21.08 Release Notes
The following table outlines the release particulars:
August 30, 2021
New features in the core platform
Extending support for Defender
- Support for Defender versions extended to n-2.
- Defenders can now be up to two versions behind the Console and still provide protection and visibility for your workloads.
- To support environments where you have rigorous testing requirements or tighter maintenance schedules for upgrading Defenders, Defenders are now supported for two releases, which significantly extends the supported time period and backward compatibility.
- This compatibility is automatically enabled and you don’t need to configure it.
Notes about extended support (also known as "backwards compatibility") in 21.08:
- Support for backwards compatibility begins in 21.08. However, 21.08 will only support Defenders from 21.08 and 21.04 (n-1). Starting with the next release (Joule), we’ll offer full n-2 support. That is, Joule will support Defenders from Joule, 21.08 and 21.04.
- In 21.08, twistcli and the Jenkins plugin contain new infrastructure to support backwards compatibility, but don’t offer any backwards compatibility yet. In 21.08, twistcli and the Jenkins plugin can only connect and communicate to a 21.08 Console. Starting in Joule, twistcli and the Jenkins plugin will support both Joule and 21.08 (n-1). Starting in Kepler (the release after Joule), we’ll offer full n-2 backwards compatibility.
- With our new support for backwards compatibility, auto-upgrade has been deprecated.
- Upgrade action from the Console UI for orchestrated Defenders is deprecated, since we are removing auto-upgrade.
- Upgrade action from the Console UI is still supported for single Defenders.
- With each release there will now be a versioned API and the API version is specified in the URI.
- This means that twistcli and automation scripts that use the Prisma Cloud Compute APIs will be associated with a specific version. The versioning will provide consistency for you, as you can specify the version to consume and can update your integration at your schedule.
- This means we can meet the need for rapidly enhancing the product whilst making sure consumers of the API are not impacted by change.
- The versioning is automatically enabled and you don’t need to configure it.
- The v1 version always points to the latest API. You can continue to use v1 if you plan to always keep your integrations up to date with the latest release.
Red Hat Container Security Certification
- Prisma Cloud achieves Red Hat Container Security Certification.
- Expanding our close partnership with Red Hat we are now pleased to announce that Prisma Cloud is a Red Hat Certified Technology Vulnerability Scanner
- This verifies our extensive capabilities and strengthens our interoperability with Red Hat.
- No need to enable it - just yet another product enhancement!
Additional new functionality
- Adds support for unlimited scale! (Only for Compute Edition) Our customers continue to grow and even 10,000 Defenders was too small a number. Now we have a clear ramp up of memory/CPU footprint per block of 5,000 Defenders. Wow!
- Adds support for defining grace periods based on the severity of the vulnerability. 30 days for a low and 15 for a high? No problem! You decide.
- Enhances workflow for configuring Azure AD SAML groups. Adds an option to create an AAD SAML group by OID instead of displayname. The two options are now:
- Get OID automatically - This is the current functionality, where you enter the display name of the group.
- Set OID manually - This is new functionality in 21.08, where you enter the OID manually (without the display name).
- Adds support for JFrog Artifactory webhooks. You can now configure JFrog Artifactory webhooks with Prisma Cloud to scan container images when they’re pushed to the Artifactory registry (alternatively, you can continue using the Docker Registry webhooks for Artifactory).
- Adds a warning label when AWS access keys are more than 90 days old. Aligns with AWS best practices for long term credentials, which should be rotated every 90 days.
- Updates the Intelligence Stream to add coverage for very old Java CVEs (back to year 2000).
- Enhances our support for webhook alerts. Webhook alerts now support:
- Image, container, and host vulnerabilities.
- Image, container, and host compliance issues.
- Specifying collections.
New features in container security
- The forensic blackbox recorder now supports Fargate/ App-Embedded Defenders!
- With our forensic capabilities you get a complete picture into everything that led up to a security incident - even when that incident was automatically blocked.
- We’ve also added more granular runtime support by enabling custom rules for Fargage/App-Embedded Defenders.
- As you adopt new workload types, such as AWS Fargate, Azure Container Instances, and Google Cloud Run, Prisma Cloud Compute supports your ability to secure them with custom runtime rules and our extensive forensic data collection capabilities.
- These capabilities are automatically enabled and you don’t need to configure them.
Image analysis sandbox
- A huge feature! Now the advanced runtime machine learning can take place in an environment of your choosing!
- With image analysis sandboxing, Prisma Cloud runs your third-party container image in an environment of your choosing, leveraging our machine learning to perform deep inspection of processes, file system, and networking activity pre-deployment. This means you have complete visibility and control over all aspects of any image before you bring it into a live environment with detailed analysis results to both the CLI and the Console UI.
- Organizations consume images from many different sources, including container registries maintained by different business units internally, external sources like Docker Hub, or other registries from third-party vendors. This feature means that you have visibliity and control over all images that come into your environment - deep learning to catch malware, cryptominers, and other nasties before they can appear in a live environment.
