Update the Intelligence Stream in offline environments

Prisma Cloud lets you update Console’s vulnerability and threat data even if it runs in an offline environment.
The Prisma Cloud Intelligence Stream (IS) is a real-time feed that contains vulnerability data and threat intelligence from commercial providers, Prisma Cloud Labs, and the open source community.
When you install Prisma Cloud, Console is automatically configured to connect to intelligence.twistlock.com to download updates. The IS is updated several times per day, and Console continuously checks for updates.
If you run Prisma Cloud in an offline environment, where Console does not have access to the Internet to download updates from the IS, then you can manually download and install IS updates.

Update strategies for offline environments

There are a number of update strategies. The right strategy for you depends on the size of your deployment, and in particular, the number of air-gapped Consoles in your environment.

Basic strategy

Use the basic strategy when you’ve got one or two air-gapped Consoles. The basic strategy for updating the threat data for an isolated, air-gapped Console is:
  • Download the IS data from an Internet-connected machine.
  • Move the archived data to a location accessible by the air-gapped environment.
  • Load the IS data into the offline Console.
Both the download and upload operations use twistcli, so the process can be automated.
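One way to guard the hand-off in the basic strategy, as an added example that is not part of the Prisma Cloud documentation: the connected side writes a SHA-256 manifest beside the archive, and the air-gapped side loads the archive only if the hash matches and the data is recent. The function names, the `.manifest` file and the age limit are assumptions of this example; the load command is supplied by the caller (for instance, your twistcli upload invocation), and both machines are assumed to have roughly synchronized clocks.

```shell
#!/bin/sh
# Added example: integrity and freshness gate for an Intelligence Stream
# archive carried across an air gap. The manifest format and function
# names are assumptions of this example, not Prisma Cloud conventions.

# Connected side: record the archive's SHA-256 and the download time
# (epoch seconds) in a manifest that travels with the archive.
write_manifest() {
    archive=$1
    [ -r "$archive" ] || return 1
    sum=$(sha256sum "$archive" | cut -d' ' -f1)
    printf '%s %s\n' "$sum" "$(date +%s)" > "$archive.manifest"
}

# Air-gapped side: return 0 only if the archive matches its manifest and
# the manifest is no older than max_age_hours.
# Return codes: 2 = missing or malformed input, 3 = hash mismatch, 4 = stale.
check_archive() {
    archive=$1; max_age_hours=$2
    [ -r "$archive" ] && [ -r "$archive.manifest" ] || return 2
    read -r want created < "$archive.manifest" || return 2
    case $created in ''|*[!0-9]*) return 2 ;; esac
    have=$(sha256sum "$archive" | cut -d' ' -f1)
    [ "$have" = "$want" ] || return 3      # corrupted or swapped in transit
    age=$(( $(date +%s) - created ))
    [ "$age" -le $(( max_age_hours * 3600 )) ] || return 4   # data too old
    return 0
}

# Run the caller's load command (all arguments after the first two) only
# when the archive passes both checks. The archive path is appended as the
# command's last argument.
load_if_valid() {
    archive=$1; max_age_hours=$2; shift 2
    check_archive "$archive" "$max_age_hours" || return $?
    "$@" "$archive"
}
```

A plain checksum catches corruption and mixed-up files; to resist deliberate tampering, carry the manifest over a separate channel from the archive or sign it.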
If you’ve got a large number of air-gapped Consoles, individually updating each one can be challenging and brittle, especially in dynamic environments. As such, Prisma Cloud lets you scale the basic strategy to any number of Consoles. Each deployed Console can be configured to look for the latest threat data in a central location. From there, each Console will update itself every 24 hours. Your job is to ensure that the central location always serves the latest threat data.
For example, consider how the U.S. Navy would keep a fleet of submarines up-to-date with the latest threat data. When a submarine surfaces and establishes a brief connection to its command’s network, the submarine’s Console needs to pull the latest Intelligence Stream updates. For this type of setup, see Scale approach 1 and Scale approach 2.

Scale approach 1

Distribute the latest Intelligence Stream data from an HTTP/S server. Use the basic strategy to keep the data at the endpoint up-to-date. To configure your Console for this approach, see Download the IS from an HTTP server.

Scale approach 2

Distribute the latest Intelligence Stream data from a so-called "relay" Console. Downstream Consoles connect to the relay Console to pull the latest threat data. To keep the relay Console up-to-date:
  • Use the basic strategy when the relay Console is also isolated in an air-gapped environment.
  • Let the relay Console update itself by connecting to the Intelligence Stream over the Internet.
To configure your Console for this approach, see Download the IS from another Console.

Projects

By default, projects utilize the distribution mechanism described in