unique security rule identifier.
          schema:
            type: string
            example: example-id
      responses:
        '200':
          description: Security rule returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SecurityRule'
              examples:
                GetSecurityRule200Example:
                  summary: Default getSecurityRule 200 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    name: Branch Policy 74
                    description: Security incident incident threat violation malware.
                    disabled: false
                    from: *id013
                    to: *id014
                    source: *id015
                    destination: *id016
                    source_user: *id017
                    application: *id018
                    service: *id019
                    category: *id020
                    action: drop
                    profile_setting: *id021
                    log_setting: example-log_setting
                    tag: *id022
                    folder: example-folder
                    position: pre
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    put:
      operationId: updateSecurityRule
      summary: Palo Alto Networks Update a Security Rule
      description: Updates an existing security rule in the candidate configuration.
      tags:
        - SecurityRules
      parameters:
        - name: id
          in: path
          required: true
          description: Unique security rule identifier.
          schema:
            type: string
            example: example-id
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SecurityRule'
            examples:
              UpdateSecurityRuleRequestExample:
                summary: Default updateSecurityRule request
                x-microcks-default: true
                value:
                  id: example-id
                  name: Branch Policy 74
                  description: Security incident incident threat violation malware.
                  disabled: false
                  from: *id013
                  to: *id014
                  source: *id015
                  destination: *id016
                  source_user: *id017
                  application: *id018
                  service: *id019
                  category: *id020
                  action: drop
                  profile_setting: *id021
                  log_setting: example-log_setting
                  tag: *id022
                  folder: example-folder
                  position: pre
      responses:
        '200':
          description: Security rule updated successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SecurityRule'
              examples:
                UpdateSecurityRule200Example:
                  summary: Default updateSecurityRule 200 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    name: Branch Policy 74
                    description: Security incident incident threat violation malware.
                    disabled: false
                    from: *id013
                    to: *id014
                    source: *id015
                    destination: *id016
                    source_user: *id017
                    application: *id018
                    service: *id019
                    category: *id020
                    action: drop
                    profile_setting: *id021
                    log_setting: example-log_setting
                    tag: *id022
                    folder: example-folder
                    position: pre
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    delete:
      operationId: deleteSecurityRule
      summary: Palo Alto Networks Delete a Security Rule
      description: Deletes a security rule from the candidate configuration.
      tags:
        - SecurityRules
      parameters:
        - name: id
          in: path
          required: true
          description: Unique security rule identifier.
          schema:
            type: string
            example: example-id
      responses:
        '200':
          description: Security rule deleted successfully.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /config-versions/candidate:push:
    post:
      operationId: pushCandidateConfig
      summary: Palo Alto Networks Push Candidate Configuration
      description: >-
        Pushes the current candidate configuration to the running configuration,
        activating all staged changes across remote networks, service
        connections, security policies, and other configuration elements
        modified since the last push. The push is asynchronous and returns a job
        ID for tracking progress.
      tags:
        - Configuration
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                folders:
                  type: array
                  description: >-
                    List of folders to push. If omitted, all folders with
                    pending changes are pushed.
                  items:
                    type: string
                description:
                  type: string
                  description: Description of the configuration push.
            examples:
              PushCandidateConfigRequestExample:
                summary: Default pushCandidateConfig request
                x-microcks-default: true
                value:
                  folders:
                    - example-folders_item
                  description: Policy policy firewall incident threat incident firewall malware traffic threat applied incident.
      responses:
        '200':
          description: Configuration push initiated successfully.
          content:
            application/json:
              schema:
                type: object
                properties:
                  success:
                    type: boolean
                    description: Whether the push was initiated successfully.
                  job_id:
                    type: string
                    description: Job identifier for tracking push operation status.
                  message:
                    type: string
              examples:
                PushCandidateConfig200Example:
                  summary: Default pushCandidateConfig 200 response
                  x-microcks-default: true
                  value:
                    success: false
                    job_id: '436513'
                    message: Monitoring incident network detected blocked traffic applied suspicious.
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /jobs/{id}:
    get:
      operationId: getJobStatus
      summary: Palo Alto Networks Get Job Status
      description: >-
        Returns the current status of an asynchronous job such as a candidate
        configuration push. Poll this endpoint to track the progress of
        long-running operations.
      tags:
        - Configuration
      parameters:
        - name: id
          in: path
          required: true
          description: Job identifier returned by an asynchronous operation.
          schema:
            type: string
            example: example-id
      responses:
        '200':
          description: Job status returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/JobStatus'
              examples:
                GetJobStatus200Example:
                  summary: Default getJobStatus 200 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    type: advanced
                    status: pending
                    result: FAIL
                    start_ts: '2025-09-19T19:32:25Z'
                    end_ts: '2024-08-13T06:47:25Z'
                    description: Investigation violation threat firewall monitoring suspicious.
                    details: &id023
                      - example-details_item
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
components:
  securitySchemes:
    oauth2:
      type: oauth2
      description: >-
        OAuth 2.0 client credentials flow for obtaining an access token.
