Enable Palo Alto Networks API Securityv3.4+
Enable the Palo Alto Networks API Security plugin.
Prerequisites
-
The Palo Alto Networks API Security plugin is installed.
-
The Palo Alto Networks API Security collector is configured and you have an endpoint to send traffic to.
Environment variables
-
YOUR_ENDPOINT
: The full URL of the Palo Alto Networks API Security collector endpoint that was created in your Cortex environment. This is where the plugin will send the traffic data to. -
API_KEY
: The API key used for authenticating requests sent from the plugin to the collector. -
CLOUD_PROVIDER
: The environment (one of AWS, GCP, Azure, or On-prem) where your Kong Gateway is hosted. -
CLOUD_CONTEXT
: The AWS Account ID, GCP Project ID, Azure Subscription, or an appropriate value for on-prem. -
CLOUD_REGION
: The cloud region where your Kong Gateway is hosted.
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
- name: panw-apisec-http-log
config:
http_endpoint: ${{ env "DECK_YOUR_ENDPOINT" }}
cortex_api_key: ${{ env "DECK_API_KEY" }}
cloud_provider: ${{ env "DECK_CLOUD_PROVIDER" }}
cloud_context: ${{ env "DECK_CLOUD_CONTEXT" }}
cloud_region: ${{ env "DECK_CLOUD_REGION" }}
Make the following request:
curl -i -X POST http://localhost:8001/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "panw-apisec-http-log",
"config": {
"http_endpoint": "'$YOUR_ENDPOINT'",
"cortex_api_key": "'$API_KEY'",
"cloud_provider": "'$CLOUD_PROVIDER'",
"cloud_context": "'$CLOUD_CONTEXT'",
"cloud_region": "'$CLOUD_REGION'"
}
}
'
Make the following request:
curl -X POST https://.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "panw-apisec-http-log",
"config": {
"http_endpoint": "'$YOUR_ENDPOINT'",
"cortex_api_key": "'$API_KEY'",
"cloud_provider": "'$CLOUD_PROVIDER'",
"cloud_context": "'$CLOUD_CONTEXT'",
"cloud_region": "'$CLOUD_REGION'"
}
}
'
Make sure to replace the following placeholders with your own values:
-
controlPlaneId
: Theid
of the control plane. -
KONNECT_TOKEN
: Your Personal Access Token (PAT) associated with your Konnect account.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
name: panw-apisec-http-log
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
labels:
global: 'true'
config:
http_endpoint: '$YOUR_ENDPOINT'
cortex_api_key: '$API_KEY'
cloud_provider: '$CLOUD_PROVIDER'
cloud_context: '$CLOUD_CONTEXT'
cloud_region: '$CLOUD_REGION'
plugin: panw-apisec-http-log
" | kubectl apply -f -
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_panw_apisec_http_log" "my_panw_apisec_http_log" {
enabled = true
config = {
http_endpoint = var.your_endpoint
cortex_api_key = var.api_key
cloud_provider = var.cloud_provider
cloud_context = var.cloud_context
cloud_region = var.cloud_region
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value
.
variable "cloud_region" {
type = string
}
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
- name: panw-apisec-http-log
service: serviceName|Id
config:
http_endpoint: ${{ env "DECK_YOUR_ENDPOINT" }}
cortex_api_key: ${{ env "DECK_API_KEY" }}
cloud_provider: ${{ env "DECK_CLOUD_PROVIDER" }}
cloud_context: ${{ env "DECK_CLOUD_CONTEXT" }}
cloud_region: ${{ env "DECK_CLOUD_REGION" }}
Make sure to replace the following placeholders with your own values:
-
serviceName|Id
: Theid
orname
of the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "panw-apisec-http-log",
"config": {
"http_endpoint": "'$YOUR_ENDPOINT'",
"cortex_api_key": "'$API_KEY'",
"cloud_provider": "'$CLOUD_PROVIDER'",
"cloud_context": "'$CLOUD_CONTEXT'",
"cloud_region": "'$CLOUD_REGION'"
}
}
'
Make sure to replace the following placeholders with your own values:
-
serviceName|Id
: Theid
orname
of the service the plugin configuration will target.
