VMware Tanzu Application Service (TAS) Defender

Prisma Cloud deploys the Defender on the VMware Tanzu Application Service (TAS) as add-on software, which works similarly to a DaemonSet in Kubernetes. This approach co-locates a Defender on every Diego cell VM. The Prisma Cloud for TAS tile in the Tanzu Ops Manager allows you to configure the Defender across your TAS environment. When you deploy full-coverage Defenders for TAS, they perform blobstore scanning alongside compliance, vulnerability, and runtime protection. If you have a large-scale environment, you can choose to deploy blobstore scanning Defenders as dedicated VMs that focus exclusively on scanning your blobstores.
Tanzu Application Service (TAS) Defender supports the following functions:
  • Vulnerability scanning for running apps.
  • Vulnerability and compliance scanning for the underlying Diego cell hosts.
  • Blobstore scanning for Linux droplets.
  • Runtime protection: process, networking, and file system.
The Prisma Cloud Console lets you deploy Defender to multiple TAS environments. TAS Defender supports the prevent action because it doesn’t require controlling the app lifecycle. TAS Defenders don’t support the block action for runtime rules, vulnerability rules, or compliance rules, because the Defenders cannot block running apps: the TAS framework controls the app lifecycle, including stopping containers, which is what the block action requires.

Install the TAS Defender

  1. Get the Prisma Cloud tile.
    1. Log in to the Prisma Cloud Console.
    2. Select Manage > Defender > Deployed Defenders.
    3. Click Manual deploy.
    4. Select the Orchestrator deployment method.
    5. Under Orchestrator type, select one of the following options:
      • Tanzu Application Service Defender - Linux
      • Tanzu Application Service Defender - Windows
    6. On the sidebar, click the Download button to get the TAS tile. Alternatively, you can download the tile under Manage > System > Utilities.
  2. Import the Prisma Cloud tile.
    1. Go to the Tanzu Ops Manager > Installation Dashboard.
    2. Click the Import a Product button.
    3. Select the downloaded tile.
    4. The Prisma Cloud for TAS tile appears on the left sidebar.
    5. Click the plus sign beside the version number to stage the tile.
    6. Click the orange tile that was added.
  3. Configure the Defenders.
    1. Return to the Prisma Cloud Console.
    2. Under Choose the name that Defender will use to connect to this Console, select the IP address or URL that your TAS environment can reach.
    3. If you selected Tanzu Application Service Defender - Windows as the Orchestrator type, enable or disable Runtime protection.
    4. Enable Assign globally unique names to Hosts under Advanced Settings as needed.
    5. Copy the installation scripts from the sidebar. You can deploy Prisma Cloud Defenders on Linux and Windows.
  4. Configure the Prisma Cloud tile.
    1. Return to the Tanzu Ops Manager.
    2. Under Assign AZs and Networks, select the TAS network.
    3. Under Prisma Cloud Component Configuration, paste the installation scripts for the operating systems you are using. If you don’t provide an installation script for an operating system, Tanzu doesn’t deploy Defenders for that operating system.
    4. Under Prisma Cloud Proxy configuration, configure your proxy as needed if you are using Linux. The Defender on Windows doesn’t support a proxy.
    5. Under Credentials, provide your Prisma Cloud credentials for Linux and Windows. You can use certificates for authentication only if you use Linux exclusively. If you use Windows Defenders, either alone or together with Linux Defenders, provide username and password credentials to authenticate the Defender instead.
    6. Under Resource configuration, you can add dedicated Linux VMs to serve exclusively as Linux blobstore scanners.
    7. Click Save to go back to the Installation Dashboard.
    8. Click Review Pending Changes.
    9. Select the following products:
      • Prisma Cloud for TAS
      • VMware Tanzu Application Service
      • Every TAS isolation segment in your environment
    10. Apply the changes and wait for the tile to become active. It can take an hour or longer for the changes to apply and your deployment to complete.
  5. Verify the deployment. On Linux, the Prisma Cloud Console reports the agentID in the Host field. On Windows, the Prisma Cloud Console reports the VM CID in the Host field.
    1. Log in to a Diego cell.
    2. The file shows the agentID or VM CID mapped to the host IP address.
    3. If the deployment failed, no agentID or VM CID is shown.

Deploy Blobstore Scanners for TAS

Prisma Cloud for TAS can perfor