Document:Prisma Cloud Administrator’s Guide (Compute)

System Requirements

Search the Table of Contents

Welcome
- Getting started
- Compute SaaS maintenance updates
- NAT gateway IP addresses
- Product architecture
- Support lifecycle
- Security Assurance Policy on Prisma Cloud Compute
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System Requirements
- Prisma Cloud container images
- Kubernetes
- OpenShift v4
- Amazon ECS
- Windows
- Defender types
- Cluster Context
- Install Defender
Upgrade
- Support lifecycle for connected components
- Upgrade process
- Kubernetes
- OpenShift
- Helm charts
- Amazon ECS
- Manually upgrade single Container Defenders
- Manually upgrade Defender DaemonSets
- Manually upgrade Defender DaemonSets (Helm)
Technology overviews
- Intelligence Stream
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Host Defender architecture
- TLS v1.2 cipher suites
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure Agentless Scanning
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Customize terminal output
- Collections
- Tags
- WildFire settings
- Log Scrubbing
Authentication
- Access keys
- Prisma Cloud Compute User Roles
- Compute user roles
- Assign roles
- Credentials store
- Cloud accounts
Vulnerability management
- Prisma Cloud vulnerability feed
- Vulnerability Explorer
- Vulnerability management rules
- Search CVEs
- Scan reports
- Scanning procedure
- Customize image scanning
- Configure Registry Scans
- Registry scanning
  - Scan images in Alibaba Cloud Container Registry
  - Amazon EC2 Container Registry (ECR)
  - Azure Container Registry (ACR)
  - Docker Registry v2
  - Google Artifact Registry
  - Google Container Registry (GCR)
  - Harbor
  - IBM Cloud Container Registry
  - Scan images on Artifactory Docker Registry
  - Sonatype Nexus Registry
  - OpenShift integrated Docker registry
  - Trigger registry scans with webhooks
- Base images
- Configure VM image scanning
- Configure code repository scanning
- Agentless scanning
- Malware scanning
- Vulnerability risk tree
- Detect vulnerabilities in unpackaged software
- CVSS scoring
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu blobstore scanning
- Scan App-Embedded workloads
- Troubleshoot vulnerability detection
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- Cloud discovery
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for serverless functions
- Runtime defense for App-Embedded
- Event Aggregation
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Image analysis sandbox
- Incident Explorer
- Incident types
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Deploy WAAS
- Web-Application and API Security (WAAS)
- WAAS Explorer
- App Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API observations
- API definition scan
- WAAS custom rules
- Detecting unprotected web apps
- WAAS Log Scrubbing
Firewalls
- Cloud Native Network Firewall (CNNF)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts
- ServiceNow alerts
- Slack Alerts
- Splunk alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan images with twistcli
- Scan code repos with twistcli
- Scan Infrastructure as Code (IaC)
Deployment patterns
- Best practices for DNS and certificate management
- Storage limits for audits and reports
- Performance planning
API
Howto
- Disable automatic learning
- Debug data

System Requirements

Before installing Prisma Cloud, verify that your environment meets the minimum requirements.

For information about when Prisma Cloud adds and drops support for third party software, see our support lifecycle page.

Hardware

Prisma Cloud supports x86_64
and ARM64
architectures. Ensure that your systems meet the following hardware requirements.

Defender Resource Requirements

Each Defender requires 256MB of RAM and 8GB of host storage.

The Defender uses cgroups to cap resource usage at 512MB of RAM and 900 CPU shares where a typical load is ~1-5% CPU and 30-70MB RAM.

The Defender stores its data in the /var folder. When allocating disk space for Defender, ensure the required space is available in the /var folder. Defenders are designed to be portable containers that collect data. Any data that must be persisted is sent to the Prisma Cloud Console for storage. Defenders don’t require persistent storage. If you deploy persistent storage for Defenders, it can corrupt Defender files.

