Create Traffic Objects for Zone-Based Security
Create traffic objects to specify cloud entities within specific clusters or VPC endpoints and enforce customized security policy rules on them.
This page helps you create a traffic object containing specific cloud assets and map the traffic object to a zone. Attach the zone to a security policy to enforce the policy rules on the AI traffic sourced from this zone.
This feature is part of the AI Runtime Security licensing. The AI traffic from the zone is routed to the AI Runtime Security instance for inspection.
Where Can I Use This?
What Do I Need?
  • AI Runtime Security
Prerequisites
  • Download the deployment Terraform template, navigate to the <unzipped-folder>/architecture/helm folder, and install the Helm chart. Refer to Configure SCM to Protect VM Workloads and Kubernetes Clusters.
  • Configure a Cluster ID in the K8s environment and configure the PAN-CNI plugin on the K8s cluster to allocate the network interfaces on each pod. To configure the PAN-CNI plugin for your Kubernetes cluster, you need three YAML files: `pan-cni-configmap.yaml`, `pan-cni.yaml`, and `pan-cni-multus.yaml`. These files are required to set up and manage the PAN-CNI plugin that secures your Kubernetes clusters with the AI Runtime Security instance.
  1. Log in to SCM.
  2. Select Manage → Configuration → NGFW and Prisma Access.
  3. From the top menu, select Objects → Traffic Objects.
  4. Select Add Traffic Object.
     1. Enter a Name for the Traffic Object.
     2. Write a Description.
     3. Select the Type as K8s Cluster ID or VPC Endpoint ID.
     4. In the Traffic Object ID, enter the K8s Cluster ID or the VPC Endpoint ID.
        • If the type is K8s Cluster ID, the traffic object ID values can be between 1-2048.
        • If the type is VPC Endpoint ID, the Traffic Object ID format is: vpc-xxxxxxxxxxxxxxxxx (with 17 alphanumeric characters)
     5. Select the existing ingress Zone for the traffic object or create a new zone.
     6. Select the Router. Refer to the section on how to configure a Static Route.
  5. Select Save to create the traffic object.
     This creates a sub-interface from the zone and the K8s Cluster ID and maps the sub-interface to the zone. Use this zone to define granular security policies for the cloud assets within it.
  6. Select Manage → Configuration → NGFW and Prisma Access → Security Services → Security Policy and create a security policy rule. Attach the zone to the policy rule to enforce the rule on all the cloud entities enclosed within the traffic object.
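As an added example (not code from Palo Alto Networks or SCM), a Python pre-flight check for the Traffic Object ID rules given in step 4, run over a constructed plan of traffic objects before they are entered in the SCM UI. The TrafficObject fields, object names and zone names are assumptions, and the sample IDs are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ID rules from this page: a K8s Cluster ID is an integer between 1 and 2048;
# a VPC Endpoint ID is "vpc-" followed by exactly 17 alphanumeric characters.
K8S_CLUSTER_ID_MIN, K8S_CLUSTER_ID_MAX = 1, 2048
K8S_CLUSTER_ID_RE = re.compile(r"[0-9]+")            # ASCII digits only
VPC_ENDPOINT_ID_RE = re.compile(r"vpc-[A-Za-z0-9]{17}")

@dataclass(frozen=True)
class TrafficObject:
    name: str
    type: str       # "K8s Cluster ID" or "VPC Endpoint ID", as shown in SCM
    object_id: str
    zone: str       # ingress zone the traffic object is mapped to

def validate_traffic_object_id(obj_type: str, object_id: str) -> Optional[str]:
    """Return an error message, or None when the ID is valid for its type."""
    if obj_type == "K8s Cluster ID":
        if not K8S_CLUSTER_ID_RE.fullmatch(object_id):
            return f"K8s Cluster ID {object_id!r} is not a positive integer"
        if not K8S_CLUSTER_ID_MIN <= int(object_id) <= K8S_CLUSTER_ID_MAX:
            return f"K8s Cluster ID {object_id} is outside the range 1-2048"
        return None
    if obj_type == "VPC Endpoint ID":
        if not VPC_ENDPOINT_ID_RE.fullmatch(object_id):
            return (f"VPC Endpoint ID {object_id!r} must be 'vpc-' followed by "
                    "17 alphanumeric characters")
        return None
    return f"unknown traffic object type {obj_type!r}"

def validate_traffic_objects(objects: List[TrafficObject]) -> List[str]:
    """Check every planned object; each returned string is one problem to fix."""
    errors = []
    for obj in objects:
        if not obj.zone:
            errors.append(f"{obj.name}: no ingress zone selected")
        err = validate_traffic_object_id(obj.type, obj.object_id)
        if err:
            errors.append(f"{obj.name}: {err}")
    return errors

# Constructed sample plan (made-up IDs): two valid objects, one out-of-range K8s ID.
SAMPLE_PLAN = [
    TrafficObject("prod-eks", "K8s Cluster ID", "42", "ai-zone-eks"),
    TrafficObject("prod-vpce", "VPC Endpoint ID", "vpc-0123456789abcdef0", "ai-zone-vpc"),
    TrafficObject("bad-cluster", "K8s Cluster ID", "2049", "ai-zone-eks"),
]
```

Running `validate_traffic_objects(SAMPLE_PLAN)` returns a single entry for `bad-cluster`, so the plan can be corrected before any zone or policy is touched.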
