Configure Agentless Scanning

Agentless scanning provides visibility into vulnerabilities and compliance risks on hosts by scanning the root volumes of disk snapshots, without installing a Defender on the host. Beyond OS packages, the scan reports vulnerabilities in packages installed through a package manager and in third-party binaries. To learn more about the architecture and the scan results, see agentless scanning.

Prerequisites

To configure agentless scanning you must ensure the following requirements are met.
  • Add your AWS, Azure or GCP account to Prisma Cloud, and select the Monitor and Protect mode.
  • Switch accounts that were already added using the Monitor mode to the Monitor and Protect mode.
  • If you have an existing cloud account using Monitor and Protect that was added before June 2022, update its CloudFormation template (CFT) so that it includes any newly required permissions.
  • Enable auto-assign public IPs on the subnet the scanners use to connect to the Prisma Cloud Console, and make sure the security group you use allows that outbound connection. Auto-assign public IP is a subnet setting; the security group only controls whether the traffic is permitted.

Configure Agentless Scanning

The following procedure shows the steps needed to configure agentless scanning for a cloud account.
  1. Go to
    Compute > Manage > Cloud accounts
    .
  2. Click on
    Add Account
    or click the edit icon for an existing account.
  3. Select your cloud provider and add its credentials.
    You can leave the permissions empty while creating these credentials. You can download the agentless permission templates in the next step, after the given credentials have been validated. If the credentials are incorrect, the permission template download shows an error.
    1. Azure uses a service principal.
    2. GCP uses a service account and an API key.
  4. Click the
    Download
    button to get the template files that you must apply, depending on the scanning type. To understand the downloaded template files and how they are used, refer to the permission templates document.
  5. Review the default configuration values and make any needed changes.
    1. Console URL and Port: Provide the Prisma Cloud Console URL and port.
    2. Scanning type:
      1. Same Account: The hosts are scanned in the same account where the hosts are running.
        From the downloaded templates, apply the permission template with the _target_user_permissions suffix to the account you want to configure for agentless scanning.
      2. Hub Account: In this setup, you select one account as the hub account. Scanners are spun up in the hub account to scan hosts in one or more other accounts, and you then configure each of those accounts to be scanned by the selected hub account.
        To the selected hub account, apply the permission template with the _hub_user_permissions suffix.
        To each account that the hub account should scan, apply the permission template with the _hub_target_user_permissions suffix.
        If you use GCP, you need one additional template: apply the permission template with the _hub_target_access_permissions suffix.
        For a detailed explanation of each scanning type and the corresponding permission templates, refer to the permission templates document.
    3. HTTP Proxy: To connect to the Prisma Cloud Console through a proxy, enter the full proxy address that Prisma Cloud scanners must use.
    4. Regions: Specify the regions to be scanned.
    5. Exclude VMs by tags: Provide the tags used to ignore specific Virtual Machines (VMs). For example: example:tag
    6. Scan non-running hosts: Enable this to also scan stopped hosts (hosts that are not currently running).
    7. Auto-scaling: When turned ON, Prisma Cloud automatically scales the number of scanners up and down for faster scans, without any user-defined limit. Useful for large-scale deployments.
    8. Number of scanners: Define an upper limit on the number of scanners Prisma Cloud can spin up in your environment. Depending on the size of your environment, Prisma Cloud scales scanners up and down within this limit for faster scans.
    9. Security groups:
      1. AWS: Security group - If blank, Prisma Cloud uses the default security group in the account to connect to the Prisma Cloud Console. If the default security group is not available, or does not allow outbound traffic to the Console, create a custom security group that does and specify it here. Without a usable security group the connection from your account to the Prisma Cloud Console fails and no scan results are shown.
      2. Azure: Security Group ID and Subnet ID - If blank, a security group and a subnet are created automatically. You can instead provide a custom security group ID and subnet ID to connect to the Prisma Cloud Console.
      3. GCP: Subnet - If blank, Prisma Cloud uses the default subnet in your project to connect to the Prisma Cloud Console. If the default subnet is not available, create a custom subnet that can reach the Console and specify it here. Without a usable subnet the connection from your project to the Prisma Cloud Console fails and no scan results are shown.
  6. Enable or disable the
    Discovery features
    using the corresponding toggle.
  7. To complete the configuration, click the
    Add account
    button for new accounts or the
    Save
    button for existing accounts.
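The prerequisite that the scanner subnet auto-assigns public IPs, and the security group requirement in step 5.9 for AWS, are the two settings most often behind an account that is configured but shows no scan results. The following pre-flight check is an added example and is not part of the Prisma Cloud documentation or product: it parses the JSON that `aws ec2 describe-subnets` and `aws ec2 describe-security-groups` return and reports whether the chosen subnet has auto-assign public IP enabled and whether the chosen security group has an egress rule covering the Console address and port. The sample API responses, the subnet and group names, and the Console address 203.0.113.10 are constructed for the example; run the two CLI commands in your own account and pass their output instead.

```python
"""Pre-flight check for an AWS account before enabling agentless scanning.

Added example, not Prisma Cloud's own code. Checks two conditions the
configuration procedure depends on: the scanner subnet auto-assigns public
IPv4 addresses (MapPublicIpOnLaunch), and the security group that will be
used has an egress rule allowing TCP to the Console's IP and port.
"""
import ipaddress
import json

# Constructed sample responses in the shape of
#   aws ec2 describe-subnets          (Subnets[].MapPublicIpOnLaunch)
#   aws ec2 describe-security-groups  (SecurityGroups[].IpPermissionsEgress)
SUBNETS_JSON = json.dumps({
    "Subnets": [
        {"SubnetId": "subnet-scanners", "VpcId": "vpc-1", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-private", "VpcId": "vpc-1", "MapPublicIpOnLaunch": False},
    ]
})

SECURITY_GROUPS_JSON = json.dumps({
    "SecurityGroups": [
        {   # default group whose egress was restricted to the private range only
            "GroupId": "sg-default", "GroupName": "default", "VpcId": "vpc-1",
            "IpPermissionsEgress": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}
            ],
        },
        {   # custom group that allows HTTPS egress anywhere, so it can reach the Console
            "GroupId": "sg-console", "GroupName": "agentless-console-egress", "VpcId": "vpc-1",
            "IpPermissionsEgress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
            ],
        },
    ]
})


def subnet_assigns_public_ip(subnets_json: str, subnet_id: str) -> bool:
    """True if the subnet exists and has auto-assign public IPv4 enabled."""
    for subnet in json.loads(subnets_json)["Subnets"]:
        if subnet["SubnetId"] == subnet_id:
            return bool(subnet.get("MapPublicIpOnLaunch", False))
    return False


def egress_allows(rule: dict, console_ip: str, console_port: int) -> bool:
    """True if a single egress rule permits TCP to console_ip:console_port.

    "-1" is the AWS value for "all protocols"; a tcp rule must also cover the
    port. Only IPv4 CIDR ranges (IpRanges) are considered here.
    """
    proto = rule.get("IpProtocol")
    if proto not in ("-1", "tcp"):
        return False
    if proto == "tcp" and not (rule.get("FromPort", 0) <= console_port <= rule.get("ToPort", 65535)):
        return False
    target = ipaddress.ip_address(console_ip)
    return any(target in ipaddress.ip_network(r["CidrIp"], strict=False)
               for r in rule.get("IpRanges", []))


def security_group_reaches_console(sgs_json: str, group_name: str,
                                   console_ip: str, console_port: int) -> bool:
    """True if the named security group has any egress rule covering the Console."""
    for sg in json.loads(sgs_json)["SecurityGroups"]:
        if sg["GroupName"] == group_name:
            return any(egress_allows(rule, console_ip, console_port)
                       for rule in sg.get("IpPermissionsEgress", []))
    return False


def preflight(subnets_json: str, sgs_json: str, subnet_id: str,
              console_ip: str, console_port: int, group_name: str = "default") -> list:
    """Run both checks; an empty list means the account is ready to configure."""
    findings = []
    if not subnet_assigns_public_ip(subnets_json, subnet_id):
        findings.append(f"{subnet_id}: auto-assign public IP is disabled or the subnet was not found")
    if not security_group_reaches_console(sgs_json, group_name, console_ip, console_port):
        findings.append(f"security group '{group_name}' has no egress rule to "
                        f"{console_ip}:{console_port}; create one or specify a custom "
                        "group in the Security group field")
    return findings


if __name__ == "__main__":
    # The Console address and port below are assumptions for the example.
    for finding in preflight(SUBNETS_JSON, SECURITY_GROUPS_JSON,
                             "subnet-private", "203.0.113.10", 443):
        print("FAIL:", finding)
    ready = preflight(SUBNETS_JSON, SECURITY_GROUPS_JSON, "subnet-scanners",
                      "203.0.113.10", 443, group_name="agentless-console-egress")
    print("ready" if not ready else ready)
```

With the constructed input, leaving the security group blank (so the "default" group is used) fails because that group's egress is limited to 10.0.0.0/8, which is exactly the situation the AWS note in step 5.9 describes; pointing the check at the custom group passes. Run it against real `describe-subnets` and `describe-security-groups` output before clicking Add account rather than after the first scan silently returns nothing.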

Default Configuration Fields

The following list shows the default values of the agentless configuration fields. The credentials are imported from the Prisma Cloud platform.
  1. Console URL and Port:
    Prisma Cloud Compute Console address - automatically imported from platform.
  2. Scanning type:
    Same Account.
  3. Scan Scope:
    All regions in the account
  4. Scan non running hosts:
    OFF
  5. Auto-scale scanning:
    OFF
  6. Number of scanners:
    1
  7. Security groups:
    1. AWS:
      Prisma Cloud looks for default security group to connect to the Prisma Cloud Console.
    2. GCP:
      Prisma Cloud looks for the default subnet in the project to connect to the Prisma Cloud Console.
    3. Azure:
      Prisma Cloud automatically creates a security group to connect to the Prisma Cloud Console.
You can change these default values after importing accounts into Compute using the
Edit
button on the specific account or by selecting multiple accounts and clicking on
Bulk actions
.

Bulk Actions

Prisma Cloud supports bulk agentless configuration at scale, provided you account for the differences between cloud providers. Different account subtypes require different configuration fields, which limits what you can change in bulk. The Prisma Cloud Console displays only the configuration fields that are common to all the selected accounts and hides those that differ, to prevent accidental misconfiguration.
The following procedure shows the steps needed to configure agentless scanning for multiple accounts at the same time.
  1. Go to
    Compute > Manage > Cloud accounts
    .
  2. Select multiple accounts.
  3. Click the
    Bulk actions
    dropdown.
  4. Select the
    Agentless configuration
    option.
  5. Change the configuration values for the selected accounts.
    • Select
      Save
      to save the configurations.

Other settings

Use the
Cloud Account Manager
user role to grant full read and write access to all cloud account settings. This role can manage credentials, change the agentless scanning configuration, and edit the Cloud Discovery settings.
By default, agentless scans run every 24 hours. To change the agentless scanning interval, go to
Manage > System > Scan
and, under
Scheduling > Agentless
, set the interval you want.
To trigger a global scan, click the
Trigger scan
dropdown and select the
Start agentless scan
option on the
Cloud accounts
page.
