The Defender stores its data in the /var folder. When allocating disk space for Defender, ensure the required space is available in the /var folder. Defenders are designed to be portable containers that collect data. Any data that must be persisted is sent to the Prisma Cloud Console for storage. Defenders don’t require persistent storage. If you deploy persistent storage for Defenders, it can corrupt Defender files.

If Defenders provide registry scanning they require the following resources:

Defenders providing registry scanning--

2GB of RAM

20GB of storage

2 CPU cores Defenders that are part of CI integrations (Jenkins, twistcli) require storage space depending on the size of the scanned images. The required disk space is 1.5 times the size of the largest image to be scanned, per executor. For example, if you have a Jenkins instance with two executors, and your largest container image is 500MB, then you need at least 1.5GB of storage space: 500MB x 1.5 x 2

Virtual Machines (VMs)

Prisma Cloud has been tested on the following hypervisors:

VMware for Tanzu Kubernetes Grid Multicloud (TKGM)

VMware for Tanzu Kubernetes Grid Integrated (TKGI)

Cloud Platforms

Prisma Cloud can run on nearly any cloud Infrastructure as a Service (IaaS) platform.

Prisma Cloud has been tested on the following services:

Amazon Web Services (AWS)

Google Cloud Platform

IBM Cloud

Microsoft Azure

Oracle Cloud Infrastructure (OCI)

Alibaba Cloud: You can deploy Defenders on VMs, hosts running containers, and clusters on Alibaba Cloud using the instructions for the supported host operating systems and orchestrator versions. Specific deployment instructions for Alibaba Cloud are not documented and Cloud discovery is not supported.

ARM Architecture Requirements

The following setups support Prisma Cloud on ARM64 architecture:

Cloud provider

AWS
Graviton2 processors

GCP
GKE on ARM using the Tau T2A machine series

Supported Defenders:

Orchestrator Defenders on AWS and GCP

Host Defenders including auto-defend on AWS

The twistcli is supported on Linux ARM64 instances.

Learn more in the Supported Operating Systems on ARM64 and Supported Orchestrators on ARM64 sections.

The Prisma Cloud Console doesn’t support running on ARM64 systems.

Operating Systems for bare-metal Hosts and Virtual Machines

Prisma Cloud is supported on both x86_64 and ARM64

Supported Operating Systems on x86_64

Prisma Cloud is supported on the following host operating systems on x86_64 architecture:

