Table of Contents

Deploy WAAS Agentless

WAAS agentless rules inspect HTTP requests and responses through a mirror of the traffic to provide WAAS detections.
WAAS can observe a mirror of HTTP traffic flowing to and from CSP (AWS) instances, even if they are not protected by a Prisma Cloud Compute Defender.
VPC Observer is an EC2 instance running a Host defender for VPC Traffic Mirroring. The target instance is configured on a separate instance within the same VPC to receive Out-Of-Band traffic from the unprotected applications on the source instance. These Observers on the target instance inspect Out-Of-Band traffic and send audits of any events they identify to Prisma console.
To set up WAAS agentless with VPC traffic mirroring, specify the EC2 instances to mirror (exact names or using wildcards or tags) in a VPC, the ports to mirror, and other AWS parameters in a VPC traffic mirroring rule. For each VPC traffic mirroring rule, a VPC Observer will be created in a VPC machine to receive the mirrored traffic (the VPC Observer is an EC2 instance running a host Defender).
Monitoring applications with WAAS agentless through VPC traffic mirroring is subject to limitations, quotas, and checksum offloading as defined in the AWS documentation.


  • To configure WAAS agentless with AWS VPC traffic mirroring, apply the permission template ending in agentless_app_firewall_permissions_template.yaml to AWS CloudFormation console for your account. For detailed instructions on how to apply cloud formation templates, refer to the AWS documentation.
    Amazon EC2 Auto Scaling is integrated with this AWS CloudFormation permission template.
    Edit the template and replace the "USER-agentless-app-firewall" value with the actual username that you want to grant these permissions.
    WAAS agentless permissions policies created in AWS:
    WAAS agentless resources stack deployed in AWS:
  • Create an AWS Cloud account under
    Compute > Manage > Cloud accounts
    using the Access key from your AWS account.
    Cloud accounts require
    Cloud discovery
    to be enabled to discover the EC2 instances to mirror.

Create a WAAS agentless rule for VPC Traffic Mirroring

To deploy WAAS agentless with VPC traffic mirroring, create a new rule, configure VPC, define application endpoints, and select protections.
  1. Create a WAAS rule under
    Defend > WAAS > Agentless > Add rule
  2. Enter a
    Rule Name
    (Optional) for describing the rule.
  3. Add
    VPC Configuration
    to allow the mirrored traffic to flow from the source instance to the Prisma Cloud Observer deployed on the target instance.
    1. Select
      Console address
      as the hostname of the Console to connect to.
    2. Select the credentials for the AWS
      Cloud account
      that you configured under
      Manage > Cloud accounts
    3. Choose the AWS
      where the mirrored VMs are located in.
    4. Enter the
      VPC ID
      to look for instances to mirror and to deploy the Observer in.
    5. Enter the
      VPC Subnet ID
      to look for instances to be mirrored only in the selected Subnet ID, and to deploy the Observer in.
    6. Specify the
      or wildcards identifying the EC2 instances to mirror in any of the following format:
      1. <key:value> = Match tags by key and value pair.
      2. <key:> = Match tags with key and empty value (for example, AWS tags allow just a key, with no value (empty string)).
      3. * = Match all tags.
    7. Enter
      Instance names
      or wildcards to identify the EC2 instances to mirror.
      The instance to mirror is mapped by machine tags:instance names.
    8. Enter the
      to mirror.
      You can enter a maximum of 5 ports. Port ranges are not supported.
    9. Select the
      Observer Instance type
      to use for the VPC Observer instance.
    10. Enable
      Auto scaling
      to automatically scale WAAS Observers to handle a large amount of traffic volume or sudden decrease in traffic volume. You can set a limit of maximum instances between 1 and 10.
    11. Select
      The Deployment will be done using a dynamically constructed AWS CloudFormation template, programmatically with CloudFormation API. The WAAS rule is not immediately applied, there will be stages of the rules as the VPC configuration is being deployed in AWS. You can track the status of the deployment in the AWS CloudFormation stack, and also on Prisma Cloud Console.
  4. (Optional) Toggle to enable
    API endpoint discovery
    When enabled, the Observer inspects the mirrored traffic to and from the remote applications. The Observer reports a list of the endpoints and their resource path in
    Compute > Monitor > WAAS > API discovery
  5. Save
    the rule.
    A scheduled scan runs every hour to check for new and deleted EC2 instances based on the VPC configurations instance names and tags. If a change is found in the list of EC2 instances to mirror, the AWS VPC traffic mirroring setup will be updated.
    To force a scan, you can click

