
PAN-OS Security Rule

Schema for a PAN-OS firewall security policy rule as represented in the REST and XML API. Security rules define the traffic enforcement criteria on Palo Alto Networks next-generation firewalls and Panorama-managed devices. Each rule specifies source zone, destination zone, source address, destination address, application, service, and action parameters that determine how matching traffic is handled. Rules are evaluated top-down within a rulebase and can be configured at the device, virtual system, or Panorama device group level.

Tags: Cloud Security, Cybersecurity, Firewall, Network Security, SASE, SOAR, Threat Intelligence, XDR

Properties

Name (type): Description

name (string): Unique name of the security rule within its rulebase. Must be unique within the device group or virtual system. Maximum 63 characters, must start with a letter or underscore, and may contain letters,

description (string): Free-form text description of the rule's purpose, intent, or business justification. Used for documentation and operational context in policy management workflows. Maximum 1024 characters.

tag (array): List of administrative tags applied to the rule for organizational grouping, filtering, and policy management. Tags must be pre-defined as tag objects on the device or Panorama before being referenced

from (array): List of source security zones. Traffic must originate from one of the listed zones for the rule to match. Use 'any' to match all zones. Corresponds to the Source Zone field in the PAN-OS security poli

to (array): List of destination security zones. Traffic must be destined for one of the listed zones for the rule to match. Use 'any' to match all zones. Corresponds to the Destination Zone field in the PAN-OS se

source (array): List of source address specifiers. Each entry may be an address object name, address group name, IPv4 address, IPv6 address, IP range, CIDR subnet, FQDN object, or the keyword 'any' to match all sourc

destination (array): List of destination address specifiers. Each entry may be an address object name, address group name, IPv4 address, IPv6 address, IP range, CIDR subnet, FQDN object, or the keyword 'any' to match all

source-user (array): List of source users or user groups the rule applies to. Requires User-ID to be enabled on the ingress zone. Use 'any' to match all users, 'unknown' to match unauthenticated traffic, 'known-user' to m

application (array): List of applications or application groups the rule applies to. PAN-OS uses App-ID technology to identify applications regardless of port, protocol, or encryption. Use 'any' to match all applications

service (array): List of services (TCP/UDP port combinations) the rule applies to. Use 'application-default' to enforce the rule only on the default ports defined for the matched applications, or 'any' to match all po

action (string): The enforcement action applied when traffic matches all criteria of this rule. 'allow' permits the traffic and applies security profiles if configured. 'deny' blocks the traffic and sends an ICMP unre

profile-setting (object): Security profile settings defining which threat prevention profiles are applied to traffic matching this rule. Profiles are only evaluated when action is 'allow'.

log-setting (string): Name of the log forwarding profile to use for traffic logs generated by this rule. The profile determines log destinations such as Panorama, syslog servers, email, SNMP traps, or HTTP log forwarding p

log-start (boolean): Whether to generate a traffic log entry at the start of each session matching this rule. Enabling log-start increases log volume significantly and is typically reserved for debugging or specific compl

log-end (boolean): Whether to generate a traffic log entry at the end of each session matching this rule. Log-end captures session summary data including total bytes, packets, and duration. Enabled by default for most s

disabled (boolean): Whether the security rule is administratively disabled. Disabled rules remain in the configuration and policy position but are skipped during policy lookup and traffic enforcement.

schedule (string): Name of a schedule object that restricts this rule to specific days and times. When no schedule is specified the rule is active at all times. Schedule objects are defined in Objects > Schedules on the

negate-source (boolean): When true, the rule matches traffic from any source address except those listed in the source field. Inverts the source address matching logic to create an exclusion-based source match.

negate-destination (boolean): When true, the rule matches traffic destined for any address except those listed in the destination field. Inverts the destination address matching logic to create an exclusion-based destination match

rule-type (string): Specifies the zone-based scope of the rule enforcement. 'universal' matches inter-zone and intra-zone traffic (default). 'intrazone' matches only traffic where source and destination zones are the sam
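The following is an added example, not Palo Alto Networks code, that models how the properties above combine during a top-down policy lookup: zone scope from rule-type, negate-source/negate-destination inverting only the address test, disabled rules skipped, and unmatched traffic falling to the predefined intrazone-default/interzone-default rules. Rule objects are plain dicts keyed by the schema property names; the sample rulebase, IPs and zone names are constructed, and App-ID, User-ID, schedules, profiles and 'application-default' are not modelled.

```python
import ipaddress

# Constructed policy-lookup model over rule dicts keyed by the schema property
# names above (not Palo Alto Networks code); App-ID/User-ID/schedules are omitted.

def _in(value, specs):
    return "any" in specs or value in specs

def addr_in(ip, specs):
    """Match an IP against 'any', a host/CIDR entry, or a 'lo-hi' IP range entry."""
    host = ipaddress.ip_address(ip)
    for spec in specs:
        if spec == "any":
            return True
        if "-" in spec:
            lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
            if lo <= host <= hi:
                return True
        elif host in ipaddress.ip_network(spec, strict=False):
            return True
    return False

def rule_matches(r, src_zone, dst_zone, src_ip, dst_ip, app, svc):
    """Every criterion must hold; negate-* inverts only the address test, not zones."""
    kind = r.get("rule-type", "universal")
    if kind != "universal" and (kind == "intrazone") != (src_zone == dst_zone):
        return False
    if not (_in(src_zone, r["from"]) and _in(dst_zone, r["to"])):
        return False
    if addr_in(src_ip, r["source"]) == r.get("negate-source", False):
        return False
    if addr_in(dst_ip, r["destination"]) == r.get("negate-destination", False):
        return False
    return _in(app, r["application"]) and _in(svc, r["service"])

def lookup(rulebase, src_zone, dst_zone, src_ip, dst_ip, app, svc):
    """Top-down first match (disabled rules skipped), else the predefined default rules."""
    for r in rulebase:
        if not r.get("disabled") and rule_matches(r, src_zone, dst_zone, src_ip, dst_ip, app, svc):
            return r["name"], r["action"]
    return ("intrazone-default", "allow") if src_zone == dst_zone else ("interzone-default", "deny")

# Constructed sample rulebase. 'allow-web' is broad enough that the later, more
# specific 'deny-guest-ssl' can never match: a shadowed rule that only an ordering review finds.
RULEBASE = [
    {"name": "allow-web", "from": ["trust", "guest"], "to": ["untrust"], "source": ["any"], "destination": ["any"],
     "application": ["web-browsing", "ssl"], "service": ["tcp/80", "tcp/443"], "action": "allow"},
    {"name": "deny-guest-ssl", "from": ["guest"], "to": ["untrust"], "source": ["any"], "destination": ["any"],
     "application": ["ssl"], "service": ["tcp/443"], "action": "deny"},
    {"name": "dmz-except-db", "from": ["trust"], "to": ["dmz"], "source": ["10.1.0.0/16"], "destination": ["10.2.0.10"],
     "negate-destination": True, "application": ["any"], "service": ["any"], "action": "allow"},
]
```

Swapping the first two rules, or disabling allow-web, lets deny-guest-ssl take effect; the same evaluation order is what a production rulebase audit has to reason about.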