Use Google Notebooks to create policy rules using Prisma Access APIs

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L4 Transporter
No ratings

 

Prisma SASE offers a suite of cloud-delivered products that provide network configuration and network security services. This suite of software offers network security for an enterprise's users, no matter where they might be physically located, be it in the office or from a remote location.

The Prisma SASE APIs enable automation and integration solutions for Prisma SASE products and services. Currently, Prisma SASE offers the following APIs:

Most SASE APIs use a common authentication mechanism and base URL for API requests. (Prisma Access Insights is the exception.) The authentication mechanism is oAuth2. To authenticate SASE API requests, you must:

  1. Identify or create the TSG that you want to use for the scope of the access token. From the TSG, you can find your TSG_ID that you use for the access token's scope.
  2. Either identify or create the service account that you want to use for the request. This gives you the Client ID and Client Secret that you use to obtain the access token.
  3. Using the Client ID, Client Secret, and your TSG_ID, create an access token.

Once you have an access token, you can make requests against the tenants that are within the scope of your access token. Provide the access token using the Authorization header, with the Bearer keyword, on your HTTPS request.

Note: At this point you can mechanically make a request, but you still need to assign one or more roles to the service account. Without at least one role, the service account will not have permissions to perform any actions on the SASE product or service.

 

This article will go over how Prisma Access APIs can easily be integrated into Google Notebooks,  an application used by several Prisma Access Customers. For example, this Google Notebook can be used to clone policy rules from a source tenant to a destination tenant or can be used to create a specific policy rule.

Once you launch the Google Notebook, follow the steps below to clone rules or create a new policy rule.

 

Step 1: Install libraries.

Click on the Run button on the Install and Import Libraries block. This will install the packages needed to execute the playbook in a Google VM used by the Google Notebook. 

 

step1.png

 

Step 2: Configure Service Accounts

Once you’ve generated the service accounts for both the source and destination tenants using the steps described above, configure the values in the Google Notebook form. Make sure the appropriate access token or role is assigned to the service account.

 

step2.png

 

Once the form is filled, hit run (highlighted in red). This step will generate the JWT token which is used for all subsequent API calls.

 

Step 3: Create custom rules

The next block in the notebook lists an example for creating a rule against a user group allowing it access to a specific application, microsoft-outlook in the example below. When this block is executed, a custom pre-rule is created.

 

step3.png

 

This is an example of how rule creation can be simplified and many of the objects can be abstracted out. Users can easily update the notebook form to include parameters they need to customize the rule they need to create.

 

Step 4: Clone Rules

To clone rules from a source tenant to a destination tenant, use the block titled Clone Rules. This notebook allows the user to control if both pre and post rules need to be cloned. If set to True, the rule group will be cloned from the source to the destination tenant.

 

step4.png

 

This notebook also offers a block to delete rules from the source or destination tenant. Users can choose to delete both pre and post rules using this block. As any delete operation, use this block with caution.

 

lastimage.png

 

The sample in this notebook is one example of how customers can use the Prisma SASE APIs to create custom rules and clone rules from one tenant to another.  More information on the Prisma SASE APIs can be found on our API documentation site, pan.dev.

 

 

Rate this article:
  • 2767 Views
  • 0 comments
  • 1 Likes
Register or Sign-in
Contributors
Article Dashboard
Version history
Last Updated:
‎11-01-2022 04:46 PM
Updated by: