Palo Alto Networks · Capability

Palo Alto Networks PAN-OS REST API — Policies

Palo Alto Networks PAN-OS REST API — Policies. 12 operations. Lead operation: Palo Alto Networks List NAT Rules. Self-contained Naftiko capability covering one Palo Alto Networks business surface.

Run with Naftiko Palo Alto NetworksPolicies

What You Can Do

GET

Listnatrules — Palo Alto Networks List NAT Rules

/v1/policies/natrules

POST

Createnatrule — Palo Alto Networks Create NAT Rule

/v1/policies/natrules

PUT

Updatenatrule — Palo Alto Networks Update NAT Rule

/v1/policies/natrules

DELETE

Deletenatrule — Palo Alto Networks Delete NAT Rule

/v1/policies/natrules

GET

Listqosrules — Palo Alto Networks List QoS Rules

/v1/policies/qosrules

POST

Createqosrule — Palo Alto Networks Create QoS Rule

/v1/policies/qosrules

PUT

Updateqosrule — Palo Alto Networks Update QoS Rule

/v1/policies/qosrules

DELETE

Deleteqosrule — Palo Alto Networks Delete QoS Rule

/v1/policies/qosrules

GET

Listsecurityrules — Palo Alto Networks List Security Rules

/v1/policies/securityrules

POST

Createsecurityrule — Palo Alto Networks Create Security Rule

/v1/policies/securityrules

PUT

Updatesecurityrule — Palo Alto Networks Update Security Rule

/v1/policies/securityrules

DELETE

Deletesecurityrule — Palo Alto Networks Delete Security Rule

/v1/policies/securityrules

MCP Tools

palo-alto-networks-list-nat

Palo Alto Networks List NAT Rules

read-only idempotent

palo-alto-networks-create-nat

Palo Alto Networks Create NAT Rule

palo-alto-networks-update-nat

Palo Alto Networks Update NAT Rule

idempotent

palo-alto-networks-delete-nat

Palo Alto Networks Delete NAT Rule

idempotent

palo-alto-networks-list-qos

Palo Alto Networks List QoS Rules

read-only idempotent

palo-alto-networks-create-qos

Palo Alto Networks Create QoS Rule

palo-alto-networks-update-qos

Palo Alto Networks Update QoS Rule

idempotent

palo-alto-networks-delete-qos

Palo Alto Networks Delete QoS Rule

idempotent

palo-alto-networks-list-security

Palo Alto Networks List Security Rules

read-only idempotent

palo-alto-networks-create-security

Palo Alto Networks Create Security Rule

palo-alto-networks-update-security

Palo Alto Networks Update Security Rule

idempotent

palo-alto-networks-delete-security

Palo Alto Networks Delete Security Rule

idempotent

Capability Spec

naftiko: 1.0.0-alpha2
info:
  label: Palo Alto Networks PAN-OS REST API — Policies
  description: 'Palo Alto Networks PAN-OS REST API — Policies. 12 operations. Lead operation: Palo Alto Networks List NAT
    Rules. Self-contained Naftiko capability covering one Palo Alto Networks business surface.'
  tags:
  - Palo Alto Networks
  - Policies
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    PALO_ALTO_NETWORKS_API_KEY: PALO_ALTO_NETWORKS_API_KEY
capability:
  consumes:
  - type: http
    namespace: palo-alto-pan-os-rest-policies
    baseUri: https://{firewall}/restapi/v10.2
    description: Palo Alto Networks PAN-OS REST API — Policies business capability. Self-contained, no shared references.
    resources:
    - name: Policies-NATRules
      path: /Policies/NATRules
      operations:
      - name: listnatrules
        method: GET
        description: Palo Alto Networks List NAT Rules
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: name
          in: query
          type: string
          description: Filter by NAT rule name.
      - name: createnatrule
        method: POST
        description: Palo Alto Networks Create NAT Rule
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: name
          in: query
          type: string
          description: Name of the NAT rule to create.
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: updatenatrule
        method: PUT
        description: Palo Alto Networks Update NAT Rule
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: name
          in: query
          type: string
          description: Name of the NAT rule to update.
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: deletenatrule
        method: DELETE
        description: Palo Alto Networks Delete NAT Rule
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: name
          in: query
          type: string
          description: Name of the NAT rule to delete.
          required: true
    - name: Policies-QoSRules
      path: /Policies/QoSRules
      operations:
      - name: listqosrules
        method: GET
        description: Palo Alto Networks List QoS Rules
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: name
          in: query
          type: string
          description: Filter by QoS rule name.
      - name: createqosrule
        method: POST
        description: Palo Alto Networks Create QoS Rule
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: name
          in: query
          type: string
