Update the Intelligence Stream in offline environments
Self-Hosted 30.xx
Prisma Cloud lets you update Console’s vulnerability and threat data even if it runs in an offline environment.
The Prisma Cloud Intelligence Stream (IS) is a real-time feed that contains vulnerability data and threat intelligence from commercial providers, Prisma Cloud Labs, and the open source community.
When you install Prisma Cloud, Console is automatically configured to connect to intelligence.twistlock.com to download updates.
The IS is updated several times per day, and Console continuously checks for updates.
If you run Prisma Cloud in an offline environment, where Console does not have access to the Internet to download updates from the IS, then you can manually download and install IS updates.
Update strategies for offline environments
There are a number of update strategies.
The right strategy for you depends on the size of your deployment, and in particular, the number of air-gapped Consoles in your environment.
Basic strategy
Use the basic strategy when you’ve got one or two air-gapped Consoles.
The basic strategy for updating the threat data for an isolated, air-gapped Console is:
- Download the IS data from an Internet-connected machine.
- Move the archived data to a location accessible by the air-gapped environment.
- Load the IS data into the offline Console.
Both the download and upload operations use twistcli, so the process can be automated.
If you’ve got a large number of air-gapped Consoles, individually updating each one can be challenging and brittle, especially in dynamic environments.
As such, Prisma Cloud lets you scale the basic strategy to any number of Consoles.
Each deployed Console can be configured to look for the latest threat data in a central location.
From there, each Console will update itself every 24 hours.
Your job is to ensure that the central location always serves the latest threat data.
For example, consider how the U.S. Navy would keep a fleet of submarines up-to-date with the latest threat data.
When a submarine surfaces and establishes brief connection to its command’s network, the submarine’s Console needs to pull the latest Intelligence Stream updates.
For this type of setup, see Scale approach 1 and Scale approach 2.
Scale approach 1
Distribute the latest Intelligence Stream data from an HTTP/S server.
Use the basic strategy to keep the data at the endpoint up-to-date.
To configure your Console for this approach, see Download the IS from an HTTP server.
Scale approach 2
Distribute the latest Intelligence Stream data from a so-called "relay" Console.
Downstream Consoles connect to the relay Console to pull the latest threat data.
To keep the relay Console up-to-date:
- Use the basic strategy when the relay Console is also isolated in an air-gapped environment.
- Let the relay Console update itself by connecting to the Intelligence Stream over the Internet.
To configure your Console for this approach, see Download the IS from another Console.
Projects
By default, projects utilize the distribution mechanism described in Scale approach 2.
Central Console connects to https://intelligence.twistlock.com to retrieve the latest threat data.
All tenant projects connect to Central Console to get the latest threat data.
Central Console itself can be configured for manual threat feed updates, Scale approach 1, or Scale approach 2.
To force Central Console to push Intelligence Stream updates down to all tenants, go to Manage > System > Intelligence in the Central Console and click Update Now.
Download the IS data with twistcli
Before starting, ensure the Internet-connected host to where you will initially download the data can access the Intelligence Stream.
The most reliable way to test connectivity is to ping the Intelligence Stream.
The following curl command verifies that name resolution and any intermediary HTTP proxies are functioning properly:
$ curl -k \
    --silent \
    --output /dev/null \
    --write-out "%{http_code}\n" \
    https://intelligence.twistlock.com/api/v1/_ping
If you’ve got connectivity, you’ll get back a 200 (Successful) response code:
200
- Open Console.
- Go to Manage > System > Intelligence.
- Copy the access token.
- Download twistcli. You have several options:
  - Download twistcli from the Console UI. Go to Manage > System > Utilities.
  - Download twistcli from the API. Use /api/v1/util/twistcli for the Linux binary or /api/v1/util/osx/twistcli for the macOS binary.
  - Get a copy from the release tarball.
- Download the Intelligence Stream data. Open a shell window, and run the following command:
  $ ./linux/twistcli intelligence download --token <ACCESS-TOKEN>
  All data is downloaded and saved in a file named twistlock_feed_<random_string>.tar.gz.
Upload IS data to Console with twistcli
Use the twistcli tool to upload the Intelligence Stream archive to your Prisma Cloud Console.
Prerequisite:
You’ve disabled over-the-Internet updates for your air-gapped Console.
Go to Manage > System > Intelligence and set Update the Intelligence Stream from Prisma Cloud over the Internet to Off.
- Download twistcli. You have several options:
  - Download twistcli from the Console UI. Go to Manage > System > Utilities.
  - Download twistcli from the API. Use /api/v1/util/twistcli for the Linux binary or /api/v1/util/osx/twistcli for the macOS binary.
  - Get a copy from the release tarball.
- Run the following command:
  $ ./linux/twistcli intelligence upload \
      --address https://<COMPUTE-CONSOLE>:8083 \
      --user <USER> \
      --password <PASSWORD> \
      --tlscacert <PATH-TO-CERT> \
      <FEED-ARCHIVE>
  Where:
  - <COMPUTE-CONSOLE>: URL for the air-gapped Console.
  - <USER>, <PASSWORD>: Credentials for a user with a minimum role of Vulnerability Manager.
  - <PATH-TO-CERT>: (Optional) Path to Prisma Cloud’s CA certificate file. With the CA cert, a secure connection is used to upload the intelligence data to Console. For example, /var/lib/twistlock/certificates/console-cert.pem.
  - <FEED-ARCHIVE>: File generated from downloading an archive of the IS with twistcli. For example, twistlock_feed_1524655717.tar.gz.
Sometimes after Console is restarted, you might see an error on the login page that says "failed to query license". This is by design, and it’s not a bug. It happens because a Console restart triggers a user auth token renewal. For more information, see long-lived tokens.
Download the IS from an HTTP server
Configure Console to download the IS archive file from a custom HTTPS location.
When enabled, Console downloads the file from this location every 24 hours.
If the download fails, Console retries every 1 hour until it’s successful, then waits for 24 hours until the next download.
In this strategy, you must get the latest IS data with twistcli and copy the archive file to the HTTP/S server, where the air-gapped Console(s) will retrieve it.
- Open Console.
- Go to Manage > System > Intelligence.
- Set Update the Intelligence Stream from a custom location to On.
- In Address, specify the full URL to the HTTP/S endpoint where the archive is served.
- If credentials are required to access this endpoint, create them.
- (Optional) Configure a certificate chain for trusting the HTTPS endpoint.
- Click Save.
  Console immediately attempts to load the IS data from the specified endpoint. Assuming Console is successful, it schedules subsequent updates every 24 hours. Click Update Now to force an immediate update.
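The basic strategy's download step and the HTTP/S publishing step of Scale approach 1 are both twistcli- and file-driven, so they can be scripted. The following POSIX shell script is an added example, not Prisma Cloud's own tooling: the twistcli command and the _ping URL are those given above, while ACCESS_TOKEN, DOWNLOAD_DIR, WEBROOT and the stable file name twistlock_feed.tar.gz are assumptions.

```shell
#!/bin/sh
# Added example, not Prisma Cloud's own tooling: automates the basic strategy's
# download step and publishes the archive for Scale approach 1. twistcli and the
# _ping URL are from the page; ACCESS_TOKEN, DOWNLOAD_DIR, WEBROOT and the stable
# name twistlock_feed.tar.gz are assumptions.
set -eu
IS_PING_URL="https://intelligence.twistlock.com/api/v1/_ping"
TWISTCLI="${TWISTCLI:-./linux/twistcli}"
# The IS must answer 200 through whatever proxy sits in between.
is_reachable() {
  code=$(curl -k --silent --output /dev/null --write-out "%{http_code}" "$IS_PING_URL") || return 1
  [ "$code" = "200" ]
}

# twistcli writes twistlock_feed_<random_string>.tar.gz into the current directory.
download_feed() {
  ( cd "$1" && "$TWISTCLI" intelligence download --token "$ACCESS_TOKEN" )
}

# Most recently written feed archive in directory $1 (empty if none).
newest_feed() {
  ls -1t "$1"/twistlock_feed_*.tar.gz 2>/dev/null | head -n 1
}

# A truncated copy or a proxy's HTML error page is not a gzip'd tar; refuse it.
verify_feed() {
  gzip -t "$1" 2>/dev/null && tar -tzf "$1" >/dev/null 2>&1
}
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Publish under a fixed name so every Console's Address field stays the same, swap
# atomically so no Console fetches a half-written file, and write a sha256 sidecar
# so the copy carried to the air-gapped side can be checked before it is served.
publish_feed() {
  archive=$1; webroot=$2
  verify_feed "$archive" || { echo "rejected $archive: not a valid feed archive" >&2; return 1; }
  cp "$archive" "$webroot/twistlock_feed.tar.gz.tmp"
  mv "$webroot/twistlock_feed.tar.gz.tmp" "$webroot/twistlock_feed.tar.gz"
  sha256_of "$webroot/twistlock_feed.tar.gz" > "$webroot/twistlock_feed.tar.gz.sha256"
}
main() {
  is_reachable || { echo "Intelligence Stream unreachable" >&2; exit 1; }
  download_feed "$DOWNLOAD_DIR"
  publish_feed "$(newest_feed "$DOWNLOAD_DIR")" "$WEBROOT"
}
if [ "${1:-}" = "run" ]; then main; fi   # run the pipeline only when invoked as: ./is_sync.sh run
```

On the air-gapped side, the published file is what you pass as <FEED-ARCHIVE> to twistcli intelligence upload, or what the HTTP/S server serves at the Address you enter in Console.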
Download the IS from another Console
You can configure a Console to retrieve the latest Intelligence Stream data from another Console.
In this configuration, you have a single relay Console, and all other deployed Consoles connect to it to retrieve the latest Intelligence Stream data.
When enabled, Console downloads the file from this location every 24 hours.
If the download fails, Console retries every 1 hour until it’s successful, then waits for 24 hours until the next download.
In this strategy, you must implement a method for the relay Console to get a copy of the latest Intelligence Stream data.
- Open Console.
- Go to Manage > System > Intelligence.
- Set Update the Intelligence Stream from a custom location to On.
- In Address, specify the full URL to the relay Console:
  https://<COMPUTE-CONSOLE>:8083/api/v1/feeds/bundle
  Where:
  - <COMPUTE-CONSOLE>: URL for the relay Console.
- In Credential, create basic auth credentials for a user that has a minimum role of Vulnerability Manager.
- Enter a certificate to trust the HTTPS endpoint.
  - Copy the relay Console’s certificate from /var/lib/twistlock/certificates/ca.pem, and paste it here.
- Click Save.
  Console immediately attempts to load the IS data from the specified endpoint. Assuming Console is successful, it schedules subsequent updates every 24 hours. Click Update Now to force an immediate update.