: Install a Single Container Defender

Install a Single Container Defender

Table of Contents

Install a Single Container Defender

Install Container Defender on each host that you want Prisma Cloud to protect.
Single Container Defenders can be configured in the Console UI, and then deployed with a curl-bash script. Alternatively, you can use twistcli to configure and deploy Defender directly on a host.

Install a single Container Defender (Console UI)

Configure how a single Container Defender will be installed, and then install it with the resulting curl-bash script.
  • Your system meets all minimum system requirements.
  • Ensure your host can access the Prisma Cloud console the network.
    • You have already installed Console.
    • Port 8083 is open on the host where Console runs. Port 8083 serves the API. Port 8083 is the default setting, but it is customizable when first installing Console. When deploying Defender you can configure it to communicate to Console via a proxy.
    • Port 8084 is open on the host where Console runs. Console and Defender communicate with each other over a web socket on port 8084. Defender initiates the connection. Port 8084 is the default setting, but it is customizable when first installing Console. Defender can also be configured to communicate to Console via a proxy.
  • You have sudo access to the host where you want to deploy the Defender.
  1. Verify that the host machine where you install Defender can connect to the Prisma Cloud console.
    1. Copy the path to the value under
      Path to Console
      Manage > System > Utilities
    2. Complete the following command with copied value.
      curl -sk -D - <PATH-TO-CONSOLE>:8083/api/v1/_ping
    3. Run the command on your host system. If curl returns an HTTP response status code of 200, you have connectivity to Console. If you customized the setup when you installed Console, you might need to specify a different port.
  2. Go to
    Compute > Manage > Defenders > Deployed Defenders
    and select
    Manual deploy
  3. Under
    Deployment method
    , select
    Single Defender
  4. Select your desired
    Defender type
  5. Under
    The name that Defender will use to connect to this Console
    select the correct item from the list of IP addresses and hostnames pre-populated in the drop-down list. If none of the items are valid, add a new Subject Alternative Name (SAN) to Prisma Cloud. After adding a SAN, your IP address or hostname will be available in the drop-down list.
    Selecting an IP address in a evaluation setup is acceptable, but using a DNS name is more resilient. If you select Console’s IP address, and Console’s IP address changes, your Defenders will no longer be able to communicate with Console.
  6. Under
    Defender and Console communication
    enter the following optional configuration.
    1. Set a custom communication port for the Defender to use.
    2. Set a proxy for the Defender to use for the communication with the Prisma Cloud console.
  7. Under
    Advanced Settings
    , you can enter the following additional network configurations.
    1. Select the listener type. The default setting is
    2. Set
      Assign globally unique names to Hosts
      when you have multiple hosts that can have the same hostname.
      After setting the toggle to
      , Prisma Cloud appends a unique identifier, such as ResourceId, to the host’s DNS name. For example, an AWS EC2 host would have the following name: Ip-171-29-1-244.ec2internal-i-04a1dcee6bd148e2d.
  8. Copy the install command from the
    sidebar. The script is generated according to the options you selected.
  9. On the host where you want to install Defender, paste the command into a shell window, and run it.

Verify the install

Verify that Defender is installed and connected to Console.
Defender can be deployed and run with full functionality when dockerd is configured with SELinux enabled (--selinux-enabled=true). All features will work normally and without any additional configuration steps required. Prisma Cloud automatically detects the SELinux configuration on a per-host basis and self-configures itself as needed. No action is needed from the user.
  1. In Console, go to
    Manage > Defenders > Deployed Defenders
    Your new Defender should be listed in the table, and the status box should be green and checked.

Recommended For You