Provision Cloud NGFW Resources to your AWS CFT

Create Cloud NGFW resources and provision them to your AWS CloudFormation template.
The Cloud NGFW provides flexibility to provision resources to your AWS CloudFormation template (CFT) by allowing you to create your own resources.
You must enable Programmatic access before using CloudFormation Registry with the Cloud NGFW.
Use the
PaloAltoNetworks::CloudNGFW::RuleStack
and
PaloAltoNetworks::CloudNGFW::NGFW
schemas to integrate the Cloud NGFW into your AWS CloudFormation template. Use the provided syntax in this document to define Cloud NGFW firewall configuration settings that you can integrate with AWS CloudFormation Registry.

PaloAltoNetworks::CloudNGFW::RuleStack schema

  • JSON
    { "Type" : "PaloAltoNetworks::CloudNGFW::RuleStack", "Properties" : { "RuleStackName" : String, "RuleStack" : RuleStack, "RuleList" : [ Rule, ... ], "SecurityObjects" : SecurityObjects, "CustomSecurityProfiles":CustomSecurityProfiles, “ProgrammaticAccessToken”: String } }
  • YAML
    Type:PaloAltoNetworks::CloudNGFW::RuleStack Properties: RuleStackName: String RuleStack: RuleStack RuleList: - Rule SecurityObjects: SecurityObjects CustomSecurityProfiles: CustomSecurityProfiles ProgrammaticAccessToken: String
Element
Description
RuleStackName
Enter a descriptive
Name
for your rulestack.
JSON
“RuleStackName” : String,
YAML
RuleStackName: String
RuleStack
Enter a
Description
for your rulestack. The description includes:
JSON
{ "Scope" : String, "Profiles" : RuleStackProfiles, "Description" : String "Deploy" : String }
YAML
Scope: String Profiles: RuleStackProfiles Description: String Deploy: String
RuleStackProfiles
Identify
Profiles
for the specified rulestack. Profiles include:
JSON
{ "AntiSpywareProfile" : String, "AntiVirusProfile" : String, "VulnerabilityProfile" : String, "URLFilteringProfile" : String, "FileBlockingProfile" : String, "OutboundTrustCertificate" : String, "OutboundUntrustCertificate" : String }
YAML
AntiSpywareProfile: String AntiVirusProfile: String VulnerabilityProfile: String URLFilteringProfile: String FileBlockingProfile: String OutboundTrustCertificate: String OutboundUntrustCertificate: String
Rule
Establish
Rules
for the rulestack. Rules include:
JSON
{ "RuleName" : String, "Description" : String, "RuleListType" : String, "Priority" : Integer, "Enabled" : Boolean, "Source" : RuleSource, "NegateSource" : Boolean, "Destination" : RuleDestination, "NegateDestination" : Boolean, "Applications" : [ String, ... ], "Category" : UrlCategory, "Protocol" : String, "AuditComment" : String, "Action" : String, "Logging" : Boolean, "DecryptionRuleType" : String, "Tags" : [ Tag, ... ] }
YAML
RuleName: String Description: String RuleListType: String Priority: Integer Enabled: Boolean Source: RuleSource NegateSource: Boolean Destination: RuleDestination NegateDestination: Boolean Applications: - String Category: UrlCategory Protocol: String AuditComment: String Action: String Logging: Boolean DecryptionRuleType: String Tags: - Tag
RuleSource
Set the collection of rules using
RuleSource
. RuleSource includes:
JSON
{ "Cidrs" : [ String, ... ], "PrefixLists" : [ String, ... ], "Countries" : [ String, ... ], "Feeds" : [ String, ... ] // RuleStackname? }
YAML
cidrs: - String PrefixLists: - String Countries: - String Feeds: - String
RuleDestination
Set the
RuleDestination
for the web service supporting the confirmation URL and one or more data collection URLs. RuleDestination includes:
JSON
{ "Cidrs" : [ String, ... ], "FqdnLists" : [ String, ... ], "PrefixLists" : [ String, ... ], "Countries" : [ String, ... ], "Feeds" : [ String, ... ] // RuleStackname? }
YAML
Cidrs: - String FqdnLists: - String PrefixLists: - String Countries: - String Feeds: - String
Tag
Specify a
Tag
for the rulestack. A Tag includes:
JSON
{ "Key" : String, "Value" : String }
YAML
Key: String Value: String
UrlCategory
Use the
UrlCategory
to match criteria in authentication, decryption, QoS, and security policy rules. UrlCategory includes:
JSON
{ "URLCategoryNames" : [ String, ... ], "Feeds" : [ String, ... ] }
YAML
URLCategoryNames: - String Feeds: - String
SecurityObjects
Set the
SecurityObjects
for the rulestack. SecurityObjects include:
JSON
{ "PrefixList" : PrefixList, "FqdnList" : FqdnList, "CustomUrlCategory" : CustomUrlCategory, "IntelligentFeed" : IntelligentFeed, "CertificateList" : CertificateList }
YAML
PrefixList: PrefixList FqdnList: FqdnList CustomUrlCategory: CustomUrlCategory IntelligentFeed: IntelligentFeed CertificateList: CertificateList
CustomSecurityProfiles
Set
CustomSecurityProfiles
to minimize antivirus inspection for traffic between trusted security zones, and to maximize the inspection of traffic received from untrusted zones, such as the internet, as well as the traffic sent to highly sensitive destinations, such as server farms. CustomSecurityProfiles include:
JSON
{ "FileBlocking" : FileBlocking }
YAML
FileBlocking: FileBlocking
PrefixList
Use
PrefixList
to filter routes based on prefixes. By defining an order number and IP prefixes, a branch or a data center ION device can permit or deny routes. The dynamic, auto-generated prefix list is based on what the ION device advertises. Prefixes can be split or non-split. A PrefixList includes:
JSON
{ "Name" : String, "PrefixList" : [ String, ... ], "AuditComment" : String, "Description" : String }
YAML
Name: String PrefixList: - String AuditComment: String Description: String
FqdnList
With the
FqdnList
object, DNS provides the FQDN resolution to the IP addresses, removing the need to know the IP addresses and manually updating them every time the FQDN resolves to a new IP address. FqdnList includes:
JSON
{ "Name" : String, "Description" : String, "FqdnList" : [ String, ... ], "AuditComment" : String }
YAML
Name: String Description: String FqdnList: - String AuditComment: String
CustomUrlCategory
Use
CustomURLCategory
to create a custom URL filtering object to specify exceptions to URL category enforcement, and to create a custom URL category based on multiple URL categories:
  • Define exceptions to URL category enforcement—Create a custom list of URLs that you want to use as match criteria in a Security policy rule. This is a good way to specify exceptions to URL categories, where you’d like to enforce specific URLs differently than the URL category to which they belong.
  • Define a custom URL category based on multiple PAN-DB categories—This allows you to target enforcement for websites that match a set of categories. The website or page must match all the categories defined as part of the custom category.
CustomURLCategory includes:
JSON
{ "URLTargets" : [ String, ... ], "Name" : String, "Description" : String, "Action" : String, "AuditComment" : String }
YAML
URLTargets: - String Name: String Description: String Action: String AuditComment: String
IntelligentFeed
Use
IntelligentFeed
to continually feed the most up-to-date threat intelligence data. IntelligentFeed includes:
JSON
{ "Name" : String, "Description" : String, "Certificate" : String, "FeedURL" : String, "Type" : String, "Frequency" : String, "Time" : Integer, "AuditComment" : String }
YAML
Name: String Description: String Certificate: String FeedURL: String Type: String Frequency: String Time: Integer AuditComment: String
CertificateObject
Use
CertificateObject
to define elements of the certificate. CertificateObject includes:
JSON
{ "Name" : String, "Description" : String, "CertificateSignerArn" : String, "CertificateSelfSigned" : Boolean, "AuditComment" : String }
YAML
Name: String Description: String CertificateSignerArn: String CertificateSelfSigned: Boolean AuditComment: String
FileBlocking
Use
FileBlocking
to identify specific file types that you want to block or monitor. For most traffic (including traffic on your internal network) you will want to block files that are known to carry threats or that have no real use case for upload/download. FileBlocking includes:
JSON
{ "Direction" : String, "FileType" : String, "Description" : String, "Action" : String, "AuditComment" : String }
YAML
Direction: String FileType: String Description: String Action: String AuditComment: String

