Install a Single Container Defender
Table of Contents
Install a Single Container Defender
Install Container Defender on each host that you want Prisma Cloud to protect.
Single Container Defenders can be configured in the Console UI, and then deployed with a curl-bash script.
Alternatively, you can use twistcli to configure and deploy Defender directly on a host.
Install a single Container Defender (Console UI)
Configure how a single Container Defender will be installed, and then install it with the resulting curl-bash script.
Prerequisites
:- Your system meets all minimum system requirements.
- Ensure your host can access the Prisma Cloud console the network.
- You have already installed Console.
- Port 8083 is open on the host where Console runs. Port 8083 serves the API. Port 8083 is the default setting, but it is customizable when first installing Console. When deploying Defender you can configure it to communicate to Console via a proxy.
- Port 8084 is open on the host where Console runs. Console and Defender communicate with each other over a web socket on port 8084. Defender initiates the connection. Port 8084 is the default setting, but it is customizable when first installing Console. Defender can also be configured to communicate to Console via a proxy.
- You have sudo access to the host where you want to deploy the Defender.
- Verify that the host machine where you install Defender can connect to the Prisma Cloud console.
- Copy the path to the value underPath to ConsolefromManage > System > Utilities.
- Complete the following command with copied value.curl -sk -D - <PATH-TO-CONSOLE>:8083/api/v1/_pingRun the command on your host system. If curl returns an HTTP response status code of 200, you have connectivity to Console. If you customized the setup when you installed Console, you might need to specify a different port.
- Go toCompute > Manage > Defenders > Deployed Defendersand selectManual deploy.
- UnderDeployment method, selectSingle Defender.
- Select your desiredDefender type
- UnderThe name that Defender will use to connect to this Consoleselect the correct item from the list of IP addresses and hostnames pre-populated in the drop-down list. If none of the items are valid, add a new Subject Alternative Name (SAN) to Prisma Cloud. After adding a SAN, your IP address or hostname will be available in the drop-down list.Selecting an IP address in a evaluation setup is acceptable, but using a DNS name is more resilient. If you select Console’s IP address, and Console’s IP address changes, your Defenders will no longer be able to communicate with Console.
- UnderDefender and Console communicationenter the following optional configuration.
- Set a custom communication port for the Defender to use.
- Set a proxy for the Defender to use for the communication with the Prisma Cloud console.
- UnderAdvanced Settings, you can enter the following additional network configurations.
- Select the listener type. The default setting isNone.
- SetAssign globally unique names to HoststoONwhen you have multiple hosts that can have the same hostname.After setting the toggle toON, Prisma Cloud appends a unique identifier, such as ResourceId, to the host’s DNS name. For example, an AWS EC2 host would have the following name: Ip-171-29-1-244.ec2internal-i-04a1dcee6bd148e2d.
- Copy the install command from theInstallationsidebar. The script is generated according to the options you selected.
- On the host where you want to install Defender, paste the command into a shell window, and run it.
Verify the install
Verify that Defender is installed and connected to Console.
Defender can be deployed and run with full functionality when dockerd is configured with SELinux enabled (--selinux-enabled=true).
All features will work normally and without any additional configuration steps required.
Prisma Cloud automatically detects the SELinux configuration on a per-host basis and self-configures itself as needed.
No action is needed from the user.
- In Console, go toManage > Defenders > Deployed Defenders.Your new Defender should be listed in the table, and the status box should be green and checked.