- Use this from the CLI (twistcli) and see results appear there and in Console.
New features in host security
Auto-defend hosts running across AWS, GCP, and Azure
- Hosts without a Defender in AWS, Azure, or GCP can now be auto-defended.
- With our last Cloud Workload Protection release, we proudly announced our auto-detect and auto-defend capabilities for AWS EC2 instances. Now, Prisma Cloud host security expands and enhances its capabilities to provide auto-defend functionality for virtual machines on Azure and Google Cloud. Now organizations can be confident that workloads they have running across these cloud service providers will have advanced protection capabilities automatically deployed.
- Regardless of how hosts come to run in your environment, Prisma Cloud can protect them even if they weren’t bundled with a Defender. This means that you can have confidence across your entire estate - regardless of whether it’s in AWS, GCP, Azure, or all three.
- You can enable this inManage > Defenders > Deploy > Host auto-defend.
Additional new functionality
- Expands the types of alerts that you can configure - in this release we’ve increased the options with:
- Host vulnerabilities: email, Jira, and webhooks.
- Host compliance issues: Jira and webhooks.
- Improves AMI scanning.
- Adds customization support, you can now scan the AMIs in a VPC and Subnet of your choice.
- Adds support for encrypted AMIs, where the keys are part of KMS.
- Updates scan configuration. You can now choose the EC2 instance type to spin up for scanning. We recommend not to pick the nano or micro instances.
- Supports specifying a custom port for communication between twistcli and Console.
New features in serverless security
- Our auto-defend functionality continues to improve.
- Largely behind the scenes update, but now customers will have a better experience with proxies, changing the scope of auto-defend to specific labels, delete rules in bulk - the type of things that are small but make a big difference in day to day life.
- As serverless is used more and more, we think it’s important to continue enhancing the usability of the product. This update just makes life easier for our customers and means that serverless auto-defend will continue to expand.
- No need to enable this, it’s just part of the product. Head toManage > Defenders > Deploy > Serverless auto-defendto configure it.
Additional new functionality
- Introduces streamline credit consumption model for serverless. Six defended functions now consume one credit, where a defended function is secured at runtime OR scanned for vulnerabilities and compliance.
- Adds support for Ruby 2.5 and 2.7 in Serverless Defender.
New features in shift left security
Automated Github PRs
- Pull requests for vulnerabilities can now be automatically raised.
- You can now configure the vulnerabiltity rule to raise a PR for vulnerabitlities with fixes. Upon scan Prisma will automatically will create PRs when there are vulnerabilities found in a code repository.
- This is really exciting - not only can you get on demand scans with twistcli or have regular scans through our UI but pull requests can now be automatically raised! The PR contains all the information necessary including the CVE, the fixed version, and more!
- Head toDefende > Vulnerabilities > Code Repositoriesto add a rule and configure it.
- Also adds Slack and Jira as alert providers for vulnerabilities found in code repos.
- Head toManage > Alerts > Manageto configure it.
Additional new functionality
- Enhances the vulnerabilities feed for Red Hat products.
- Users get standardized vulnerability information for RedHat products, including direct links to the RedHat security advisories.
- Enhances frontend integrations, like improved Okta integration amongst others.
- Adds support for scanning code repos in GitHub Enterprise (in addition to current support for GitHub).
- Makes Jenkins plugin proxy-aware - configure it with existing proxy settings from your Console or custom ones in Jenkins.
- Expands the Intelligence Stream, building on our Autofocus integrations with more DNS improvements.
New features in WAAS
API security health monitor
- Using the Console UI or API you can now directly see the health status of your API
- Prisma Cloud Compute now shows you the traffic traversing WAAS, how it was sent to your endpoint and the response code returned from your application.
- Now you have the visibility into your network, not just that it’s being secured but everything that passes through WAAS even down to how your application responds. Concerned whether an issue is at the application level, or the WAAS level, or even beyond? Well now you can have direct visibility of each part, showing traffic received, performance, how its handled, and how your application responded. You can get this aggregated hourly or on demand - you’re in control.
- As always with Prisma Cloud releases this information ties into alerting:
- Certificate no longer valid
- Incoming requests with no origin responses (multiple timeouts)
- Multiple 5XX responses received from the application in a short space of time
- slow responses, WAAS dropping requests, even if WAAS is listening on a non-exposed port
- If you’re already using WAAS you’ll see this information in the Radar when you click on a node protected by WAAS.
Service mesh integration
- WAAS now seamlessly interoperates with Istio and Linkerd.
- When deploying WAAS, Prisma Cloud identifies the pods with the labels identifying the service mesh sidecars, and injects the appropriate routing to allow WAAS traffic protection features.
- This feature is enabled automatically in your environment - no additional configuration from you!
Protecting logs from PII/sensitive information
- Your application may involve sensitive information in query or the message body. Now you can filter this sensitive information and ensure that it is not included in logs.