Distro	Version	Kernel	Supported Kubelet	Supported runtime	Notes
Amazon Linux 2	AMI name: amzn2-ami-hvm-2.0.20230727.0-x86_64-gp2 AMI ID: ami-09748abeb7370d1bc	4.14.322-244.536.amzn2.x86_64
Amazon Linux 2023	AMI ID:ami-02396cdd13e9a1257	6.1.23-36.46.amzn2023.x86_64
Azure Linux docker image	20230426
Bottlerocket OS	1.9.2		1.23.7	containerd 1.6.6	Defenders must be installed as privileged on Bottlerocket. The following features are not available for Bottlerocket: - Vulnerability and compliance blocking policies - RunC - Prevent on containerd runtime - Compliance for containerd
Bottlerocket OS	1.9.2		1.24.9	containerd 1.6.15+bottlerocket	Defenders must be installed as privileged on Bottlerocket. The following features are not available for Bottlerocket: - Vulnerability and compliance blocking policies - RunC - Prevent on containerd runtime - Compliance for containerd
Bottlerocket OS	1.9.2		1.25.5	containerd 1.6.15+bottlerocket	Defenders must be installed as privileged on Bottlerocket. The following features are not available for Bottlerocket: - Vulnerability and compliance blocking policies - RunC - Prevent on containerd runtime - Compliance for containerd
Bottlerocket OS	1.9.2		1.26.2	containerd 1.6.19+bottlerocket	Defenders must be installed as privileged on Bottlerocket. The following features are not available for Bottlerocket: - Vulnerability and compliance blocking policies - RunC - Prevent on containerd runtime - Compliance for containerd
Bottlerocket OS	1.14.1		1.27.1	containerd://1.6.20+bottlerocket	Defenders must be installed as privileged on Bottlerocket. The following features are not available for Bottlerocket: - Vulnerability and compliance blocking policies - RunC - Prevent on containerd runtime - Compliance for containerd
Bottlerocket OS	1.14.2		1.27.3	containerd://1.6.20+bottlerocket	Defenders must be installed as privileged on Bottlerocket. The following features are not available for Bottlerocket: - Vulnerability and compliance blocking policies - RunC - Prevent on containerd runtime - Compliance for containerd
Bottlerocket OS	1.14.3		1.27.3	containerd://1.6.20+bottlerocket	Defenders must be installed as privileged on Bottlerocket. The following features are not available for Bottlerocket: - Vulnerability and compliance blocking policies - RunC - Prevent on containerd runtime - Compliance for containerd
CentOS	7
CentOS	8
CentOS	9
Debian	10
Debian	11
Debian	12
GCOOS	latest				GCOOS is purposefully minimalistic. It doesn’t support installing new packages or writing new bins. Hence, Prisma Cloud’s vulnerability detection on GCOOS only covers Docker and Kubernetes package binary detection. Runtime prevent capability is supported only for DNS events. Other prevent capabilities are not supported.
Oracle Enterprise Linux (OEL)	7
Oracle Enterprise Linux (OEL)	8
Oracle Enterprise Linux (OEL)	9				Agentless scanning is not supported for OEL 9. Vulnerabilities are matched by architecture, which leads to ARM images showing x86 relevant vulnerabilities and vice versa.
Red Hat Enterprise Linux (RHEL)	7
Red Hat Enterprise Linux (RHEL)	8
Red Hat Enterprise Linux (RHEL)	9
Red Hat Enterprise Linux CoreOS (RHCOS)	All versions included in OpenShift versions: 4.9, 4.10, and 4.11
Rocky Linux	8
Rocky Linux	9.0
SUSE	SLES-12 SP5
SUSE	SLES 15 SP1 - SP4
Talos OS	1.3.0	5.15.83-talos	1.25.4	containerd 1.6.12	The following features are not available for Talos OS: - Scanning of underlying hosts - Agentless scanning - Vulnerability and compliance blocking policies - WAAS defense
Talos OS	1.3.3	5.15.89-talos	1.25.4	containerd 1.6.15	The following features are not available for Talos OS: - Scanning of underlying hosts - Agentless scanning - Vulnerability and compliance blocking policies - WAAS defense
Talos OS	1.3.5	5.15.94-talos	1.25.4	containerd 1.6.18	The following features are not available for Talos OS: - Scanning of underlying hosts - Agentless scanning - Vulnerability and compliance blocking policies - WAAS defense
Talos OS	1.4.1	6.1.25-talos	1.26.3	containerd 1.6.20	Agentless scanning is not supported
Ubuntu	22.04 LTS
Ubuntu	20.04 LTS
Ubuntu	18.04 LTS
VMWare Photon OS	3.0	Runtime scanning supported with kernel version >= 4.19.191-1			The following use features are currently not supported in Photon 3.0: - SSHD application in host runtime events and empty SSH events on Host observations - Vulnerabilities in Layers view
VMWare Photon OS	4.0				The following use features are currently not supported in Photon 4.0: - SSHD application in host runtime events and empty SSH events on Host observations - Vulnerabilities in Layers view
Windows	Server 2016				Server 2016 Long-Term Servicing Channel (LTSC) support includes only following features: - Vulnerabilty scanning - Compliance scanning - CNNS defense for container - WAAS defense for hosts - Runtime defense for container
Windows	Server 2019				Server 2019 Long-Term Servicing Channel (LTSC) support includes only following features: - Vulnerabilty scanning - Compliance scanning - CNNS defense for container - WAAS defense for hosts - Runtime defense for container
Windows	Server 2022				Server 2022 Long-Term Servicing Channel (LTSC) support includes only following features: - Vulnerabilty scanning - Compliance scanning - CNNS defense for container - WAAS defense for hosts - Runtime defense for container

Supported Operating Systems on ARM64

Prisma Cloud supports host Defenders on the following host operating systems on ARM64 architecture in AWS.

