Configure Agentless Scanning for GCP

  1. Log in to your Prisma Cloud Compute Console.
  2. Go to Manage > Cloud Accounts.
  3. Click +Add account.
  4. Enter the following information for the hub account in the Account config page.
    1. Select Cloud provider: GCP.
    2. Account ID: Enter your Google project ID for the hub account.
    3. Description: Provide an optional string.
    4. Service account: Paste the contents of the downloaded service account key file for the hub account.
    5. API token: Leave blank.
  5. Click Next.
  6. In the Agentless scanning page, complete the following steps.
    1. Enable Agentless scanning.
    2. Set the Console URL and Port to the address of your Prisma Cloud console that can be reached from the internet. To create an address or FQDN reachable from the internet, complete the Subject Alternative Names procedure.
  7. Hub account: Enable the toggle to configure this account as a hub account.
  8. Expand the Advanced settings.
    1. Select where to scan: For GCP accounts, you can decide between two scanning modes.
      1. Same Account: Perform the agentless scanning process using this account.
      2. Hub Account: Perform the agentless scanning process using a centralized hub account. Select another account from the list to use as the centralized hub account that scans this account. If you want Prisma Cloud to scan encrypted volumes on the target accounts, follow the steps in Scan Encrypted Volumes When Using Hub Mode.
    2. Auto-scale scanning: Automatically create the required number of scanners to scan all of the hosts within a region, up to a limit of 50 scanners. To use a different limit, specify the Max number of scanners.
    3. Max number of scanners: Enter the upper limit of scanners that Prisma Cloud can automatically spin up within a region in your account for faster results.
    4. Enforce permissions check: If Prisma Cloud fails to validate the appropriate permissions, this account won’t be scanned. If this is a hub account, the associated target accounts won’t be scanned either.
    5. Proxy: Enter a proxy value if traffic leaving your GCP tenant uses a proxy.
    6. Custom labels: Apply custom labels to any resources Prisma Cloud creates during agentless scanning.
    7. Under Scan scope you can refine the scope of the scanning by Regions or by using labels.
      1. All regions: Scan in all GCP regions.
      2. Custom regions: Specify the GCP regions that you want scanned.
      3. Scan non-running hosts: Choose whether or not to scan hosts that aren’t running.
      4. Exclude hosts by labels: Select a subset of hosts that you want to exclude from the scan process. You can use wildcards to specify a range of labels in both keys and values, following these examples:
        "abcd*" "*abcd" "abcd" "*" "*abcd*"
      5. Include hosts by labels: Select a subset of hosts to scan. You can use wildcards to specify a range of labels in both keys and values, following these examples:
        "abcd*" "*abcd" "abcd" "*" "*abcd*"
    8. Network resources: Configure custom network resources for agentless scanning.
      1. Subnet: If left blank, agentless scanning uses the default networking infrastructure and assigns scanners a public IP. Specify a subnet name to use an existing subnet in your environment and a private IP. The subnet must be unique and identical across all regions. If you are configuring a hub account, this requirement applies only to the hub account and not to the targets.
      2. Shared VPC: If you are using a shared VPC, enter the shared VPC path in this field using the following convention, replacing {host_project_name} with the ID of the project that owns the shared VPC:
        projects/{host_project_name}/regions/{region_name}/subnetworks/{subnet_name}
        Using a shared VPC requires additional permissions on the shared VPC host project. Refer to the GCP documentation to learn more about shared VPCs.
  9. Click Next.
  10. Leave the Server scan toggle unchanged.
  11. Click Next.
  12. Leave the Discovery features toggle unchanged.
  13. Click Save.
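The scan-scope settings above (regions, non-running hosts, and include/exclude label rules with "*" wildcards) decide which hosts a scan touches, so it is worth checking the effective scope before onboarding. The following is an added example, not code from Prisma Cloud: it applies those rules to a constructed host inventory. It assumes a label rule is a key pattern plus a value pattern, that a host matches a rule when any one of its labels satisfies both patterns, and that an exclude rule takes precedence over an include rule; the wildcard matcher also accepts patterns with more than one "*", which goes beyond the five documented forms.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory (not real GCP data): region, running state
# and the GCP labels of each host.
SAMPLE_HOSTS = [
    {"name": "web-1", "region": "us-central1", "running": True,
     "labels": {"env": "prod", "team": "payments"}},
    {"name": "web-2", "region": "us-central1", "running": False,
     "labels": {"env": "prod", "team": "payments"}},
    {"name": "batch-1", "region": "europe-west1", "running": True,
     "labels": {"env": "dev", "team": "data-eng"}},
    {"name": "legacy-1", "region": "europe-west1", "running": True,
     "labels": {"env": "prod-legacy", "scan": "skip"}},
]


def label_pattern_matches(pattern: str, text: str) -> bool:
    """Match a label key or value against a pattern where '*' stands for any
    run of characters. Covers the documented forms "abcd*", "*abcd", "abcd",
    "*" and "*abcd*"; anything that is not '*' is matched literally."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text) is not None


def host_matches_label_rule(host: Dict, key_pattern: str, value_pattern: str) -> bool:
    """True if any label on the host satisfies both the key and the value pattern."""
    return any(
        label_pattern_matches(key_pattern, key) and label_pattern_matches(value_pattern, value)
        for key, value in host["labels"].items()
    )


@dataclass
class ScanScope:
    """Hypothetical model of the Scan scope settings from the procedure above."""
    regions: Optional[List[str]] = None          # None means "All regions"
    scan_non_running: bool = True                 # "Scan non-running hosts"
    include_labels: List[Tuple[str, str]] = field(default_factory=list)  # (key, value) patterns
    exclude_labels: List[Tuple[str, str]] = field(default_factory=list)


def select_hosts(hosts: List[Dict], scope: ScanScope) -> List[str]:
    """Return the names of the hosts that fall inside the scan scope."""
    selected = []
    for host in hosts:
        if scope.regions is not None and host["region"] not in scope.regions:
            continue  # outside the custom region list
        if not host["running"] and not scope.scan_non_running:
            continue  # stopped host and non-running scanning is off
        if scope.include_labels and not any(
            host_matches_label_rule(host, k, v) for k, v in scope.include_labels
        ):
            continue  # include rules are set and none matched
        if any(host_matches_label_rule(host, k, v) for k, v in scope.exclude_labels):
            continue  # exclusion wins over inclusion (assumption)
        selected.append(host["name"])
    return selected


if __name__ == "__main__":
    scope = ScanScope(
        scan_non_running=False,
        include_labels=[("env", "prod*")],
        exclude_labels=[("scan", "skip")],
    )
    print(select_hosts(SAMPLE_HOSTS, scope))
```

Running the block lists only web-1: web-2 is stopped, batch-1 has no env label starting with "prod", and legacy-1 is excluded by its scan=skip label. Changing the rules to see what drops out is a cheap way to confirm that an exclude rule is not accidentally removing hosts you expected to be scanned.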

Scan Encrypted Volumes When Using Hub Mode

When you use hub and target projects, you can configure your hub project to access the encrypted volumes of the target accounts. To scan encrypted volumes, the Compute Engine service agent of the hub project needs the cloudkms.cryptoKeyEncrypterDecrypter role. Without it, the service agent of the hub project can’t access the KMS keys.
The Compute Engine service agent for your hub project is named with the following convention, where PROJECT_NUMBER is the number of your hub project: service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com
  1. Use the following command to grant the role and its permissions to the Compute Engine service agent.
    gcloud projects add-iam-policy-binding KMS_PROJECT_ID \
      --member serviceAccount:service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com \
      --role roles/cloudkms.cryptoKeyEncrypterDecrypter
  2. Replace KMS_PROJECT_ID with the project that holds the keys. The KMS project isn’t required to be the hub account or one of the target accounts you wish to scan.
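Because a missing or conditional binding on the KMS project silently leaves encrypted target volumes unscanned, it helps to verify the grant rather than assume the command succeeded. The following is an added example, not code from Prisma Cloud or Google: it derives the hub project's Compute Engine service agent from a project number, builds the gcloud command from the step above, and checks a constructed IAM policy document in the JSON shape that `gcloud projects get-iam-policy --format=json` returns. The project numbers and IDs are placeholders, and the decision to treat a binding that carries a condition as not satisfied is an assumption of this check.

```python
import json
from typing import Any, Dict, List

KMS_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"


def compute_service_agent(project_number: str) -> str:
    """IAM member string of the Compute Engine service agent for a project
    number, following the naming convention in the section above."""
    return f"serviceAccount:service-{project_number}@compute-system.iam.gserviceaccount.com"


def grant_command(kms_project_id: str, hub_project_number: str) -> List[str]:
    """argv form of the gcloud command from step 1, for the given KMS project
    and hub project number."""
    return [
        "gcloud", "projects", "add-iam-policy-binding", kms_project_id,
        "--member", compute_service_agent(hub_project_number),
        "--role", KMS_ROLE,
    ]


def hub_agent_has_kms_role(policy: Dict[str, Any], hub_project_number: str) -> bool:
    """True if the policy holds an unconditional binding of KMS_ROLE to the
    hub project's Compute Engine service agent. Bindings with a condition are
    ignored here (assumption: a conditional grant may not apply at scan time)."""
    member = compute_service_agent(hub_project_number)
    for binding in policy.get("bindings", []):
        if binding.get("role") != KMS_ROLE:
            continue
        if binding.get("condition"):
            continue
        if member in binding.get("members", []):
            return True
    return False


# Constructed sample policy (placeholder project numbers, not real data):
# one unconditional grant for hub project 123456789012 and one conditional
# grant for project 999999999999 that the check must not accept.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {
      "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
      "members": [
        "serviceAccount:service-123456789012@compute-system.iam.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
      "members": [
        "serviceAccount:service-999999999999@compute-system.iam.gserviceaccount.com"
      ],
      "condition": {
        "title": "temporary",
        "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"
      }
    }
  ],
  "etag": "BwXPLACEHOLDER=",
  "version": 1
}
"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)


if __name__ == "__main__":
    for number in ("123456789012", "999999999999"):
        status = "ok" if hub_agent_has_kms_role(SAMPLE_POLICY, number) else "missing"
        print(f"hub project {number}: {status}")
    print(" ".join(grant_command("kms-project-placeholder", "999999999999")))
```

In practice you would feed the check the actual output of `gcloud projects get-iam-policy KMS_PROJECT_ID --format=json` for each KMS project that holds keys used by the target accounts; a "missing" result means the hub project's scanners will not be able to read those encrypted volumes.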

Start an Agentless Scan

Agentless scans start immediately after onboarding the cloud account. By default, agentless scans are performed every 24 hours, but you can change the interval on the Manage > System > Scan page under Scheduling > Agentless.
To manually start a scan, complete the following steps.
  1. Go to Manage > Cloud accounts.
  2. Click the scan icon on the top right corner of the accounts table.
  3. Click Start Agentless scan.
  4. Click the scan icon in the top right corner of the console to view the scan status.
  5. View the results.
    1. Go to Monitor > Vulnerabilities > Hosts or Monitor > Vulnerabilities > Images.
    2. Click on the Filter hosts text bar.
    3. Select the Scanned by filter.
    4. Select the Agentless filter.
