Cloud NGFW for AWS
    : Provision Cloud NGFW Resources to your AWS CFT
    Focus
    Download PDF
    Focus
    1. Home
    2. AWS
    3. Cloud NGFW for AWS
    4. Getting Started with Cloud NGFW for AWS
    5. Provision Cloud NGFW Resources to your AWS CFT
    Download PDF

    Cloud NGFW for AWS

    Provision Cloud NGFW Resources to your AWS CFT

    Table of Contents

    Provision Cloud NGFW Resources to your AWS CFT

    Create Cloud NGFW resources and provision them to your AWS CloudFormation template.
    The Cloud NGFW provides flexibility to provision resources to your AWS CloudFormation template (CFT) by allowing you to create your own resources.
    You must enable Programmatic access before using CloudFormation Registry with the Cloud NGFW.
    Use the
    PaloAltoNetworks::CloudNGFW::RuleStack
     and
    PaloAltoNetworks::CloudNGFW::NGFW
     schemas to integrate the Cloud NGFW into your AWS CloudFormation template. Use the provided syntax in this document to define Cloud NGFW firewall configuration settings that you can integrate with AWS CloudFormation Registry.

    PaloAltoNetworks::CloudNGFW::RuleStack schema

    • JSON
      {
  "Type" : "PaloAltoNetworks::CloudNGFW::RuleStack",
  "Properties" : {
        "RuleStackName" : String,
        "RuleStack" : RuleStack,
        "RuleList" : [ Rule, ... ],
        "SecurityObjects" : SecurityObjects,
        "CustomSecurityProfiles":CustomSecurityProfiles,
        “ProgrammaticAccessToken”: String
    }
}
    • YAML
      Type:PaloAltoNetworks::CloudNGFW::RuleStack
Properties:
    RuleStackName: String
    RuleStack: RuleStack
    RuleList: 
      - Rule
    SecurityObjects: SecurityObjects
    CustomSecurityProfiles: CustomSecurityProfiles
    ProgrammaticAccessToken: String
    Element
    Description
    RuleStackName
    Enter a descriptive
    Name
     for your rulestack.
    JSON
    “RuleStackName” : String,
    YAML
    RuleStackName: String
    RuleStack
    Enter a
    Description
     for your rulestack. The description includes:
    JSON
    {
    "Scope" : String,
    "Profiles" : RuleStackProfiles,
    "Description" : String
    "Deploy" : String
}
    YAML
    Scope: String
Profiles: RuleStackProfiles
Description: String
Deploy: String
    RuleStackProfiles
    Identify
    Profiles
     for the specified rulestack. Profiles include:
    JSON
    {
    "AntiSpywareProfile" : String,
    "AntiVirusProfile" : String,
    "VulnerabilityProfile" : String,
    "URLFilteringProfile" : String,
    "FileBlockingProfile" : String,
    "OutboundTrustCertificate" : String,
    "OutboundUntrustCertificate" : String
}
    YAML
    AntiSpywareProfile: String
AntiVirusProfile: String
VulnerabilityProfile: String
URLFilteringProfile: String
FileBlockingProfile: String
OutboundTrustCertificate: String
OutboundUntrustCertificate: String
    Rule
    Establish
    Rules
     for the rulestack. Rules include:
    JSON
    {
    "RuleName" : String,
    "Description" : String,
    "RuleListType" : String,
    "Priority" : Integer,
    "Enabled" : Boolean,
    "Source" : RuleSource,
    "NegateSource" : Boolean,
    "Destination" : RuleDestination,
    "NegateDestination" : Boolean,
    "Applications" : [ String, ... ],
    "Category" : UrlCategory,
    "Protocol" : String,
    "AuditComment" : String,
    "Action" : String,
    "Logging" : Boolean,
    "DecryptionRuleType" : String,
    "Tags" : [ Tag, ... ]
}
    YAML
    RuleName: String
Description: String
RuleListType: String
Priority: Integer
Enabled: Boolean
Source: RuleSource
NegateSource: Boolean
Destination: RuleDestination
NegateDestination: Boolean
Applications: 
      - String
Category: UrlCategory
Protocol: String
AuditComment: String
Action: String
Logging: Boolean
DecryptionRuleType: String
Tags: 
             - Tag
    RuleSource
    Set the collection of rules using
    RuleSource
    . RuleSource includes:
    JSON
    {
    "Cidrs" : [ String, ... ],
    "PrefixLists" : [ String, ... ],
    "Countries" : [ String, ... ],
    "Feeds" : [ String, ... ]
  // RuleStackname?
  }
    YAML
    cidrs: 
      - String
PrefixLists: 
      - String
Countries: 
      - String
Feeds: 
            - String
    RuleDestination
    Set the
    RuleDestination
     for the web service supporting the confirmation URL and one or more data collection URLs. RuleDestination includes:
    JSON
    {
    "Cidrs" : [ String, ... ],
    "FqdnLists" : [ String, ... ],
    "PrefixLists" : [ String, ... ],
    "Countries" : [ String, ... ],
    "Feeds" : [ String, ... ]
  // RuleStackname?
  }
    YAML
    Cidrs: 
      - String
FqdnLists: 
      - String
PrefixLists: 
      - String
Countries: 
      - String
Feeds: 
      - String
    Tag
    Specify a
    Tag
     for the rulestack. A Tag includes:
    JSON
    {
    "Key" : String,
