Document:Prisma Cloud Compute Edition Administrator’s Guide

Update the Intelligence Stream in offline environments

Filter

Welcome
- Releases
- Getting started
- Product architecture
- Support lifecycle
- Security Assurance Policy on Prisma Cloud Compute
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System requirements
- Prisma Cloud container images
- Onebox
- Kubernetes
- OpenShift
- OpenShift
- Console on Fargate
- Docker Swarm
- Amazon ECS
- Windows
- Defender types
- Install Defender
Upgrade
- Support lifecycle for connected components
- Prisma Cloud’s backward compatibility and upgrade process
- Upgrade Onebox
- Kubernetes
- OpenShift
- Helm charts
- Docker Swarm
- Amazon ECS
- Manually upgrade single Container Defenders
- Manually upgrade Defender DaemonSets
- Manually upgrade Defender DaemonSets (Helm)
- Manually upgrade Docker Swarm Defenders
Technology overviews
- Intelligence Stream
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Host Defender architecture
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Custom certs for Console access
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Configure custom certs from a predefined directory
- Customize terminal output
- Collections
- Tags
- Logon settings
- Reconfigure Prisma Cloud
- Subject Alternative Names
- WildFire settings
Authentication
- Logging into Prisma Cloud
- Integrate with Active Directory
- Integrate with OpenLDAP
- Integrate Prisma Cloud with Open ID Connect
- Integrate with Okta via SAML 2.0 federation
- Integrate Google G Suite via SAML 2.0 federation
- Integrate with Azure Active Directory via SAML 2.0 federation
- Integrate with PingFederate via SAML 2.0 federation
- Integrate with Windows Server 2016 & 2012r2 Active Directory Federation Services (ADFS) via SAML 2.0 federation
- Integrate Prisma Cloud with GitHub
- Integrate Prisma Cloud with OpenShift
- Non-default UPN suffixes
- Compute user roles
- Assign roles
- Use custom certificates for authorization
- Credentials store
Vulnerability management
- Prisma Cloud vulnerability feed
- Vulnerability Explorer
- Vulnerability management rules
- Search CVEs
- Scan reports
- Scanning procedure
- Customize image scanning
- Configure registry scans
- Registry scanning
  - Scan images in Alibaba Cloud Container Registry
  - Amazon EC2 Container Registry (ECR)
  - Azure Container Registry (ACR)
  - Docker Registry v2
  - Google Container Registry (GCR)
  - Harbor
  - IBM Cloud Container Registry
  - Scan images on Artifactory Docker Registry
  - OpenShift integrated Docker registry
  - Trigger registry scans with webhooks
- Base images
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Vulnerability risk tree
- Detect vulnerabilities in unpackaged software
- CVSS scoring
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu blobstore scanning
- Scan Fargate tasks
- Troubleshoot vulnerability detection
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- Docker Enterprise DISA STIG
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- Fargate scanning
- Detect secrets
- Cloud discovery
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for App-Embedded
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Event Aggregation
- Image analysis sandbox
- Incident Explorer
- Incident types
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Web-Application and API Security (WAAS)
- Deploying WAAS
- Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API observations
- WAAS custom rules
- Detecting unprotected web apps
- WAAS Log Scrubbing
- WAAS Troubleshooting
Firewalls
- Cloud Native Network Firewall (CNNF)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts
- ServiceNow alerts
- Slack Alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan images with twistcli
- Scan code repos with twistcli
- Install Console with twistcli
- Update the Intelligence Stream in offline environments
Deployment patterns
- Projects
- Migration options for scale projects
- Best practices for DNS and certificate management
- Disk capacity
- Migrating to a SaaS Console
- Performance planning
- Automated deployment
- High Availability and Disaster Recovery guidelines
API
Howto
- Configure an AWS Classic Load Balancer for ECS
- Configure the load balancer type for AWS EKS
- Configure Prisma Cloud Console’s listening ports
- Provision tenant projects in OpenShift
- Disable automatic learning
- Debug data

Update the Intelligence Stream in offline environments

Prisma Cloud lets you update Console’s vulnerability and threat data even if it runs in an offline environment.

The Prisma Cloud Intelligence Stream (IS) is a real-time feed that contains vulnerability data and threat intelligence from commercial providers, Prisma Cloud Labs, and the open source community.

When you install Prisma Cloud, Console is automatically configured to connect to intelligence.twistlock.com to download updates. The IS is updated several times per day, and Console continuously checks for updates.

If you run Prisma Cloud in an offline environment, where Console does not have access to the Internet to download updates from the IS, then you can manually download and install IS updates.

Update strategies for offline environments

There are a number of update strategies. The right strategy for you depends on the size of your deployment, and in particular, the number of air-gapped Consoles in your environment.

Basic strategy

Use the basic strategy when you’ve got one or two air-gapped Consoles. The basic strategy for updating the threat data for an isolated, air-gapped Console is:

Download the IS data from an Internet-connected machine.

Move the archived data to a location accessible by the air-gapped environment.

Load the IS data into the offline Console.

Both the download and upload operations use twistcli, so the process can be automated.