Distro	Version	Kernel
Amazon Linux 2	AMI Image: amzn-ami-hvm-2018.03.0.20220315.0-x86_64-gp2 AMI ID: ami-0f7691f59fd7c47af	5.10.96-90.460.amzn2.aarch64
CentOS	8
Debian	10
Redhat Enterprise Linux (RHEL)	8
Redhat Enterprise Linux (RHEL)	9
Ubuntu	18
Ubuntu	20
Oracle Enterprise Linux (OEL)	8
Oracle Enterprise Linux (OEL)	9

Kernel Capabilities

Prisma Cloud Defender requires the following kernel capabilities. Refer to the the Linux capabilities man page for more details on each capability.

CAP_NET_ADMIN

CAP_NET_RAW

`CAP_SYS_ADMIN

CAP_SYS_PTRACE

CAP_SYS_CHROOT

CAP_MKNOD

CAP_SETFCAP

CAP_IPC_LOCK

The Prisma Cloud App-Embedded Defender requires CAP_SYS_PTRACE only.

If you have enabled the CNNS capabilities and are on v4.15.x kernel you must upgrade the kernel version to v5.4.x or later.

When running on a Docker host, Prisma Cloud Defender uses the following files/folder on the host:

/var/run/docker.sock — Required for accessing Docker runtime.

/var/lib/twistlock — Required for storing Prisma Cloud data.

/dev/log — Required for writing to syslog.

Docker Engine

Prisma Cloud supports only the versions of the Docker Engine supported by Docker itself. Prisma Cloud supports only the following official mainstream Docker releases and later versions.

Edition	Version
Community Edition (CE)	18.06.1
Community Edition (CE)	20.10.7
Community Edition (CE)	20.10.13
Enterprise Edition (EE)	19.03.4
Enterprise Edition (EE)	19.03.8

The following storage drivers are supported: * overlay2 * overlay * devicemapper are supported.

For more information, review Docker’s guide to select a storage driver.

The versions of Docker Engine listed apply to versions you independently install on a host. The versions shipped as a part of an orchestrator, such as Red Hat OpenShift, might defer. Prisma Cloud supports the version of Docker Engine that ships with any Prisma Cloud-supported version of the orchestrator.

Container Runtimes

Prisma Cloud supports several container runtimes depending on the orchestrator. Supported versions are listed in the orchestration section

Podman

Podman is a daemon-less container engine for developing, managing, and running OCI containers on Linux. The twistcli tool can use the preinstalled Podman binary to scan CRI images.

Podman v1.6.4, v3.4.2, v4.0.2

Helm

Helm is a package manager for Kubernetes that allows developers and operators to more easily package, configure, and deploy applications and services onto Kubernetes clusters.

Helm v3.10, v3.10.3, and 3.11 are supported.

Orchestrators

Prisma Cloud is supported on the following orchestrators. We support the following versions of official mainline vendor/project releases.

