System Requirements

Before installing Prisma Cloud, verify that your environment meets the minimum requirements.
For information about when Prisma Cloud adds and drops support for third party software, see our support lifecycle page.

Hardware

Prisma Cloud supports
x86_64
and
ARM64
architectures. Ensure that your systems meet the following hardware requirements.

Defender Resource Requirements

Each Defender requires 256MB of RAM and 8GB of host storage.
The Defender uses cgroups to cap resource usage at 512MB of RAM and 900 CPU shares where a typical load is ~1-5% CPU and 30-70MB RAM.
The Defender stores its data in the /var folder. When allocating disk space for Defender, ensure the required space is available in the /var folder. Defenders are designed to be portable containers that collect data. Any data that must be persisted is sent to the Prisma Cloud Console for storage. Defenders don’t require persistent storage. If you deploy persistent storage for Defenders, it can corrupt Defender files.
If Defenders provide registry scanning they require the following resources:
  • Defenders providing registry scanning--
  • 2GB of RAM
  • 20GB of storage
  • 2 CPU cores Defenders that are part of CI integrations (Jenkins, twistcli) require storage space depending on the size of the scanned images. The required disk space is 1.5 times the size of the largest image to be scanned, per executor. For example, if you have a Jenkins instance with two executors, and your largest container image is 500MB, then you need at least 1.5GB of storage space: 500MB x 1.5 x 2

Virtual Machines (VMs)

Prisma Cloud has been tested on the following hypervisors:
  • VMware for Tanzu Kubernetes Grid Multicloud (TKGM)
  • VMware for Tanzu Kubernetes Grid Integrated (TKGI)

Cloud Platforms

Prisma Cloud can run on nearly any cloud Infrastructure as a Service (IaaS) platform.
Prisma Cloud has been tested on the following services:
  • Amazon Web Services (AWS)
  • Google Cloud Platform
  • IBM Cloud
  • Microsoft Azure
  • Oracle Cloud Infrastructure (OCI)

ARM Architecture Requirements

The following setups support Prisma Cloud on ARM64 architecture:
  • Cloud provider
  • Supported Defenders:
    • Orchestrator Defenders on AWS and GCP
    • Host Defenders including auto-defend on AWS
  • The twistcli is supported on Linux ARM64 instances.
The Prisma Cloud Console doesn’t support running on ARM64 systems.

Host Operating Systems

Prisma Cloud is supported on both x86_64 and ARM64

Supported Operating Systems on x86_64

Prisma Cloud is supported on the following host operating systems on x86_64 architecture:
Distro
Version
Amazon Linux 2
AMI name: amzn2-ami-hvm-2.0.20220426.0-x86_64-gp2
AMI ID: ami-06eecef118bbf9259
Bottlerocket OS
Tested version: 1.7.0
Containerd v1.5.11
Kernel version: 5.10.102
Kubelet version: v1.22.6-eks-b18cdc9
  • Vulnerability and compliance blocking policies are not supported on Bottlerocket.
  • RunC not supported.
  • Prevent is not supported on containerd runtime.
  • Compliance for containerd not supported.
  • Defenders must to be installed as privileged.
CentOS
CentOS 7
CentOS 8
Debian
Debian 10
Debian 11
GCOOS
Container-Optimized OS on Google Cloud latest
GCOOS is purposefully minimalistic. It doesn’t support installing new packages or writing new bins. Hence, Prisma Cloud’s vulnerability detection on GCOOS only covers Docker and Kubernetes package binary detection.
Runtime prevent capability is supported only for DNS events. Other prevent capabilities are not supported.
Red Hat Enterprise Linux
Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8
Red Hat Enterprise Linux CoreOS (RHCOS)
Red Hat Enterprise Linux CoreOS (RHCOS) versions included in OpenShift versions: 4.8, 4.9, and 4.10
SUSE
SLES-12 SP5
SLES 15 - Only Host Defenders are supported.
SLES 15 SP1 - SP4 - Only Host Defenders are supported.
Ubuntu
Ubuntu 22.04 LTS
Ubuntu 18.04 LTS
VMware
Photon OS 3.0 - Runtime scanning supported with kernel version >= 4.19.191-1
Photon OS 4.0 - Runtime scanning not supported
The following use features are currently not supported in Photon 3.0 and 4.0:
  • Detecting binaries without a package manager.
  • Event / incident for WildFire malware
  • SSHD application in host runtime events and empty SSH events on Host observations
  • Vulnerabilities in Layers view
Windows
Windows Server 2016
Windows Server 2019 Long-Term Servicing Channel (LTSC)
Windows on ARM64 architecture is not supported
Defender is supported on Windows Server 2016 (vulnerability and compliance scanning), and Windows Server 2019 (vulnerability scanning, compliance scanning, and runtime defense for containers).