          description: Name of the QoS rule to create.
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: updateqosrule
        method: PUT
        description: Palo Alto Networks Update QoS Rule
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: name
          in: query
          type: string
          description: Name of the QoS rule to update.
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: deleteqosrule
        method: DELETE
        description: Palo Alto Networks Delete QoS Rule
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: name
          in: query
          type: string
          description: Name of the QoS rule to delete.
          required: true
    - name: Policies-SecurityRules
      path: /Policies/SecurityRules
      operations:
      - name: listsecurityrules
        method: GET
        description: Palo Alto Networks List Security Rules
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: name
          in: query
          type: string
          description: Filter by security rule name.
      - name: createsecurityrule
        method: POST
        description: Palo Alto Networks Create Security Rule
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: name
          in: query
          type: string
          description: Name of the security rule to create.
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: updatesecurityrule
        method: PUT
        description: Palo Alto Networks Update Security Rule
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: name
          in: query
          type: string
          description: Name of the security rule to update.
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: deletesecurityrule
        method: DELETE
        description: Palo Alto Networks Delete Security Rule
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: name
          in: query
          type: string
          description: Name of the security rule to delete.
          required: true
    authentication:
      type: apikey
      key: X-PAN-KEY
      value: '{{env.PALO_ALTO_NETWORKS_API_KEY}}'
      placement: header
  exposes:
  - type: rest
    namespace: palo-alto-pan-os-rest-policies-rest
    port: 8080
    description: REST adapter for Palo Alto Networks PAN-OS REST API — Policies. One Spectral-compliant resource per consumed
      operation, prefixed with /v1.
    resources:
    - path: /v1/policies/natrules
      name: policies-natrules
      description: REST surface for Policies-NATRules.
      operations:
      - method: GET
        name: listnatrules
        description: Palo Alto Networks List NAT Rules
        call: palo-alto-pan-os-rest-policies.listnatrules
        with:
          name: rest.name
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: createnatrule
        description: Palo Alto Networks Create NAT Rule
        call: palo-alto-pan-os-rest-policies.createnatrule
        with:
          name: rest.name
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
      - method: PUT
        name: updatenatrule
        description: Palo Alto Networks Update NAT Rule
        call: palo-alto-pan-os-rest-policies.updatenatrule
        with:
          name: rest.name
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
      - method: DELETE
        name: deletenatrule
        description: Palo Alto Networks Delete NAT Rule
        call: palo-alto-pan-os-rest-policies.deletenatrule
        with:
          name: rest.name
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/policies/qosrules
      name: policies-qosrules
      description: REST surface for Policies-QoSRules.
      operations:
      - method: GET
        name: listqosrules
        description: Palo Alto Networks List QoS Rules
        call: palo-alto-pan-os-rest-policies.listqosrules
        with:
          name: rest.name
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: createqosrule
        description: Palo Alto Networks Create QoS Rule
        call: palo-alto-pan-os-rest-policies.createqosrule
        with:
          name: rest.name
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
      - method: PUT
        name: updateqosrule
        description: Palo Alto Networks Update QoS Rule
        call: palo-alto-pan-os-rest-policies.updateqosrule
        with:
          name: rest.name
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
      - method: DELETE
        name: deleteqosrule
        description: Palo Alto Networks Delete QoS Rule
        call: palo-alto-pan-os-rest-policies.deleteqosrule
        with:
          name: rest.name
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/policies/securityrules
      name: policies-securityrules
      description: REST surface for Policies-SecurityRules.
      operations:
      - method: GET
        name: listsecurityrules
