Document:Prisma Cloud Compute Edition Administrator’s Guide

WAAS Troubleshooting

Filter

Welcome
- Releases
- Getting started
- Product architecture
- Support lifecycle
- Security Assurance Policy on Prisma Cloud Compute
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System requirements
- Prisma Cloud container images
- Onebox
- Kubernetes
- OpenShift
- OpenShift
- Console on Fargate
- Docker Swarm
- Amazon ECS
- Windows
- Defender types
- Install Defender
Upgrade
- Support lifecycle for connected components
- Prisma Cloud’s backward compatibility and upgrade process
- Upgrade Onebox
- Kubernetes
- OpenShift
- Helm charts
- Docker Swarm
- Amazon ECS
- Manually upgrade single Container Defenders
- Manually upgrade Defender DaemonSets
- Manually upgrade Defender DaemonSets (Helm)
- Manually upgrade Docker Swarm Defenders
Technology overviews
- Intelligence Stream
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Host Defender architecture
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Custom certs for Console access
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Configure custom certs from a predefined directory
- Customize terminal output
- Collections
- Tags
- Logon settings
- Reconfigure Prisma Cloud
- Subject Alternative Names
- WildFire settings
Authentication
- Logging into Prisma Cloud
- Integrate with Active Directory
- Integrate with OpenLDAP
- Integrate Prisma Cloud with Open ID Connect
- Integrate with Okta via SAML 2.0 federation
- Integrate Google G Suite via SAML 2.0 federation
- Integrate with Azure Active Directory via SAML 2.0 federation
- Integrate with PingFederate via SAML 2.0 federation
- Integrate with Windows Server 2016 & 2012r2 Active Directory Federation Services (ADFS) via SAML 2.0 federation
- Integrate Prisma Cloud with GitHub
- Integrate Prisma Cloud with OpenShift
- Non-default UPN suffixes
- Compute user roles
- Assign roles
- Use custom certificates for authorization
- Credentials store
Vulnerability management
- Prisma Cloud vulnerability feed
- Vulnerability Explorer
- Vulnerability management rules
- Search CVEs
- Scan reports
- Scanning procedure
- Customize image scanning
- Configure registry scans
- Registry scanning
  - Scan images in Alibaba Cloud Container Registry
  - Amazon EC2 Container Registry (ECR)
  - Azure Container Registry (ACR)
  - Docker Registry v2
  - Google Container Registry (GCR)
  - Harbor
  - IBM Cloud Container Registry
  - Scan images on Artifactory Docker Registry
  - OpenShift integrated Docker registry
  - Trigger registry scans with webhooks
- Base images
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Vulnerability risk tree
- Detect vulnerabilities in unpackaged software
- CVSS scoring
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu blobstore scanning
- Scan Fargate tasks
- Troubleshoot vulnerability detection
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- Docker Enterprise DISA STIG
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- Fargate scanning
- Detect secrets
- Cloud discovery
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for App-Embedded
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Event Aggregation
- Image analysis sandbox
- Incident Explorer
- Incident types
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Web-Application and API Security (WAAS)
- Deploying WAAS
- Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API observations
- WAAS custom rules
- Detecting unprotected web apps
- WAAS Log Scrubbing
- WAAS Troubleshooting
Firewalls
- Cloud Native Network Firewall (CNNF)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts
- ServiceNow alerts
- Slack Alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan images with twistcli
- Scan code repos with twistcli
- Install Console with twistcli
- Update the Intelligence Stream in offline environments
Deployment patterns
- Projects
- Migration options for scale projects
- Best practices for DNS and certificate management
- Disk capacity
- Migrating to a SaaS Console
- Performance planning
- Automated deployment
- High Availability and Disaster Recovery guidelines
API
Howto
- Configure an AWS Classic Load Balancer for ECS
- Configure the load balancer type for AWS EKS
- Configure Prisma Cloud Console’s listening ports
- Provision tenant projects in OpenShift
- Disable automatic learning
- Debug data

WAAS connectivity monitor

WAAS connectivity monitor monitors the connection between WAAS and the protected application.

WAAS connectivity monitor aggregates data on pages served by WAAS and the application responses.

In addition, it provides easy access to WAAS related errors registered in the Defender logs (Defenders sends logs to the Console every hour).

The monitor tab becomes available when you click on an image or host protected by WAAS.

Last updated
- Most recent time when WAAS monitoring data was sent from the Defenders to the Console (Defender logs are sent to the Console on an hourly basis). By clicking on the refresh
button users can initiate sending of newer data.