        Requires a client ID and client secret from the Palo Alto Networks SASE
        identity provider.
      flows:
        clientCredentials:
          tokenUrl: https://auth.apps.paloaltonetworks.com/oauth2/access_token
          scopes: {}
  responses:
    Unauthorized:
      description: Missing or invalid OAuth2 access token.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    Forbidden:
      description: Insufficient permissions for this operation.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    BadRequest:
      description: Invalid request parameters or body.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    NotFound:
      description: The requested resource was not found.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    InternalServerError:
      description: Internal server error.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
  schemas:
    RemoteNetwork:
      type: object
      required:
        - name
        - region
      properties:
        id:
          type: string
          description: Unique identifier for the remote network.
          readOnly: true
          example: example-id
        name:
          type: string
          description: Name of the remote network.
          example: Corporate Sensor 34
        region:
          type: string
          description: Prisma Access compute region (e.g., us-east-1, eu-west-1).
          example: us-west-2
        license_type:
          type: string
          enum:
            - FWAAS-AGGREGATE
            - FWAAS-BYOL
          description: License type assigned to this remote network.
          example: FWAAS-AGGREGATE
        spn_name:
          type: string
          description: Service provider node name for the Prisma Access gateway location.
          example: Production Gateway 60
        ecmp_load_balancing:
          type: string
          enum:
            - enable
            - disable
          description: Enable or disable ECMP load balancing.
          example: disable
        subnets:
          type: array
          items:
            type: string
          description: Local subnets at the remote network site.
          example: *id001
        folder:
          type: string
          description: Folder containing this remote network.
          readOnly: true
          example: example-folder
    ServiceConnection:
      type: object
      required:
        - name
        - region
        - ipsec_tunnel
      properties:
        id:
          type: string
          description: Unique identifier for the service connection.
          readOnly: true
          example: example-id
        name:
          type: string
          description: Name of the service connection.
          example: Branch Sensor 44
        region:
          type: string
          description: Prisma Access compute region.
          example: us-west-2
        ipsec_tunnel:
          type: string
          description: Name of the associated IPSec tunnel.
          example: example-ipsec_tunnel
        subnets:
          type: array
          items:
            type: string
          description: Internal subnets accessible through this connection.
          example: *id002
        nat_pool:
          type: string
          description: NAT pool CIDR for source translation.
          example: example-nat_pool
        qos_enabled:
          type: boolean
          default: false
          description: Whether QoS is enabled on this connection.
          example: false
        folder:
          type: string
          readOnly: true
          example: example-folder
    MobileAgentInfrastructureSettings:
      type: object
      properties:
        id:
          type: string
          readOnly: true
          example: example-id
        name:
          type: string
          description: Name for the infrastructure settings configuration.
          example: Branch Sensor 52
        ip_pool:
          type: array
          items:
            type: string
          description: IP address pools for mobile user address allocation.
          example: *id003
        dns_servers:
          type: array
          items:
            type: string
          description: DNS server IP addresses for mobile users.
          example: *id004
        dns_suffix:
          type: array
          items:
            type: string
          description: DNS suffixes to append for mobile users.
          example: *id005
        regions:
          type: array
          items:
            type: object
            properties:
              name:
                type: string
                description: Prisma Access compute region.
                example: Staging Gateway 93
              addresses:
                type: array
                items:
                  type: string
                description: IP addresses for the mobile user gateway in this region.
                example:
                  - example-addresses_item
          description: Compute regions for mobile user connectivity.
          example: *id006
    IKEGateway:
      type: object
      required:
        - name
        - peer_address
        - authentication
      properties:
        id:
          type: string
          description: Unique identifier for the IKE gateway.
          readOnly: true
          example: example-id
        name:
          type: string
          description: Name of the IKE gateway.
          example: Branch Sensor 55
        version:
          type: string
          enum:
            - ikev1
            - ikev2
            - ikev2-preferred
          default: ikev2-preferred
          description: IKE protocol version.
          example: ikev2-preferred
        peer_address:
          type: object
          description: Peer IP address configuration.
          properties:
            ip:
              type: string
              format: ipv4
              description: Static peer IP address.
              example: 10.81.220.11
            dynamic:
              type: boolean
              description: Whether the peer address is dynamic.
              example: false
          example: *id007
        authentication:
          type: object
          description: IKE authentication configuration.
          properties:
            pre_shared_key:
              type: string
              description: Pre-shared key for IKE authentication.
              example: example-pre_shared_key
            certificate:
              type: object
              properties:
                local_certificate:
                  type: string
                  description: Local certificate profile name.
