21.04 Release Notes
The following table outlines the release particulars:
26 April 2021
New features in the Core Platform
- Introduces a new dashboard for the MITRE ATT&CK framework, which helps better contextualize runtime audits.
- Improves Compliance Explorer to align with industry-accepted reporting standards.
- Introduces new granular access permissions to supplement the current prebuilt, statically-defined roles. You can use access permissions to create fine-tuned custom roles.
- Introduces the ability to run Prisma Cloud Compute Console in AWS Fargate.
- Enhances Prisma Cloud’s capabilities for detecting and blocking malware with Palo Alto Networks WildFire malware analysis engine. Wildfire malware analysis can now be integrated into:
- CI/CD pipelines, with the Jenkins plugin/twistcli.
- Runtime, for both containers and hosts, with Defender.
- Adds support for detecting Go binaries in container image and host file systems, finding and listing module dependencies, and reporting vulnerabilities in Go releases.
- Delivers the API reference as an OpenAPI 3.0 spec file. Spec files can now be downloaded from the Console UI.
- Adds support for deploying single stand-alone Defenders with twistcli.
- Updates support for CIS benchmarks to the latest available versions, specifically:
- CIS Docker benchmark v1.2.
- CIS Kubernetes benchmark v1.6.
- CIS Distribution Independent Linux v2.0.
- Improves how the scanner assesses data in the Intelligence Stream against the resources in your environment.
- Implements standard Palo Alto Networks colors and typography across the product.
- Enables advanced telemetry collection by default. This setting can be disabled.
New features in Container Security
- Introduces the ability to better control which Defenders perform registry scans. You can now utilize collections to select Defenders for registry scanning, setting scope by hostname and AWS tags.
- Implements a more robust runtime protection mechanism for App-Embedded Defenders based on ptrace. App-Embedded Defender protects AWS Fargate tasks, and containers in other Container-as-a-Service offerings, including Azure Container Instance and Google Cloud Run. As part of this change, Prisma Cloud now ships with a default runtime rule for App-Embedded Defenders.
- Adds the ability for App-Embedded Defenders to assess containers in Fargate tasks for vulnerability and compliance issues.
- Enhances the output from twistcli for image scans. When specifying --output-file, twistcli exports scan data to a local JSON file. The schema is now considered stable, and the structure will be maintained in future releases. In order to stabilize for the future, there are some breaking changes in the schema between 21.04 (this release) and 20.12 (the previous release). See the section on breaking changes for full details.
- Introduces a new compliance template for the Docker Enterprise DISA STIG.
- Adds a new control to container runtime rules that detects suspicious privilege escalation by watching for binaries with the setuid bit that are executed in your containers.
New features in Host Security
- Adds the ability to discover VMs in your AWS, Azure, and GCP cloud accounts, and auto-deploy Host Defender to unprotected EC2 instances in your AWS accounts.
- Adds support for host OS-specific compliance benchmarks, specifically:
- Amazon Linux (CIS Amazon Linux Benchmark v2.1.0)
- Amazon Linux 2 (CIS Amazon Linux 2 Benchmark v1.0.0)
- Improved host runtime capabilities:
- All anti-malware and exploit prevention capabilities in a single tab
- Separate effect for all anti-malware, exploit prevention and networking capabilities
- New anti-malware capabilities:
- Detection of non packaged binaries
- Encrypted/packed binaries
- Trusted executables by hash
- Improved cryptominer detection
- WildFire analysis
- Added webshell detection for anti-exploit
- Added allow list for IP and DNS on networking capabilities
New features in Serverless Security
- Improves how you scope the serverless functions to scan. Scan scopes now include all regions in a cloud account, and collections now let you target specific resources by region and tag.
- Enhances handling for AWS Lambda layers. Lambda layers are now also scanned for vulnerability and compliance issues. Scan reports show where issues are found (in the Lambda function itself, or a dependent layer).
New features in Shift Left Security
- Introduces the ability to set and enforce a license policy for package dependencies in code repository scans.
- Adds support for scanning code repositories with twistcli and the Jenkins plugin.
- Adds support for the Go language for code repository scanning.
New features in WAAS
- Improves WAAS’s API protection capabilities. WAAS can now produce a report of discovered API endpoints and usage statistics. The report can be exported as an OpenAPI file, and imported back into WAAS for enforcement.
- Adds custom rules for WAAS, which let you describe and detect discrete conditions in requests and responses.
- Enhances WAAS policy rules:
- Automatically assigning and enforcing unique app IDs for each rule in a WAAS policy.
- Adding support for enabling, disabling, copying, importing, and exporting WAAS rules.
- Adding the ability to export the entire WAAS policy.
- Auditing all triggered alerts.
- DoS protection: separating burst and average rates for alerting and banning.
- Access control: separating denied inbound source IPs and source countries for alert and prevent effects.
- Adding response header names and status code fields to all WAAS events.
- Adding an "Entities in scope" column for host and container rules.
- Adding a "Protection" dimension to the analytics view (supported dimensions: Firewall, DoS, Bot, Custom, Access Control).
- Introduces reCAPTCHA integration for advanced bot detection.