Supported Operating Systems on ARM64

Prisma Cloud is supported on the following host operating systems on ARM64 architecture in AWS:
Distro
Version
Amazon Linux 2
AMI Image: amzn-ami-hvm-2018.03.0.20220315.0-x86_64-gp2
AMI ID: ami-0f7691f59fd7c47af
CentOS
AMI Image: CentOS-8-ec2-8.3.2011-20210302.1.arm64-a14b8c70-a48b-4a94-87b3-5dc93b3f6be8
AMI ID: ami-0446e1158fe3f255a
Debian
AMI Image: debian-10-arm64-20210208-542
AMI ID: ami-08b2293fdd2deba2a
Photon
aws- no photon image
Redhat Enterprise Linux (RHEL)
AMI Image: RHEL-8.4.0_HVM-20210504-arm64-2-Hourly2-GP2
AMI ID: ami-01fc429821bf1f4b4
Ubuntu
AMI Image: ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-arm64-server-20211129
AMI ID: ami-0a940cb939351ccca
AMI Image: ubuntu/images/hvm-ssd/ubuntu-focal-20.04-arm64-server-20211129
AMI ID: ami-0b49a4a6e8e22fa16

Kernel Capabilities

Prisma Cloud Defender requires the following kernel capabilities. More info about each capability can be found on the Linux capabilities man page.
When running on a Docker host, Prisma Cloud Defender uses the following files/folder on the host:

Docker Engine

Prisma Cloud supports only the versions of the Docker Engine supported by Docker itself. Prisma Cloud supports only the following official mainstream Docker releases and later versions.
  • Community Edition (CE):
    • 18.06.1
    • 20.10.7
    • 20.10.13
  • Enterprise Edition (EE):
    • 19.03.4
    • 19.03.8
The following storage drivers are supported: * overlay2 * overlay * devicemapper are supported.
For more information, review Docker’s guide to select a storage driver.
The versions of Docker Engine listed apply to versions you independently install on a host. The versions shipped as a part of an orchestrator, such as Red Hat OpenShift, might defer. Prisma Cloud supports the version of Docker Engine that ships with any Prisma Cloud-supported version of the orchestrator.

OCI Runtimes

Prisma Cloud supports the following container runtimes:
Container runtime
Version
Docker
See the Docker section
Native Kubernetes 1.22.9 (containerd 1.6.4)
Native Kubernetes 1.23.3 (containerd 1.4.12)
Supported versions are listed in the orchestration section
OS 4.8 - CRIO version 1.21.3
OS 4.9- CRIO version 1.22.3
OS 4.10- CRIO version 1.23.1
K8s native - versions 1.22, 1.23 (x86_64 Arch)

Podman

Podman is a daemon-less container engine for developing, managing, and running OCI containers on Linux. The twistcli tool can use the preinstalled Podman binary to scan CRI images.
Podman v1.6.4, v3.0.1, v4.0.2

Helm

Helm is a package manager for Kubernetes that allows developers and operators to more easily package, configure, and deploy applications and services onto Kubernetes clusters.
Helm v3.9 is supported.

Orchestrators

Prisma Cloud is supported on the following orchestrators. We support the following versions of official mainline vendor/project releases.