If you’ve got a large number of air-gapped Consoles, individually updating each one can be challenging and brittle, especially in dynamic environments. As such, Prisma Cloud lets you scale the basic strategy to any number of Consoles. Each deployed Console can be configured to look for the latest threat data in a central location. From there, each Console will update itself every 24 hours. Your job is to ensure that the central location always serves the latest threat data.

For example, consider how the U.S. Navy would keep a fleet of submarines up-to-date with the latest threat data. When a submarine surfaces and establishes brief connection to its command’s network, the submarine’s Console needs to pull the latest Intelligence Stream updates. For this type of setup, see Scale approach 1 and Scale approach 2.

Scale approach 1

Distribute the latest Intelligence Stream data from an HTTP/S server. Use the basic strategy to keep the data at the endpoint up-to-date. To configure your Console for this approach, see Download the IS from an HTTP server.

Scale approach 2

Distribute the latest Intelligence Stream data from a so-called "relay" Console. Downstream Consoles connect to the relay Console to pull the latest threat data. To keep the relay Console up-to-date:

Use the basic strategy when the relay Console is also isolated in an air-gapped environment.

Let the relay Console update itself by connecting to the Intelligence Stream over the Internet.

To configure your Console for this approach, see Download the IS from another Console.

Projects

By default, projects utilize the distribution mechanism described in Scale approach 2. Central Console connects to https://intelligence.twistlock.com to retrieve the latest theat data. All tenant projects connect to Central Console to get the latest threat data. Central Console itself can be configured for manual threat feed updates, Scale approach 1, or Scale approach 2.

To force Central Console to push Intelligence Stream updates down to all tenants, go to Manage > System > Intelligence
in the Central Console and click Update Now
.

Download the IS data with twistcli

Before starting, ensure the Internet-connected host to where you will initially download the data can access the Intelligence Stream. The most reliable way to test connectivity is to ping the Intelligence Stream. This following curl command verifies that name resolution and any intermediary HTTP proxies are functioning properly.

$ curl -k \
  --silent \
  --output /dev/null \
  --write-out "%{http_code}\n" \
  https://intelligence.twistlock.com/api/v1/_ping

If you’ve got connectivity, you’ll get back a 200 (Successful) response code.

Open Console.

Go to Manage > System > Intelligence
.

Copy the access token.

Download twistcli. You have several options:

Download twistcli from the Console UI. Go to Manage > System > Utilities
.

Download twistcli from the API. Use /api/v1/util/twistcli for the Linux binary or /api/v1/util/osx/twistcli for the macOS binary..

Get a copy from the release tarball.

Download the the Intelligence Stream data.

Open a shell window, and run the following command:

$ ./linux/twistcli intelligence download --token <ACCESS-TOKEN>

All data is downloaded and saved in a file named twistlock_feed_<random_string>.tar.gz

Upload IS data to Console with twistcli

Use the twistcli tool to upload the Intelligence Stream archive to your Prisma Cloud Console.

Prerequisite:
You’ve disabled over-the-Internet updates for your air-gapped Console. Go to Manage > System > Intelligence
and set Update the Intelligence Stream from Prisma Cloud over the Internet
to Off
.

Download twistcli. You have several options:

Download twistcli from the Console UI. Go to Manage > System > Utilities
.

Download twistcli from the API. Use /api/v1/util/twistcli for the Linux binary or /api/v1/util/osx/twistcli for the macOS binary..

Get a copy from the release tarball.

Run the following command:

$ ./linux/twistcli intelligence upload \
  --address \https://<COMPUTE-CONSOLE>:8083 \
  --user <USER> \
  --password <PASSWORD> \
  --tlscacert <PATH-TO-CERT> \
  <FEED-ARCHIVE>

Where:

<COMPUTE-CONSOLE>
--

URL for the air-gapped Console.

<USER>, <PASSWD>
--

Credentials for a user with a minumum role of Vulnerability Manager.

<PATH-TO-CERT>
--

(Optional) Path to to Prisma Cloud’s CA certificate file. With the CA cert, a secure connection is used to upload the intelligence data to Console. For example, /var/lib/twistlock/certificates/console-cert.pem.

<FEED-ARCHIVE>
--

File generated from downloading an archive of the IS with twistcli. For example, twistlock_feed_1524655717.tar.gz.

Sometimes after Console is restarted, you might see an error on the login page that says "failed to query license". This is by design, and it’s not a bug. It happens because a Console restart triggers a user auth token renewal. For more information, see long-lived tokens.

Download the IS from an HTTP server

Configure Console to download the IS archive file from a custom HTTPS location.

When enabled, Console downloads the file from this location every 24 hours. If the download fails, Console retries every 1 hour until it’s successful, then waits for 24 hours until the next download.

In this strategy, you must get the latest IS data with twistcli and copy the archive file to the HTTP/S server, where the air-gapped Console(s) will retrieve it.

Open Console.

Go to Manage > System > Intelligence
.

Set Update the Intelligence Stream from a custom location
to On
.

In Address
, specify the full URL to the HTTP/S endpoint where the archive is served.

Document:Prisma Cloud Compute Edition Administrator’s Guide

Update the Intelligence Stream in offline environments

Table of Contents

Update the Intelligence Stream in offline environments

Update strategies for offline environments

Basic strategy

Scale approach 1

Scale approach 2

Projects

Download the IS data with twistcli

Upload IS data to Console with twistcli

Download the IS from an HTTP server