Table of Contents

30.00 Release Notes

The following table outlines the release particulars:
Code name
Release date
Apr 23, 2023
Major release
Review the system requirements to learn about the supported operating systems, hypervisors, runtimes, tools, and orchestrators.

CVE Coverage Update

As part of the 30.00 release, Prisma Cloud has rolled out updates to its vulnerability data for Common Vulnerabilities and Exposures (CVEs) in the Intelligence Stream. The new additions are as follows:
  • Fixed CVE-2023-28840 (Severity: high) || Package:
    Fixed by upgrading to docker version v20.10.24.
  • Fixed CVE-2023-27561 (Severity: high) || Package:
    Fixed by upgrading to runc v1.1.5.
  • Fixed CVE-2023-28642 (Severity: moderate) || Package:
    Fixed by upgrading to runc version v1.1.5.
  • Fixed CVE-2023-28841 (Severity: moderate) || Package:
    Fixed by upgrading to docker version v20.10.24.
  • Fixed CVE-2023-28842 Severity: moderate || Package:
    Fixed by upgrading to docker version v20.10.24.
  • Fixed CVE-2023-0361 (Severity: moderate) || Package: gnutls
    Fixed by upgrading the gnutls (RHEL 8 package)
  • Fixed CVE-2023-25809 (Severity: low) || Package:
    Fixed by upgrading to runc version v1.1.5.

UI Enhancements

Tanzu Blobstore Update

Improved the web interface to add and configure a VMWare Tanzu blobstore under
Defend > Access > VMWare Tanzu blobstore

Defender Settings

Improved the web interface for the advanced Defender settings under
Manage > Defenders > Settings


Improved the web interface for Collections (
Manage > Collections and Tags
). You can now view a summary of each collection in the sidecar, which covers resource data and usage data of the collection.

New Features in Agentless Security

Agentless Scanning Support for Windows Hosts

You can now use agentless scanning to scan Windows hosts for vulnerabilities and compliance issues on Amazon Web Services, Google Cloud Platform, and Microsoft Azure. Agentless scanning supports the following versions of Windows.
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
Agentless scanning is not supported for containers running on Windows hosts.

Support for Bottlerocket

Agentless scanning for vulnerabilities and compliance is now supported on Bottlerocket.

Support for Encrypted Volume Agentless Scanning with AWS Hub Accounts

You can now use agentless scanning with your AWS hub accounts to scan encrypted volumes.

Support for Shared VPC in GCP

Agentless scanning in GCP now supports specifying a shared subnet to communicate back to Prisma Cloud. Using a shared VPC requires you to grant Prisma Cloud additional permissions to create and manage the VPC. If you are not using a shared VPC, you can use the existing permission template to configure agentless scanning.

New Features in Core

New Release Numbering Format

Starting from this release, that is named 30.00.140, the Prisma Cloud versions have a new release numbering format major release.minor The major release is a number 30, in this case, followed by the minor release sequence that will start with 00 (first release), 01 (minor 1), 02 (minor 2), and so on.
For example, the next maintenance release will be, and maintenance update 2 will be

Cloud Radar Improvements

Improved filters and performance in
Radars > Cloud

Runtime Protection Support for Photon OS 4.0 Hosts

Added runtime protection using Defenders for your Photon OS 4.0 hosts.

Support Vulnerability Management for CentOS Stream 9

Added support for CentOS Stream 9 for vulnerability scanning.

Update to Host VM Tags Collection

VM tags are now identified during the platform cloud discovery. You can create new host collections using the tag metadata of the cloud hosts. The tags propagate to your images and containers belonging to the host. Additional tags captured during Defender deployment are appended to the existing tag list and are also available to you when creating new host collections.

User Management Role

You can define two distinct system roles to manage authentication permissions. This change gives you more granular control over these permissions. The permissions of the old Authentication system role are now split into the User Management and Authentication Configuration system roles.

Support .NET NuGet Package

Added support for vulnerability scanning of the NuGet package for .NET for images, functions, and hosts. For hosts, the scan is supported using twistcli only.

Support OEL 7

Added support for Oracle Enterprise Linux 7 on x86.

Support for RHEL 9

Added support for RedHat Enterprise Linux 9 on x86 and on ARM.

New Features in Host Security

Support for CBL-Mariner on Hosts

Added support for CBL-Mariner 2.0 on x86 for vulnerability scanning, compliance scanning, and runtime protection. Prisma Cloud tested CBL-Mariner on AKS running on HCI environment.

New Features in Serverless

Cloud Account Onboarding includes Serverless Scanning

To make it easier to configure serverless scanning, you can now configure serverless scanning when you add a new cloud account (
Manage > Cloud accounts
). To change the serverless configuration go to
Manage > Cloud accounts
, click
, and make the needed changes.