Supported Orchestrators on x86_64

Orchestrator	Version	Operating System	Image	Runtime	Kernel	Tested in	Notes
Azure Kubernetes Service (AKS)	v1.25.11	Linux	-	containerd://1.7.1+azure-1	-	31.01
Azure Kubernetes Service (AKS)	v1.26.6	Linux	-	containerd://1.7.1+azure-1	-	31.01
Azure Kubernetes Service (AKS)	1.27.3	Linux	-	containerd://1.7.1+azure-1	-	31.01
Azure Kubernetes Service (AKS)	1.27.1	Linux	-	containerd://1.7.1+azure-1	-	31.00
Azure Kubernetes Service (AKS)	1.26.6	Windows		containerd://1.6.21+azure		31.01
Azure Kubernetes Service (AKS)	1.26.3	Windows		containerd://1.6.21+azure		31.00
Elastic Kubernetes Service (EKS)	v1.23.9-eks-ba74326	-	-	containerd://1.6.6	-	31.01
Elastic Kubernetes Service (EKS)	v1.24.7-eks-fb459a0	-	-	containerd://1.6.6	-	31.01
Elastic Kubernetes Service (EKS)	v1.25.12-eks-2d98532	-	-	containerd://1.6.6	-	31.01
Elastic Kubernetes Service (EKS)	v1.26.2-eks-a59e1f0	-	-	containerd://1.6.6	-	31.01
Elastic Kubernetes Service (EKS)	1.27.3	-	-	containerd://1.6.19	-	31.01
Elastic Kubernetes Service (EKS)	1.27.3	-	-	containerd://1.6.19	-	31.00
Elastic Kubernetes Service (EKS) Bottlerocket	1.27.3		-	containerd://1.6.20+bottlerocket	-	31.01
Elastic Kubernetes Service (EKS) Bottlerocket	1.27.3	-	-	containerd://1.6.20+bottlerocket	-	31.00
Elastic Container Service (ECS)	1.75.0	-	al2023-ami-ecs-hvm-2023.0.20230809-kernel-6.1-x86_64	Docker version: 20.10.23	-	31.01
Elastic Container Service (ECS)	1.74.1	-	al2023-ami-ecs-hvm-2023.0.20230720-kernel-6.1-x86_64	Docker version: 20.10.23	-	31.00
Google Kubernetes Engine (GKE)	v1.23.17-gke.10700			containerd://1.5.18		31.01
Google Kubernetes Engine (GKE)	v1.24.16-gke.500			containerd://1.6.20		31.01
Google Kubernetes Engine (GKE)	v1.25.12-gke.500			containerd://1.6.18		31.01
Google Kubernetes Engine (GKE)	v1.26.7-gke.500			containerd://1.6.18		31.01
Google Kubernetes Engine (GKE)	1.27.4-gke.904			containerd://1.7.6		31.01
Google Kubernetes Engine (GKE)	1.27.3-gke.100			containerd://1.7.0		31.00
Google Kubernetes Engine (GKE) autopilot	1.26.5-gke.1200	-	-	containerd://1.6.18	-	31.01	Custom Compliance and Prevent (Runtime) are not supported.
Google Kubernetes Engine (GKE) autopilot	1.26.5-gke.1200	-	-	containerd://1.6.18	-	31.00	Custom Compliance and Prevent (Runtime) are not supported.
Kubernetes (k8s)	1.28.1	-	-	containerd://1.6.22	-	31.01
Kubernetes (k8s)	1.27.4	-	-	containerd://1.6.22	-	31.00
Kubernetes (k8s)	1.28.1			cri-o://1.28.1	-	31.01
Kubernetes (k8s)	1.27.4			cri-o://1.27.1	-	31.00
Lightweight Kubernetes (k3s)	v1.27.4+k3s1			containerd://1.7.1-k3s1		31.00
Lightweight Kubernetes (k3s)	v1.27.4+k3s1			containerd://1.7.1-k3s1		31.00
OpenShift	4.11			cri-o://1.24.1-11.rhaos4.11.gitb0d2ef3.el8		31.01
OpenShift	4.12			cri-o://1.25.1-5.rhaos4.12.git6005903.el8		31.01
OpenShift	4.13.3			cri-o://1.26.3-9.rhaos4.13.git9232b13.el9		31.01
OpenShift	4.12	-	-	crio://1.25.1-5.rhaos4	-	31.00
VMware Tanzu Application Service (TAS)	4.00	Linux		-	-	31.01	Agentless scan not supported
VMware Tanzu Application Service (TAS)	4.00	Linux		-	-	31.00	Agentless scan not supported
VMware Tanzu Application Service (TAS)	4.00	Windows	-	-	-	31.01	Agentless scan not supported
VMware Tanzu Application Service (TAS)	4.00	Windows	-	-	-	31.00	Agentless scan not supported
VMware Tanzu Kubernetes Grid Multicloud (TKGM)	1.25.7+vmware.2	VMware Photon 3 OS/Linux	-	containerd:1.6.18-1	4.19.272.5.ph3	31.01	TKGM platform version: 1.6.0 Agentless scan not supported
VMware Tanzu Kubernetes Grid Multicloud (TKGM)	v1.23.8+vmware.2	VMware Photon 3 OS/Linux	-	containerd://1.6.6	4.19.247-7.ph3	31.00	TKGM platform version: 1.6.0 Agentless scan not supported
VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)	v1.26.5+vmware.1	Ubuntu 22.04.1 LTS		containerd://1.6.18-1-gdbc99e5b1	5.19.0-50-generic	31.01	TKGI platform version: 1.16.0 Agentless scan not supported
VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)	v1.25.10+vmware.1	Ubuntu 22.04.1 LTS		containerd://1.6.18	5.19.0-50-generic	31.00	TKGI platform version: 1.16.0 Agentless scan not supported
RKE2	1.27.4+rke2r1	-	-	containerd://1.7.1-k3s1	-	31.01
RKE2	1.27.4+rke2r1	-	-	containerd://1.7.1-k3s1	-	31.00
TalOS	1.26.3	-	-	containerd://1.6.23	6.1.46-talos	31.01	Agentless scan not supported
TalOS	1.26.3	-	-	containerd://1.6.21	6.1.41-talos	31.00	Agentless scan not supported

