The Developer’s Guide To Palo Alto Networks Cloud NGFW for AWS Part 2 (CloudFormation)

Priyal Palkar
Palo Alto Networks Developers
6 min read · Apr 3, 2024

A Cloud NGFW resource provides next-generation firewall capabilities for your VPC traffic. This resource has built-in resiliency, scalability and lifecycle management. In the last blog, we covered the firewall-as-code and policy-as-code aspects of Cloud NGFW using Terraform. In this blog, we will discuss the same aspects using AWS CloudFormation.

Customers like you expressed interest in using AWS CloudFormation as a single infrastructure as code (IaC) tool to automate provisioning of your AWS native resources and Cloud NGFW resources. To enable your automation, Palo Alto Networks has now published the PaloAltoNetworks::CloudNGFW::NGFW and PaloAltoNetworks::CloudNGFW::RuleStack extensions to the AWS CloudFormation registry.

Getting Started

Prerequisites

Enable Programmatic Access

To use these CloudFormation extensions, you must first enable the Programmatic Access for your Cloud NGFW tenant. You can check this by navigating to the Settings section of the Cloud NGFW console. The steps to do this can be found here.

You will authenticate against your Cloud NGFW by assuming roles in your AWS account that are allowed to make API calls to the AWS API Gateway service. The associated tags with the roles dictate the type of Cloud NGFW programmatic access granted — Firewall Admin, RuleStack Admin, or Global Rulestack Admin.

The following CloudFormation configuration will create an AWS role which we will utilize later when activating the PaloAltoNetworks::CloudNGFW CloudFormation extensions.

AWSTemplateFormatVersion: 2010-09-09

Resources:
  CFRRole:
    Type: AWS::IAM::Role
    Properties:
      Tags:
        - Key: CloudNGFWFirewallAdmin
          Value: "Yes"
        - Key: CloudNGFWRuleStackAdmin
          Value: "Yes"
        - Key: CloudNGFWGlobalRuleStackAdmin
          Value: "Yes"
      RoleName: CFRExecutionRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: resources.cloudformation.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref "AWS::AccountId"
              StringLike:
                aws:SourceArn: !Join ["", ["arn:aws:cloudformation:*:", !Ref "AWS::AccountId", ":type/resource/PaloAltoNetworks-CloudNGFW-NGFW/*"]]
          - Effect: Allow
            Principal:
              Service: resources.cloudformation.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref "AWS::AccountId"
              StringLike:
                aws:SourceArn: !Join ["", ["arn:aws:cloudformation:*:", !Ref "AWS::AccountId", ":type/resource/PaloAltoNetworks-CloudNGFW-RuleStack/*"]]
      Policies:
        - PolicyName: CFRPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - execute-api:Invoke
                  - execute-api:ManageConnections
                Resource: arn:aws:execute-api:*:*:*
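
The aws:SourceAccount and aws:SourceArn conditions in the trust policy are what stop CloudFormation from assuming this role on behalf of an extension registered in some other account (the confused-deputy case these condition keys exist for). The Python check below is an added example, not code from the original post or from Palo Alto Networks; it inspects the trust policy as IAM sees it after CloudFormation resolves the !Ref and !Join calls, using constructed policy documents and a placeholder account id.

```python
"""Check the rendered trust policy of the CloudFormation extension execution
role for confused-deputy protection (added example, not from the original
post). Both policies below are constructed; the account id is a placeholder."""
import fnmatch

CFN_SERVICE = "resources.cloudformation.amazonaws.com"
# Only the two CloudNGFW extension types should be allowed to assume the role.
ALLOWED_TYPE_ARNS = "arn:aws:cloudformation:*:{acct}:type/resource/PaloAltoNetworks-CloudNGFW-*/*"


def as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, account):
    """Return findings; empty means every statement that trusts the
    CloudFormation registry pins both aws:SourceAccount and aws:SourceArn."""
    findings = []
    want_arn = ALLOWED_TYPE_ARNS.format(acct=account)
    for i, st in enumerate(doc.get("Statement", [])):
        services = as_list(st.get("Principal", {}).get("Service", []))
        if st.get("Effect") != "Allow" or CFN_SERVICE not in services:
            continue
        cond = st.get("Condition", {})
        src_acct = cond.get("StringEquals", {}).get("aws:SourceAccount")
        src_arn = cond.get("StringLike", {}).get("aws:SourceArn", "")
        if src_acct != account:
            findings.append(f"statement {i}: aws:SourceAccount is {src_acct!r}, expected {account!r}")
        # fnmatchcase treats '*' inside the tested ARN as plain text, so a bare
        # '*' or an ARN for some other extension type fails this check.
        if not fnmatch.fnmatchcase(src_arn, want_arn):
            findings.append(f"statement {i}: aws:SourceArn {src_arn!r} is not limited to the CloudNGFW types")
    return findings


ACCOUNT = "111111111111"  # constructed placeholder account id
# The NGFW statement of CFRRole as CloudFormation renders it.
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": CFN_SERVICE}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT},
                  "StringLike": {"aws:SourceArn": f"arn:aws:cloudformation:*:{ACCOUNT}:type/resource/PaloAltoNetworks-CloudNGFW-NGFW/*"}}}]}
# The same trust with the Condition block dropped.
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": CFN_SERVICE}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(check_trust_policy(GOOD, ACCOUNT))  # []
    print(check_trust_policy(WEAK, ACCOUNT))  # two findings
```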

Activating the CloudFormation Extensions

Cloud NGFW Rulestack and Firewall resource CloudFormation extensions are third-party extensions that allow deploying resources using CloudFormation templates.

In this step, we will activate the CloudNGFW RuleStack and Firewall resource extensions.

The extensions can be found in the CloudFormation registry under published third party extensions.

Select the extension that needs to be activated. Select the latest version from the dropdown and activate the extension.

Configure an execution role for the extension. This should be the ARN of the IAM role created earlier.

Repeat the steps to activate the rulestack resource extension.

AWS Architecture

We will focus on securing an architecture similar to what we used in Part 1. Note the unused Firewall Subnet — later, we will deploy the Cloud NGFW endpoints into this subnet and make the necessary routing changes to inspect traffic through the Cloud NGFW.

AWS Architecture

Deploying Your Cloud NGFW Rulestack (policy-as-code)

A rulestack defines the NGFW traffic filtering behavior, including advanced access control and threat prevention — simply a set of security rules and their associated objects and security profiles.

First, let’s start by creating a simple rulestack, and we are going to use the BestPractice Anti Spyware profile. The rulestack will be created with BestPractice security profiles by default. BestPractice profiles are security profiles that come built-in, which will make it easier for you to use security profiles from the start. If required, you can also create custom profiles to meet your demands.

The rulestack contains a security rule that only allows HTTP-based traffic. Note that we use the App-ID web-browsing instead of traditional port-based enforcement.

---
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Rulestack resource with PaloAltoNetworks::CloudNGFW::RuleStack
Parameters:
  RuleStackName:
    Description: Enter the Rulestack name
    Type: String

Resources:
  RuleStackResource:
    Type: 'PaloAltoNetworks::CloudNGFW::RuleStack'
    Properties:
      RuleStackName: !Ref RuleStackName
      RuleStack:
        Description: Rulestack created by Cloudformation
        AccountId: !Ref "AWS::AccountId"
      RuleList:
        - RuleListType: LocalRule
          RuleName: allow-web-browsing
          Description: "Configured by cloudformation"
          Action: Allow
          Priority: '100'
          Source:
            Cidrs:
              - any
          Destination:
            Cidrs:
              - 10.1.1.0/24
          Applications:
            - web-browsing
          Logging: true
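
A quick policy-as-code lint for a RuleList like the one above, as an added example that is not part of the original post or of the Palo Alto Networks extension: it flags rules without logging, Allow rules whose Applications is any (which falls back to the port-based matching the post moves away from), duplicate priorities within a rule list type, and malformed CIDRs. The rule list is constructed from the template's rule plus one deliberately weak rule.

```python
"""Lint the RuleList of a PaloAltoNetworks::CloudNGFW::RuleStack before the
stack is created (added example, not from the original post). RULES is
constructed from the template's rule plus one deliberately weak rule."""
import ipaddress


def lint_rule_list(rules):
    """Return findings; an empty list means every rule passed."""
    findings = []
    seen = {}  # (RuleListType, Priority) -> first rule using it
    for rule in rules:
        name = rule.get("RuleName", "<unnamed>")
        key = (rule.get("RuleListType"), str(rule.get("Priority")))
        if key in seen:
            findings.append(f"{name}: shares priority {key[1]} with {seen[key]}")
        seen.setdefault(key, name)
        if rule.get("Logging") is not True:
            findings.append(f"{name}: Logging is not enabled")
        # App-ID enforcement: an Allow rule whose Applications is 'any' falls
        # back to port-based matching, the behaviour the post moves away from.
        if rule.get("Action") == "Allow" and "any" in (rule.get("Applications") or ["any"]):
            findings.append(f"{name}: Allow rule is not restricted by App-ID")
        for side in ("Source", "Destination"):
            for cidr in rule.get(side, {}).get("Cidrs", []):
                if cidr == "any":
                    continue
                try:
                    ipaddress.ip_network(cidr)  # strict: host bits must be zero
                except ValueError:
                    findings.append(f"{name}: {side} CIDR {cidr!r} is invalid")
    return findings


RULES = [
    {"RuleListType": "LocalRule", "RuleName": "allow-web-browsing", "Action": "Allow",
     "Priority": "100", "Source": {"Cidrs": ["any"]},
     "Destination": {"Cidrs": ["10.1.1.0/24"]}, "Applications": ["web-browsing"],
     "Logging": True},
    {"RuleListType": "LocalRule", "RuleName": "allow-anything", "Action": "Allow",
     "Priority": "100", "Source": {"Cidrs": ["any"]},
     "Destination": {"Cidrs": ["10.1.1.5/24"]}, "Applications": ["any"],
     "Logging": False},
]

if __name__ == "__main__":
    for finding in lint_rule_list(RULES):
        print(finding)
```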

The next step is to create a CloudFormation stack from this rulestack resource template, which can be done via the AWS console.

Deploying Your Cloud NGFW Resource (firewall-as-code)

Cloud NGFW resources are Palo Alto Networks managed resources that provide NGFW capabilities with built-in resilience, scalability, and life-cycle management. You will associate a rulestack to an NGFW resource when you create one.

Traffic to and from your resources in VPC subnets is routed to NGFW resources through NGFW endpoints. How these NGFW endpoints are created is determined by the endpoint mode you select when creating the Cloud NGFW resource.

Notice how we have specified the SubnetMappings property. These are the subnets where your AWS resources live that you want to protect.

---
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  FWaaS resource with PaloAltoNetworks::CloudNGFW::NGFW
Parameters:
  RuleStackName:
    Description: Enter the Rulestack name
    Type: String

  FirewallName:
    Description: Enter your Firewall resource Name
    Type: String

  VPCID:
    Description: Enter the ID of the VPC
    Type: String

  SubnetID:
    Description: Enter the ID of the subnet
    Type: String

Resources:
  FirewallResource:
    Type: 'PaloAltoNetworks::CloudNGFW::NGFW'
    Properties:
      EndpointMode: ServiceManaged
      RuleStackName: !Ref RuleStackName
      FirewallName: !Ref FirewallName
      AccountId: !Ref "AWS::AccountId"
      SubnetMappings:
        - SubnetId: !Ref SubnetID
      VpcId: !Ref VPCID

Outputs:
  VPCId:
    Value: !GetAtt FirewallResource.ReadFirewall.VpcId
  EndpointServiceName:
    Value: !GetAtt FirewallResource.ReadFirewall.EndpointServiceName

At this point, you will have a Cloud NGFW endpoint deployed into your Firewall subnet. The stack output will contain the VPC ID and endpoint service name created by the firewall resource. The output can be extended to access other firewall resource attributes.

You can retrieve the mapping of NGFW endpoint IDs to Firewall Subnets via the FirewallResource.ReadFirewall.Attachments attribute as part of the stack output. This information is required during route creation in the next step. Other firewall resource attributes can be read via the FirewallResource.ReadFirewall attribute.

Routing Traffic via Cloud NGFW

The final step is to add or update routes in your existing AWS route tables to send traffic via the Cloud NGFW. The new routes are highlighted in the diagram below. Again, you can perform this via the AWS::EC2::Route or AWS::EC2::RouteTable CloudFormation resources.

Learn more about Cloud NGFW

In this article, we discovered how to deploy Cloud NGFW in the Distributed model. You can also deploy Cloud NGFW in a Centralized model with AWS Transit Gateway. The Centralized model will allow you to run Cloud NGFW in a centralized “inspection” VPC and connect all your other VPCs via Transit Gateway.

We also discovered how to move away from traditional port-based policy enforcement and move towards application-based enforcement. You can find a comprehensive list of available App-IDs here.

For more information you can visit the official Cloud NGFW CloudFormation documentation.

There is more you can do with Cloud NGFW.

  • Threat prevention — Automatically stop known malware, vulnerability exploits, and command and control infrastructure (C2) hacking with industry-leading threat prevention.
  • Advanced URL Filtering — Stop unknown web-based attacks in real-time to prevent patient zero. Advanced URL Filtering analyzes web traffic, categorizes URLs, and blocks malicious threats in seconds.

Cloud NGFW for AWS is a regional service. Currently, it is available in the AWS regions enumerated here. To learn more, visit the documentation and FAQ pages. To get hands-on experience with this, please subscribe via the AWS Marketplace page.
