The Developer’s Guide To Palo Alto Networks Cloud NGFW for AWS Part 3 (CLI access using CloudControl)

Priyal Palkar
Palo Alto Networks Developers
7 min read · Apr 16, 2024

A Cloud NGFW resource provides next-generation firewall capabilities for your VPC traffic. This resource has built-in resiliency, scalability and lifecycle management. In the previous blog, we discussed activating Palo Alto Networks Cloud NGFW CloudFormation extensions and using CloudFormation templates to provision Cloud NGFW resources. In this blog, we will discuss using AWS CloudControl CLI to provision Cloud NGFW resources.

AWS Cloud Control API is a set of common application programming interfaces (APIs) that provides operations to create, read, update, delete, and list (CRUD-L) resources, and to track and manage those requests. With Cloud Control API, developers can manage the lifecycle of AWS and third-party resources, such as Palo Alto Networks Cloud NGFW, in a consistent way. In this blog, we use the AWS Command Line Interface (AWS CLI) for Cloud Control API operations.

Getting Started

Prerequisites

  1. Subscribed to Palo Alto Networks Cloud NGFW via the AWS marketplace
  2. Your AWS account is onboarded to the Cloud NGFW
  3. Activate the Cloud NGFW CloudFormation extensions (follow these steps from this blog to activate the CloudFormation extensions):
  • Enable programmatic access for your tenant
  • Create an execution role for the extensions
  • Activate the Cloud NGFW extensions

IAM Role for CloudControl Access

Create an IAM role with your CLI/API user as a trusted entity:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{account_id}:user/{user_name}"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

Configure a permission policy to allow CloudControl access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListResources",
        "cloudformation:GetResource",
        "cloudformation:UpdateResource",
        "cloudformation:DeleteResource",
        "cloudformation:CreateResource"
      ],
      "Resource": "*"
    }
  ]
}

Create an AWS profile (cloudcontrol-profile, used in the commands below) with temporary credentials obtained by assuming the role created above:

aws sts assume-role --role-arn arn:aws:iam::{account_id}:role/cloudcontrol-role --role-session-name cloudcontrol-access

AWS Architecture

We will focus on securing an architecture similar to what we used in Part 1. Note the unused Firewall Subnet — later, we will deploy the Cloud NGFW endpoints into this subnet and make the necessary routing changes to inspect traffic through the Cloud NGFW.

AWS Architecture

Creating Your Cloud NGFW RuleStack (policy-as-code)

A RuleStack defines the NGFW traffic filtering behavior, including advanced access control and threat prevention — simply a set of security rules and their associated objects and security profiles.

First, let’s create a simple RuleStack that uses the BestPractice Anti-Spyware profile. A RuleStack is created with the BestPractice security profiles by default; these built-in profiles make it easier to apply security profiles from the start. If required, you can also create custom profiles to meet your needs.

Create a JSON file rulestack_create.json that represents your RuleStack:

{
  "RuleStackName": "cloudcontrol-rs",
  "RuleStack": {
    "Description": "Rulestack created by CloudControl",
    "AccountId": "{account_id}"
  },
  "RuleList": [
    {
      "RuleListType": "LocalRule",
      "RuleName": "allow-web-browsing",
      "Description": "Configured by cloudcontrol",
      "Action": "Allow",
      "Priority": 100,
      "Source": {
        "Cidrs": [
          "any"
        ]
      },
      "Destination": {
        "Cidrs": [
          "10.1.1.0/24"
        ]
      },
      "Applications": [
        "web-browsing"
      ],
      "Logging": true
    }
  ]
}

The RuleStack contains a single security rule that only allows HTTP-based traffic. Note that we use the App-ID web-browsing instead of traditional port-based enforcement.

Run the following command to create the RuleStack using CloudControl:

aws cloudcontrol create-resource --desired-state file://rulestack_create.json --region {region_name} --profile cloudcontrol-profile --client-token rs-create-token --type-name PaloAltoNetworks::CloudNGFW::RuleStack

This should return a JSON response as follows:

{
  "ProgressEvent": {
    "TypeName": "PaloAltoNetworks::CloudNGFW::RuleStack",
    "Identifier": "cloudcontrol-rs",
    "RequestToken": "9286b002-0b39-4d85-8be0-ca1a2ce63f7f",
    "Operation": "CREATE",
    "OperationStatus": "IN_PROGRESS",
    "EventTime": "2024-03-08T13:48:25.168000-08:00"
  }
}

The same command can be repeated to poll until the OperationStatus becomes SUCCESS.

Reading Your Cloud NGFW RuleStack

Run the following command to read the created RuleStack:

aws cloudcontrol get-resource --type-name PaloAltoNetworks::CloudNGFW::RuleStack --identifier "cloudcontrol-rs" --region {region_name} --profile cloudcontrol-profile

This should return the created RuleStack as follows:

{
  "TypeName": "PaloAltoNetworks::CloudNGFW::RuleStack",
  "ResourceDescription": {
    "Identifier": "cloudcontrol-rs",
    "Properties": "{\"RuleStackState\":\"Running\",\"RuleList\":[{\"Logging\":true,\"Destination\":{\"Cidrs\":[\"10.1.1.0/24\"]},\"Action\":\"Allow\",\"Description\":\"Configured by cloudformation\",\"RuleListType\":\"LocalRule\",\"Applications\":[\"web-browsing\"],\"Priority\":100,\"NegateDestination\":false,\"Enabled\":true,\"Source\":{\"Cidrs\":[\"any\"]},\"NegateSource\":false,\"Protocol\":\"application-default\",\"RuleName\":\"allow-web-browsing\"}],\"RuleStackCandidate\":{\"AccountId\":\"{account_id}\",\"Description\":\"Rulestack created by CloudControl\",\"Scope\":\"Local\",\"Profiles\":{\"VulnerabilityProfile\":\"BestPractice\",\"AntiSpywareProfile\":\"BestPractice\",\"AntiVirusProfile\":\"BestPractice\",\"FileBlockingProfile\":\"BestPractice\",\"URLFilteringProfile\":\"BestPractice\"},\"LookupXForwardedFor\":\"None\",\"MinAppIdVersion\":\"8509-7158\"},\"SecurityObjects\":{\"CustomUrlCategories\":[],\"IntelligentFeeds\":[],\"CertificateObjects\":[],\"PrefixLists\":[],\"FqdnLists\":[]},\"RuleStack\":{\"AccountId\":\"{account_id}\",\"Description\":\"Rulestack created by CloudControl\",\"Scope\":\"Local\",\"Profiles\":{\"VulnerabilityProfile\":\"BestPractice\",\"AntiSpywareProfile\":\"BestPractice\",\"AntiVirusProfile\":\"BestPractice\",\"FileBlockingProfile\":\"BestPractice\",\"URLFilteringProfile\":\"BestPractice\"},\"LookupXForwardedFor\":\"None\",\"MinAppIdVersion\":\"8509-7158\"},\"RuleStackName\":\"cloudcontrol-rs\"}"
  }
}

Notice that the RuleStackState attribute in the response properties is set to Running. This means that the RuleStack can now be associated with Cloud NGFW firewall resources. Also note that the Properties value is itself a JSON string embedded in the JSON response, so it has to be decoded a second time before its fields can be inspected.
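Because the RuleStack is now policy-as-code, its read-back can be checked automatically before it is attached to a firewall. The following is an added example (not code from the original post or from Palo Alto Networks) that decodes the double-encoded Properties string and audits the RuleStack against the points made above: the state is Running, every profile is BestPractice, and each Allow rule is logged, is not any-to-any, and is scoped by App-ID rather than ports. The SAMPLE response is a constructed, trimmed copy of the response shown above.

```python
import json

# Constructed sample, trimmed from the get-resource response shown in the post
# (not the output of a real API call); {account_id} is left as the post's placeholder.
SAMPLE = {"TypeName": "PaloAltoNetworks::CloudNGFW::RuleStack", "ResourceDescription": {
    "Identifier": "cloudcontrol-rs", "Properties": json.dumps({
        "RuleStackState": "Running",
        "RuleList": [{"RuleName": "allow-web-browsing", "Action": "Allow", "Priority": 100,
                      "Source": {"Cidrs": ["any"]}, "Destination": {"Cidrs": ["10.1.1.0/24"]},
                      "Applications": ["web-browsing"], "Protocol": "application-default",
                      "Logging": True, "Enabled": True}],
        "RuleStack": {"AccountId": "{account_id}", "Scope": "Local", "Profiles": {
            "VulnerabilityProfile": "BestPractice", "AntiSpywareProfile": "BestPractice",
            "AntiVirusProfile": "BestPractice", "FileBlockingProfile": "BestPractice",
            "URLFilteringProfile": "BestPractice"}}})}}


def decode_properties(response):
    """Cloud Control nests the resource model as a JSON string; decode it to a dict."""
    return json.loads(response["ResourceDescription"]["Properties"])


def audit_rulestack(response):
    """Return a list of findings; an empty list means the RuleStack passes every check."""
    props = decode_properties(response)
    findings = []
    if props.get("RuleStackState") != "Running":
        findings.append(f"RuleStackState is {props.get('RuleStackState')!r}, not Running")
    for name, profile in props["RuleStack"].get("Profiles", {}).items():
        if profile != "BestPractice":
            findings.append(f"{name} is {profile!r}, not BestPractice")
    for rule in props.get("RuleList", []):
        rn = rule["RuleName"]
        if not rule.get("Logging"):
            findings.append(f"{rn}: logging disabled")
        if rule.get("Action") != "Allow":
            continue  # only Allow rules widen exposure
        if rule["Source"]["Cidrs"] == ["any"] and rule["Destination"]["Cidrs"] == ["any"]:
            findings.append(f"{rn}: allows any source to any destination")
        if rule.get("Applications", ["any"]) == ["any"]:
            findings.append(f"{rn}: allow rule is not scoped by App-ID")
        if rule.get("Protocol", "application-default") != "application-default":
            findings.append(f"{rn}: ports not restricted to application-default")
    return findings


def weaken_first_rule(response, **changes):
    """Return a copy of the response with the first rule's fields changed (for testing)."""
    props = decode_properties(response)
    props["RuleList"][0].update(changes)
    return {"ResourceDescription": {"Properties": json.dumps(props)}}
```

Feed it the output of `aws cloudcontrol get-resource ... --output json` and fail the pipeline when the findings list is not empty.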

Listing Cloud NGFW RuleStacks

Run the following command to list Cloud NGFW RuleStacks:

aws cloudcontrol list-resources --type-name PaloAltoNetworks::CloudNGFW::RuleStack --resource-model "{\"Describe\":\"False\"}" --region {region_name} --profile cloudcontrol-profile

This should return all RuleStacks created under your tenant:

{
  "ResourceDescriptions": [
    {
      "Identifier": "cloudcontrol-rs",
      "Properties": "{\"RuleStackName\":\"cloudcontrol-rs\"}"
    },
    {
      "Identifier": "new-rs",
      "Properties": "{\"RuleStackName\":\"new-rs\"}"
    }
  ],
  "TypeName": "PaloAltoNetworks::CloudNGFW::RuleStack"
}

Updating Your Cloud NGFW RuleStack

Create a JSON Patch file rulestack_update.json that defines the operations to apply to your RuleStack:

[
  {
    "op": "replace",
    "path": "/RuleList/0/Description",
    "value": "updated by cloudcontrol"
  },
  {
    "op": "add",
    "path": "/Tags",
    "value": [
      {
        "Key": "foo",
        "Value": "bar"
      }
    ]
  }
]

This updates the description of the security rule in the RuleStack and adds a tag to the RuleStack.

Run the following command to update your RuleStack:

aws cloudcontrol update-resource --region {region_name} --profile cloudcontrol-profile --type-name PaloAltoNetworks::CloudNGFW::RuleStack --identifier "cloudcontrol-rs" --patch-document file://rulestack_update.json --client-token rs-update-token

This should return a response containing the operation status and the expected properties of the updated RuleStack:

{
  "ProgressEvent": {
    "TypeName": "PaloAltoNetworks::CloudNGFW::RuleStack",
    "Identifier": "cloudcontrol-rs",
    "RequestToken": "b0d265c1-44dd-4639-83e1-f6f2ba36c795",
    "Operation": "UPDATE",
    "OperationStatus": "IN_PROGRESS",
    "EventTime": "2024-03-08T16:23:18.413000-08:00",
    "ResourceModel": "{\"RuleStackState\":\"Running\",\"RuleList\":[{\"Logging\":true,\"Destination\":{\"Cidrs\":[\"10.1.1.0/24\"]},\"Action\":\"Allow\",\"Description\":\"updated by cloudcontrol\",\"RuleListType\":\"LocalRule\",\"Applications\":[\"web-browsing\"],\"Priority\":100,\"NegateDestination\":false,\"Enabled\":true,\"Source\":{\"Cidrs\":[\"any\"]},\"NegateSource\":false,\"Protocol\":\"application-default\",\"RuleName\":\"allow-web-browsing\"}],\"RuleStackCandidate\":{\"AccountId\":\"{account_id}\",\"Scope\":\"Local\",\"Profiles\":{\"VulnerabilityProfile\":\"BestPractice\",\"AntiSpywareProfile\":\"BestPractice\",\"AntiVirusProfile\":\"BestPractice\",\"FileBlockingProfile\":\"BestPractice\",\"URLFilteringProfile\":\"BestPractice\"},\"LookupXForwardedFor\":\"None\",\"MinAppIdVersion\":\"8509-7158\"},\"SecurityObjects\":{\"CustomUrlCategories\":[],\"IntelligentFeeds\":[],\"CertificateObjects\":[],\"PrefixLists\":[],\"FqdnLists\":[]},\"RuleStack\":{\"AccountId\":\"{account_id}\",\"Description\":\"Rulestack created by CloudControl\",\"Scope\":\"Local\",\"Profiles\":{\"VulnerabilityProfile\":\"BestPractice\",\"AntiSpywareProfile\":\"BestPractice\",\"AntiVirusProfile\":\"BestPractice\",\"FileBlockingProfile\":\"BestPractice\",\"URLFilteringProfile\":\"BestPractice\"},\"LookupXForwardedFor\":\"None\",\"MinAppIdVersion\":\"8509-7158\"},\"RuleStackName\":\"cloudcontrol-rs\",\"Tags\":[{\"Value\":\"bar\",\"Key\":\"foo\"}]}"
  }
}

You can poll for the operation status to be SUCCESS and verify the updated RuleStack by running the read command explained earlier.

Creating Your Cloud NGFW Resource (firewall-as-code)

Cloud NGFW resources are Palo Alto Networks managed resources that provide NGFW capabilities with built-in resilience, scalability, and life-cycle management. You will associate a RuleStack to an NGFW resource when you create one.

Traffic to and from your resources in VPC subnets is routed to NGFW resources through NGFW endpoints. How these NGFW endpoints are created is determined by the endpoint mode you select when creating the Cloud NGFW resource.

Create a JSON file that defines the properties of the Cloud NGFW firewall resource:

{
  "EndpointMode": "ServiceManaged",
  "FirewallName": "cloudcontrol-demo-fw1",
  "AccountId": "{account_id}",
  "RuleStackName": "cloudcontrol-rs",
  "SubnetMappings": [
    {
      "SubnetId": "{subnet_id}"
    }
  ],
  "VpcId": "{vpc_id}",
  "Tags": [
    {
      "Key": "foo",
      "Value": "bar"
    }
  ]
}

Notice the SubnetMappings property. These are the subnets in which the Cloud NGFW endpoints are created to protect the AWS resources in your VPC.

Run the following command to create a Firewall resource:

aws cloudcontrol create-resource --desired-state file:///Users/ppalkar/Documents/panw/cloudcontrol_demo/data/firewall_create_blog.json --region {region_name} --profile cloudcontrol-profile --client-token create-token-75 --type-name PaloAltoNetworks::CloudNGFW::NGFW

As described earlier, this returns a progress event, and you can poll for the operation status to be SUCCESS.

At this point, you will have a Cloud NGFW endpoint deployed into your Firewall subnet.

Reading your Cloud NGFW Resource

Run the following command to read the firewall resource that you created earlier:

aws cloudcontrol get-resource --type-name PaloAltoNetworks::CloudNGFW::NGFW --identifier "cloudcontrol-fw|{account_id}" --region {region_name} --profile cloudcontrol-profile

This should return the firewall resource as follows:

{
  "TypeName": "PaloAltoNetworks::CloudNGFW::NGFW",
  "ResourceDescription": {
    "Identifier": "cloudcontrol-fw|675937443412",
    "Properties": "{\"LogDestinationConfigs\":[],\"AccountId\":\"{account_id}\",\"FirewallName\":\"cloudcontrol-fw\",\"VpcId\":\"{vpc_id}\",\"ReadFirewall\":{\"RuleStackStatus\":\"Success\",\"AccountId\":\"{account_id}\",\"EndpointServiceName\":\"{service_name}\",\"AutomaticUpgradeAppIdVersion\":true,\"EndpointMode\":\"ServiceManaged\",\"AppIdVersion\":\"8509-7158\",\"Attachments\":[{\"Status\":\"ACCEPTED\",\"AccountId\":\"{account_id}\",\"VpcId\":\"{vpc_id}\",\"EndpointId\":\"{endpoint_id}\",\"SubnetId\":\"{subnet_id}\",\"RejectedReason\":\"\"}],\"FirewallStatus\":\"CREATE_COMPLETE\",\"FirewallName\":\"cloudcontrol-fw\",\"VpcId\":\"{vpc_id}\",\"RuleStackName\":\"cloudcontrol-rs\",\"MultiVpcEnable\":false,\"Tags\":[{\"Value\":\"bar\",\"Key\":\"foo\"}],\"SubnetMappings\":[{\"SubnetId\":\"{subnet_id}\"}]},\"AutomaticUpgradeAppIdVersion\":true,\"EndpointMode\":\"ServiceManaged\",\"RuleStackName\":\"cloudcontrol-rs\",\"AppIdVersion\":\"8509-7158\",\"MultiVpcEnable\":false,\"Tags\":[{\"Value\":\"bar\",\"Key\":\"foo\"}],\"SubnetMappings\":[{\"SubnetId\":\"{subnet_id}\"}]}"
  }
}

The endpoint service name and the endpoint IDs (one per attachment, with the subnet it lives in and whether the attachment was ACCEPTED) are included in the response properties. These are the values you need to configure the routes that forward traffic to the Cloud NGFW firewall.
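The following is an added example (not code from the original post or from Palo Alto Networks) that turns the firewall read-back above into the routing step: it decodes the Properties string, refuses to proceed unless the firewall is CREATE_COMPLETE, the RuleStack push succeeded and every attachment is ACCEPTED, and then builds the Cloud Control desired state for an AWS::EC2::Route that points a destination at the Cloud NGFW endpoint. The endpoint, subnet, VPC and route table IDs are constructed placeholders, and the example assumes the endpoint is a VPC (Gateway Load Balancer) endpoint addressed through the VpcEndpointId route property.

```python
import json

# Constructed sample, trimmed from the NGFW get-resource response shown in the post;
# the vpce-/subnet-/vpc- identifiers are made-up placeholders, not real resources.
NGFW_SAMPLE = {"TypeName": "PaloAltoNetworks::CloudNGFW::NGFW", "ResourceDescription": {
    "Identifier": "cloudcontrol-fw|{account_id}", "Properties": json.dumps({
        "FirewallName": "cloudcontrol-fw", "RuleStackName": "cloudcontrol-rs",
        "ReadFirewall": {
            "FirewallStatus": "CREATE_COMPLETE", "RuleStackStatus": "Success",
            "EndpointMode": "ServiceManaged",
            "Attachments": [{"Status": "ACCEPTED", "VpcId": "vpc-0example",
                             "SubnetId": "subnet-0fwexample", "EndpointId": "vpce-0example",
                             "RejectedReason": ""}]}})}}


def firewall_endpoints(response):
    """Return {subnet_id: endpoint_id} for a ready firewall's accepted attachments.
    Raises instead of returning partial data, so a route is never pointed at an
    endpoint that is not yet inspecting traffic with the intended RuleStack."""
    fw = json.loads(response["ResourceDescription"]["Properties"])["ReadFirewall"]
    if fw["FirewallStatus"] != "CREATE_COMPLETE":
        raise RuntimeError(f"firewall status is {fw['FirewallStatus']}")
    if fw["RuleStackStatus"] != "Success":
        raise RuntimeError(f"rulestack status is {fw['RuleStackStatus']}")
    endpoints = {}
    for att in fw["Attachments"]:
        if att["Status"] != "ACCEPTED":
            raise RuntimeError(f"attachment in {att['SubnetId']} is {att['Status']}: "
                               f"{att['RejectedReason']}")
        endpoints[att["SubnetId"]] = att["EndpointId"]
    return endpoints


def route_desired_state(route_table_id, destination_cidr, endpoint_id):
    """Desired-state document for an AWS::EC2::Route sending destination_cidr to the
    Cloud NGFW endpoint (a VPC endpoint, hence VpcEndpointId rather than a gateway)."""
    return {"RouteTableId": route_table_id, "DestinationCidrBlock": destination_cidr,
            "VpcEndpointId": endpoint_id}


def create_route_command(route_table_id, destination_cidr, endpoint_id, region, profile):
    """Cloud Control CLI invocation (as an argv list) with the desired state inline."""
    desired = json.dumps(route_desired_state(route_table_id, destination_cidr, endpoint_id))
    return ["aws", "cloudcontrol", "create-resource", "--type-name", "AWS::EC2::Route",
            "--desired-state", desired, "--region", region, "--profile", profile]
```

Run the returned argv with subprocess, or print it with shlex.join, once per route table that should send traffic through the firewall subnet's endpoint.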

Routing Traffic via Cloud NGFW

The final step is to add or update routes in your existing AWS route tables to send traffic via the Cloud NGFW endpoints. The new routes are highlighted in the diagram below. Again, you can do this with the AWS::EC2::Route or AWS::EC2::RouteTable CloudFormation resource types; the CloudControl CLI/API supports these resources as well.

Learn more about Cloud NGFW

In this article, we discovered how to deploy Cloud NGFW in the Distributed model. You can also deploy Cloud NGFW in a Centralized model with AWS Transit Gateway. The Centralized model will allow you to run Cloud NGFW in a centralized “inspection” VPC and connect all your other VPCs via Transit Gateway.

We also discovered how to move away from traditional port-based policy enforcement and move towards application-based enforcement. You can find a comprehensive list of available App-IDs here.

There is more you can do with Cloud NGFW.

  • Threat prevention — Automatically stop known malware, vulnerability exploits, and command and control infrastructure (C2) hacking with industry-leading threat prevention.
  • Advanced URL Filtering — Stop unknown web-based attacks in real-time to prevent patient zero. Advanced URL Filtering analyzes web traffic, categorizes URLs, and blocks malicious threats in seconds.

Cloud NGFW for AWS is a regional service. Currently, it is available in the AWS regions enumerated here. To learn more, visit the documentation and FAQ pages. To get hands-on experience with this, please subscribe via the AWS Marketplace page.