Deploy WAAS for Containers Protected By App-Embedded Defender
Table of Contents
Self.Hosted 22.06 (EoL)
Expand all | Collapse all
-
- Getting started
- System Requirements
- Prisma Cloud container images
- Onebox
- Kubernetes
- OpenShift v4
- Console on Fargate
- Amazon ECS
- Alibaba Cloud Container Service for Kubernetes (ACK)
- Azure Kubernetes Service (AKS)
- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
- Google Kubernetes Engine (GKE) Autopilot
- IBM Kubernetes Service (IKS)
- Windows
- Defender types
- Cluster Context
-
- Install a single Container Defender
- Automatically Install Container Defender in a Cluster
- App-Embedded Defender
- App-Embedded Defender for Fargate
- Default setting for App-Embedded Defender file system protection
- VMware Tanzu Application Service (TAS) Defender
- Serverless Defender
- Serverless Defender as a Lambda layer
- Auto-defend serverless functions
- Install a single Host Defender
- Auto-defend hosts
- Deploy Prisma Cloud Defender from the GCP Marketplace
- Decommission Defenders
- Redeploy Defenders
- Uninstall Defenders
-
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure Agentless Scanning
- Agentless Scanning Modes
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Configure custom certs from a predefined directory
- Customize terminal output
- Collections
- Tags
- Logon settings
- Reconfigure Prisma Cloud
- Subject Alternative Names
- WildFire Settings
- Log Scrubbing
- Clustered-DB
- Permissions by feature
-
- Logging into Prisma Cloud
- Integrating with an IdP
- Integrate with Active Directory
- Integrate with OpenLDAP
- Integrate Prisma Cloud with Open ID Connect
- Integrate with Okta via SAML 2.0 federation
- Integrate Google G Suite via SAML 2.0 federation
- Integrate with Azure Active Directory via SAML 2.0 federation
- Integrate with PingFederate via SAML 2.0 federation
- Integrate with Windows Server 2016 & 2012r2 Active Directory Federation Services (ADFS) via SAML 2.0 federation
- Integrate Prisma Cloud with GitHub
- Integrate Prisma Cloud with OpenShift
- Non-default UPN suffixes
- Compute user roles
- Assign roles
- Credentials store
- Cloud accounts
-
- Prisma Cloud vulnerability feed
- Vulnerability Explorer
- Vulnerability management rules
- Search CVEs
- Scan reports
- Scanning procedure
- Customize image scanning
- Configure Registry Scans
-
- Scan Images in Sonatype Nexus Registry
- Scan images in Alibaba Cloud Container Registry
- Scan images in Amazon EC2 Container Registry (ECR)
- Scan images in Azure Container Registry (ACR)
- Scan images in Docker Registry v2 (including Docker Hub)
- Scan images in Google Artifact Registry
- Scan images in Google Container Registry (GCR)
- Scan images in Harbor Registry
- Scan images in IBM Cloud Container Registry
- Scan images in Artifactory Docker Registry
- Scan images in OpenShift integrated Docker registry
- Trigger registry scans with Webhooks
- Base images
- Configure VM image scanning
- Configure code repository scanning
- Agentless scanning
- Malware scanning
- Vulnerability risk tree
- Vulnerabilities Detection
- CVSS scoring
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu blobstore scanning
- Scan App-Embedded workloads
- Troubleshoot vulnerability detection
-
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- Cloud discovery
- OSS license management
- API
End-of-Life (EoL)
Deploy WAAS for Containers Protected By App-Embedded Defender
In some environments, Prisma Cloud Defender must be embedded directly inside the container it is protecting. This type of Defender is known as an App-Embedded Defender.
App-Embedded Defender can secure these types of containers with all WAAS protection capabilities.
The only difference is that App-Embedded Defender runs as a reverse proxy to the container it’s protecting.
As such, when you set up WAAS for App-Embedded, you must specify the exposed external port where App-Embedded Defender can listen, and the port (not exposed to the Internet) where your web application listens.
