Palo Alto Networks API Security

Reinforce your API security by integrating your Kong Gateway with Cortex API Security. You can achieve this by using a dedicated HTTP Log plugin (panw-apisec-http-log) designed for Kong. This plugin simplifies ingestion of API traffic data from your Kong Gateway directly into Cortex API Security.

Using this integration, you can apply comprehensive security measures, including:

• OWASP Top 10 threat detection
• Bot protection
• Access control enforcement
• And more

When the Palo Alto Networks API Security plugin is enabled on a Kong Gateway Service or Route, it intercepts and processes API requests and their corresponding responses.

For each transaction, the plugin collects relevant data, such as:

• Request and response bodies
• HTTP headers
• Query parameters
• Status codes

This collected data is then sent to a designated Palo Alto Networks API Security collector endpoint.

Requests and responses are forwarded as-is without any modifications.

This plugin supports global, service, and route scopes—including combinations of services and routes. Consumer-level configuration is not supported.

You can install the Palo Alto Networks API Security plugin by downloading and mounting its file on Kong Gateway’s system.

Prerequisites

Create a Kong collector on Cortex. Use the download link provided below the collector’s API key to download plugin gzip file. The file includes the handler.lua, utils.lua, and schema.lua files that make up the custom plugin.

Install

-v ".plugin_directory/kong:/tmp/custom_plugins/kong" \
-e "KONG_LUA_PACKAGE_PATH=/tmp/custom_plugins/?.lua" \
-e "KONG_PLUGINS=bundled, panw-apisec-http-log

-e "KONG_NGINX_HTTP_CLIENT_BODY_BUFFER_SIZE=16k"

If you are using the Kong Ingress Controller, the installation differs from a standard setup. Review the custom plugin docs for the Kong Ingress Controller.