System Requirements
Before installing Prisma Cloud, verify that your environment meets the minimum requirements.
For information about when Prisma Cloud adds and drops support for third party software, see our support lifecycle page.
The following sections describe the system requirements in detail.
Hardware
Prisma Cloud supports x86_64 and ARM64 architectures.
Ensure that your systems meet the following hardware requirements.
Prisma Cloud Console Resource Requirements on x86_64
The Prisma Cloud Console supports running on x86_64 systems.
Ensure your system meets the following requirements.
Resource | Minimum Without Registry Scanning | Minimum With Registry Scanning | Minimum with WAAS OOB | Less than 1,000 Defenders | 1,001 - 10,000 Defenders | More than 10,000 Defenders |
---|---|---|---|---|---|---|
CPU | 2 cores | 2 cores | 4 cores | 8 cores | > 8 cores | |
RAM | 256MB | 2 GB | 4 GB | 8 GB | 30 GB | > 30 GB |
Storage | 8GB | 20GB | 100 GB | 500 GB | > 500 GB | |
Storage per image scanned | Not applicable | 1.5 times the size of the largest image to scan times the number of executors | | | | |
For more than 10,000 Defenders, you need 4 vCPUs and 10GB of RAM for every additional 5,000 Defenders.
For example, 20,000 connected Defenders require a total of 16 vCPUs, 50GB of RAM and 500GB SSD of persistent storage.
The Prisma Cloud Console uses cgroups to cap resource usage and supports cgroups v1 and cgroups v2.
When more than 1,000 Defenders are connected, you should disable this cap using the DISABLE_CONSOLE_CGROUP_LIMITS flag in the twistlock.cfg configuration file.
Defender Resource Requirements
Each Defender requires 256MB of RAM and 8GB of host storage.
The Defender uses cgroups v1 or v2 to cap resource usage at 512MB of RAM and 900 CPU shares where a typical load is ~1-5% CPU and 30-70MB RAM.
The Defender stores its data in the /var folder.
When allocating disk space for Defender, ensure the required space is available in the /var folder.
Defenders are designed to be portable containers that collect data.
Any data that must be persisted is sent to the Prisma Cloud Console for storage.
Defenders don’t require persistent storage.
If you deploy persistent storage for Defenders, it can corrupt Defender files.
Defenders that provide registry scanning require the following resources:
- 2GB of RAM
- 20GB of storage
- 2 CPU cores
Defenders that are part of CI integrations (Jenkins, twistcli) require storage space depending on the size of the scanned images. The required disk space is 1.5 times the size of the largest image to be scanned, per executor. For example, if you have a Jenkins instance with two executors and your largest container image is 500MB, you need at least 1.5GB of storage space: 500MB x 1.5 x 2.
Virtual Machines (VMs)
Prisma Cloud has been tested on the following hypervisors:
- VMware for Tanzu Kubernetes Grid Multicloud (TKGM)
- VMware for Tanzu Kubernetes Grid Integrated (TKGI)
Cloud Platforms
Prisma Cloud can run on nearly any cloud Infrastructure as a Service (IaaS) platform.
Prisma Cloud has been tested on the following services:
- Amazon Web Services (AWS)
- Google Cloud Platform
- IBM Cloud
- Microsoft Azure
- Oracle Cloud Infrastructure (OCI)
- Alibaba Cloud: You can deploy Defenders on VMs, hosts running containers, and clusters on Alibaba Cloud using the instructions for the supported host operating systems and orchestrator versions. Specific deployment instructions for Alibaba Cloud are not documented and Cloud discovery is not supported.
ARM Architecture Requirements
The following setups support Prisma Cloud on ARM64 architecture:
- Cloud providers:
  - AWS: Graviton2 processors
  - GCP: GKE on ARM using the Tau T2A machine series
- Supported Defenders:
  - Orchestrator Defenders on AWS and GCP
  - Host Defenders, including auto-defend, on AWS
The twistcli is supported on Linux ARM64 instances.
Learn more in the Supported Operating Systems on ARM64 and Supported Orchestrators on ARM64 sections.
The Prisma Cloud Console doesn’t support running on ARM64 systems.
File Systems
When deploying Prisma Cloud Console to AWS using the EFS file system, you must meet the following minimum performance requirements:
- Performance mode: General purpose
- Throughput mode: Provisioned. Provision 0.1 MiB/s per deployed Defender. For example, if you plan to deploy 10 Defenders, provision 1 MiB/s of throughput.
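The sizing rules above (Console resources beyond 10,000 Defenders, the per-Defender footprint, CI scanner storage per executor, and EFS provisioned throughput) as one small calculator. This is an added example, not a tool shipped with Prisma Cloud; the function and key names are my own, and fleet sizes of 1,000 Defenders or fewer are deliberately not computed because those columns are read directly from the table.

```python
import math

# Rules transcribed from the System Requirements page:
#  - Console at 10,000 Defenders: 8 vCPUs / 30 GB RAM, then +4 vCPUs and +10 GB
#    RAM for every additional 5,000 Defenders (20,000 -> 16 vCPUs, 50 GB, 500 GB SSD)
#  - each Defender: 256 MB RAM and 8 GB of host storage under /var
#  - CI Defender (Jenkins, twistcli): 1.5 x largest image, per executor
#  - Console on AWS EFS: provision 0.1 MiB/s of throughput per Defender


def console_requirements(defenders: int) -> dict:
    """Minimum Console vCPUs, RAM and storage for a fleet of 1,001+ Defenders."""
    if defenders < 1001:
        raise ValueError("read the small-fleet columns of the Console table")
    # ceil() so that 10,001 Defenders already counts as one extra block of 5,000
    extra_blocks = max(0, math.ceil((defenders - 10_000) / 5_000))
    return {
        "vcpus": 8 + 4 * extra_blocks,
        "ram_gb": 30 + 10 * extra_blocks,
        # The table lists "> 500 GB" beyond 10,000 Defenders; the page's own
        # 20,000-Defender example quotes 500GB SSD, so 500 GB is the floor here.
        "storage_gb": 500,
        # More than 1,000 connected Defenders: disable the Console cgroup cap
        # with DISABLE_CONSOLE_CGROUP_LIMITS in twistlock.cfg.
        "disable_console_cgroup_limits": True,
    }


def defender_fleet_footprint(defenders: int) -> dict:
    """Aggregate host RAM (MB) and /var storage (GB) consumed by plain Defenders."""
    return {"ram_mb": 256 * defenders, "var_storage_gb": 8 * defenders}


def ci_scanner_storage_mb(largest_image_mb: float, executors: int) -> float:
    """Disk space a CI Defender needs: 1.5 x largest image, per executor."""
    return 1.5 * largest_image_mb * executors


def efs_provisioned_throughput_mib_s(defenders: int) -> float:
    """Provisioned EFS throughput for a Console on AWS: 0.1 MiB/s per Defender."""
    return round(0.1 * defenders, 1)


if __name__ == "__main__":
    print(console_requirements(20_000))          # 16 vCPUs, 50 GB RAM, 500 GB
    print(ci_scanner_storage_mb(500, 2))         # 1500.0 MB, i.e. 1.5 GB
    print(efs_provisioned_throughput_mib_s(10))  # 1.0 MiB/s
```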
Operating Systems for bare-metal Hosts and Virtual Machines
Prisma Cloud is supported on both x86_64 and ARM64.
Supported Operating Systems on x86_64
Prisma Cloud is supported on the following host operating systems on x86_64 architecture:
The container running the Prisma Cloud Console must run on a supported Linux operating system.
Distro | Version | Kernel | Supported Kubelet | Supported runtime | Notes |
---|---|---|---|---|---|
Amazon Linux 2 | AMI name: amzn2-ami-hvm-2.0.20230727.0-x86_64-gp2; AMI ID: ami-09748abeb7370d1bc | 4.14.322-244.536.amzn2.x86_64 | | | |
Amazon Linux 2023 | AMI ID: ami-02396cdd13e9a1257 | 6.1.23-36.46.amzn2023.x86_64 | | | |
Azure Linux docker image | 20230426 | | | | |
Bottlerocket OS | 1.9.2 | | 1.23.7 | containerd 1.6.6 | Defenders must be installed as privileged on Bottlerocket. The following features are not available for Bottlerocket: vulnerability and compliance blocking policies; RunC; Prevent on containerd runtime; compliance for containerd. |
Bottlerocket OS | 1.9.2 | | 1.24.9 | containerd 1.6.15+bottlerocket | Defenders must be installed as privileged on Bottlerocket. The following features are not available for Bottlerocket: vulnerability and compliance blocking policies; RunC; Prevent on containerd runtime; compliance for containerd. |
Bottlerocket OS | 1.9.2 | | 1.25.5 | containerd 1.6.15+bottlerocket | Defenders must be installed as privileged on Bottlerocket. The following features are not available for Bottlerocket: vulnerability and compliance blocking policies; RunC; Prevent on containerd runtime; compliance for containerd. |
Bottlerocket OS | 1.9.2 | | 1.26.2 | containerd 1.6.19+bottlerocket | Defenders must be installed as privileged on Bottlerocket. The following features are not available for Bottlerocket: vulnerability and compliance blocking policies; RunC; Prevent on containerd runtime; compliance for containerd. |
Bottlerocket OS | 1.14.1 | | 1.27.1 | containerd://1.6.20+bottlerocket | Defenders must be installed as privileged on Bottlerocket. The following features are not available for Bottlerocket: vulnerability and compliance blocking policies; RunC; Prevent on containerd runtime; compliance for containerd. |
Bottlerocket OS | 1.14.2 | | 1.27.3 | containerd://1.6.20+bottlerocket | Defenders must be installed as privileged on Bottlerocket. The following features are not available for Bottlerocket: vulnerability and compliance blocking policies; RunC; Prevent on containerd runtime; compliance for containerd. |
Bottlerocket OS | 1.14.3 | | 1.27.3 | containerd://1.6.20+bottlerocket | Defenders must be installed as privileged on Bottlerocket. The following features are not available for Bottlerocket: vulnerability and compliance blocking policies; RunC; Prevent on containerd runtime; compliance for containerd. |
CentOS | 7 | | | | |
CentOS | 8 | | | | |
CentOS | 9 | | | | |
Debian | 10 | | | | |
Debian | 11 | | | | |
Debian | 12 | | | | |
GCOOS | latest | | | | GCOOS is purposefully minimalistic. It doesn’t support installing new packages or writing new bins. Hence, Prisma Cloud’s vulnerability detection on GCOOS only covers Docker and Kubernetes package binary detection. Runtime prevent capability is supported only for DNS events. Other prevent capabilities are not supported. |
Oracle Enterprise Linux (OEL) | 7 | | | | |
Oracle Enterprise Linux (OEL) | 8 | | | | |
Oracle Enterprise Linux (OEL) | 9 | | | | Agentless scanning is not supported for OEL 9. Vulnerabilities are matched by architecture, which leads to ARM images showing x86 relevant vulnerabilities and vice versa. |
Red Hat Enterprise Linux (RHEL) | 7 | | | | |
Red Hat Enterprise Linux (RHEL) | 8 | | | | |
Red Hat Enterprise Linux (RHEL) | 9 | | | | |
Red Hat Enterprise Linux CoreOS (RHCOS) | All versions included in OpenShift versions 4.9, 4.10, and 4.11 | | | | |
Rocky Linux | 8 | | | | |
Rocky Linux | 9.0 | | | | |
SUSE | SLES-12 SP5 | | | | |
SUSE | SLES 15 SP1 - SP4 | | | | |
Talos OS | 1.3.0 | 5.15.83-talos | 1.25.4 | containerd 1.6.12 | The following features are not available for Talos OS: scanning of underlying hosts; agentless scanning; vulnerability and compliance blocking policies; WAAS defense. |
Talos OS | 1.3.3 | 5.15.89-talos | 1.25.4 | containerd 1.6.15 | The following features are not available for Talos OS: scanning of underlying hosts; agentless scanning; vulnerability and compliance blocking policies; WAAS defense. |
Talos OS | 1.3.5 | 5.15.94-talos | 1.25.4 | containerd 1.6.18 | The following features are not available for Talos OS: scanning of underlying hosts; agentless scanning; vulnerability and compliance blocking policies; WAAS defense. |
Talos OS | 1.4.1 | 6.1.25-talos | 1.26.3 | containerd 1.6.20 | Agentless scanning is not supported. |
Ubuntu | 22.04 LTS | | | | |
Ubuntu | 20.04 LTS | | | | |
Ubuntu | 18.04 LTS | | | | |
VMWare Photon OS | 3.0 | Runtime scanning supported with kernel version >= 4.19.191-1 | | | The following features are currently not supported in Photon 3.0: SSHD application in host runtime events and empty SSH events on Host observations; vulnerabilities in Layers view. |
VMWare Photon OS | 4.0 | | | | The following features are currently not supported in Photon 4.0: SSHD application in host runtime events and empty SSH events on Host observations; vulnerabilities in Layers view. |
Windows | Server 2016 | | | | Server 2016 Long-Term Servicing Channel (LTSC) support includes only the following features: vulnerability scanning; compliance scanning; CNNS defense for containers; WAAS defense for hosts; runtime defense for containers. |
Windows | Server 2019 | | | | Server 2019 Long-Term Servicing Channel (LTSC) support includes only the following features: vulnerability scanning; compliance scanning; CNNS defense for containers; WAAS defense for hosts; runtime defense for containers. |
Windows | Server 2022 | | | | Server 2022 Long-Term Servicing Channel (LTSC) support includes only the following features: vulnerability scanning; compliance scanning; CNNS defense for containers; WAAS defense for hosts; runtime defense for containers. |
Supported Operating Systems on ARM64
Prisma Cloud supports host Defenders on the following host operating systems on ARM64 architecture in AWS.
Distro | Version | Kernel | Supported Kubelet | Supported runtime | Notes |
---|---|---|---|---|---|
Amazon Linux 2 | AMI Image: amzn-ami-hvm-2018.03.0.20220315.0-x86_64-gp2; AMI ID: ami-0f7691f59fd7c47af | 5.10.96-90.460.amzn2.aarch64 | | | |
CentOS | 8 | ||||
Debian | 10 | ||||
Redhat Enterprise Linux (RHEL) | 8 | ||||
Redhat Enterprise Linux (RHEL) | 9 | ||||
Ubuntu | 18 | ||||
Ubuntu | 20 | ||||
Oracle Enterprise Linux (OEL) | 8 | ||||
Oracle Enterprise Linux (OEL) | 9 |
Kernel Capabilities
Prisma Cloud Defender requires the following kernel capabilities.
Refer to the Linux capabilities man page for more details on each capability.
- CAP_NET_ADMIN
- CAP_NET_RAW
- CAP_SYS_ADMIN
- CAP_SYS_PTRACE
- CAP_SYS_CHROOT
- CAP_MKNOD
- CAP_SETFCAP
- CAP_IPC_LOCK
The Prisma Cloud App-Embedded Defender requires CAP_SYS_PTRACE only.
If you have enabled the CNNS capabilities and are on a v4.15.x kernel, you must upgrade the kernel to v5.4.x or later.
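A pre-deployment check for the capability list above: decode the effective capability mask (CapEff) that Linux exposes in /proc/<pid>/status and report which of the Defender's required capabilities are missing from a container's bounding context. This is an added example, not Prisma Cloud code; the bit numbers are the kernel's own (from linux/capability.h), the sample status text is constructed, and the check_pid helper is hypothetical and assumes a Linux /proc.

```python
# Capability bit numbers from <linux/capability.h>. The required set is the
# Defender list on this page; App-Embedded Defender needs CAP_SYS_PTRACE only.
CAP_BITS = {
    "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13,
    "CAP_IPC_LOCK": 14,
    "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19,
    "CAP_SYS_ADMIN": 21,
    "CAP_MKNOD": 27,
    "CAP_SETFCAP": 31,
}
DEFENDER_CAPS = frozenset(CAP_BITS)
APP_EMBEDDED_CAPS = frozenset({"CAP_SYS_PTRACE"})


def parse_cap_eff(proc_status: str) -> int:
    """Extract the effective capability mask (CapEff, hex) from /proc/<pid>/status text."""
    for line in proc_status.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def missing_capabilities(cap_eff: int, required=DEFENDER_CAPS) -> list:
    """Names from `required` whose bit is clear in the effective mask, sorted."""
    return sorted(name for name in required if not (cap_eff >> CAP_BITS[name]) & 1)


def check_pid(pid=None, required=DEFENDER_CAPS) -> list:
    """Hypothetical helper: read /proc/<pid>/status (own process by default) and report gaps."""
    path = f"/proc/{pid}/status" if pid else "/proc/self/status"
    with open(path) as fh:
        return missing_capabilities(parse_cap_eff(fh.read()), required)


# Constructed sample: the CapEff a container started with Docker's default
# capability set shows (mask 0xa80425fb), surrounded by other status fields.
SAMPLE_STATUS = """Name:\tdefender
Pid:\t4242
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""

if __name__ == "__main__":
    mask = parse_cap_eff(SAMPLE_STATUS)
    # Docker's default set lacks NET_ADMIN, IPC_LOCK, SYS_PTRACE and SYS_ADMIN,
    # so a full Defender would not start with it; App-Embedded only lacks SYS_PTRACE.
    print("Defender is missing:", missing_capabilities(mask))
    print("App-Embedded is missing:", missing_capabilities(mask, APP_EMBEDDED_CAPS))
```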
When running on a Docker host, Prisma Cloud Defender uses the following files/folder on the host:
- /var/run/docker.sock — Required for accessing Docker runtime.
- /var/lib/twistlock — Required for storing Prisma Cloud data.
- /dev/log — Required for writing to syslog.
Docker Engine
Prisma Cloud supports only the versions of the Docker Engine supported by Docker itself. Prisma Cloud supports only the following official mainstream Docker releases and later versions.
Edition | Version |
---|---|
Community Edition (CE) | 18.06.1 |
Community Edition (CE) | 20.10.7 |
Community Edition (CE) | 20.10.13 |
Enterprise Edition (EE) | 19.03.4 |
Enterprise Edition (EE) | 19.03.8 |
For more information, review Docker’s guide to select a storage driver.
The versions of Docker Engine listed apply to versions you independently install on a host.
The versions shipped as part of an orchestrator, such as Red Hat OpenShift, might differ.
Prisma Cloud supports the version of Docker Engine that ships with any Prisma Cloud-supported version of the orchestrator.
Container Runtimes
Prisma Cloud supports several container runtimes depending on the orchestrator.
Supported versions are listed in the Orchestrators section.
Podman
Podman is a daemon-less container engine for developing, managing, and running OCI containers on Linux. The twistcli tool can use the preinstalled Podman binary to scan CRI images.
The following Podman versions are supported: v1.6.4, v3.4.2, and v4.0.2.
Helm
Helm is a package manager for Kubernetes that allows developers and operators to more easily package, configure, and deploy applications and services onto Kubernetes clusters.
Helm v3.10, v3.10.3, and v3.11 are supported.
Orchestrators
Prisma Cloud is supported on the following orchestrators.
We support the following versions of official mainline vendor/project releases.
Supported Orchestrators on x86_64
Orchestrator | Version | Operating System | Image | Runtime | Kernel | Tested in | Notes |
---|---|---|---|---|---|---|---|
Azure Kubernetes Service (AKS) | v1.25.11 | Linux | - | containerd://1.7.1+azure-1 | - | 31.01 | |
Azure Kubernetes Service (AKS) | v1.26.6 | Linux | - | containerd://1.7.1+azure-1 | - | 31.01 | |
Azure Kubernetes Service (AKS) | 1.27.3 | Linux | - | containerd://1.7.1+azure-1 | - | 31.01 | |
Azure Kubernetes Service (AKS) | 1.27.1 | Linux | - | containerd://1.7.1+azure-1 | - | 31.00 | |
Azure Kubernetes Service (AKS) | 1.26.6 | Windows | | containerd://1.6.21+azure | | 31.01 | |
Azure Kubernetes Service (AKS) | 1.26.3 | Windows | | containerd://1.6.21+azure | | 31.00 | |
Elastic Kubernetes Service (EKS) | v1.23.9-eks-ba74326 | - | - | containerd://1.6.6 | - | 31.01 | |
Elastic Kubernetes Service (EKS) | v1.24.7-eks-fb459a0 | - | - | containerd://1.6.6 | - | 31.01 | |
Elastic Kubernetes Service (EKS) | v1.25.12-eks-2d98532 | - | - | containerd://1.6.6 | - | 31.01 | |
Elastic Kubernetes Service (EKS) | v1.26.2-eks-a59e1f0 | - | - | containerd://1.6.6 | - | 31.01 | |
Elastic Kubernetes Service (EKS) | 1.27.3 | - | - | containerd://1.6.19 | - | 31.01 | |
Elastic Kubernetes Service (EKS) | 1.27.3 | - | - | containerd://1.6.19 | - | 31.00 | |
Elastic Kubernetes Service (EKS) Bottlerocket | 1.27.3 | - | | containerd://1.6.20+bottlerocket | - | 31.01 | |
Elastic Kubernetes Service (EKS) Bottlerocket | 1.27.3 | - | - | containerd://1.6.20+bottlerocket | - | 31.00 | |
Elastic Container Service (ECS) | 1.75.0 | - | al2023-ami-ecs-hvm-2023.0.20230809-kernel-6.1-x86_64 | Docker version: 20.10.23 | - | 31.01 | |
Elastic Container Service (ECS) | 1.74.1 | - | al2023-ami-ecs-hvm-2023.0.20230720-kernel-6.1-x86_64 | Docker version: 20.10.23 | - | 31.00 | |
Google Kubernetes Engine (GKE) | v1.23.17-gke.10700 | | | containerd://1.5.18 | | 31.01 | |
Google Kubernetes Engine (GKE) | v1.24.16-gke.500 | | | containerd://1.6.20 | | 31.01 | |
Google Kubernetes Engine (GKE) | v1.25.12-gke.500 | | | containerd://1.6.18 | | 31.01 | |
Google Kubernetes Engine (GKE) | v1.26.7-gke.500 | | | containerd://1.6.18 | | 31.01 | |
Google Kubernetes Engine (GKE) | 1.27.4-gke.904 | | | containerd://1.7.6 | | 31.01 | |
Google Kubernetes Engine (GKE) | 1.27.3-gke.100 | | | containerd://1.7.0 | | 31.00 | |
Google Kubernetes Engine (GKE) autopilot | 1.26.5-gke.1200 | - | - | containerd://1.6.18 | - | 31.01 | Custom Compliance and Prevent (Runtime) are not supported. |
Google Kubernetes Engine (GKE) autopilot | 1.26.5-gke.1200 | - | - | containerd://1.6.18 | - | 31.00 | Custom Compliance and Prevent (Runtime) are not supported. |
Kubernetes (k8s) | 1.28.1 | - | - | containerd://1.6.22 | - | 31.01 | |
Kubernetes (k8s) | 1.27.4 | - | - | containerd://1.6.22 | - | 31.00 | |
Kubernetes (k8s) | 1.28.1 | | | cri-o://1.28.1 | - | 31.01 | |
Kubernetes (k8s) | 1.27.4 | | | cri-o://1.27.1 | - | 31.00 | |
Lightweight Kubernetes (k3s) | v1.27.4+k3s1 | | | containerd://1.7.1-k3s1 | | 31.00 | |
Lightweight Kubernetes (k3s) | v1.27.4+k3s1 | | | | | | |