Supported Orchestrators on x86_64

Orchestrator
Version
Azure Kubernetes Service (AKS)
Linux on AKS: v1.22.6, v1.23.5 (containerd 1.5.11)
Windows on AKS: v1.22.6, v1.23.3
Bottlerocket
Bottlerocket OS 1.7.0 (aws-k8s-1.22)
containerd 1.5.11
Kernel version: 5.10.102
Kubelet version: v1.22.6-eks-b18cdc9
The following features are not supported.
  • RunC.
  • Prevent on the containerd runtime.
  • Compliance discovery for containerd.
Elastic Container Service (ECS)
ECS Fargate Console:
Fargate Platform 1.4.0
ECS x86 Console:
AMI Image: amzn2-ami-ecs-hvm-2.0.20220509-x86_64-ebs
AMI ID: ami-061c10a2cb32f3491
ECS agent version: 1.61.0
Docker version:20.10.13
Elastic Kubernetes Service (EKS)
EKS 1.21.9 (containerd 1.4.13)
EKS 1.22.6 (containerd 1.4.6)
Google Kubernetes Engine (GKE)
GKE 1.21.11 (containerd 1.4.8)
GKE 1.22.8 (containerd 1.5.4)
GKE 1.23.7 (containerd 1.5.11)
Google Kubernetes Engine (GKE) autopilot
GKE autopilot 1.21.11 (containerd 1.4.8)
Custom Compliance and Prevent (Runtime) are not supported on GKE autopilot.
Kubernetes (k8s)
k8s 1.22.9 (CRIO 1.22.3)
k8s 1.23.3 (CRIO 1.23.1)
k8s 1.22.9 (containerd 1.6.4)
k8s 1.23.3 (containerd 1.4.12)
k8s 1.23.8 Docker 20.10.17
Lightweight Kubernetes (k3s)
k3s version: 1.21.7+k3s1 (containerd 1.4.12-k3s1)
On Linux/AMD64:
  • k3s version: 1.23.8+k3s2 (containerd 1.5.13-k3s1)
  • k3s version: v1.23.6+k3s1 (containerd 1.5.11-k3s2)
  • k3s version: v1.23.8+k3s1 (containerd 1.5.13-k3s1)
OpenShift
OpenShift versions: 4.8, 4.9, and 4.10
Rancher Kubernetes Engine (RKE)
RKE2 v1.22.5+rke2r1 (containerd 1.5.8-k3s)
VMware Tanzu Application Service (TAS)
v2.11, v2.12, v2.13
VMware Tanzu Kubernetes Grid Integrated (TKGI)
TKGi version: TAS TKGI 1.14
Kernel Version: 4.15.0-184-generic
containerd version: 1.6.0
OS version: Ubuntu 16.0.4.7 LTS
VMware Tanzu Kubernetes Grid Multicloud (TKGM)
TKG Multicloud 1.5.1
vSphere 6.7U3
  • Kubernetes version v1.20.14+vmware.1 with:
    • containerd version: 1.5.9
    • OS-Image: VMware Photon 3 OS/Linux
    • VMWare version: v1.20.14+vmware.1
    • Kernel version :4.19.224-2.ph3
  • Kubernetes version v1.22.5+vmware.1 with:
    • containerd version: 1.5.9
    • OS-Image: Ubuntu 20.04.03 LTS
    • VMWare version: v1.22.5+vmware.1
    • Kernel version: 5.4.0-96-generic

Supported Orchestrators on ARM64

Prisma Cloud supports the official releases of the following orchestrators for the ARM64 architecture.
Orchestrator
Version
Elastic Container Service (ECS)
AMI name: amzn2-ami-ecs-hvm-2.0.20220411-arm64-ebs
ECS agent 1.61.0
Docker 20.10.7
Elastic Kubernetes Service (EKS)
EKS v1.21.5 (containerd 1.4.6)
GKE on ARM
GKE version: v1.24.1-gke.1400
containerd version: 1.6.2
Defenders running in GKE on ARM don’t support the following features:
  • Prevent for processes
  • Prevent for file system events
While Prevent is not supported, runtime detection is supported for processes and file system events.
Kubernetes with containerd
Kubernetes 1.23.5 (containerd 1.5.11)
Kubernetes with Docker
Docker Engine version: 20.10.14
API version:1.41
Go Version: go1.16.15
OpenShift
OpenShift 4.10 (CRI-O 1.23)

Istio

Prisma Cloud supports Istio 1.13.4.