If Defenders provide registry scanning they require the following resources:

Defenders providing registry scanning--

2GB of RAM

20GB of storage

2 CPU cores Defenders that are part of CI integrations (Jenkins, twistcli) require storage space depending on the size of the scanned images. The required disk space is 1.5 times the size of the largest image to be scanned, per executor. For example, if you have a Jenkins instance with two executors, and your largest container image is 500MB, then you need at least 1.5GB of storage space: 500MB x 1.5 x 2

Virtual Machines (VMs)

Prisma Cloud has been tested on the following hypervisors:

VMware for Tanzu Kubernetes Grid Multicloud (TKGM)

VMware for Tanzu Kubernetes Grid Integrated (TKGI)

Cloud Platforms

Prisma Cloud can run on nearly any cloud Infrastructure as a Service (IaaS) platform.

Prisma Cloud has been tested on the following services:

Amazon Web Services (AWS)

Google Cloud Platform

IBM Cloud

Microsoft Azure

Oracle Cloud Infrastructure (OCI)

ARM Architecture Requirements

The following setups support Prisma Cloud on ARM64 architecture:

Cloud provider

AWS
Graviton2 processors

GCP
GKE on ARM using the Tau T2A machine series

Supported Defenders:

Orchestrator Defenders on AWS and GCP

Host Defenders including auto-defend on AWS

The twistcli is supported on Linux ARM64 instances.

Learn more in the Supported Operating Systems on ARM64 and Supported Orchestrators on ARM64 sections.

The Prisma Cloud Console doesn’t support running on ARM64 systems.

Host Operating Systems

Prisma Cloud is supported on both x86_64 and ARM64

Supported Operating Systems on x86_64

Prisma Cloud is supported on the following host operating systems on x86_64 architecture:

Distro	Version
Amazon Linux 2	AMI name: amzn2-ami-hvm-2.0.20220426.0-x86_64-gp2 AMI ID: ami-06eecef118bbf9259
Bottlerocket OS	Tested version: 1.7.0 Containerd v1.5.11 Kernel version: 5.10.102 Kubelet version: v1.22.6-eks-b18cdc9 Vulnerability and compliance blocking policies are not supported on Bottlerocket. RunC not supported. Prevent is not supported on containerd runtime. Compliance for containerd not supported. Defenders must to be installed as privileged.
CentOS	CentOS 7 CentOS 8
Debian	Debian 10 Debian 11
GCOOS	Container-Optimized OS on Google Cloud latest GCOOS is purposefully minimalistic. It doesn’t support installing new packages or writing new bins. Hence, Prisma Cloud’s vulnerability detection on GCOOS only covers Docker and Kubernetes package binary detection. Runtime prevent capability is supported only for DNS events. Other prevent capabilities are not supported.
Red Hat Enterprise Linux	Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8
Red Hat Enterprise Linux CoreOS (RHCOS)	Red Hat Enterprise Linux CoreOS (RHCOS) versions included in OpenShift versions: 4.8, 4.9, and 4.10
SUSE	SLES-12 SP5 SLES 15 - Only Host Defenders are supported. SLES 15 SP1 - SP4 - Only Host Defenders are supported.
Ubuntu	Ubuntu 22.04 LTS Ubuntu 18.04 LTS
VMware	Photon OS 3.0 - Runtime scanning supported with kernel version >= 4.19.191-1 Photon OS 4.0 - Runtime scanning not supported The following use features are currently not supported in Photon 3.0 and 4.0: Detecting binaries without a package manager. Event / incident for WildFire malware SSHD application in host runtime events and empty SSH events on Host observations Vulnerabilities in Layers view
Windows	Windows Server 2016 Windows Server 2019 Long-Term Servicing Channel (LTSC) Windows on ARM64 architecture is not supported Defender is supported on Windows Server 2016 (vulnerability and compliance scanning), and Windows Server 2019 (vulnerability scanning, compliance scanning, and runtime defense for containers).

