System requirements

Before installing Prisma Cloud, verify that your environment meets the minimum requirements.
For information about when Prisma Cloud adds and drops support for third-party software, see our support lifecycle page.

Hardware

Metal
: Prisma Cloud has the following hardware requirements:
Architecture
: x86_64
  • Console — 
    • When up to 1,000 Defenders are connected, Console requires 4 vCPUs, 8GB of RAM, and 100GB of persistent storage.
    • When 1,001 - 10,000 Defenders are connected, Console requires 8 vCPUs, 30GB of RAM, and 500GB SSD of persistent storage.
    • When more than 10,000 Defenders are connected, Console requires a baseline of 8 vCPUs, 30GB of RAM, and 500GB SSD of persistent storage, with another 4 vCPUs and 10GB of RAM for every increment of 5,000 Defenders. For example, for 20,000 Defenders, Console requires a total of 16 vCPUs, 50GB of RAM and 500GB SSD of persistent storage.
      Console uses cgroups to cap resource usage. When more than 1,000 Defenders are connected, it’s recommended to disable this cap by enabling the DISABLE_CONSOLE_CGROUP_LIMITS flag in twistlock.cfg.
  • Defender — 256MB of RAM and 8GB of host storage.
    Defender uses cgroups to cap resource usage at 512MB of RAM and 900 CPU shares; typical load is ~1-5% CPU and 30-70MB RAM.
    Defender stores its data in /var. When allocating disk space for Defender, be sure the required space is available in /var.
    Defenders are designed to be portable containers that collect data. Any data that must be persisted is sent to Console for storage. Defenders themselves do not require persistent storage. Do not deploy persistent storage for Defenders, because it can corrupt Defender files.
  • Defenders providing registry scanning — 2GB of RAM, 20GB of storage, and 2 CPU cores.
  • CI integration (Jenkins, twistcli) — Required storage space depends on the size of the scanned images. The required disk space is 1.5 times the size of the largest image to be scanned, per executor. For example, if you have a Jenkins instance with two executors, and your largest container image is 500MB, then you need at least 1.5GB of storage space (500MB * 1.5 * 2).
VMs
: Prisma Cloud has been tested on the following hypervisors:
  • Microsoft Hyper-V
  • VirtualBox
  • VMware
Cloud
: Prisma Cloud can run on nearly any cloud IaaS platform. Prisma Cloud has been tested on the following services:
  • Amazon Web Services
  • Google Compute Engine
  • IBM Cloud
  • Microsoft Azure
  • Oracle Cloud
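
The Console sizing tiers and the Defender host minimums listed under Metal, written as POSIX shell helpers (an added example, not code from Prisma Cloud or its documentation). The function names are hypothetical, a partial increment of 5,000 Defenders is assumed to round up, and GB is treated as GiB.

```shell
#!/bin/sh
# Added example: sizing and preflight helpers built from the figures on this page.
# Function names are hypothetical; they are not part of Prisma Cloud or twistcli.

# console_requirements N -> prints "vCPUs RAM_GB STORAGE_GB" for N connected Defenders.
# Assumption: a partial increment of 5,000 Defenders above 10,000 is rounded up.
console_requirements() {
    n=$1
    if [ "$n" -le 1000 ]; then
        echo "4 8 100"
    elif [ "$n" -le 10000 ]; then
        echo "8 30 500"
    else
        inc=$(( (n - 10000 + 4999) / 5000 ))
        echo "$(( 8 + 4 * inc )) $(( 30 + 10 * inc )) 500"
    fi
}

# defender_host_ok ARCH MEM_KB VAR_FREE_KB -> exit status 0 when the host meets the
# Defender minimums (x86_64, 256MB of RAM, 8GB available in /var); prints each failure.
# Assumption: MB and GB are treated as MiB and GiB.
defender_host_ok() {
    rc=0
    [ "$1" = "x86_64" ] || { echo "FAIL arch: $1 (need x86_64)"; rc=1; }
    [ "$2" -ge $(( 256 * 1024 )) ] || { echo "FAIL RAM: $2 kB (need 256MB)"; rc=1; }
    [ "$3" -ge $(( 8 * 1024 * 1024 )) ] || { echo "FAIL /var: $3 kB free (need 8GB)"; rc=1; }
    return $rc
}

# preflight_defender: read the live values on a Linux host and run the check.
# MemTotal excludes memory reserved by the kernel, so a host sized at exactly
# 256MB can report slightly less and fail the RAM test.
preflight_defender() {
    arch=$(uname -m)
    mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    # df reports the file system that holds /var, whether or not it is a separate mount.
    var_free_kb=$(df -Pk /var | awk 'NR==2 {print $4}')
    defender_host_ok "$arch" "$mem_kb" "$var_free_kb"
}
```

Run `preflight_defender` on a candidate Defender host before deployment, and `console_requirements 20000` to size the Console host for a planned fleet.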

File systems

If you’re deploying Prisma Cloud Console to AWS and you’re using the EFS file system, the following minimum performance characteristics are required:
  • Performance mode:
    General purpose
  • Throughput mode:
    Provisioned. Provision 0.1 MiB/s per deployed Defender. For example, if you plan to deploy 10 Defenders, provision 1 MiB/s of throughput.

Host operating systems

Prisma Cloud is supported on the following host operating systems:
Distro
: Version
Bottlerocket OS
: Tested version: 1.4.2
  Containerd v1.5.8
  Kernel version: 5.10.75
  Kubelet version: v1.21.6
  • Vulnerability and compliance blocking policies are not supported on Bottlerocket.
  • RunC is not supported.
  • Prevent is not supported on containerd runtime.
  • Compliance for containerd is not supported.
  • Defenders must be installed as privileged.
Amazon Linux 2
: Latest release
CentOS
: CentOS 7, CentOS 8
Debian
: Debian 10, Debian 11
GCOOS
: Container-Optimized OS on Google Cloud latest
  GCOOS is purposefully minimalistic. It doesn’t support installing new packages or writing new binaries. Hence, Prisma Cloud’s vulnerability detection on GCOOS only covers Docker and Kubernetes package binary detection.
  Runtime prevent capability is supported only for DNS events. Other prevent capabilities are not supported.
Red Hat
: Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux CoreOS (RHCOS) versions included in supported OpenShift releases
Ubuntu
: Ubuntu 20.04 LTS, Ubuntu 18.04 LTS
Windows
: Windows Server 2016, Windows Server 2019 Long-Term Servicing Channel (LTSC)
  The Console container must be run on a supported Linux operating system. Defender is supported on Windows Server 2016 (vulnerability and compliance scanning), and Windows Server 2019 (vulnerability scanning, compliance scanning, and runtime defense for containers).
VMware
: Photon OS 3.0 - Runtime supported with kernel >= 4.19.191-1 and Photon OS 4.0
  The following use cases are currently unsupported:
  • Detecting binaries without a package manager.
  • Event / incident for WildFire malware
  • SSHD application in host runtime events and empty SSH events on Host observations
  • Vulnerabilities in Layers view
RHCOS
: OpenShift v4 versions
SUSE
: SLES 12 SP3 - SP5, SLES 15 SP1 - SP4
  The following use cases are currently unsupported:
  • runc support for containers
  • Detection of unknown binaries for hosts
  • Detection of OS security updates for host observation
  • Display OS distribution packages for SLES 15

Kernel capabilities

Prisma Cloud Defender requires the following kernel capabilities. More info about each capability can be found on the Linux capabilities man page.