WAAS for App-Embedded forwards the filtered traffic to your application’s port - unless an attack is detected and you set your WAAS for App-Embedded rule to
Prevent
.When testing your Prisma Cloud-protected container, be sure you update the security group’s inbound rules to permit TCP connections on the external port you entered in the WAAS rule. This is the exposed port that allows you to access your web application’s container.
To disable WAAS protection, disable the WAAS rule, and re-expose the application’s real port by modifying the security group’s inbound rule.
To embed App-Embedded WAAS into your container or Fargate task:
Create a rule for App-Embedded
- Open Console, and go toDefend > WAAS > *App-Embedded.
- ClickAdd rule.
- Enter aRule NameandNotes(Optional) for describing the rule.
- Choose the ruleScopeby specifying the resource collection(s) to which it applies.Collections define a combination of App IDs to which WAAS should attach itself to protect the web application:
- Savethe rule.
Add an App (policy) for App-Embedded
- Select a WAAS App-Embedded rule to add an App in.
- ClickAdd app.
- In the App Definition tab, specify the endpoints in your web application that should be protected. Each defined application can have multiple protected endpoints. If you have a Swagger or OpenAPI file, click Import, and select the file to load. Otherwise, skip to the next step to manually define your app’s endpoints.
- If you don’t have a Swagger or OpenAPI file, manually define each endpoint by specifying the host, port, and path.
- In theEndpoint Setuptab, click onAdd Endpoint.
- Specify endpoint details:
- EnterApp port (required)Specify the TCP port protected app listens on, WAAS sends traffic to your app over this port.
- EnterWAAS Port (required).The external port is the TCP port for the App-Embedded Defender to listen on for inbound HTTP traffic.
- EnterHTTP host(optional, wildcards supported).HTTP host names are specified in the form of [hostname]:[external port].The external port is defined as the TCP port on the host, listening for inbound HTTP traffic. If the value of the external port is "80" for non-TLS endpoints or "443" for TLS endpoints it can be omitted. Examples: "*.example.com", "docs.example.com", "www.example.com:8080", etc.
- EnterBase path(optional, wildcards supported):Base path for WAAS to match on when applying protections.Examples: "/admin/", "/" (root path only), "/*", /v2/api/", etc.
- If your application uses TLS, setTLStoOn.WAAS must be able to decrypt and inspect HTTPS traffic to function properly.To facilitate that, after creating all endpoints click onView TLS settingsin the endpoint setup menuTLS settings:
- Certificate- Copy and paste your server’s certificate and private key into the certificate input box (e.g. cat server-cert.pem server-key > certs.pem).
- Minimum TLS version- A minimum version of TLS can be enforced by WAAS to prevent downgrading attacks (the default value is "1.2").
- HSTS- The HTTP Strict-Transport-Security (HSTS) response header lets web servers tell browsers to use HTTPS only, not HTTP. When enabled, WAAS adds the HSTS response header to all HTTPS server responses (if not already present) with the preconfigured directives - max-age, includeSubDomains, and preload.
- max-age=<expire-time> - The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
- includeSubDomains (optional) - If selected this HSTS protection applies to all of the site’s subdomains as well.
- If your application uses gRPC, setgRPCtoOn.
- If your application uses HTTP/2, setHTTP/2toOn.
- ClickCreate Endpoint
- If your application requires API protection, select the "API Protection" tab and define for each path allowed methods, parameters, types, etc. See detailed definition instructions in the API protection help page.
- Click on theResponse headerstab to add or override HTTP response headers in responses sent from the protected application.
- Continue toAccess Controltab and select access controls to enable.
- Continue toDoS protectiontab and configure DoS protection thresholds.
- Continue toBot protectiontab and select bot protections to enable.
- ClickSave.
- You should be redirected to theRule Overviewpage.Select the new rule to displayRule Resourcesand for each application a list ofprotected endpointsandenabled protections.
- Test protected container using the following sanity tests.
- Go toMonitor > Events, click onWAAS for App-Embeddedand observe the events generated.For more information please see the WAAS analytics help page