Supported Operating Systems on ARM64

Prisma Cloud is supported on the following host operating systems on ARM64 architecture in AWS:

Distro	Version
Amazon Linux 2	AMI Image: amzn-ami-hvm-2018.03.0.20220315.0-x86_64-gp2 AMI ID: ami-0f7691f59fd7c47af
CentOS	AMI Image: CentOS-8-ec2-8.3.2011-20210302.1.arm64-a14b8c70-a48b-4a94-87b3-5dc93b3f6be8 AMI ID: ami-0446e1158fe3f255a
Debian	AMI Image: debian-10-arm64-20210208-542 AMI ID: ami-08b2293fdd2deba2a
Photon	aws- no photon image
Redhat Enterprise Linux (RHEL)	AMI Image: RHEL-8.4.0_HVM-20210504-arm64-2-Hourly2-GP2 AMI ID: ami-01fc429821bf1f4b4
Ubuntu	AMI Image: ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-arm64-server-20211129 AMI ID: ami-0a940cb939351ccca AMI Image: ubuntu/images/hvm-ssd/ubuntu-focal-20.04-arm64-server-20211129 AMI ID: ami-0b49a4a6e8e22fa16

Kernel Capabilities

Prisma Cloud Defender requires the following kernel capabilities. More info about each capability can be found on the Linux capabilities man page.

When running on a Docker host, Prisma Cloud Defender uses the following files/folder on the host:

/var/run/docker.sock — Required for accessing Docker runtime.

/var/lib/twistlock — Required for storing Prisma Cloud data.

/dev/log — Required for writing to syslog.

Docker Engine

Prisma Cloud supports only the versions of the Docker Engine supported by Docker itself. Prisma Cloud supports only the following official mainstream Docker releases and later versions.

Community Edition (CE):

18.06.1

20.10.7

20.10.13

Enterprise Edition (EE):

19.03.4

19.03.8

The following storage drivers are supported: * overlay2 * overlay * devicemapper are supported.

For more information, review Docker’s guide to select a storage driver.

The versions of Docker Engine listed apply to versions you independently install on a host. The versions shipped as a part of an orchestrator, such as Red Hat OpenShift, might defer. Prisma Cloud supports the version of Docker Engine that ships with any Prisma Cloud-supported version of the orchestrator.

OCI Runtimes

Prisma Cloud supports the following container runtimes:

Container runtime	Version
Docker	See the Docker section
cri-containerd	Native Kubernetes 1.22.9 (containerd 1.6.4) Native Kubernetes 1.23.3 (containerd 1.4.12) Supported versions are listed in the orchestration section
CRI-O	OS 4.8 - CRIO version 1.21.3 OS 4.9- CRIO version 1.22.3 OS 4.10- CRIO version 1.23.1 K8s native - versions 1.22, 1.23 (x86_64 Arch)

Podman

Podman is a daemon-less container engine for developing, managing, and running OCI containers on Linux. The twistcli tool can use the preinstalled Podman binary to scan CRI images.

Podman v1.6.4, v3.0.1, v4.0.2

Helm

Helm is a package manager for Kubernetes that allows developers and operators to more easily package, configure, and deploy applications and services onto Kubernetes clusters.

Helm v3.9 is supported.

Orchestrators

Prisma Cloud is supported on the following orchestrators. We support the following versions of official mainline vendor/project releases.