    "Value" : String
}
    YAML
    Key: String
Value: String
    UrlCategory
    Use the
    UrlCategory
     to match criteria in authentication, decryption, QoS, and security policy rules. UrlCategory includes:
    JSON
    {
    "URLCategoryNames" : [ String, ... ],
    "Feeds" : [ String, ... ]
}
    YAML
    URLCategoryNames: 
      - String
Feeds: 
      - String
    SecurityObjects
    Set the
    SecurityObjects
     for the rulestack. SecurityObjects include:
    JSON
    {
  "PrefixList" : PrefixList,
  "FqdnList" : FqdnList,
  "CustomUrlCategory" : CustomUrlCategory,
  "IntelligentFeed" : IntelligentFeed,
  "CertificateList" : CertificateList
}
    YAML
    PrefixList: PrefixList
FqdnList: FqdnList
CustomUrlCategory: CustomUrlCategory
IntelligentFeed: IntelligentFeed
CertificateList: CertificateList
    CustomSecurityProfiles
    Set
    CustomSecurityProfiles
     to minimize antivirus inspection for traffic between trusted security zones, and to maximize the inspection of traffic received from untrusted zones, such as the internet, as well as the traffic sent to highly sensitive destinations, such as server farms. CustomSecurityProfiles include:
    JSON
    {
    "FileBlocking" : FileBlocking
}
    YAML
    FileBlocking: FileBlocking
    PrefixList
    Use
    PrefixList
     to filter routes based on prefixes. By defining an order number and IP prefixes, a branch or a data center ION device can permit or deny routes. The dynamic, auto-generated prefix list is based on what the ION device advertises. Prefixes can be split or non-split. A PrefixList includes:
    JSON
    {
    "Name" : String,
    "PrefixList" : [ String, ... ],
    "AuditComment" : String,
    "Description" : String
}
    YAML
    Name: String
PrefixList: 
   - String
AuditComment: String
Description: String
    FqdnList
    With the
    FqdnList
     object, DNS provides the FQDN resolution to the IP addresses, removing the need to know the IP addresses and manually updating them every time the FQDN resolves to a new IP address. FqdnList includes:
    JSON
    {
    "Name" : String,
    "Description" : String,
    "FqdnList" : [ String, ... ],
    "AuditComment" : String
}
    YAML
    Name: String
Description: String
FqdnList: 
     - String
AuditComment: String
    CustomUrlCategory
    Use
    CustomURLCategory
     to create a custom URL filtering object to specify exceptions to URL category enforcement, and to create a custom URL category based on multiple URL categories:
    • Define exceptions to URL category enforcement—Create a custom list of URLs that you want to use as match criteria in a Security policy rule. This is a good way to specify exceptions to URL categories, where you’d like to enforce specific URLs differently than the URL category to which they belong.
    • Define a custom URL category based on multiple PAN-DB categories—This allows you to target enforcement for websites that match a set of categories. The website or page must match all the categories defined as part of the custom category.
    CustomURLCategory includes:
    JSON
    {
    "URLTargets" : [ String, ... ],
    "Name" : String,
    "Description" : String,
    "Action" : String,
    "AuditComment" : String
}
    YAML
    URLTargets: 
      - String
Name: String
Description: String
Action: String
AuditComment: String
    IntelligentFeed
    Use
    IntelligentFeed
     to continually feed the most up-to-date threat intelligence data. IntelligentFeed includes:
    JSON
    {
    "Name" : String,
    "Description" : String,
    "Certificate" : String,
    "FeedURL" : String,
    "Type" : String,
    "Frequency" : String,
    "Time" : Integer,
    "AuditComment" : String
}
    YAML
    Name: String
Description: String
Certificate: String
FeedURL: String
Type: String
Frequency: String
Time: Integer
AuditComment: String
    CertificateObject
    Use
    CertificateObject
     to define elements of the certificate. CertificateObject includes:
    JSON
    {
    "Name" : String,
    "Description" : String,
    "CertificateSignerArn" : String,
    "CertificateSelfSigned" : Boolean,
    "AuditComment" : String
}
    YAML
    Name: String
Description: String
CertificateSignerArn: String
CertificateSelfSigned: Boolean
AuditComment: String
    FileBlocking
    Use
    FileBlocking
     to identify specific file types that you want to block or monitor. For most traffic (including traffic on your internal network) you will want to block files that are known to carry threats or that have no real use case for upload/download. FileBlocking includes:
    JSON
    {
    "Direction" : String,
    "FileType" : String,
    "Description" : String,
    "Action" : String,
    "AuditComment" : String
}
    YAML
    Direction: String
FileType: String
Description: String
Action: String
AuditComment: String

