Prisma Cloud software consists of two components: Console and Defender. Install Prisma Cloud in two steps. First, install Console. Then install Defender.
Console is Prisma Cloud’s management interface. It lets you define policy and monitor your environment. Console is delivered as a container image.
Defender protects your environment according to the policies set in Console. There are a number of Defender types, each designed to protect a specific resource type.
Install one Console per environment. Here, environment is loosely defined because the scope differs from organization to organization. Some will run a single instance of Console for their entire environment. Others will run an instance of Console for each of their prod, staging, and dev environments. Prisma Cloud supports virtually any topology.
The primary concern for most customers getting started with Prisma Cloud is securing their container environment. To do this, install Container Defender on every host that runs containers. Container orchestrators typically provide native capabilities for deploying an agent, such as Defender, to every node in the cluster. Prisma Cloud leverages these capabilities to install Defender. For example, Kubernetes and OpenShift, offer DaemonSets, which guarantee that an agent runs on every node in the cluster. Prisma Cloud Defender, therefore, is deployed in Kubernetes and OpenShift clusters as a DaemonSet.
In this section, you’ll find dedicated install guides for all popular container platforms. Each guide shows how to install Prisma Cloud for that given platform.
As you adopt other cloud-native technologies, Prisma Cloud can be extended to protect those environments too. Deploy the Defender type best suited for the job. For example, today you might use Amazon EKS (Kubernetes) clusters to run your apps. This part of your environment would be protected by Container Defender. Later you might adopt AWS Lambda functions. This part of your environment would be secured by Serverless Defender. Extending Prisma Cloud to protect other types of cloud-native technologies calls for deploying the right Defender type.
All Defenders, regardless of their type, report back to Console, letting you secure hybrid environments with a single tool. The main criteria for installing Defender is that it can connect to Console. Defender connects to Console via websocket to retrieve policies and send data. In Compute Edition (self-hosted), the Defender websocket connects to Console on port 8084 (configurable at install-time). The following diagram shows the key connections in Compute Edition.
Downloading the software
Prisma Cloud Compute Edition software can be downloaded from the Palo Alto Networks Customer Support portal. For more information, see here.
Start your install with one of our dedicated guides.
Prisma Cloud runs on any implementation of Kubernetes, whether you build the cluster from scratch or use a managed solution (also known as Kubernetes as a service). We’ve tested and validated the install on:
In some cases, there is a dedicated section for installing on a specific cloud provider’s managed solution. When there is no dedicated section, use the generic install method.
To install Prisma Cloud, deploy Console to your cluster with a task definition. Then configure the launch configuraration for cluster members to download and run Defenders, guaranteeing that every node is protected.
Install Defender on Windows hosts running containers. Defender is installed using a PowerShell script. Note that while Defenders can run on both Windows and Linux hosts, Console can only run on Linux. Windows Defenders are designed to interoperate with the Linux-based Console to send data and retrieve policy.
All network traffic is encrypted with TLS (https) for user to Console communication. Likewise, all Defender to Console communication is encrypted with TLS (WSS).
The Prisma Cloud database is not encrypted at rest, however all credentials and otherwise secure information is encrypted with AES 256 bit encryption. If you require data at rest to be encrypted, then underlying persistence storage /var/lib/twistlock can be mounted with one of the many options that support this.