Supported Orchestrators on ARM64

Prisma Cloud supports the official releases of the following orchestrators for the ARM64 architecture.

Orchestrator	Version	Operating System	Image	Runtime	Kernel	Tested in
Elastic Container Service (ECS)	1.75.0	-	AMI-Name: al2023-ami-ecs-hvm-2023.0.20230809-kernel-6.1-arm64	Docker 20.10.23		31.01
Elastic Container Service (ECS)	1.74.1	-	AMI-Name: al2023-ami-ecs-hvm-2023.0.20230720-kernel-6.1-arm64	Docker 20.10.23		31.00
Elastic Kubernetes Service (EKS)	1.27.3	-	-	containerd: 1.6.19		31.01
Elastic Kubernetes Service (EKS)	1.27.3	-	-	containerd: 1.6.19		31.00
Google Kubernetes Engine (GKE) autopilot on ARM	1.26.5-gke.1400		-	containerd: 1.6.18	-	31.01
Google Kubernetes Engine (GKE) on ARM	1.27.3-gke.1700		-	containerd: 1.7.0	-	31.01
Google Kubernetes Engine (GKE) on ARM	1.27.3-gke.100		-	containerd: 1.7.0	-	31.00
Kubernetes	1.28.1	-	-	containerd: 1.6.21	-	31.01
Kubernetes	1.27.3	-	-	containerd: 1.6.21	-	31.00

Istio

Prisma Cloud supports Istio 1.16.1.

Jenkins

Prisma Cloud was tested with Jenkins 2.346.3 and the 2.361.4 container version.

The Prisma Cloud Jenkins plugin supports Jenkins LTS releases greater than 2.319.1. For any given release of Prisma Cloud, the plugin supports those Jenkins LTS releases supported by the Jenkins project at the time of the Prisma Cloud release.

The Jenkins plugin is not supported on ARM64 architecture.

Image Base Layers

Prisma Cloud can protect containers built on nearly any base layer operating system. Comprehensive Common Vulnerabilities and Exposures (CVE) data is provided for the following base layers for all versions except EOL versions:

Alpine

Amazon Linux container image

Amazon Linux 2

BusyBox

CentOS

Debian

Red Hat Enterprise Linux

SUSE

Ubuntu (LTS releases only)

Windows Server

If a CVE doesn’t have an architecture identifier, the CVE is related to all architectures.

Serverless Runtimes

Prisma Cloud offers multiple features to help you secure your serverless runtimes on AWS, Azure, and GCP. The following sections show the supported languages for each feature available for serverless scanning in each cloud service provider.

Vulnerability Scanning

Feature	Platform	Language	Versions	Conditions
Vulnerability scanning	AWS	Node.js	12	-
Vulnerability scanning	AWS	Node.js	14	-
Vulnerability scanning	AWS	Node.js	16	-
Vulnerability scanning	AWS	Node.js	18	-
Vulnerability scanning	Azure	Node.js	16	-
Vulnerability scanning	GCP	Node.js	6	-
Vulnerability scanning	AWS	Python	3.7	-
Vulnerability scanning	AWS	Python	3.8	-
Vulnerability scanning	AWS	Python	3.9	-
Vulnerability scanning	Azure	Python	3.8	-
Vulnerability scanning	GCP	Python	3.7	-
Vulnerability scanning	AWS	Java	8	-
Vulnerability scanning	AWS	Java	11	-
Vulnerability scanning	Azure	Java	8	-
Vulnerability scanning	AWS	Ruby	2.7	-
Vulnerability scanning	AWS	C#	3.1	Deprecated in 30.01

