Palo Alto Networks API Security: Enable Palo Alto Networks API Security - Plugin

Enable Palo Alto Networks API Securityv3.4+

Enable the Palo Alto Networks API Security plugin.

Prerequisites

The Palo Alto Networks API Security plugin is installed.
The Palo Alto Networks API Security collector is configured and you have an endpoint to send traffic to.

Environment variables

YOUR_ENDPOINT: The full URL of the Palo Alto Networks API Security collector endpoint that was created in your Cortex environment. This is where the plugin will send the traffic data to.
API_KEY: The API key used for authenticating requests sent from the plugin to the collector.
CLOUD_PROVIDER: The environment (one of AWS, GCP, Azure, or On-prem) where your Kong Gateway is hosted.
CLOUD_CONTEXT: The AWS Account ID, GCP Project ID, Azure Subscription, or an appropriate value for on-prem.
CLOUD_REGION: The cloud region where your Kong Gateway is hosted.

Set up the plugin

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: panw-apisec-http-log
    config:
      http_endpoint: ${{ env "DECK_YOUR_ENDPOINT" }}
      cortex_api_key: ${{ env "DECK_API_KEY" }}
      cloud_provider: ${{ env "DECK_CLOUD_PROVIDER" }}
      cloud_context: ${{ env "DECK_CLOUD_CONTEXT" }}
      cloud_region: ${{ env "DECK_CLOUD_REGION" }}

Make the following request:

curl -i -X POST http://localhost:8001/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "panw-apisec-http-log",
      "config": {
        "http_endpoint": "'$YOUR_ENDPOINT'",
        "cortex_api_key": "'$API_KEY'",
        "cloud_provider": "'$CLOUD_PROVIDER'",
        "cloud_context": "'$CLOUD_CONTEXT'",
        "cloud_region": "'$CLOUD_REGION'"
      }
    }
    '

Make the following request:

curl -X POST https://.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "panw-apisec-http-log",
      "config": {
        "http_endpoint": "'$YOUR_ENDPOINT'",
        "cortex_api_key": "'$API_KEY'",
        "cloud_provider": "'$CLOUD_PROVIDER'",
        "cloud_context": "'$CLOUD_CONTEXT'",
        "cloud_region": "'$CLOUD_REGION'"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: panw-apisec-http-log
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: 'true'
config:
  http_endpoint: '$YOUR_ENDPOINT'
  cortex_api_key: '$API_KEY'
  cloud_provider: '$CLOUD_PROVIDER'
  cloud_context: '$CLOUD_CONTEXT'
  cloud_region: '$CLOUD_REGION'
plugin: panw-apisec-http-log
" | kubectl apply -f -

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_panw_apisec_http_log" "my_panw_apisec_http_log" {
  enabled = true

  config = {
    http_endpoint = var.your_endpoint
    cortex_api_key = var.api_key
    cloud_provider = var.cloud_provider
    cloud_context = var.cloud_context
    cloud_region = var.cloud_region
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "cloud_region" {
  type = string
}

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: panw-apisec-http-log
    service: serviceName|Id
    config:
      http_endpoint: ${{ env "DECK_YOUR_ENDPOINT" }}
      cortex_api_key: ${{ env "DECK_API_KEY" }}
      cloud_provider: ${{ env "DECK_CLOUD_PROVIDER" }}
      cloud_context: ${{ env "DECK_CLOUD_CONTEXT" }}
      cloud_region: ${{ env "DECK_CLOUD_REGION" }}

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "panw-apisec-http-log",
      "config": {
        "http_endpoint": "'$YOUR_ENDPOINT'",
        "cortex_api_key": "'$API_KEY'",
        "cloud_provider": "'$CLOUD_PROVIDER'",
        "cloud_context": "'$CLOUD_CONTEXT'",
        "cloud_region": "'$CLOUD_REGION'"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -X POST https://.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "panw-apisec-http-log",
      "config": {
        "http_endpoint": "'$YOUR_ENDPOINT'",
        "cortex_api_key": "'$API_KEY'",
        "cloud_provider": "'$CLOUD_PROVIDER'",
        "cloud_context": "'$CLOUD_CONTEXT'",
        "cloud_region": "'$CLOUD_REGION'"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
serviceId: The id of the service the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: panw-apisec-http-log
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  http_endpoint: '$YOUR_ENDPOINT'
  cortex_api_key: '$API_KEY'
  cloud_provider: '$CLOUD_PROVIDER'
  cloud_context: '$CLOUD_CONTEXT'
  cloud_region: '$CLOUD_REGION'
plugin: panw-apisec-http-log
" | kubectl apply -f -

Next, apply the KongPlugin resource by annotating the service resource:

kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=panw-apisec-http-log

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_panw_apisec_http_log" "my_panw_apisec_http_log" {
  enabled = true

  config = {
    http_endpoint = var.your_endpoint
    cortex_api_key = var.api_key
    cloud_provider = var.cloud_provider
    cloud_context = var.cloud_context
    cloud_region = var.cloud_region
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "cloud_region" {
  type = string
}

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: panw-apisec-http-log
    route: routeName|Id
    config:
      http_endpoint: ${{ env "DECK_YOUR_ENDPOINT" }}
      cortex_api_key: ${{ env "DECK_API_KEY" }}
      cloud_provider: ${{ env "DECK_CLOUD_PROVIDER" }}
      cloud_context: ${{ env "DECK_CLOUD_CONTEXT" }}
      cloud_region: ${{ env "DECK_CLOUD_REGION" }}

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "panw-apisec-http-log",
      "config": {
        "http_endpoint": "'$YOUR_ENDPOINT'",
        "cortex_api_key": "'$API_KEY'",
        "cloud_provider": "'$CLOUD_PROVIDER'",
        "cloud_context": "'$CLOUD_CONTEXT'",
        "cloud_region": "'$CLOUD_REGION'"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -X POST https://.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "panw-apisec-http-log",
      "config": {
        "http_endpoint": "'$YOUR_ENDPOINT'",
        "cortex_api_key": "'$API_KEY'",
        "cloud_provider": "'$CLOUD_PROVIDER'",
        "cloud_context": "'$CLOUD_CONTEXT'",
        "cloud_region": "'$CLOUD_REGION'"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
routeId: The id of the route the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: panw-apisec-http-log
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  http_endpoint: '$YOUR_ENDPOINT'
  cortex_api_key: '$API_KEY'
  cloud_provider: '$CLOUD_PROVIDER'
  cloud_context: '$CLOUD_CONTEXT'
  cloud_region: '$CLOUD_REGION'
plugin: panw-apisec-http-log
" | kubectl apply -f -

Next, apply the KongPlugin resource by annotating the httproute or ingress resource:

kubectl annotate -n kong httproute  konghq.com/plugins=panw-apisec-http-log

kubectl annotate -n kong ingress  konghq.com/plugins=panw-apisec-http-log

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_panw_apisec_http_log" "my_panw_apisec_http_log" {
  enabled = true

  config = {
    http_endpoint = var.your_endpoint
    cortex_api_key = var.api_key
    cloud_provider = var.cloud_provider
    cloud_context = var.cloud_context
    cloud_region = var.cloud_region
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "cloud_region" {
  type = string
}

Palo Alto Networks API Security

Enable Palo Alto Networks API Securityv3.4+

Prerequisites

Environment variables

Set up the plugin

Help us make these docs great!

Still need help