    PaloAltoNetworks::CloudNGFW::NGFW schema

    • JSON
      {
   "Type": "PaloAltoNetworks::CloudNGFW::NGFW",
    "Properties" : {
        "Description" : String,
        "EndpointMode" : String,
        "FirewallName" : String,
        "RuleStackName" : String,
        "RuleStackName" : String,
        "SubnetMappings" : [ String, ... ],
        "Tags" : [ Map, ... ],
        "VpcId" : String,
        "UpdateToken" : String,
        "LogDestinationConfigs" : [     LogProfileConfig, ... ],
        "CloudWatchMetricNamespace" : String,
        "ProgrammaticAccessToken" : String
}
    • YAML
      Type: PaloAltoNetworks::CloudNGFW::NGFWProperties:
    AppIdVersion: String
    AutomaticUpgradeAppIdVersion: Boolean
    Description: String
    EndpointMode: String
    FirewallName: String
    RuleStackName: String
    RuleStackName: String
    SubnetMappings: 
      - String
    Tags: 
      - Map
    VpcId: String
    UpdateToken: String     
    LogDestinationConfigs: 
      - LogProfileConfig
    CloudWatchMetricNamespace: String
    ProgrammaticAccessToken: String
    Element
    Description
    LogProfileConfig
    Use
    LogProfileConfig
     to display entries for change to the firewall configuration.
    JSON
    {
    "LogDestination" : String,
    "LogDestinationType" : String,
    "LogType" : String}
    YAML
    LogDestination: String
LogDestinationType: String
LogType: String

    Activate public extensions

    Activate both the
    PaloAltoNetworks::CloudNGFW::NGFW
     and
    PaloAltoNetworks::CloudNGFW::RuleStack
     public extensions for your account:
    Create an execution role ARN for the extensions. Both extensions can use the same role. Establish trust relationships in the role to consume the Cloud Formation templates:
    After establishing the trust relationship, activate the extensions:
    To ship logs in AWS CloudWatch, Configure Logging for Cloud NGFW on AWS.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.