Configuring Prisma Cloud proxy settings
In some environments, access to the internet must go through a proxy and you can configure Prisma Cloud to route requests through your proxy. Proxy settings can either be applied to both Console and Defender containers or separately for each Defender deployment.
The global proxy settings are configured in the UI after Console is installed. Console immediately starts using these settings after saving them. Any Defenders deployed after saving your settings will use your proxy settings, unless you explicitly choose a different proxy when deploying the Defenders. Any Defenders that were deployed before you saved your proxy settings must be redeployed.
Console has a number of connections that might traverse a proxy.
- Retrieving Intelligence Stream updates.
- Connecting to services, such as Slack and JIRA, to push alerts.
Defender has a number of connections that might traverse a proxy.
- Connecting to Console. If you deploy Defenders in a remote region, they might need to connect to Console through a proxy.
- Connecting to external systems, such as Docker Hub or Google Container Registry, for scanning.
- Connecting to your secrets store to retrieve secrets for injection into your containers.
Global proxy settings
A number of settings let you specify how Prisma Cloud interfaces with your proxy.
You can provide a list of addresses that Prisma Cloud can contact directly without connecting through the proxy. Specify DNS names, IP addresses, or a combination of both. Specifying IP addresses in CIDR notation is supported. Specifying DNS names using wildcards is supported.
Console verifies server certificates for all TLS connections. With TLS intercept proxies, the connection from Console to the Internet passes through a proxy, which may be transparent. To facilitate traffic inspection, the proxy terminates the TLS connection and establishes a new connection to the final destination.
If you have a TLS intercept proxy, it will break the Console’s ability to connect to external services, because Console won’t be able to verify the proxy’s certificate. To get Console to trust the proxy, provide the CA certificates for Console to trust.
If egress connections through your proxy require authentication, you can provide the credentials in Prisma Cloud’s proxy settings. Prisma Cloud supports Basic authentication for the Proxy-Authenticate challenge-response framework defined in RFC 7235. When you provide a username and password, Prisma Cloud submits the credentials in the request’s Proxy-Authorization header.
Configuring global proxy settings
Configure your proxy settings in Console.
- Open Console, and go toManage > System > Proxy.
- InHTTP Proxy, enter the address of the web proxy. Specify the address in the following format: <PROTOCOL>://<IP_ADDR|DNS_NAME>:<PORT>, such as http://proxyserver.company.com:8080.
- (Optional) InNo Proxy, enter addresses that Prisma Cloud can access directly without connecting to the proxy. Enter a list of IP addresses and domain names. Specifying IP addresses in CIDR notation is supported. Specifying DNS names using wildcards is supported.
- (Optional) For TLS intercept proxies, enter the root trusted authority certificate, in PEM format, that Console should trust.
- (Optional) If your proxy requires authentication, enter a username and password.
- Redeploy your Defenders to propagate updated proxy settings to them.Console does not need to be restarted. After proxy settings are saved, Console automatically uses the settings the next time it establishes a connection.Any newly deployed Defenders will use your proxy settings.Any already deployed Defenders must be redeployed. For single Container Defenders, uninstall then reinstall. For Defender DaemonSets, regenerate the DaemonSet YAML, then redeploy.$ kubectl apply -f defender.yaml
Configuring per-deployment proxy settings
Prisma Cloud supports setting custom proxy settings for each Defender deployment. This way you can set multiple proxies for Defenders which are deployed in different envir