Supported Orchestrators on x86_64

Orchestrator	Version
Azure Kubernetes Service (AKS)	Linux on AKS: v1.22.6, v1.23.5 (containerd 1.5.11) Windows on AKS: v1.22.6, v1.23.3
Bottlerocket	Bottlerocket OS 1.7.0 (aws-k8s-1.22) containerd 1.5.11 Kernel version: 5.10.102 Kubelet version: v1.22.6-eks-b18cdc9 The following features are not supported. RunC. Prevent on the containerd runtime. Compliance discovery for containerd.
Elastic Container Service (ECS)	ECS Fargate Console: Fargate Platform 1.4.0 ECS x86 Console: AMI Image: amzn2-ami-ecs-hvm-2.0.20220509-x86_64-ebs AMI ID: ami-061c10a2cb32f3491 ECS agent version: 1.61.0 Docker version:20.10.13
Elastic Kubernetes Service (EKS)	EKS 1.21.9 (containerd 1.4.13) EKS 1.22.6 (containerd 1.4.6)
Google Kubernetes Engine (GKE)	GKE 1.21.11 (containerd 1.4.8) GKE 1.22.8 (containerd 1.5.4) GKE 1.23.7 (containerd 1.5.11)
Google Kubernetes Engine (GKE) autopilot	GKE autopilot 1.21.11 (containerd 1.4.8) Custom Compliance and Prevent (Runtime) are not supported on GKE autopilot.
Kubernetes (k8s)	k8s 1.22.9 (CRIO 1.22.3) k8s 1.23.3 (CRIO 1.23.1) k8s 1.22.9 (containerd 1.6.4) k8s 1.23.3 (containerd 1.4.12) k8s 1.23.8 Docker 20.10.17
Lightweight Kubernetes (k3s)	k3s version: 1.21.7+k3s1 (containerd 1.4.12-k3s1) On Linux/AMD64: k3s version: 1.23.8+k3s2 (containerd 1.5.13-k3s1) k3s version: v1.23.6+k3s1 (containerd 1.5.11-k3s2) k3s version: v1.23.8+k3s1 (containerd 1.5.13-k3s1)
OpenShift	OpenShift versions: 4.8, 4.9, and 4.10
Rancher Kubernetes Engine (RKE)	RKE2 v1.22.5+rke2r1 (containerd 1.5.8-k3s)
VMware Tanzu Application Service (TAS)	v2.11, v2.12, v2.13
VMware Tanzu Kubernetes Grid Integrated (TKGI)	TKGi version: TAS TKGI 1.14 Kernel Version: 4.15.0-184-generic containerd version: 1.6.0 OS version: Ubuntu 16.0.4.7 LTS
VMware Tanzu Kubernetes Grid Multicloud (TKGM)	TKG Multicloud 1.5.1 vSphere 6.7U3 Kubernetes version v1.20.14+vmware.1 with: containerd version: 1.5.9 OS-Image: VMware Photon 3 OS/Linux VMWare version: v1.20.14+vmware.1 Kernel version :4.19.224-2.ph3 Kubernetes version v1.22.5+vmware.1 with: containerd version: 1.5.9 OS-Image: Ubuntu 20.04.03 LTS VMWare version: v1.22.5+vmware.1 Kernel version: 5.4.0-96-generic

Supported Orchestrators on ARM64

Prisma Cloud supports the official releases of the following orchestrators for the ARM64 architecture.

Orchestrator	Version
Elastic Container Service (ECS)	AMI name: amzn2-ami-ecs-hvm-2.0.20220411-arm64-ebs ECS agent 1.61.0 Docker 20.10.7
Elastic Kubernetes Service (EKS)	EKS v1.21.5 (containerd 1.4.6)
GKE on ARM	GKE version: v1.24.1-gke.1400 containerd version: 1.6.2 Defenders running in GKE on ARM don’t support the following features: Prevent for processes Prevent for file system events While Prevent is not supported, runtime detection is supported for processes and file system events.
Kubernetes with containerd	Kubernetes 1.23.5 (containerd 1.5.11)
Kubernetes with Docker	Docker Engine version: 20.10.14 API version:1.41 Go Version: go1.16.15
OpenShift	OpenShift 4.10 (CRI-O 1.23)

Istio

Prisma Cloud supports Istio 1.13.4.

Jenkins

Prisma Cloud supports Jenkins 2.235.1, 2.319.1, and the 2.319.2 container version.

The Prisma Cloud Jenkins plugin supports Jenkins LTS releases greater than 2.319.1. For any given release of Prisma Cloud, the plugin supports those Jenkins LTS releases supported by the Jenkins project at the time of the Prisma Cloud release.

The Jenkins plugin is not supported on ARM64 architecture.

Image Base Layers

Prisma Cloud can protect containers built on nearly any base layer operating system. Comprehensive Common Vulnerabilities and Exposures (CVE) data is provided for the following base layers for all versions except EOL versions:

Alpine

Amazon Linux container image

Amazon Linux 2

BusyBox

CentOS

Debian

Red Hat Enterprise Linux

SUSE

Ubuntu (LTS releases only)

Windows Server

If a CVE doesn’t have an architecture identifier, the CVE is related to all architectures.

