Prisma Cloud Compute Edition Administrator’s Guide
    : Cloud Native Network Segmentation (CNNS)
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Firewalls
    6. Cloud Native Network Segmentation (CNNS)
    Download PDF

    Prisma Cloud Compute Edition Administrator’s Guide

    Cloud Native Network Segmentation (CNNS)

    Table of Contents

    Cloud Native Network Segmentation (CNNS)

    Cloud Native Network Segmentation (CNNS) is a Layer 4 container and host-aware virtual firewall and network monitoring tool that enables you to segment your network and compartmentalize communication between the segments as a part of a comprehensive defense strategy.
    CNNS works as an east-west firewall for containers and hosts. When enabled, CNNS automatically displays communications in your environment on Radar. Radar has a container and a host view, where you can view the network topology for your containerized apps and hosts respectively. You can then define rules to enforce what traffic to allow or block across the network entities.
    For all connections that are monitored using policies, you can set up an alert profile to send it to an external integration such as email.

    Get Started with CNNS

    CNNS leverages the Defenders that are deployed on your hosts and containers to monitor how your containers and hosts connect and communicate with each other in real-time.
    The Defender inspects the connection before it is set up. Defender adds iptables rules to observe the TCP three-way handshake and watch for SYN messages required to set up new connections. When SYN messages arrive, Defender evaluates them to track all connections. After a connection is established, traffic flows directly between the source and destination without any further oversight from Defender.
    From the Radar view, you can identify how you want to segment your network, create network objects to represent each entity that is a source or a destination for traffic, and define policies to enforce what is allowed, alerted on, or blocked between these network objects.
    You can then audit the connection events to analyze how the policy is enforced, both for CNNS for Containers and CNNS for Hosts.
    1. Confirm that you have deployed Defenders on your hosts and containers.
      You will need Container Defenders-Windows, for the Windows Hosts.
      And for Linux, Container Defenders-Linux or Defenders-Linux, running on the supported x86_64 and ARM64 Linux OS. See the system requirements.

    Create CNNS Rules

    Prerequisite
    :
    • Enable CNNS for hosts and containers under
      Compute > Radars > Settings
      .
      NOTE: When CNNS is disabled, it displays limited traffic flow data on Radar, including outbound connections to the Internet and connections local to the node itself. You can create CNNS rules for enforcing access on specific ports or protocols for outbound traffic from hosts and containers on which Defenders are deployed.
    • Create Network objects under
      Compute > Radars > Settings
      .
      CNNS policies use Network Objects for defining the source and destination in a rule.
    1. Add CNNS policy from
      Compute > Defend > CNNS
      .
      You can add a maximum of 255 rules.
      • To add a rule for containers:
        1. Select
          Container > Add rule
          .
        2. Select a
          Source
          .
          The source for a container rule must be a network object of type "Image".
        3. Select a
          Destination
          .
          The destination can be another container, subnet or DNS.
        4. Select a port or range of ports.
          For example * for any ports, a specific port number such as 80 or 443, or a range of ports such as 10-100.
        5. Select the
          Effect
          . The actions you can enforce are alert to allow the connection and generate an event, allow the connection, or prevent to deny connection and generate an event from the source to the destination on the specified port or domain name.
        6. Save
           the rule.
      • To add a rule for hosts:
        1. Select
          Host > Add rule
          .
        2. Select a
          Source
          .
          The source for a host rule must be a network object of type host.
        3. Select a
          Destination
          .
          The destination can be another host or subnet.
        4. Select
          Ports
          .
          For example * for any ports, a specific port number such as 80 or 443, or a range of ports such as 10-100.
        5. Select the
          Effect
          . The actions you can enforce are alert, allow, or prevent to deny traffic from the source to the destination on the specified port or domain name.
        6. Save the rule.
          CNNS rules are indicated by dotted lines in the Radar view.

    Monitor CNNS Audit Events

    You can view all connections to the CNNS hosts and containers.
    1. Select
      Compute > Monitor > Events
      .
    2. Filter for
      CNNS for containers
       or
      CNNS for hosts
       to view the relevant connection attempts.
    3. Explore more details on the audit event.
      You can view the runtime model for a container.

    Notifications for CNNS Alerts

    On
    Compute > Manage > Alerts
    , you can add an alert profile to enable alert notifications for CNNS alerts. The first event is sent immediately; all subsequent runtime events are aggregated hourly.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.