Add an App (policy) to the rule

  1. Select a WAAS rule to add an App in.
  2. Select
    Add app
  3. In the
    App Definition
    tab, enter an
    App ID
    The combination of
    Rule name
    App ID
    must be unique across In-Line and Out-Of-Band WAAS policies for Containers, Hosts, and App-Embedded.
    If you have a Swagger or OpenAPI file, click
    , and select the file to load.
    If you do not have a Swagger or OpenAPI file, manually define each endpoint by specifying the host, port, and path.
    1. In
      Endpoint Setup
      , select
      Add endpoint
    2. Specify an endpoint in your web application that should be protected. Each defined application can have multiple protected endpoints.
    3. Enter
      HTTP host
      (optional, wildcards supported).
      HTTP hostnames are specified in the form of [hostname]:[external port].
      The external port is defined as the TCP port on the host, listening for inbound HTTP traffic. If the value of the external port is "80" for non-TLS endpoints or "443" for TLS endpoints, it can be omitted. Examples: "*", "", "", etc.
    4. Enter
      Base path
      (optional, wildcards supported) for WAAS to match.
      Examples: "/admin", "/" (root path only), "/*", /v2/api", etc.
    5. Enable
      if your application uses the TLS protocol.
    6. Select
    7. To facilitate inspection, after creating all endpoints, select
      View TLS settings
      in the endpoint setup menu.
      WAAS TLS settings:
    8. If your application requires API protection, select the "API Protection" tab and define for each path the allowed methods, parameters, types, etc. See detailed definition instructions in the API protection help page.
  4. Continue to
    App Firewall
    tab, and select the protections as shown in the screenshot below:
    For more information, see App Firewall settings.
  5. Continue to
    DoS protection
    tab and select DoS protection to enable.
  6. Continue to
    Access Control
    tab and select access controls to enable.
  7. Continue to
    Bot protection
    tab, and select the protections as shown in the screenshot below:
    For more information, see Bot protections.
  8. Continue to
    Custom rules
    tab and select Custom rules to enable.
  9. Continue to
    Advanced settings
    tab, and set the options shown in the screenshot below:
    For more information, see Advanced settings.
  10. Select
  11. You should be redirected to the
    Rule Overview
    Select the created new rule to display
    Rule Resources
    and for each application a list of
    protected endpoints
    enabled protections
  12. Test protected endpoint using the following sanity tests.
  13. Go to
    Monitor > Events > WAAS for Agentless
    to observe the events generated.
    For more information, see the WAAS analytics help page

VPC Configuration Status

Once the VPC configuration is saved, a CloudFormation template will be created and deployed in the selected region. You can track the stack deployment stages through Prisma Console.
  • Deploying
    : The WAAS rule is getting ready as the Observer is being deployed in the AWS instance and the session is being established between the Observer and the resources.
    to view the updated deployment status.
  • Ready
    : The WAAS rule is ready to be protecting the selected resources. The Observer will check for new instances (based on the selected tags or instance names) once every hour.
  • Error
    : The rule is in error and the deployment failed. Fix the error, and click
    to reapply the configuration.
  • Deletion in progress
    : The Observer deployment is being torn down, and the session is being terminated.
  • Deletion error
    : Error in tearing down the Observer setup on AWS VPC.
to see the updated status of the rules on the UI.
When the VPC configuration is in
status, an
is allowed to reapply the configuration.
You can
an Agentless rule, that will tear down the entire VPC stack configuration and resources. Once the rule deletion is complete, the rule will disappear from the Console and the Observer will be uninstalled.
The VPC Observer is installed under
Manage > Defenders > Deployed Defenders
. A VPC observer can only be deleted if you delete the rule from the Console.