Serverless Runtimes

Prisma Cloud can protect AWS Lambda functions at runtime. Prisma Cloud supports the following runtimes:

Serverless Runtimes Using Lambda Layers

Node.js 12.x, 14.x

Python 3.6, 3.7, 3.8, 3.9

Ruby 2.7

Serverless Runtimes Using Manually Embedded Defenders in AWS

C# (.NET Core 3.1)

Java 8, 11

Node.js 12.x, 14.x

Python 3.6, 3.7, 3.8, 3.9

Ruby 2.7

Prisma Cloud can also scan serverless functions for vulnerabilities and compliance benchmarks. Prisma Cloud supports the following runtimes for vulnerability and compliance scans in AWS Lambda, Google Cloud Functions, and Azure Functions:

Serverless Vulnerability and Compliance Scanning

Node.js 12.x, 14.x

Python 3.6, 3.7, 3.8, 3.9

Ruby 2.7

Serverless WAAS Functions

Java 11

Node.js 12.x, 14.x

Python 3.6, 3.7, 3.8, 3.9

Ruby 2.7

Serverless Runtimes Using Manually Embedded Defenders in Azure

C# 3 (.NET Core 3.1)

C# 5 (.NET Core 4.0)

C# 6 (.NET Core 4.0)

Go

Prisma Cloud can detect vulnerabilities in Go executables for Go versions 1.13 and greater.

Shells

For Linux, Prisma Cloud depends on the Bash shell. For Windows, Prisma Cloud depends on PowerShell.

The shell environment variable DOCKER_CONTENT_TRUST should be set to 0 or unset before running any commands that interact with the Prisma Cloud cloud registry, such as Defender installs or upgrades.

Browsers

Prisma Cloud supports the latest versions of Chrome, Safari, and Edge.

For Microsoft Edge, only the new Chromium-based version (80.0.361 and later) is supported.

Cortex XDR

Prisma Cloud Defenders can work alongside Cortex XDR agents. Currently, users need to manually add exceptions in Console for both agents to work together. In a future release, there will be out-of-the-box support for co-existence. Users can disable the Defender runtime defense when a Cortex XDR agent is present.

To allow for both the solutions to co-exist:

Add the Cortex agent as a trustable executable. For more information, see to Creating a trusted exeuctable.

Suppress runtime alerts from the Cortex agent by adding custom runtime rules that allow the Cortex agent process and file path.

Document:Prisma Cloud Administrator’s Guide (Compute)

System Requirements

Table of Contents

System Requirements

Hardware

Defender Resource Requirements

Virtual Machines (VMs)

Cloud Platforms

ARM Architecture Requirements

Host Operating Systems

Supported Operating Systems on x86_64

Supported Operating Systems on ARM64

Kernel Capabilities

Docker Engine

OCI Runtimes

Podman

Helm

Orchestrators

Supported Orchestrators on x86_64

Supported Orchestrators on ARM64

Istio

Jenkins

Image Base Layers

Serverless Runtimes

Serverless Runtimes Using Lambda Layers

Serverless Runtimes Using Manually Embedded Defenders in AWS

Serverless Vulnerability and Compliance Scanning

Serverless WAAS Functions

Serverless Runtimes Using Manually Embedded Defenders in Azure

Go

Shells

Browsers

Cortex XDR

Most Popular

Recommended For You

Document:Prisma Cloud Administrator’s Guide (Compute)

System Requirements

Table of Contents

System Requirements

Hardware

Defender Resource Requirements

Virtual Machines (VMs)

Cloud Platforms

ARM Architecture Requirements

Host Operating Systems

Supported Operating Systems on x86_64

Supported Operating Systems on ARM64

Kernel Capabilities

Docker Engine

OCI Runtimes

Podman

Helm

Orchestrators

Supported Orchestrators on x86_64

Supported Orchestrators on ARM64

Istio

Jenkins

Image Base Layers

Serverless Runtimes

Serverless Runtimes Using Lambda Layers

Serverless Runtimes Using Manually Embedded Defenders in AWS

Serverless Vulnerability and Compliance Scanning

Serverless WAAS Functions

Serverless Runtimes Using Manually Embedded Defenders in Azure

Go

Shells

Browsers

Cortex XDR

Most Popular

Recommended For You

Recommended Videos