
System Requirements

Before installing Prisma Cloud, verify that your environment meets the minimum requirements.
For information about when Prisma Cloud adds and drops support for third-party software, see our support lifecycle page.
The following sections describe the system requirements in detail.

Hardware

Prisma Cloud supports x86_64 and ARM64 architectures. Ensure that your systems meet the following hardware requirements.

Prisma Cloud Console Resource Requirements on x86_64

The Prisma Cloud Console supports running on x86_64 systems. Ensure your system meets the following requirements.
Columns (left to right): Minimum Without Registry Scanning | Minimum With Registry Scanning | Minimum with WAAS OOB | Less than 1,000 Defenders | 1,001 - 10,000 Defenders | More than 10,000 Defenders
CPU: 2 cores | 2 cores | 4 cores | 8 cores | > 8 cores
RAM: 256 MB | 2 GB | 4 GB | 8 GB | 30 GB | > 30 GB
Storage: 8 GB | 20 GB | 100 GB | 500 GB | > 500 GB
Storage per image scanned: Not applicable (without registry scanning) | 1.5 times the size of the largest image to scan, times the number of executors (with registry scanning)
For more than 10,000 Defenders, add 4 vCPUs and 10 GB of RAM for every additional 5,000 Defenders. For example, 20,000 connected Defenders require a total of 16 vCPUs, 50 GB of RAM, and 500 GB of SSD persistent storage.
The Prisma Cloud Console uses cgroups (v1 or v2) to cap its own resource usage. When more than 1,000 Defenders are connected, disable this cap by setting the DISABLE_CONSOLE_CGROUP_LIMITS flag in the twistlock.cfg configuration file.

Defender Resource Requirements

Each Defender requires 256 MB of RAM and 8 GB of host storage.
The Defender uses cgroups (v1 or v2) to cap its own resource usage at 512 MB of RAM and 900 CPU shares; a typical load is about 1-5% CPU and 30-70 MB of RAM.
The Defender stores its data in the /var folder, so when allocating disk space for Defender, ensure the required space is available under /var. Defenders are designed to be portable containers that collect data; any data that must be persisted is sent to the Prisma Cloud Console for storage, so Defenders do not require persistent storage. If you deploy persistent storage for Defenders, it can corrupt Defender files.
Defenders that provide registry scanning require the following resources:
  • 2 GB of RAM
  • 20 GB of storage
  • 2 CPU cores
Defenders that are part of CI integrations (Jenkins, twistcli) require storage space that depends on the size of the scanned images: 1.5 times the size of the largest image to be scanned, per executor. For example, if you have a Jenkins instance with two executors and your largest container image is 500 MB, you need at least 1.5 GB of storage: 500 MB x 1.5 x 2.

Virtual Machines (VMs)

Prisma Cloud has been tested on the following hypervisors:
  • VMware for Tanzu Kubernetes Grid Multicloud (TKGM)
  • VMware for Tanzu Kubernetes Grid Integrated (TKGI)

Cloud Platforms

Prisma Cloud can run on nearly any cloud Infrastructure as a Service (IaaS) platform.
Prisma Cloud has been tested on the following services:
  • Amazon Web Services (AWS)
  • Google Cloud Platform
  • IBM Cloud
  • Microsoft Azure
  • Oracle Cloud Infrastructure (OCI)
  • Alibaba Cloud: You can deploy Defenders on VMs, hosts running containers, and clusters on Alibaba Cloud using the instructions for the supported host operating systems and orchestrator versions. Specific deployment instructions for Alibaba Cloud are not documented and Cloud discovery is not supported.

ARM Architecture Requirements

The following setups support Prisma Cloud on ARM64 architecture:
  • Cloud provider
  • Supported Defenders:
    • Orchestrator Defenders on AWS and GCP
    • Host Defenders, including auto-defend, on AWS
The twistcli tool is supported on Linux ARM64 instances.
The Prisma Cloud Console does not support running on ARM64 systems.

File Systems

When deploying the Prisma Cloud Console to AWS using the EFS file system, you must meet the following minimum performance requirements:
  • Performance mode: General purpose
  • Throughput mode: Provisioned. Provision 0.1 MiB/s per deployed Defender. For example, if you plan to deploy 10 Defenders, provision 1 MiB/s of throughput.
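The Console sizing rule for more than 10,000 Defenders, the CI scratch-space rule for Jenkins/twistcli Defenders, and the EFS throughput rule above are three small formulas that are easy to get wrong when combined for one deployment. The following capacity-planning helper is an added example (not Prisma Cloud tooling) that encodes exactly those rules. Two things it does are assumptions rather than statements from this page: a partially filled block of 5,000 extra Defenders is rounded up to a whole block, and Console storage above 10,000 Defenders is reported as the 500 GB floor from the worked example.

```python
"""Capacity-planning helper for the sizing rules on this page.

Added example, not Prisma Cloud's own tooling.  Rules taken from the text:
  * Console above 10,000 Defenders: 8 vCPU / 30 GB RAM / 500 GB storage
    at 10,000, plus 4 vCPU and 10 GB RAM for every additional 5,000.
  * CI-integrated Defenders: 1.5 x largest image x executors.
  * EFS throughput for the Console on AWS: 0.1 MiB/s per Defender.
Assumptions (not from the page): a started block of 5,000 counts as a
whole block, and storage above 10,000 is reported as the 500 GB floor.
"""
import math

BASE_DEFENDERS = 10_000
BASE_VCPU, BASE_RAM_GB, BASE_STORAGE_GB = 8, 30, 500
STEP_DEFENDERS, STEP_VCPU, STEP_RAM_GB = 5_000, 4, 10


def console_sizing_above_10k(defenders: int) -> dict:
    """Console vCPU/RAM/storage for a deployment with more than 10,000 Defenders.

    At or below the threshold the page's resource table applies directly,
    so refuse to extrapolate rather than guess a column mapping.
    """
    if defenders <= BASE_DEFENDERS:
        raise ValueError("use the Console resource table for <= 10,000 Defenders")
    # Assumption: any started block of 5,000 is charged as a whole block.
    extra_blocks = math.ceil((defenders - BASE_DEFENDERS) / STEP_DEFENDERS)
    return {
        "vcpu": BASE_VCPU + extra_blocks * STEP_VCPU,
        "ram_gb": BASE_RAM_GB + extra_blocks * STEP_RAM_GB,
        "storage_gb": BASE_STORAGE_GB,  # floor; the table says "> 500 GB"
    }


def ci_scan_storage_mb(largest_image_mb: float, executors: int) -> float:
    """Scratch space for Jenkins/twistcli scanning: 1.5 x largest image x executors."""
    if executors < 1:
        raise ValueError("at least one executor is required")
    return 1.5 * largest_image_mb * executors


def efs_throughput_mib_s(defenders: int) -> float:
    """Provisioned EFS throughput for the Console: 0.1 MiB/s per Defender."""
    return round(0.1 * defenders, 1)


def plan(defenders: int, executors: int = 0, largest_image_mb: float = 0,
         on_efs: bool = False) -> dict:
    """Bill of resources for one deployment, combining the rules above."""
    out = {}
    if defenders > BASE_DEFENDERS:
        out["console"] = console_sizing_above_10k(defenders)
    if executors:
        out["ci_scan_storage_mb"] = ci_scan_storage_mb(largest_image_mb, executors)
    if on_efs:
        out["efs_throughput_mib_s"] = efs_throughput_mib_s(defenders)
    return out


if __name__ == "__main__":
    # The page's own worked numbers: 20,000 Defenders; two executors with a
    # 500 MB image; ten Defenders behind an EFS-backed Console.
    print(plan(20_000))
    print(plan(10, executors=2, largest_image_mb=500, on_efs=True))
```

Run it for a non-multiple such as 12,000 Defenders and note the rounding choice: the helper charges a full block (12 vCPU, 40 GB), which is the conservative reading of "for every additional 5,000 Defenders".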

Operating Systems for bare-metal Hosts and Virtual Machines

Prisma Cloud is supported on both x86_64 and ARM64.

Supported Operating Systems on x86_64

Prisma Cloud is supported on the following host operating systems on x86_64 architecture. The container running the Prisma Cloud Console must run on a supported Linux operating system.
Each entry lists the distro and version, followed by the kernel, supported kubelet, and supported runtime where the page specifies them, and then any notes.
  • Amazon Linux 2 (AMI name: amzn2-ami-hvm-2.0.20220426.0-x86_64-gp2; AMI ID: ami-06eecef118bbf9259)
  • Amazon Linux 2023 (AMI ID: ami-02396cdd13e9a1257)
  • Azure Linux docker image 20230426
  • Bottlerocket OS 1.9.2; kubelet 1.23.7; containerd 1.6.6
  • Bottlerocket OS 1.9.2; kubelet 1.24.9; containerd 1.6.15+bottlerocket
  • Bottlerocket OS 1.9.2; kubelet 1.25.5; containerd 1.6.15+bottlerocket
  • Bottlerocket OS 1.9.2; kubelet 1.26.2; containerd 1.6.19+bottlerocket
  • Bottlerocket OS 1.14.1; kubelet 1.27.1; containerd://1.6.20+bottlerocket
    Notes for all Bottlerocket OS entries: Defenders must be installed as privileged on Bottlerocket. The following features are not available for Bottlerocket: vulnerability and compliance blocking policies; RunC; Prevent on containerd runtime; compliance for containerd.
  • CentOS 7
  • CentOS 8
  • Debian 10
  • Debian 11
  • GCOOS latest
    Notes: GCOOS is purposefully minimalistic; it does not support installing new packages or writing new binaries. Hence, Prisma Cloud's vulnerability detection on GCOOS covers only Docker and Kubernetes package binary detection. Runtime prevent capability is supported only for DNS events; other prevent capabilities are not supported.
  • Oracle Enterprise Linux (OEL) 7
  • Oracle Enterprise Linux (OEL) 8
  • Oracle Enterprise Linux (OEL) 9
    Notes: Agentless scanning is not supported for OEL 9. Vulnerabilities are matched by architecture, which leads to ARM images showing x86-relevant vulnerabilities and vice versa.
  • Red Hat Enterprise Linux (RHEL) 7
  • Red Hat Enterprise Linux (RHEL) 8
  • Red Hat Enterprise Linux (RHEL) 9
  • Red Hat Enterprise Linux CoreOS (RHCOS): all versions included in OpenShift versions 4.9, 4.10, and 4.11
  • Rocky Linux 8
  • Rocky Linux 9
  • SUSE SLES 12 SP5
  • SUSE SLES 15 SP1 - SP4
  • Talos OS 1.3.0; kernel 5.15.83-talos; kubelet 1.25.4; containerd 1.6.12
  • Talos OS 1.3.3; kernel 5.15.89-talos; kubelet 1.25.4; containerd 1.6.15
  • Talos OS 1.3.5; kernel 5.15.94-talos; kubelet 1.25.4; containerd 1.6.18
    Notes for Talos OS 1.3.0, 1.3.3, and 1.3.5: The following features are not available for Talos OS: scanning of underlying hosts; agentless scanning; vulnerability and compliance blocking policies; WAAS defense.
  • Talos OS 1.4.1; kernel 6.1.25-talos; kubelet 1.26.3; containerd 1.6.20
    Notes: Agentless scanning is not supported.
  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • VMware Photon OS 3.0; kernel: runtime scanning is supported with kernel version >= 4.19.191-1
    Notes: The following features are currently not supported in Photon 3.0: SSHD application in host runtime events and empty SSH events on Host observations; Vulnerabilities in Layers view.
  • VMware Photon OS 4.0
    Notes: The following features are currently not supported in Photon 4.0: SSHD application in host runtime events and empty SSH events on Host observations; Vulnerabilities in Layers view.
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
    Notes for Windows Server 2016, 2019, and 2022: Long-Term Servicing Channel (LTSC) support includes only the following features: vulnerability scanning; compliance scanning; CNNS defense for containers; WAAS defense for hosts; runtime defense for containers.

Supported Operating Systems on ARM64

Prisma Cloud supports host Defenders on the following host operating systems on ARM64 architecture in AWS.
  • Amazon Linux 2 (AMI image: amzn-ami-hvm-2018.03.0.20220315.0-x86_64-gp2; AMI ID: ami-0f7691f59fd7c47af); kernel 5.10.96-90.460.amzn2.aarch64
  • CentOS 8
  • Debian 10
  • Red Hat Enterprise Linux (RHEL) 8
  • Red Hat Enterprise Linux (RHEL) 9
  • Ubuntu 18
  • Ubuntu 20
  • Oracle Enterprise Linux (OEL) 8
  • Oracle Enterprise Linux (OEL) 9

Kernel Capabilities

Prisma Cloud Defender requires the following kernel capabilities. Refer to the Linux capabilities man page, capabilities(7), for more details on each capability.
  • CAP_NET_ADMIN
  • CAP_NET_RAW
  • CAP_SYS_ADMIN
  • CAP_SYS_PTRACE
  • CAP_SYS_CHROOT
  • CAP_MKNOD
  • CAP_SETFCAP
  • CAP_IPC_LOCK
The Prisma Cloud App-Embedded Defender requires CAP_SYS_PTRACE only.
When running on a Docker host, Prisma Cloud Defender uses the following files and folders on the host:
  • /var/run/docker.sock — required for accessing the Docker runtime.
  • /var/lib/twistlock — required for storing Prisma Cloud data.
  • /dev/log — required for writing to syslog.
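A capability list in a requirements page is only useful if you can verify it against the running container, especially on hosts with a hardened default seccomp/capability profile. The script below is an added example (not Prisma Cloud code) that decodes the CapEff bitmask the kernel reports in /proc/<pid>/status and compares it with the eight capabilities listed above (or the single one the App-Embedded Defender needs), and that checks a `docker inspect` HostConfig.Binds list for the three host paths. The capability bit numbers are those from linux/capability.h; the status text and inspect JSON embedded in the script are constructed samples, not captured from a real Defender.

```python
"""Verify a container's effective capabilities and host mounts against the
Defender requirements on this page.  Added example, not Prisma Cloud code.

CapEff is read from /proc/<pid>/status (the kernel's own report of the
process's effective capability set); bit positions come from
include/uapi/linux/capability.h.  The sample inputs below are constructed.
"""
import json

# Bit positions from linux/capability.h for the capabilities the page lists.
CAP_BITS = {
    "CAP_NET_ADMIN": 12, "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14,
    "CAP_SYS_CHROOT": 18, "CAP_SYS_PTRACE": 19, "CAP_SYS_ADMIN": 21,
    "CAP_MKNOD": 27, "CAP_SETFCAP": 31,
}
DEFENDER_REQUIRED = frozenset(CAP_BITS)
APP_EMBEDDED_REQUIRED = frozenset({"CAP_SYS_PTRACE"})
DOCKER_HOST_PATHS = ("/var/run/docker.sock", "/var/lib/twistlock", "/dev/log")


def parse_cap_eff(status_text: str) -> int:
    """Return the CapEff bitmask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def missing_caps(cap_eff: int, required=DEFENDER_REQUIRED) -> set:
    """Required capabilities whose bit is clear in the effective set."""
    return {name for name in required if not cap_eff & (1 << CAP_BITS[name])}


def missing_binds(inspect_json: str) -> list:
    """Host paths from the page that are not bind-mounted into the container.

    Takes `docker inspect <container>` output; each Binds entry is
    host:container[:opts], so only the host side is compared.
    """
    hostcfg = json.loads(inspect_json)[0]["HostConfig"]
    mounted = {b.split(":", 1)[0] for b in hostcfg.get("Binds") or []}
    return [p for p in DOCKER_HOST_PATHS if p not in mounted]


# --- constructed samples ---------------------------------------------------
# Docker's default capability set (CapEff 00000000a80425fb) lacks four of
# the eight capabilities Defender needs; the second value adds them back.
STATUS_DEFAULT_DOCKER = "Name:\tdefender\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
STATUS_DEFENDER_CAPS = "Name:\tdefender\nCapEff:\t00000000a82c75fb\n"
INSPECT_PARTIAL = json.dumps([{"HostConfig": {"Binds": [
    "/var/run/docker.sock:/var/run/docker.sock",
    "/var/lib/twistlock:/var/lib/twistlock:rw",
]}}])

if __name__ == "__main__":
    # On a real host, feed it:
    #   cat /proc/$(docker inspect -f '{{.State.Pid}}' <defender>)/status
    #   docker inspect <defender>
    print("missing caps (docker default):", sorted(missing_caps(parse_cap_eff(STATUS_DEFAULT_DOCKER))))
    print("missing caps (defender set):  ", sorted(missing_caps(parse_cap_eff(STATUS_DEFENDER_CAPS))))
    print("missing binds:", missing_binds(INSPECT_PARTIAL))
```

Reading CapEff rather than the container's CapAdd list is deliberate: CapAdd records what was requested, while CapEff is what the kernel actually granted after any seccomp, no-new-privileges, or orchestrator admission policy has been applied.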

Docker Engine

Prisma Cloud supports only the versions of the Docker Engine that Docker itself supports. Prisma Cloud supports only the following official mainstream Docker releases and later versions:
  • Community Edition (CE) 18.06.1
  • Community Edition (CE) 20.10.7
  • Community Edition (CE) 20.10.13
  • Enterprise Edition (EE) 19.03.4
  • Enterprise Edition (EE) 19.03.8
The following storage drivers are supported: overlay2, overlay, and devicemapper.
For more information, review Docker's guide to selecting a storage driver.
The Docker Engine versions listed apply to versions you independently install on a host. The versions shipped as part of an orchestrator, such as Red Hat OpenShift, might differ. Prisma Cloud supports the version of Docker Engine that ships with any Prisma Cloud-supported version of the orchestrator.
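Before installing a Defender on a standalone Docker host, it is worth checking the engine version and storage driver programmatically rather than by eye. The following preflight script is an added example (not part of Prisma Cloud) that reads the JSON printed by `docker info --format '{{json .}}'` and reports whether the storage driver is one of overlay2, overlay, or devicemapper and whether the server version is at least the lowest release listed above for its edition. Two assumptions are mine, not the page's: "listed releases and later versions" is treated as a single floor per edition (18.06.1 for CE, 19.03.4 for EE), and the edition is detected from an "-ee" suffix in the version string. The embedded `docker info` outputs are constructed samples.

```python
"""Preflight a Docker host against the Docker Engine section above.
Added example, not Prisma Cloud tooling.  Input is the JSON from
`docker info --format '{{json .}}'`; constructed samples are embedded.
"""
import json

SUPPORTED_DRIVERS = {"overlay2", "overlay", "devicemapper"}
# Assumption: the lowest release listed on the page is the floor per edition.
MIN_VERSION = {"ce": (18, 6, 1), "ee": (19, 3, 4)}


def parse_version(version: str) -> tuple:
    """'20.10.13' -> (20, 10, 13); '19.03.8-ee' -> (19, 3, 8).  Suffixes ignored."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def edition_of(version: str) -> str:
    """Assumption: Docker EE builds carry an '-ee' suffix; everything else is CE."""
    return "ee" if "-ee" in version else "ce"


def docker_preflight(info_json: str) -> list:
    """Return the problems found; an empty list means the host passes."""
    info = json.loads(info_json)
    problems = []
    driver = info.get("Driver", "")
    if driver not in SUPPORTED_DRIVERS:
        problems.append(f"storage driver {driver!r} is not one of {sorted(SUPPORTED_DRIVERS)}")
    version = info.get("ServerVersion", "0")
    floor = MIN_VERSION[edition_of(version)]
    if parse_version(version) < floor:
        problems.append(f"Docker Engine {version} is below the lowest listed release "
                        + ".".join(str(n) for n in floor))
    return problems


# Constructed `docker info` outputs: a passing host, an old host on aufs,
# and a CE release one patch below the listed 18.06.1.
INFO_OK = json.dumps({"ServerVersion": "20.10.17", "Driver": "overlay2", "OSType": "linux"})
INFO_BAD = json.dumps({"ServerVersion": "17.03.2-ce", "Driver": "aufs"})
INFO_OLD_CE = json.dumps({"ServerVersion": "18.06.0-ce", "Driver": "overlay2"})

if __name__ == "__main__":
    # Real usage:
    #   docker_preflight(subprocess.check_output(["docker", "info", "--format", "{{json .}}"]))
    for sample in (INFO_OK, INFO_BAD, INFO_OLD_CE):
        print(docker_preflight(sample) or "OK")
```

The version floor is a coarse check only; the page's first sentence (only engines Docker itself still supports) cannot be encoded from a version number alone, so pair this with Docker's own lifecycle information.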

Container Runtimes

Prisma Cloud supports several container runtimes depending on the orchestrator. Supported versions are listed in the orchestration section.

Podman

Podman is a daemon-less container engine for developing, managing, and running OCI containers on Linux. The twistcli tool can use the preinstalled Podman binary to scan CRI images.
Podman v1.6.4, v3.4.2, v4.0.2

Helm

Helm is a package manager for Kubernetes that allows developers and operators to more easily package, configure, and deploy applications and services onto Kubernetes clusters.
Helm v3.10, v3.10.3, and v3.11 are supported.

Orchestrators

Prisma Cloud is supported on the following orchestrators. We support the following versions of official mainline vendor/project releases.

Supported Orchestrators on x86_64

Each entry lists the orchestrator and version, the operating system and image where the page gives them, the runtime, and the release it was tested in (the "Tested in" column). Kernel is not specified for any entry.
  • Azure Kubernetes Service (AKS) 1.23; Linux; containerd://1.6.15; tested in 30.00
  • Azure Kubernetes Service (AKS) 1.24; Linux; containerd://1.6.18; tested in 30.00
  • Azure Kubernetes Service (AKS) 1.25; Linux; containerd://1.6.18; tested in 30.00
  • Azure Kubernetes Service (AKS) - Azure Linux 1.25.6; Linux; image 202304.20.0; containerd://1.6.18; tested in 30.01
  • Azure Kubernetes Service (AKS) 1.26.0; Linux; containerd://1.6.15; tested in 30.00
  • Azure Kubernetes Service (AKS) 1.26.0; Windows; containerd://1.6.14; tested in 30.00
  • Azure Kubernetes Service (AKS) 1.26.3; Windows; containerd://1.6.14; tested in 30.01
  • Azure Kubernetes Service (AKS) 1.26.3; Windows; containerd://1.6.14; tested in 30.02
  • Azure Kubernetes Service (AKS) 1.27.1; Windows; containerd://1.6.21+azure; tested in 30.03
  • Azure Kubernetes Service (AKS) 1.26.3; Linux; containerd://1.6.18; tested in 30.01
  • Azure Kubernetes Service (AKS) 1.26.3; Linux; containerd://1.6.18; tested in 30.02
  • Azure Kubernetes Service (AKS) 1.27.1; Linux; containerd://1.7.1+azure-1; tested in 30.03
  • Elastic Kubernetes Service (EKS) 1.22; containerd://1.6.6; tested in 30.00
  • Elastic Kubernetes Service (EKS) 1.23; containerd://1.6.6; tested in 30.00
  • Elastic Kubernetes Service (EKS) 1.24; containerd://1.6.6; tested in 30.00
  • Elastic Kubernetes Service (EKS) 1.25.6; containerd://1.6.6; tested in 30.00
  • Elastic Kubernetes Service (EKS) 1.26.2; containerd://1.6.19; tested in 30.01
  • Elastic Kubernetes Service (EKS) 1.26.3; containerd://1.6.6; tested in 30.01
  • Elastic Kubernetes Service (EKS) 1.27.1; containerd://1.6.19; tested in 30.02
  • Elastic Kubernetes Service (EKS) 1.27.1; containerd://1.6.19; tested in 30.03
  • Elastic Kubernetes Service (EKS) Bottlerocket 1.24; containerd://1.6.19+bottlerocket; tested in 30.00
  • Elastic Kubernetes Service (EKS) Bottlerocket 1.25.5; containerd://1.6.15+bottlerocket; tested in 30.00
  • Elastic Kubernetes Service (EKS) Bottlerocket 1.26.2; containerd://1.6.19+bottlerocket; tested in 30.01
  • Elastic Kubernetes Service (EKS) Bottlerocket 1.27.1; containerd://1.6.20+bottlerocket; tested in 30.02
  • Elastic Kubernetes Service (EKS) Bottlerocket 1.27.1; containerd://1.6.20+bottlerocket; tested in 30.03
  • Elastic Container Service (ECS) 1.68; image AMI ID ami-0ac7415dd546fb485; Docker version 20.10.17; tested in 30.00
  • Elastic Container Service (ECS) 1.69; image AMI ID ami-083cd4eb32643c8a0; Docker version 20.10.17; tested in 30.00
  • Elastic Container Service (ECS) 1.70; image AMI name amzn2-ami-ecs-hvm-2.0.20230314-x86_64-ebs; Docker version 20.10.17; tested in 30.00
  • Elastic Container Service (ECS) 1.71; image AMI ID ami-090310a05d8eae025; Docker version 20.10.22; tested in 30.01
  • Elastic Container Service (ECS) 1.71.2; image AMI name al2023-ami-ecs-hvm-2023.0.20230530-kernel-6.1-x86_64; Docker version 20.10.17; tested in 30.02
  • Elastic Container Service (ECS) 1.72.0; image AMI name al2023-ami-ecs-hvm-2023.0.20230530-kernel-6.1-x86_64; Docker version 20.10.23; tested in 30.03
  • Google Kubernetes Engine (GKE) 1.23.9-gke.3200; containerd://1.6.9; tested in 30.00
  • Google Kubernetes Engine (GKE) 1.24.9-gke.3200; containerd://1.6.9; tested in 30.00
  • Google Kubernetes Engine (GKE) 1.25.6; containerd://1.6.12