- PII sanitization is important for protecting user privacy as well as to ensure that logs comply with relevant regulations (PCI, GDPR, HIPAA, amongst others). Now you logs will have any sensitive data censored but still have the right level of logging.
- Tailor this to headers, query params, body parameters (raw/form-data/XML/JSON), cookeis, or even provide a regex for any part of the captured payload or event/audit!
- Head toDefend > WAASto see the options now available.
- Prisma Cloud WAAS module has been expanded to cover Microsoft Windows hosts.
- Take a look atDefend > WAASto get started.
Unprotected web app report
- Adds a new page in Console that lists all unprotected web apps that Prisma Cloud has detected.
- Go toMonitor > WAAS > Unprotected web apps.
Additional new functionality
- Extends WAAS custom rules to offer the same functionality to resp.body as it does for req.body. WAAS can also now match on specific content type headers.
- Allows adding policy exceptions from the event viewer based on specific audits.
- Displays a banner notification at the top of Console when a new WAAS virtual patch (custom rule) has been pushed from Prisma Cloud Labs to your Console.
- Adds ability to enforce minimum TLS version to prevent downgrade attacks.
- Adds support for HTTP Strict Transport Security (HSTS) (RFC 6797) enforcement.
- Provides the ability to view certificates that have been uploaded to an app config, so you can confirm what’s been uploaded and monitor its expiration.
- Enhances the UI to alert customers when a certificate is about to expire or has already expired.
- Adds support for inspecting REST path parameters.
DISA STIG scan findings and justifications
Every release, we perform an SCAP scan of the Prisma Cloud Compute Console and Defender images. The process is based upon the U.S. Air Force’s Platform 1 "Repo One" OpenSCAP scan of the Prisma Cloud Compute images. We compare our scan results to IronBank’s latest approved UBI8-minimal scan findings. Any discrepancies are addressed or justified.
Be aware of the following breaking changes when upgrading to 21.08:
- Starting in 21.08, the following audit collections in the database that weren’t previously capped are now capped. As part of this change, this audit data in these collections will be dropped on upgrade to 21.08. The impacted collections are:
- App-Embedded runtime audits - max of 25,000 entries or 50 MB, whichever limit is hit first.
- Trust audits - max of 25,000 entries or 50 MB, whichever limit is hit first.
- Container network firewall audits - max of 25,000 entries or 50 MB, whichever limit is hit first.
- Host network firewall audits - max of 25,000 entries or 50 MB, whichever limit is hit first.
Breaking changes in the API
The following endpoint has been deprecated in 21.08: DELETE api/audits/runtime/app-embedded
- After upgrading from 21.04 to 21.08, hosts with old Defenders (n-1) will not be displayed on Host observations. Only hosts with Defenders that match Console’s version are displayed. To resolve the issue, re-scan images and hosts after upgrading.
- Email alerts show the Prisma Cloud logo. The logo is an image file hosted on our CDN. If you don’t have Internet access, the logo won’t be displayed.
- Fixes Defender name collisions in AWS. Due to reuse of network ranges in the customer VPCs, Defenders in different EKS clusters had the same name, which caused an issue for registry scanning. Although this issue has been fixed, customers who encountered this issue and who explicitly selected specific Defenders for registry scanning, will need to reselect Defenders for registry scanning.
- If you have the same custom compliance rule in use in a host policy (effect: alert) and a container policy (effect: block), the rules will enforce your policy (as expected), but the audit message for a blocked container will incorrectly refer to the host policy and host rule name.
- There’s an outstanding issue for custom compliance checks for Kubernetes and OpenShift on CRIO. When "Reported results" is configured to show both passed and failed checks, if a check doesn’t run, Prisma Cloud still reports it as "passed".
- In 'Code Repository' scan feature, as we updated to include Github Enterprise Server support, the URL links in the scan results for the existing Github Cloud repositories scans got removed. To get the links active, delete the current Git repository scan scopes and recreate a new one.
- The /util/twistcli endpoint for downloading the twistcli binary from the API is missing from the OpenAPI spec file and the documentation. This endpoint is supported. Work to fix the issue is scheduled.
Deprecated this release
- Removes support for auto-upgrade on Defenders in both Compute Edition and Prisma Cloud Enterprise Edition.
- After Compute SaaS upgrade to Iverson, the minimum audit aggregation period inManage > Alerts > Alert providerswill be changed from seconds to 10 minutes in Compute. Support for "seconds" and "minute" aggregation will be deprecated. All previous alert policies targeting audit aggregation period of "seconds" or "minute" will be migrated to 10 minutes.
- After Compute SaaS upgrade to Iverson, Auto-upgrade of defenders will be deprecated in favor of backward compatibility starting this release.
- Both docs.prismacloudcompute.com and docs.twistlock.com will be deprecated shortly. All Prisma Cloud Compute docs will be hosted on docs.paloaltonetworks.com only.
Recommended For You
Recommended videos not found.