PaloAltoNetworks::CloudNGFW::NGFW schema

  • JSON
    { "Type": "PaloAltoNetworks::CloudNGFW::NGFW", "Properties" : { "Description" : String, "EndpointMode" : String, "FirewallName" : String, "RuleStackName" : String, "RuleStackName" : String, "SubnetMappings" : [ String, ... ], "Tags" : [ Map, ... ], "VpcId" : String, "UpdateToken" : String, "LogDestinationConfigs" : [ LogProfileConfig, ... ], "CloudWatchMetricNamespace" : String, "ProgrammaticAccessToken" : String }
  • YAML
    Type: PaloAltoNetworks::CloudNGFW::NGFWProperties: AppIdVersion: String AutomaticUpgradeAppIdVersion: Boolean Description: String EndpointMode: String FirewallName: String RuleStackName: String RuleStackName: String SubnetMappings: - String Tags: - Map VpcId: String UpdateToken: String LogDestinationConfigs: - LogProfileConfig CloudWatchMetricNamespace: String ProgrammaticAccessToken: String
Element
Description
LogProfileConfig
Use
LogProfileConfig
to display entries for change to the firewall configuration.
JSON
{ "LogDestination" : String, "LogDestinationType" : String, "LogType" : String}
YAML
LogDestination: String LogDestinationType: String LogType: String

Activate public extensions

Activate both the
PaloAltoNetworks::CloudNGFW::NGFW
and
PaloAltoNetworks::CloudNGFW::RuleStack
public extensions for your account:
Create an execution role ARN for the extensions. Both extensions can use the same role. Establish trust relationships in the role to consume the Cloud Formation templates:
After establishing the trust relationship, activate the extensions:
To ship logs in AWS CloudWatch, Configure Logging for Cloud NGFW on AWS.

Recommended For You