New Features in WAAS

Customizable CAPTCHA page for WAAS Bot protection

You can now embed a custom reCAPTCHA page branded to fit your application and protect your website from spam and abuse. The WAAS Bot Protection is available on
Defend > WAAS > Active Bot Detection

Amazon EC2 Auto Scaling support in WAAS Agentless

The agentless app firewall permissions template for AWS has been revised to include a policy to support Auto Scaling of EC2 instances. To enable Auto Scaling, you must update your AWS CloudFormation permission template.

API Changes and New APIs

Supports Amazon EC2 Auto Scaling in WAAS agentless deployment

WAAS agentless deployment now supports automatic scaling of WAAS observers to handle a large amount of network traffic or sudden increase of traffic volume.
By default, the feature is disabled. You can enable the feature by using the PUT method in the following API endpoint:
  • autoScalingEnabled: Enables the auto scaling using Amazon EC2 Auto Scaling feature for a VPC observer handling multiple network instances.
    Default: False
  • autoScalingMaxInstances: Specifies the maximum deployed instances for autoscaling deployment.
    Values: 1 - 10. Default: 0

Breaking Changes in API

Cloud Discovery API Endpoint Updates for Response Pagination

GET, /api/vVERSION/cloud/discovery
API endpoint now returns a paginated response instead of all results in a single response.
This change is implemented in n-2 versions and applies to 30.00, 22.12, and 22.06.
The request and response schema of this API have been updated to implement this change. The entities object in
GET, /api/vVERSION/cloud/discovery
is moved to another endpoint
GET, /api/v1/cloud/discovery/entities
You must update your scripts to use the
parameters to get more than 50 results in a single response.

DISA STIG Scan Findings and Justifications

Every release, we perform an SCAP scan of the Prisma Cloud Compute Console and Defender images. The process is based upon the U.S. Air Force’s Platform 1 "Repo One" OpenSCAP scan of the Prisma Cloud Compute images. We compare our scan results to IronBank’s latest approved UBI8-minimal scan findings. Any discrepancies are addressed or justified.

Addressed Issues

  • Fixed false "Passed" result caused when both alert threshold and failure threshold are off, with exceptions for specific CVEs. Exceptions set to fail now fail as expected, even when the thresholds are off.
  • Fixed a bug in the App-embedded Defender scan results filtering to avoid showing the removed or disconnected instances of the images.
  • Fixed Missing Vulnerabilities of JARs on non-Maven Packages.
  • Fixed an issue with the missing paths for the ruby packages in the scan results. The package path in
    Monitor > Vulnerabilities/Compliance > Images
    is useful in identifying where the package is installed in your environment.
  • Fixed Missing Vulnerabilities for Oracle Linux.
  • Fixed an issue on the AWS US Gov region to enable successful forwarding of alerts to the AWS Security Hub integration.

Backward Compatibility for New Features

Feature name
Unsupported Component (Defender/twistcli)
Customizable CAPTCHA page for WAAS Bot protection
Previous versions of Defenders will not support customizing eCAPTCHA for WAAS Bot protection.

End of Support Notifications

Ends support for the serverless scan API endpoint

API route is no longer supported.

Change in Behavior

Upgrade Defender based on a collection filter

The API endpoint
supports upgrading to all the eligible Defenders by filtering based on the query parameter
that are assigned to your user role.
This change was introduced in 22.12.694 build. If you are upgrading from a version earlier than 22.12.694 to 30.00, this behavior will now be in effect.

Change in API versioning

Starting with version 30.xx, each maintenance release (like 30.01, 30.02, and so on) may contain new features and improvements. As a result, the URLs for the APIs will be updated to reflect the version.
You can use different
versions of the API at the same time for your automation requirements as we continue to support backward compatibility for two major including minor (maintenance) release versions behind the current one (n-2). For example, while on build 30.01, you can continue to use the API paths such as
, and
due to backward compatibility.
Though we recommend you to update scripts to use the current or new API paths, you won’t need to worry about making changes to your code immediately when a new major or minor (maintenance) release is announced.

API Discovery Retention Policy

On the WAAS API Discovery database, if the database has reached its storage capacity and new path entries are added for API endpoints, the Console utilizes the 'Last Observed' date to remove older entries and improve the utilization of the available resources. When an image or an API endpoint is deleted from the database, an alert is generated, and the details are written to the Console logs.
This change was introduced in 22.12.582. If you are upgrading from a version earlier than 22.12.582 to 30.00, this retention policy will now be in effect.

Changed the name resolution in AKS clusters.

Previous versions show the value of the server field of the cluster kubeconfig file with the node running the Defender. Now, daemonset Defenders report the same cluster name displayed in the Azure portal in their scans. This change only applies to nodes in resource groups using the default format Azure assigns to AKS node resource groups. If you have a custom name for the AKS node resource group or the name can’t be resolved, the value of the server field of the cluster kubeconfig file is shown.

Recommended For You