Jenkins

Prisma Cloud supports Jenkins 2.235.1, 2.319.1, and the 2.319.2 container version.
The Prisma Cloud Jenkins plugin supports Jenkins LTS releases greater than 2.319.1. For any given release of Prisma Cloud, the plugin supports those Jenkins LTS releases supported by the Jenkins project at the time of the Prisma Cloud release.
The Jenkins plugin is not supported on ARM64 architecture.

Image Base Layers

Prisma Cloud can protect containers built on nearly any base layer operating system. Comprehensive Common Vulnerabilities and Exposures (CVE) data is provided for the following base layers for all versions except EOL versions:
  • Alpine
  • Amazon Linux 2
  • BusyBox
  • CentOS
  • Debian
  • Red Hat Enterprise Linux
  • SUSE
  • Ubuntu (LTS releases only)
  • Windows Server
If a CVE doesn’t have an architecture identifier, the CVE is related to all architectures.

Serverless Runtimes

Prisma Cloud can protect AWS Lambda functions at runtime. Prisma Cloud supports the following runtimes:

Serverless Runtimes Using Lambda Layers

  • Node.js 12.x, 14.x
  • Python 3.6, 3.7, 3.8, 3.9
  • Ruby 2.7

Serverless Runtimes Using Manually Embedded Defenders in AWS

  • C# (.NET Core 3.1)
  • Java 8, 11
  • Node.js 12.x, 14.x
  • Python 3.6, 3.7, 3.8, 3.9
  • Ruby 2.7
Prisma Cloud can also scan serverless functions for vulnerabilities and compliance benchmarks. Prisma Cloud supports the following runtimes for vulnerability and compliance scans in AWS Lambda, Google Cloud Functions, and Azure Functions:

Serverless Vulnerability and Compliance Scanning

  • Node.js 12.x, 14.x
  • Python 3.6, 3.7, 3.8, 3.9
  • Ruby 2.7

Serverless WAAS Functions

  • Java 11
  • Node.js 12.x, 14.x
  • Python 3.6, 3.7, 3.8, 3.9
  • Ruby 2.7

Serverless Runtimes Using Manually Embedded Defenders in Azure

  • C# 3 (.NET Core 3.1)
  • C# 5 (.NET Core 4.0)
  • C# 6 (.NET Core 4.0)

Go

Prisma Cloud can detect vulnerabilities in Go executables for Go versions 1.13 and greater.

Shells

For Linux, Prisma Cloud depends on the Bash shell. For Windows, Prisma Cloud depends on PowerShell.
The shell environment variable DOCKER_CONTENT_TRUST should be set to 0 or unset before running any commands that interact with the Prisma Cloud cloud registry, such as Defender installs or upgrades.

Browsers

Prisma Cloud supports the latest versions of Chrome, Safari, and Edge.
For Microsoft Edge, only the new Chromium-based version (80.0.361 and later) is supported.

Cortex XDR

Prisma Cloud Defenders can work alongside Cortex XDR agents. Currently, users need to manually add exceptions in Console for both agents to work together. In a future release, there will be out-of-the-box support for co-existence. Users can disable the Defender runtime defense when a Cortex XDR agent is present.
To allow for both the solutions to co-exist:
  1. Add the Cortex agent as a trustable executable. For more information, see to Creating a trusted exeuctable.
  2. Suppress runtime alerts from the Cortex agent by adding custom runtime rules that allow the Cortex agent process and file path.

Recommended For You