        description: Palo Alto Networks List Security Rules
        call: palo-alto-pan-os-rest-policies.listsecurityrules
        with:
          name: rest.name
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: createsecurityrule
        description: Palo Alto Networks Create Security Rule
        call: palo-alto-pan-os-rest-policies.createsecurityrule
        with:
          name: rest.name
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
      - method: PUT
        name: updatesecurityrule
        description: Palo Alto Networks Update Security Rule
        call: palo-alto-pan-os-rest-policies.updatesecurityrule
        with:
          name: rest.name
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
      - method: DELETE
        name: deletesecurityrule
        description: Palo Alto Networks Delete Security Rule
        call: palo-alto-pan-os-rest-policies.deletesecurityrule
        with:
          name: rest.name
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: palo-alto-pan-os-rest-policies-mcp
    port: 9090
    transport: http
    description: MCP adapter for Palo Alto Networks PAN-OS REST API — Policies. One tool per consumed operation, routed inline
      through this capability's consumes block.
    tools:
    - name: palo-alto-networks-list-nat
      description: Palo Alto Networks List NAT Rules
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: palo-alto-pan-os-rest-policies.listnatrules
      with:
        name: tools.name
      outputParameters:
      - type: object
        mapping: $.
    - name: palo-alto-networks-create-nat
      description: Palo Alto Networks Create NAT Rule
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: palo-alto-pan-os-rest-policies.createnatrule
      with:
        name: tools.name
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: palo-alto-networks-update-nat
      description: Palo Alto Networks Update NAT Rule
      hints:
        readOnly: false
        destructive: false
        idempotent: true
      call: palo-alto-pan-os-rest-policies.updatenatrule
      with:
        name: tools.name
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: palo-alto-networks-delete-nat
      description: Palo Alto Networks Delete NAT Rule
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: palo-alto-pan-os-rest-policies.deletenatrule
      with:
        name: tools.name
      outputParameters:
      - type: object
        mapping: $.
    - name: palo-alto-networks-list-qos
      description: Palo Alto Networks List QoS Rules
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: palo-alto-pan-os-rest-policies.listqosrules
      with:
        name: tools.name
      outputParameters:
      - type: object
        mapping: $.
    - name: palo-alto-networks-create-qos
      description: Palo Alto Networks Create QoS Rule
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: palo-alto-pan-os-rest-policies.createqosrule
      with:
        name: tools.name
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: palo-alto-networks-update-qos
      description: Palo Alto Networks Update QoS Rule
      hints:
        readOnly: false
        destructive: false
        idempotent: true
      call: palo-alto-pan-os-rest-policies.updateqosrule
      with:
        name: tools.name
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: palo-alto-networks-delete-qos
      description: Palo Alto Networks Delete QoS Rule
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: palo-alto-pan-os-rest-policies.deleteqosrule
      with:
        name: tools.name
      outputParameters:
      - type: object
        mapping: $.
    - name: palo-alto-networks-list-security
      description: Palo Alto Networks List Security Rules
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: palo-alto-pan-os-rest-policies.listsecurityrules
      with:
        name: tools.name
      outputParameters:
      - type: object
        mapping: $.
    - name: palo-alto-networks-create-security
      description: Palo Alto Networks Create Security Rule
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: palo-alto-pan-os-rest-policies.createsecurityrule
      with:
        name: tools.name
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: palo-alto-networks-update-security
      description: Palo Alto Networks Update Security Rule
      hints:
        readOnly: false
        destructive: false
        idempotent: true
      call: palo-alto-pan-os-rest-policies.updatesecurityrule
      with:
        name: tools.name
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: palo-alto-networks-delete-security
      description: Palo Alto Networks Delete Security Rule
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: palo-alto-pan-os-rest-policies.deletesecurityrule
      with:
        name: tools.name
      outputParameters:
      - type: object
        mapping: $.