Programmatic Access for Cloud NGFW

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Programmatic Access for Cloud NGFW

L0 Member

Where can I find more information about programmatic access for Cloud NGFW? Also can I use AWS Cloudformation Templates to create and manage Cloud NGFW resources?

 

Note that I have already enabled the "Programmatic Access" button in the Cloud NGFW UI.

1 REPLY 1

L2 Linker

Hello hparandekar,

I saw your post and have a few recommendations for you.

 

Programmatic Access: This feature is to provide capability for customers to access the backend API's directly, so that they can create FW resource and rulestacks


 

Flow

 

  1. Customer Enables Programmatic Access from UI
  2. Customer adds Principle Tags to IAM roles in their account
    1. Under TAG add:
      1. Key=NGFWaasRole, Value=CloudFirewallAdmin
      2. Key=NGFWaasRole, Value=CloudRulestackAdmin
    2. Under Trusted Relationship add IAM user
  3. IAM User in customer account can now call sts_client.asume_role(RoleArn="arn:value") → produces a set of keys
  4. These keys can now be used to call API below to get a JWT Token: (keep in mind you must generate a Signature V4 Header to authenticate to this API, see https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html)
    1. GET:/v1/mgmt/tokens/cloudfirewalladmin
    2. GET:/v1/mgmt/tokens/cloudrulestackadmin
  5. Step 4 produces a token-id, this token-id is now good to use on Firewall CRUD API's or Rulestack API's listed below. Must use "Authorization" : "token-id" in header.     

If you want more clarification on programmatic access please go through the below link.

 

https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html

 

Yes you can  use AWS Cloudformation Templates to create and manage Cloud NGFW resources.

 

You can  create a template that describes all the AWS resources that you want (like Amazon EC2 instances or Amazon RDS DB instances), and CloudFormation takes care of provisioning and configuring those resources for you. You don't need to individually create and configure AWS resources and figure out what's dependent on what; CloudFormation handles that.

 

Thanks and Regards,

 

Gopinath Sekar

 

Palo Alto Networks Technical Support Engineer

  • 2200 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!