                  example: example-local_certificate
              example:
                local_certificate: example-local_certificate
          example: *id008
        local_id:
          type: object
          properties:
            type:
              type: string
              enum:
                - ipaddr
                - keyid
                - fqdn
                - ufqdn
              example: ufqdn
            id:
              type: string
              example: example-id
          example: *id009
        peer_id:
          type: object
          properties:
            type:
              type: string
              enum:
                - ipaddr
                - keyid
                - fqdn
                - ufqdn
              example: ipaddr
            id:
              type: string
              example: example-id
          example: *id010
        folder:
          type: string
          readOnly: true
          example: example-folder
    IPSecTunnel:
      type: object
      required:
        - name
        - auto_key
      properties:
        id:
          type: string
          description: Unique identifier for the IPSec tunnel.
          readOnly: true
          example: example-id
        name:
          type: string
          description: Name of the IPSec tunnel.
          example: Staging Firewall 42
        auto_key:
          type: object
          description: Auto-key IKE configuration for the tunnel.
          properties:
            ike_gateway:
              type: array
              items:
                type: object
                properties:
                  name:
                    type: string
                    description: Name of the IKE gateway to use.
                    example: Production Agent 99
              example:
                - name: Branch Agent 66
                - name: Primary Agent 16
            ipsec_crypto_profile:
              type: string
              description: IPSec crypto profile name.
              example: IP Camera
          example: *id011
        tunnel_monitor:
          type: object
          properties:
            enable:
              type: boolean
              example: false
            destination_ip:
              type: string
              format: ipv4
              example: 10.93.88.181
            proxy_id:
              type: string
              example: '109061'
          example: *id012
        anti_replay:
          type: boolean
          default: true
          description: Whether anti-replay protection is enabled.
          example: true
        folder:
          type: string
          readOnly: true
          example: example-folder
    SecurityRule:
      type: object
      required:
        - name
        - from
        - to
        - source
        - destination
        - application
        - action
      properties:
        id:
          type: string
          readOnly: true
          example: example-id
        name:
          type: string
          description: Name of the security rule.
          example: Branch Policy 74
        description:
          type: string
          example: Security incident incident threat violation malware.
        disabled:
          type: boolean
          default: false
          example: false
        from:
          type: array
          description: Source security zones.
          items:
            type: string
          example: *id013
        to:
          type: array
          description: Destination security zones.
          items:
            type: string
          example: *id014
        source:
          type: array
          description: Source addresses or address groups.
          items:
            type: string
          example: *id015
        destination:
          type: array
          description: Destination addresses or address groups.
          items:
            type: string
          example: *id016
        source_user:
          type: array
          description: Source user or user group names.
          items:
            type: string
          example: *id017
        application:
          type: array
          description: Applications to match.
          items:
            type: string
          example: *id018
        service:
          type: array
          description: Services or service groups to match.
          items:
            type: string
          example: *id019
        category:
          type: array
          description: URL categories to match.
          items:
            type: string
          example: *id020
        action:
          type: string
          enum:
            - allow
            - deny
            - drop
            - reset-client
            - reset-server
            - reset-both
          description: Action to take when the rule matches.
          example: drop
        profile_setting:
          type: object
          properties:
            group:
              type: array
              items:
                type: string
              description: Security profile group names.
              example:
                - example-group_item
          example: *id021
        log_setting:
          type: string
          description: Log forwarding profile name.
          example: example-log_setting
        tag:
          type: array
          items:
            type: string
          example: *id022
        folder:
          type: string
          readOnly: true
          example: example-folder
        position:
          type: string
          enum:
            - pre
            - post
          readOnly: true
          example: pre
    JobStatus:
      type: object
      properties:
        id:
          type: string
          description: Unique job identifier.
          example: example-id
        type:
          type: string
          description: Type of asynchronous job.
          example: advanced
        status:
          type: string
          enum:
            - pending
            - running
            - completed
            - failed
          description: Current status of the job.
          example: pending
        result:
          type: string
          enum:
            - OK
            - FAIL
          description: Final result of the job once completed.
          example: FAIL
        start_ts:
          type: string
          format: date-time
          description: Timestamp when the job started.
          example: '2025-09-19T19:32:25Z'
        end_ts:
          type: string
          format: date-time
          description: Timestamp when the job completed.
          example: '2024-08-13T06:47:25Z'
        description:
          type: string
          description: Job description.
          example: Investigation violation threat firewall monitoring suspicious.
        details:
          type: array
          items:
            type: string
          description: Job status detail messages.
          example: *id023
    ErrorResponse:
      type: object
      properties:
        _errors:
          type: array
          items:
            type: object
            properties:
              code:
                type: string
                example: example-code
              message:
                type: string
                example: Alert malware configured threat rule network malware configured on.
              details:
                type: object
                example: {}
          example:
            - code: example-code
              message: Threat configured alert firewall violation monitoring traffic activity.
              details: {}
            - code: example-code
              message: Blocked threat Security traffic firewall monitoring malware endpoint suspicious network.
              details: {}
        _request_id:
          type: string
          example: '980164'