VMware Tanzu Application Service (TAS) Defender

Prisma Cloud deploys the Defender on the VMware Tanzu Application Service (TAS) as addon software, which works similarly to a Daemon set in Kubernetes. This approach co-locates the Defender on every Diego cell VM. The Prisma Cloud for TAS tile in the Tanzu Ops Manager allows you to configure the Defender across your TAS environment. When you deploy full coverage Defenders for TAS, they perform blobstore scanning alongside compliance, vulnerability, and runtime protection. If you have a large scale environment, you can choose to deploy blobstore scanning Defenders as dedicated VMs that focus exclusively on scanning your blobstores.
Tanzu Application Service (TAS) Defender supports the following functions:
  • Vulnerability scanning for running apps.
  • Vulnerability and compliance scanning for the underlying Diego cell hosts.
  • Blobstore scanning for Linux droplets.
  • Runtime protection: process, networking, and file system.
The Prisma Cloud Console lets you deploy Defender to multiple TAS environments. TAS Defender supports the prevent action because it doesn’t require controlling the app lifecycle. The TAS Defenders don’t support the block action for runtime rules, vulnerability rules, and compliance rules because the Defenders cannot block running apps. The TAS framework controls the app lifecycle including stopping the containers as required by the block action.

Install the TAS Defender

  1. Get the Prisma Cloud tile.
    1. Log in to the Prisma Cloud console.
    2. Select
      Manage > Defender > Deployed Defenders
    3. Click
      Manual deploy
    4. Select the
      deployment method.
    5. Under
      Orchestrator type
      , select one of the following options:
      • Tanzu Application Service Defender - Linux
      • Tanzu Application Service Defender - Windows
    6. On the sidebar, click the
      button to get the TAS tile.
      Alternatively, you can download the tile under
      Manage > System > Utilities
  2. Import the Prisma Cloud tile.
    1. Go to the
      Tanzu Ops Manager > Installation Dashboard
    2. Click the
      Import a Product
    3. Select the downloaded tile.
    4. On the left side bar, the Prisma Cloud for TAS appears.
    5. Click the
      plus sign
      beside the version number to stage the tile.
    6. Click the orange tile that was added.
  3. Configure the Defenders.
    1. Return to the Prisma Cloud Console.
    2. Under
      Choose the name that Defender will use to connect to this Console
      , select the IP address or URL that your TAS environment can reach.
    3. If you selected the
      Tanzu Application Service Defender - Windows
      as the
      Orchestrator type
      , enable or disable
      Runtime protection
    4. Enable the
      Assign globally unique names to Hosts
      in the
      Advanced Settings
      as needed.
    5. Copy the installation scripts from the sidebar. You can deploy Prisma Cloud Defenders on Linux and Windows.
  4. Configure the Prisma Cloud tile.
    1. Return to the Tanzu Ops Manager.
    2. Under
      Assign AZs and Networks
      , select the
      TAS network
    3. Under
      Prisma Cloud Component Configuration
      , paste the installation scripts for the operating systems you are using. If you don’t provide an installation script, Tanzu doesn’t deploy Defenders for that operating system.
    4. Under
      Prisma Cloud Proxy configuration
      , configure your Proxy as needed if you are using Linux. The Defender on Windows doesn’t support a proxy.
    5. Under
      , provide your Prisma Cloud credentials for Linux and Windows. You can use certificates for authentication if you only use Linux. Provide your username and password credentials instead to authenticate the Defender if you use Windows Defenders by themselves or together with Linux Defenders.
    6. Under
      Resource configuration
      , you can add dedicated Linux VMs to serve exclusively as Linux blobstore scanners.
    7. Click
      to go back to the
      Installation Dashboard
    8. Click Review Pending Changes.
    9. Select the following products.
      • Prisma Cloud for TAS
      • VMWare Tanzu Application Service
      • Every TAS Isolation segment in your environment.
    10. Apply the changes and wait for the tile to become active.
      It can take an hour or longer for the changes to apply and your deployment to complete.
  5. Verify the deployment: On Linux, the Prisma Cloud Console reports the agentID in the Host field. On Windows, the Prisma Cloud Console reports the VM CID in the Host field.
    1. Log into an Diego cell
    2. The file shows the agentID or VM CID mapped to the host IP address.
    3. If the deployment fails, no agentID or VM CID are shown.

Deploy Blobstore Scanners for TAS

Prisma Cloud for TAS can perfor