Updating VPC Configurations

You can edit the VPC configurations only to update the Tags, Instance names, Ports, and Observer instance type. This will update the AWS CloudFormation template, and AWS will create/destroy only the updated AWS resources.
If you update the instance type of the VPC Observer, then AWS will recreate the EC2 instance and there will be a downtime.
Edit the fields and
to reapply the configurations.

WAAS Actions for Out-Of-Band traffic

The following actions are applicable for the HTTP requests or responses related to the
Out-Of-Band traffic
  • Alert
    - An audit is generated for visibility.
  • Disable
    - The WAAS action is disabled.


Limitations for setting traffic mirroring imposed by AWS
  • Not all AWS instance types support traffic mirroring, for example, T2 is not supported (relevant for both source and target EC2 instances).
  • Some regions don’t currently support the 'm5n.2xlarge' and 'm5n.4xlarge' instance types, so these types cannot be used for VPC Observer (For example, Paris).
TLS Limitations
  • TLS settings for agentless support TLS 1.0, 1.1, and 1.2.
  • Only the following RSA Key Exchange cipher suites are supported:
    • TLS_RSA_WITH_RC4_128_SHA
  • TLS connections using extended_master_secret(23) in the negotiation are not supported as part of this feature.
  • Out-Of-Band does not support HTTP/2 protocol.
  • DHKE is not supported due to a lack of information required to generate the encryption key.
  • The full handshake process must be captured. Partial transmission or session resumption process inspection won’t be decrypted.
  • Same VPC configuration cannot be used to inspect both HTTP and HTTPS traffic, you must create two different Agentless rules, one for each HTTP and HTTPS traffic monitoring.
    You must upgrade the VPC Observer through
    Manage > Defenders
WAAS Agentless Limitations
  • An EC2 instance can only be attached to one agentless rule.
  • An agentless rule can only inspect machines from one VPC and Subnet combination.
  • Each agentless rule can only have a maximum of 5 ports in the VPC configuration.
  • Changing the VPC observer instance types involves downtime.
  • Once the AWS setup is created/updated in the agentless rule, the Observer status is only available on
    Manage > Defenders > Deployed defenders

Troubleshooting VPC traffic mirroring

When the configuration status shows the following error, as shown in the screenshot below, check the AWS CloudFormation stack events for the error.
Some scenarios in the AWS CloudFormation that may lead to the above error are as follows:

You are not authorized to perform this operation

This is because the selected AWS cloud account doesn’t have enough permissions for deployment.
  1. Modify the account with the correct permissions as mentioned in the agentless_app_firewall_permissions_template.json file, and select
    to retry the deployment.
  2. Delete the rule in error and create a new rule in the AWS Cloud account with the permissions as mentioned in the agentless_app_firewall_permissions_template.json file to AWS CloudFormation console for your account.

SessionNumber 1 already in use for eni-*

Trying to mirror an already mirrored EC2 instance (either by WAAS or another product).
  1. Edit the VPC configuration and remove the instance from the tags or instance names list, and click
    to retry the deployment.
  2. Remove the mirroring from the machine from the other rule/other product, and click
    to retry the deployment.

WaitCondition received failed message: 'Defender deployment failed' for uniqueid: i-xxxx.

AWS CloudFormation stack failed to deploy the WAAS agentless resources because Prisma Console is not accessible from AWS.
  1. Make sure that the IP address of Prisma Console in the VPC configuration is public.
  2. Check if the Defender instance has a public IP address.
  3. Check if AWS account can connect with the Prisma Cloud Console with Console URL that you selected in the VPC configuration.
    1. If the Console is not reachable, delete the rule and create a new rule with a valid Prisma Cloud Console URL.
    2. If the Console is not reachable due to a firewall rule or other blocking rules, fix the rule to allow the connectivity to the Console, and click
      to retry the deployment.
    3. Ensure that the Console’s IP address and the ports are reachable by the Defender. Also, the firewall is open with the relevant port and source IPs.

Failed to find VMs to mirror

The security token included in the request is invalid.
  1. Edit Configuration
    to ensure that the AWS cloud account exists for the user, and also ensure that a correct secret key is used,
    the configuration.
  2. Click
    to reapply the configuration.

Recommended For You