🧭 Overview
Firewall Automation is the new-generation framework in OPNsense
for managing firewall and source NAT rules through both the web UI and REST API.
It is designed to eventually replace the classic Firewall → Rules pages,
offering modern, API-driven rule management.
“The automation component offers API access to firewall and source NAT rules.
It only manages rules created within its own interface, not traditional firewall rules.”
⚙️ Architecture & Core Principles
| Concept | Description |
|---|---|
| Automation Component | MVC-based backend for managing API-accessible rules. |
| API + UI Consistency | Every rule created via UI is immediately accessible via API. |
| Scope Limitation | Only rules created inside Automation are visible to this API. |
| Future Integration | Intended as the next-generation rule management interface. |
🧩 Key Capabilities
1️⃣ Centralized Rule Management
Define and manage Firewall + Source NAT rules directly from one place.
2️⃣ Full REST API Control
Automation rules can be created, updated, or deleted via API calls.
3️⃣ Modern MVC Framework
Better integration with other OPNsense modules and external systems.
4️⃣ Preview Feature
Currently marked as a preview, showcasing future rule management direction.
⚡ Use Cases
| Use Case | Example | Note |
|---|---|---|
| Automated Deployment | Use API to auto-create rules during provisioning | Ideal for DevOps setups |
| Centralized NAT Configuration | Programmatically manage Source NAT across subnets | Simplifies large-scale routing |
| External System Integration | Integrate SOC or monitoring tools to push rules | Common in enterprise environments |
| Testing Next-gen Rule Engine | Experiment with Automation API before migration | Preview of future firewall UI |
🧰 API Examples
Create a rule:
```bash
# Credentials given with -u end up in shell history and process listings;
# for anything beyond a quick test keep them in a curl --netrc or -K config file.
curl -X POST -u "apiuser:apitoken" \
  https://<firewall-ip>/api/firewall/automation/add \
  -H "Content-Type: application/json" \
  -d '{
    "interface": "lan",
    "protocol": "tcp",
    "source": "any",
    "destination": "192.168.1.10",
    "dstport": "22",
    "action": "pass",
    "description": "Allow SSH via Automation API"
  }'
```
List all rules:
```bash
curl -u "apiuser:apitoken" \
  https://<firewall-ip>/api/firewall/automation/search
```
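To turn the two curl calls above into a repeatable provisioning step, here is an added Python example (not OPNsense project code) that checks a rule against a local least-privilege policy, searches for an equivalent rule before creating one, and keeps the key and secret out of the command line. It assumes the endpoint paths and field names shown on this page, that the search response carries a "rows" list, and that the API accepts HTTP Basic auth; the environment variable names are the example's own.

```python
import json
import os
import urllib.request
from base64 import b64encode

# Credentials come from the environment (names are this example's own), not the command line.
BASE_URL = os.environ.get("OPN_URL", "https://firewall.example.invalid")
API_KEY, API_SECRET = os.environ.get("OPN_KEY", ""), os.environ.get("OPN_SECRET", "")
MATCH_KEYS = ("interface", "protocol", "source", "destination", "dstport", "action")

def policy_violations(rule):
    """Local least-privilege checks run before anything is pushed (this example's
    policy, not an OPNsense feature). Returns the list of problems found."""
    problems = []
    if rule.get("action") == "pass":
        if rule.get("source") == "any" and rule.get("destination") == "any":
            problems.append("pass rule from any to any")
        if rule.get("protocol") in ("tcp", "udp") and not rule.get("dstport"):
            problems.append("pass rule without a destination port")
    if not rule.get("description"):
        problems.append("missing description (needed for the audit trail)")
    return problems

def find_existing(rows, rule):
    """First search row equal to the rule on every MATCH_KEYS field (the fields that
    define what the rule does), else None. The description is deliberately ignored."""
    same = lambda row: all(str(row.get(k, "")) == str(rule.get(k, "")) for k in MATCH_KEYS)
    return next((row for row in rows if same(row)), None)

def plan(rule, rows):
    """Decide offline: 'reject', 'skip' (equivalent rule exists) or 'create'."""
    if policy_violations(rule):
        return "reject"
    return "skip" if find_existing(rows, rule) is not None else "create"

def api_request(path, payload=None):
    # GET, or POST a JSON body, against the Automation API and return the parsed JSON.
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method="POST" if data else "GET")
    req.add_header("Authorization", "Basic " + b64encode(f"{API_KEY}:{API_SECRET}".encode()).decode())
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:  # TLS certificate verification stays on (urllib default)
        return json.load(resp)

def ensure_rule(rule):
    """Idempotent create: search first, add only when plan() says 'create'."""
    rows = api_request("/api/firewall/automation/search").get("rows", [])  # "rows" key is assumed
    decision = plan(rule, rows)
    if decision == "create":
        api_request("/api/firewall/automation/add", rule)
    return decision
```

Run `ensure_rule(...)` with `OPN_URL`, `OPN_KEY` and `OPN_SECRET` set; `plan()` can be exercised against a saved search result without touching the firewall.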
🔒 Limitations
| Item | Description |
|---|---|
| Scope | Only manages rules created inside the Automation module |
| Event Triggers | Does not support dynamic or event-driven rule activation |
| Status | Preview / experimental feature |
| Recommended Use | For testing API integration and automated provisioning |
✅ Summary
Firewall Automation is not an event-driven engine —
it is the new API-based rule management layer for OPNsense.
Key Advantages:
- Native REST API support
- Unified management for firewall + NAT rules
- Foundation for the next-generation rule editor
💡 Think of it as a “Firewall-as-Code” foundation —
structured, API-accessible, and automation-friendly.