Compliance Scanning

Feature	Platform	Language	Versions	Conditions
Compliance scanning	AWS	Node.js	12	Full scans available
Compliance scanning	AWS	Node.js	14	Full scans available
Compliance scanning	AWS	Node.js	16	Full scans available
Compliance scanning	AWS	Node.js	18	Full scans available
Compliance scanning	AWS	Python	3.7	Full scans available
Compliance scanning	AWS	Python	3.8	Full scans available
Compliance scanning	AWS	Python	3.9	Full scans available
Compliance scanning	AWS	C#	3.1	Deprecated in 30.01
Compliance scanning	AWS	C#	5.0	Full scans available
Compliance scanning	AWS	C#	6.0	Full scans available
Compliance scanning	AWS	Java	8	Limited scans available
Compliance scanning	AWS	Java	11	Limited scans available
Compliance scanning	AWS	Ruby	2.7	Limited scans available
Compliance scanning	AWS	Go	1.x	Limited scans available
Compliance scanning	Azure	Python	3.8	Limited scans available
Compliance scanning	GCP	Python	3.7	Limited scans available

Runtime Protection with Defender

Feature	Platform	Language	Versions	Conditions
Runtime protection with Defender	AWS	Node.js	12
Runtime protection with Defender	AWS	Node.js	14
Runtime protection with Defender	AWS	Node.js	16
Runtime protection with Defender	AWS	Node.js	18
Runtime protection with Defender	AWS	Python	3.7
Runtime protection with Defender	AWS	Python	3.8
Runtime protection with Defender	AWS	Python	3.9
Runtime protection with Defender	AWS	Java	8
Runtime protection with Defender	AWS	Java	11
Runtime protection with Defender	AWS	C#	3.1	Deprecated in 30.01
Runtime protection with Defender	AWS	C#	6.0
Runtime protection with Defender	AWS	Ruby	2.7
Runtime protection with Defender	Azure	C#	6.0
Runtime protection with Defender	GCP	-	-	Not available

WaaS with Defender

Feature	Platform	Language	Versions	Conditions
WAAS with Defender	AWS	Node.js	14
WAAS with Defender	AWS	Node.js	16
WAAS with Defender	AWS	Node.js	18
WAAS with Defender	AWS	Python	3.7
WAAS with Defender	AWS	Python	3.8
WAAS with Defender	AWS	Python	3.9
WAAS with Defender	AWS	Python	"3.10"
WAAS with Defender	AWS	Ruby	2.7
WAAS with Defender	AWS	Java	8
WAAS with Defender	AWS	Java	11
WAAS with Defender	AWS	Java	11
WAAS with Defender	Azure	-	-	Not available
WAAS with Defender	GCP	-	-	Not available

Auto-Defend

Feature	Platform	Language	Versions	Conditions
Auto-Defend	AWS	Node.js	12
Auto-Defend	AWS	Node.js	14
Auto-Defend	AWS	Python	3.7
Auto-Defend	AWS	Python	3.8
Auto-Defend	AWS	Python	3.9
Auto-Defend	AWS	Ruby	2.7
Auto-Defend	Azure	-	-	Not available
Auto-Defend	GCP	-	-	Not available

Go

Prisma Cloud can detect vulnerabilities in Go executables for Go versions 1.13 and greater.

Shells

For Linux, Prisma Cloud depends on the Bash shell. For Windows, Prisma Cloud depends on PowerShell.

The shell environment variable DOCKER_CONTENT_TRUST should be set to 0 or unset before running any commands that interact with the Prisma Cloud cloud registry, such as Defender installs or upgrades.

Browsers

Prisma Cloud supports the latest versions of Chrome, Safari, and Edge.

For Microsoft Edge, only the new Chromium-based version (80.0.361 and later) is supported.

Cortex XDR

Prisma Cloud Defenders can work alongside Cortex XDR agents. Currently, users need to manually add exceptions in Console for both agents to work together. In a future release, there will be out-of-the-box support for co-existence. Users can disable the Defender runtime defense when a Cortex XDR agent is present.

To allow for both the solutions to co-exist:

Add the Cortex agent as a trustable executable. For more information, see to Creating a trusted executable.

Suppress runtime alerts from the Cortex agent by adding custom runtime rules that allow the Cortex agent process and file path.

Getting started

Cluster Context

Prisma Cloud Administrator’s Guide (Compute)

System Requirements