Make the following request:
curl -X POST https://.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "panw-apisec-http-log",
"config": {
"http_endpoint": "'$YOUR_ENDPOINT'",
"cortex_api_key": "'$API_KEY'",
"cloud_provider": "'$CLOUD_PROVIDER'",
"cloud_context": "'$CLOUD_CONTEXT'",
"cloud_region": "'$CLOUD_REGION'"
}
}
'
Make sure to replace the following placeholders with your own values:
-
controlPlaneId
: Theid
of the control plane. -
KONNECT_TOKEN
: Your Personal Access Token (PAT) associated with your Konnect account. -
serviceId
: Theid
of the service the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: panw-apisec-http-log
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
http_endpoint: '$YOUR_ENDPOINT'
cortex_api_key: '$API_KEY'
cloud_provider: '$CLOUD_PROVIDER'
cloud_context: '$CLOUD_CONTEXT'
cloud_region: '$CLOUD_REGION'
plugin: panw-apisec-http-log
" | kubectl apply -f -
Next, apply the KongPlugin
resource by annotating the service
resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=panw-apisec-http-log
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_panw_apisec_http_log" "my_panw_apisec_http_log" {
enabled = true
config = {
http_endpoint = var.your_endpoint
cortex_api_key = var.api_key
cloud_provider = var.cloud_provider
cloud_context = var.cloud_context
cloud_region = var.cloud_region
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
service = {
id = konnect_gateway_service.my_service.id
}
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value
.
variable "cloud_region" {
type = string
}
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
- name: panw-apisec-http-log
route: routeName|Id
config:
http_endpoint: ${{ env "DECK_YOUR_ENDPOINT" }}
cortex_api_key: ${{ env "DECK_API_KEY" }}
cloud_provider: ${{ env "DECK_CLOUD_PROVIDER" }}
cloud_context: ${{ env "DECK_CLOUD_CONTEXT" }}
cloud_region: ${{ env "DECK_CLOUD_REGION" }}
Make sure to replace the following placeholders with your own values:
-
routeName|Id
: Theid
orname
of the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "panw-apisec-http-log",
"config": {
"http_endpoint": "'$YOUR_ENDPOINT'",
"cortex_api_key": "'$API_KEY'",
"cloud_provider": "'$CLOUD_PROVIDER'",
"cloud_context": "'$CLOUD_CONTEXT'",
"cloud_region": "'$CLOUD_REGION'"
}
}
'
Make sure to replace the following placeholders with your own values:
-
routeName|Id
: Theid
orname
of the route the plugin configuration will target.
Make the following request:
curl -X POST https://.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "panw-apisec-http-log",
"config": {
"http_endpoint": "'$YOUR_ENDPOINT'",
"cortex_api_key": "'$API_KEY'",
"cloud_provider": "'$CLOUD_PROVIDER'",
"cloud_context": "'$CLOUD_CONTEXT'",
"cloud_region": "'$CLOUD_REGION'"
}
}
'
Make sure to replace the following placeholders with your own values:
-
controlPlaneId
: Theid
of the control plane. -
KONNECT_TOKEN
: Your Personal Access Token (PAT) associated with your Konnect account. -
routeId
: Theid
of the route the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: panw-apisec-http-log
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
http_endpoint: '$YOUR_ENDPOINT'
cortex_api_key: '$API_KEY'
cloud_provider: '$CLOUD_PROVIDER'
cloud_context: '$CLOUD_CONTEXT'
cloud_region: '$CLOUD_REGION'
plugin: panw-apisec-http-log
" | kubectl apply -f -
Next, apply the KongPlugin
resource by annotating the httproute
or ingress
resource:
kubectl annotate -n kong httproute konghq.com/plugins=panw-apisec-http-log
kubectl annotate -n kong ingress konghq.com/plugins=panw-apisec-http-log
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_panw_apisec_http_log" "my_panw_apisec_http_log" {
enabled = true
config = {
http_endpoint = var.your_endpoint
cortex_api_key = var.api_key
cloud_provider = var.cloud_provider
cloud_context = var.cloud_context
cloud_region = var.cloud_region
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
route = {
id = konnect_gateway_route.my_route.id
}
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value
.
variable "cloud_region" {
type = string
}