https://live.paloaltonetworks.com/t5/cloud-ngfw-for-aws-discussions/programmatic-access-for-cloud-ngfw/m-p/478170#M273 <P>Where can I find more information about programmatic access for Cloud NGFW? Also can I use AWS Cloudformation Templates to create and manage Cloud NGFW resources?</P> <P>&nbsp;</P> <P>Note that I have already enabled the "<SPAN>Programmatic Access" button in the Cloud NGFW UI.</SPAN></P> Tue, 05 Apr 2022 01:27:47 GMT hparandekar 2022-04-05T01:27:47Z https://live.paloaltonetworks.com/t5/cloud-ngfw-for-aws-discussions/programmatic-access-for-cloud-ngfw/m-p/478170#M273 <P>Where can I find more information about programmatic access for Cloud NGFW? Also can I use AWS Cloudformation Templates to create and manage Cloud NGFW resources?</P> <P>&nbsp;</P> <P>Note that I have already enabled the "<SPAN>Programmatic Access" button in the Cloud NGFW UI.</SPAN></P> Tue, 05 Apr 2022 01:27:47 GMT https://live.paloaltonetworks.com/t5/cloud-ngfw-for-aws-discussions/programmatic-access-for-cloud-ngfw/m-p/478170#M273 hparandekar 2022-04-05T01:27:47Z https://live.paloaltonetworks.com/t5/cloud-ngfw-for-aws-discussions/programmatic-access-for-cloud-ngfw/m-p/478228#M274 <P><SPAN>Hello hparandekar,</SPAN><BR /><BR /><SPAN>I saw your post and have a few recommendations for you.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Programmatic Access: This feature is to provide capability for customers to access the backend API's directly, so that they can create FW resource and rulestacks</SPAN></P> <P><BR />&nbsp;</P> <P><SPAN>Flow</SPAN></P> <P>&nbsp;</P> <OL> <LI><SPAN>Customer Enables Programmatic Access from UI</SPAN></LI> <LI><SPAN>Customer adds Principle Tags to IAM roles in their account</SPAN> <OL> <LI><SPAN>Under TAG add:</SPAN> <OL> <LI><SPAN>Key=NGFWaasRole, Value=CloudFirewallAdmin</SPAN></LI> <LI><SPAN>Key=NGFWaasRole, Value=CloudRulestackAdmin</SPAN></LI> </OL> </LI> <LI><SPAN>Under Trusted Relationship add IAM user</SPAN></LI> </OL> </LI> <LI><SPAN>IAM User in customer account can now call sts_client.asume_role(RoleArn="arn:value") → produces a set of keys</SPAN></LI> <LI><SPAN>These keys can now be used to call API below to get a JWT Token: (keep in mind you must generate a Signature V4 Header to authenticate to this API, see <A href="https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html" target="_blank" rel="noopener">https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html</A>)</SPAN> <OL> <LI><SPAN>GET:/v1/mgmt/tokens/cloudfirewalladmin</SPAN></LI> <LI><SPAN>GET:/v1/mgmt/tokens/cloudrulestackadmin</SPAN></LI> </OL> </LI> <LI><SPAN>Step 4 produces a token-id, this token-id is now good to use on Firewall CRUD API's or Rulestack API's listed below. Must use "Authorization" : "token-id" in header. &nbsp; &nbsp;&nbsp;</SPAN></LI> </OL> <P><SPAN>If you want more clarification on programmatic access please go through the below link.</SPAN></P> <P>&nbsp;</P> <P><A href="https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html" target="_blank" rel="noopener"><SPAN>https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html</SPAN></A></P> <P>&nbsp;</P> <P><SPAN><STRONG>Yes you can &nbsp;use AWS Cloudformation Templates to create and manage Cloud NGFW resources.</STRONG></SPAN></P> <P>&nbsp;</P> <P><SPAN>You can &nbsp;create a template that describes all the AWS resources that you want (like Amazon EC2 instances or Amazon RDS DB instances), and CloudFormation takes care of provisioning and configuring those resources for you. You don't need to individually create and configure AWS resources and figure out what's dependent on what; CloudFormation handles that.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks and Regards,</SPAN></P> <P>&nbsp;</P> <P><SPAN>Gopinath Sekar</SPAN></P> <P>&nbsp;</P> <P><SPAN>Palo Alto Networks Technical Support Engineer</SPAN></P> Wed, 06 Apr 2022 17:36:54 GMT https://live.paloaltonetworks.com/t5/cloud-ngfw-for-aws-discussions/programmatic-access-for-cloud-ngfw/m-p/478228#M274 gsekar 2022-04-06T17:36:54Z