- Adds the ability to customize the page WAAS displays in response to a block action. You can customize the page template (HTTP) and response code.
- Improves the usability of the WAAS audit timeline graph. You can now dynamically adjust the date filter by clicking and selecting the area of interest.
DISA STIG scan findings and justifications
Every release, we perform an SCAP scan of the Prisma Cloud Compute Console and Defender images. The process is based upon the U.S. Air Force’s Platform 1 "Repo One" OpenSCAP scan of the Prisma Cloud Compute images. We compare our scan results to IronBank’s latest approved UBI8-minimal scan findings. Any discrepancies are addressed or justified.
Be aware of the following breaking changes when upgrading to 21.04:
- For Fargate and App-Embedded Defenders: Until this release, Prisma Cloud kept the task running if the connectivity to Console failed because of corrupt installation bundles (we just log and run the task anyway). Now, if a task is failing or is in an error state, Prisma Cloud doesn’t allow connections back to Console.
- Compliance Explorer has been refactored to make it easier to understand how your environments, and segments of your environment, comply to policy. Because the structure of the data has changed, existing compliance statistics will be deleted on upgrade. Also:
- CSV export for the main table have changed according to the new table structure.
- CSV export for the compliance check dialog table have changed. The CSV will be taken from the download API for images, containers, hosts, and serverless pages.
- Compliance metrics in Radar’s sidebar have been updated to align with the new data and structure in Compliance Explorer.
- Istio compliance checks opened from Compliance explorer don’t have a list of affected resources in the dialog.
- Prometheus compliance fields have changed. Up until this release, Prisma Cloud had metrics by impacted resources (e.g. images_critical_compliance). Now we provide the total number of failed checks by severity. The new metrics are:
- The JSON file output from twistcli image scans has the following schema changes:
- Publish date - name changed, date format instead of days.
- Discovered date - name changed, date format instead of days.
- Risk factors - string array instead of an empty JSON format.
- If you’re using Kubernetes auditing, you must redeploy the AuditSink after upgrading. Console’s certificate might be renewed during upgrade, so your cluster won’t be able to send audits to Prisma Cloud Console.
- Starting with this release, only users with the administrator role can download debug logs and create backups. The operator and auditor roles can no longer perform these actions. The artifacts from these actions contain sensitive information that could be used to escalate privileges in Prisma Cloud. Only admins can:
- Download debug logs fromManage > Logs > Console.
- Create backups fromManage > System > Backup & restore.
- The Access User role lost all of its permissions, except access to some generally available API endpoints that are open to all authenticated users. Access Users will no longer be able to login to the Console UI. This role will be removed in the next release. As a reminder, the Access User role was originally designed for users to install certificates as part of a mechanism to control access to Docker commands.
- Defender Manager user role (Mapped to "Cloud Provisioning Admin" permission group on SaaS) will no longer be able to perform CI scans.
- As part of the work to introduce the new ATT&CK dashboard, all audits will be discarded on upgrade.
- Installations using legacy host based licensing will not have the WAAS feature available
- Due to reuse of network ranges in customer VPCs defenders on different clusters have the same name therefore host names were renamed. Therefore, upon defender upgrade the old defender will appear at console as disconnected until automatically removed by the console. The upgraded defender will appear under it’s new format name. Note: if the old defender(s) was specifically selected for registry scan, it will be needed to be reselected with their updated name New format names listed below:
- AWS format: hostname ⇒ hostname-unique AWS instance ID For example: ip-172-31-80-18.ec2.internal ⇒ ip-172-31-80-18.ec2.internal-i-07dca3f58ecf1e48a
- Azure format: hostname ⇒ hostname-custom resource group name-subscription ID For example: aks-agentpool-16678185-vmss000000 ⇒ aks-agentpool-16678185-vmss000000-MC_alexs-aks_alexs-aks_eastus-ae02981e-e1bd-49ec-ad81-801f157a944e
- Customers using automatic upgrade of defender may see vulnerabiliteis reported on their defenders. This is due to the fact that the automatic upgrade replaces the binary during while the vulenabilit(ies) exist on the base layer. In order to fix this, manual upgrade of the defenders will need to be performed
Breaking changes in the API
For complete information about breaking changes and deprecated endpoints in the API, see the 21.04 API porting guide.
Deprecated this release
- The Registry scanner role for Defenders has been deprecated and removed. Starting this release, Defenders are selected to perform registry scanning based on collections. To determine which Defenders are part of the scanner pool, filter the table inManage > Defenders > Manage > Defendersby collection.
- TheRolescolumn in the table inManage > Defenders > Manage > Defendershas been deprecated and removed. Defenders can no longer have theRegistry scannerrole (see above). Also, the table already contains data to show if a Defender has theDocker proxyrole. See theListerner typecolumn in the table inManage > Defenders > Manage > Defenders. If listener type is set toTCP Socket, Defender acts as a Docker proxy.
- As part of the work to improve runtime support for App-Embedded Defenders, explicitly denied lists in App-Embedded runtime rules have been deprecated. By default, everything is denied unless explicitly allow-listed.
- TheAccess Userrole will be deprecated in the next release (code-named Iverson).
Recommended For You
Recommended videos not found.