Aggregation start time
- Time when data aggregation began. By clicking on the reset
button users can reset all counters.

WAAS errors
- To view recent errors related to a monitored image or host, click the View recent errors
link.

WAAS statistics:

Incoming requests - Count of HTTP requests inspected by WAAS since the start of aggregation.

Forwarded requests - Count of HTTP requests forwarded by WAAS to the protected application.

Interstitial pages served - Count of interstitial pages served by WAAS (interstitial pages are served once Prisma Sessions Cookies are enabled).

reCAPTCHAs served - Count of reCAPTCHA challenges served by WAAS (when enabled as part of bot protection).

Application statistics

Count of server responses returned from the protected application to WAAS grouped by HTTP response code prefix

Count of timeouts (a timeout is counted when a request is forwarded by WAAS to the protected application with no response received within the set timeout period).

Existing WAAS and application statistics counts will be lost once users reset the aggregation start time. Reset
will not
affect WAAS errors and will not cause recent errors to be lost.

For further details on WAAS deployment, monitoring and troubleshooting please refer to the WAAS deployment page

Troubleshooting Container or Host Rules

Follow these steps to troubleshoot WAAS issues using the table below:

Ensure the protected container or host is protected by WAAS - a green firewall icon should appear next to the workload’s radar entity and a "WAAS" tab should appear when clicked.

Click on the workload in the rader and open WAAS connectivity monitor by clicking on the WAAS tab.

Click on Reset to reset all counters.

Send one or more HTTP requests to the protected application

Click on Refresh and match changes in the request counters to the Connectivity Monitor Indications column in the table below

If the WAAS errors counter has been incremented, click on View recent errors to view errors.

Application is not responding

Possible reasons	Connectivity Monitor Indications	Solution
A problem with the protected application	- Timeouts is incremented.	Disable WAAS rule and check if the problem persists.
	- WAAS Errors counter incremented.
Prisma Sesssion Cookies is enabled and client accessing the application does not support both cookies and Javascript.	- None of the Application Statistics counters is incremented.	Please see Prisma Session Cookies section for more details.
reCAPTCHA is enabled and clients and preventing clients from reaching the protected application.	- None of the Application Statistics counters is incremented.	Please see reCAPTCHA section for more details.

Application is responding as expected yet WAAS protections do not trigger

Possible reasons	Connectivity Monitor Indications	Solution
WAAS port is not properly configured.	Incoming requests is not incremented	The App port should be set to the port on which the protected application is listening. For containers the app port should be set to the exposed port on the container (not necesarily the same as the publically exposed port).
Workload is not included in rule scope.	The workload radar entity does not have a firewall icon next to it, and the WAAS tab is not available when clicked.	Verify the workload is not in scope and adjust scope to include it.
Workload is included in the scope of two WAAS rules (only first by order will match).	The workload radar entity does not have a firewall icon next to it, and the WAAS tab is not available when clicked.	Ensure that the desired rule matches first by altering rule scope collections or reordering rules.
HTTP hostname is included in the scope of two or more apps under the same WAAS rules (only first app by order will match).	- Application statistics counters are incremented.	Whenever multiple apps are defined in the same rule only the first app by order will match.
Request URL is not included in the list of protected endpoints.	None of the counters is getting incremented	- Verify base path ends with an * to include all subpaths - Verify HTTP hostname in the request matches the listed HTTP hostnames - Verify scheme in the request matches the scheme in the protected endpoints list (TLS is enabled/disabled accordingly)

Application is responding with HTTP errors (3XX, 4XX, 5XX)

Possible reasons	Connectivity Monitor Indications	Solution
Errors are generated by WAAS (requests are not forwarded to the protected application)	- WAAS Errors counter incremented.
Errors are generatethe the protected application	- Application statistics 3XX, 4XX or 5XX counters are incremented.	Check the protected application logs for errors.

WAAS is blocking legitimate requests

Possible reasons	Connectivity Monitor Indications	Solution
False positive	- Application statistics counters are incremented.	Add

Document:Prisma Cloud Compute Edition Administrator’s Guide

WAAS Troubleshooting

Table of Contents

WAAS Troubleshooting

WAAS connectivity monitor

Troubleshooting Container or Host Rules

Application is not responding

Application is responding as expected yet WAAS protections do not trigger

Application is responding with HTTP errors (3XX, 4XX, 5XX)

WAAS is blocking legitimate requests