VMware Tanzu Application Service (TAS) Defender
Prisma Cloud deploys the Defender on the VMware Tanzu Application Service (TAS) as addon software, which works similarly to a DaemonSet in Kubernetes. This approach co-locates the Defender on every Diego cell VM. The Prisma Cloud for TAS tile in the Tanzu Ops Manager allows you to configure the Defender across your TAS environment. When you deploy full-coverage Defenders for TAS, they perform blobstore scanning alongside compliance, vulnerability, and runtime protection. If you have a large-scale environment, you can choose to deploy blobstore scanning Defenders as dedicated VMs that focus exclusively on scanning your blobstores.
Tanzu Application Service (TAS) Defender supports the following functions:
- Vulnerability scanning for running apps.
- Vulnerability and compliance scanning for the underlying Diego cell hosts.
- Blobstore scanning for Linux droplets.
- Runtime protection: process, networking, and file system.
The Prisma Cloud Console lets you deploy Defender to multiple TAS environments. TAS Defender supports the prevent action because it doesn’t require controlling the app lifecycle. The TAS Defenders don’t support the block action for runtime rules, vulnerability rules, and compliance rules because the Defenders cannot block running apps. The TAS framework controls the app lifecycle, including stopping the containers as required by the block action.
Install the TAS Defender
- Get the Prisma Cloud tile.
  - Log in to the Prisma Cloud console.
  - Select Manage > Defender > Deployed Defenders.
  - Click Manual deploy.
  - Select the Orchestrator deployment method.
  - Under Orchestrator type, select one of the following options:
    - Tanzu Application Service Defender - Linux
    - Tanzu Application Service Defender - Windows
  - On the sidebar, click the Download button to get the TAS tile. Alternatively, you can download the tile under Manage > System > Utilities.
- Import the Prisma Cloud tile.
  - Go to the Tanzu Ops Manager > Installation Dashboard.
  - Click the Import a Product button.
  - Select the downloaded tile.
  - On the left side bar, the Prisma Cloud for TAS appears.
  - Click the plus sign beside the version number to stage the tile.
  - Click the orange tile that was added.
- Configure the Defenders.
  - Return to the Prisma Cloud Console.
  - Under Choose the name that Defender will use to connect to this Console, select the IP address or URL that your TAS environment can reach.
  - If you selected the Tanzu Application Service Defender - Windows as the Orchestrator type, enable or disable Runtime protection.
  - Enable the Assign globally unique names to Hosts in the Advanced Settings as needed.
  - Copy the installation scripts from the sidebar. You can deploy Prisma Cloud Defenders on Linux and Windows.
- Configure the Prisma Cloud tile.
  - Return to the Tanzu Ops Manager.
  - Under Assign AZs and Networks, select the TAS network.
  - Under Prisma Cloud Component Configuration, paste the installation scripts for the operating systems you are using. If you don’t provide an installation script, Tanzu doesn’t deploy Defenders for that operating system.
  - Under Prisma Cloud Proxy configuration, configure your Proxy as needed if you are using Linux. The Defender on Windows doesn’t support a proxy.
  - Under Credentials, provide your Prisma Cloud credentials for Linux and Windows. You can use certificates for authentication if you only use Linux. Provide your username and password credentials instead to authenticate the Defender if you use Windows Defenders by themselves or together with Linux Defenders.
  - Under Resource configuration, you can add dedicated Linux VMs to serve exclusively as Linux blobstore scanners.
  - Click Save to go back to the Installation Dashboard.
- Click Review Pending Changes.
- Select the following products.
  - Prisma Cloud for TAS
  - VMware Tanzu Application Service
  - Every TAS Isolation segment in your environment.
- Apply the changes and wait for the tile to become active. It can take an hour or longer for the changes to apply and your deployment to complete.
- Log in to a Diego cell.
- Inspect the /var/vcap/instance/dns/records.json file.
Deploy Blobstore Scanners for TAS
Prisma Cloud for TAS can perfor