Prisma Cloud Administrator’s Guide (Compute)
    : Deploy WAAS for Containers Protected By App-Embedded Defender
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Administrator’s Guide (Compute)
    5. WAAS
    6. Deploy WAAS
    7. Deploy WAAS for Containers Protected By App-Embedded Defender
    Download PDF

    Prisma Cloud Administrator’s Guide (Compute)

    Deploy WAAS for Containers Protected By App-Embedded Defender

    Table of Contents

    Deploy WAAS for Containers Protected By App-Embedded Defender

    In some environments, Prisma Cloud Defender must be embedded directly inside the container it is protecting. This type of Defender is known as an App-Embedded Defender. App-Embedded Defender can secure these types of containers with all WAAS protection capabilities.
    The only difference is that App-Embedded Defender runs as a reverse proxy to the container it’s protecting. As such, when you set up WAAS for App-Embedded, you must specify the exposed external port where App-Embedded Defender can listen, and the port (not exposed to the Internet) where your web application listens. WAAS for App-Embedded forwards the filtered traffic to your application’s port - unless an attack is detected and you set your WAAS for App-Embedded rule to
    Prevent
    .
    When testing your Prisma Cloud-protected container, be sure you update the security group’s inbound rules to permit TCP connections on the external port you entered in the WAAS rule. This is the exposed port that allows you to access your web application’s container. To disable WAAS protection, disable the WAAS rule, and re-expose the application’s real port by modifying the security group’s inbound rule.
    To embed App-Embedded WAAS into your container or Fargate task:

    Create a Rule for App-Embedded

    1. Open Console, and go to
      Defend > WAAS > App-Embedded
      .
    2. Select
      Add rule
      .
    3. Enter a
      Rule name
       and
      Notes
       (Optional) for describing the rule.
    4. Choose the rule
      Scope
       by specifying the resource collection(s) to which it applies.
      Collections define a combination of App IDs to which WAAS should attach itself to protect the web application:
    5. (Optional) Enable
      API endpoint discovery
      .
      When enabled, the Defender inspects the API traffic to and from the protected API. Defender reports a list of the endpoints and their resource path in
      Compute > Monitor > WAAS > API discovery
      .
    6. Save
       the rule.

    Add an App (policy) to the rule

    1. Select a WAAS rule to add an App in.
    2. Select
      Add app
      .
    3. In the
      App Definition
       tab, enter an
      App ID
      .
      The combination of
      Rule name
       and
      App ID
       must be unique across In-Line and Out-Of-Band WAAS policies for Containers, Hosts, and App-Embedded.
      If you have a Swagger or OpenAPI file, click
      Import
      , and select the file to load.
      If you do not have a Swagger or OpenAPI file, manually define each endpoint by specifying the host, port, and path.
      1. In
        Endpoint Setup
        , click
        Add Endpoint
        .
        Specify endpoint in your web application that should be protected. Each defined application can have multiple protected endpoints.
      2. Enter
        HTTP host
         (optional, wildcards supported).
        HTTP hostnames are specified in the form of [hostname]:[external port].
        The external port is defined as the TCP port on the host, listening for inbound HTTP traffic. If the value of the external port is "80" for non-TLS endpoints or "443" for TLS endpoints it can be omitted. Examples: "*.example.site", "docs.example.site", "www.example.site:8080", etc.
      3. Enter
        App ports
         as the internal port your app listens on. Specify the TCP port listening for inbound HTTP traffic.
        If your application uses
        TLS
         or
        gRPC
        , you must specify a port number.
      4. Enter
        Base path
         (optional, wildcards supported):
        Base path for WAAS to match when applying protections.
        Examples: "/admin", "/" (root path only), "/*", /v2/api", etc.
      5. Enter
        WAAS port (only required for Windows, App-Embedded or when using "Remote host" option)
         as the external port WAAS listens on. The external port is the TCP port for the App-Embedded Defender to listen on for inbound HTTP traffic.
      6. If your application uses TLS, set
        TLS
         to
        On
        .
        You can select the TLS protocol (1.0, 1.1, 1.2, and 1.3 for WAAS In-Line, and 1.0, 1.1, and 1.2 for WAAS Out-Of-Band) to protect the API endpoint and enter the TLS certificate in PEM format.
        Limitations
        1. TLS connections using extended_master_secret(23) in the negotiation are not supported as part of this feature.
        2. DHKE is not supported due to a lack of information required to generate the encryption key.
        3. Out-of-Band does not support HTTP/2 protocol.
        4. TLS inspection for Out-of-Band WAAS is not supported on earlier versions of Console and Defender.
          • If your application uses HTTP/2, set
            HTTP/2
             to
            On
            .
            WAAS must be able to decrypt and inspect HTTPS traffic to function properly.
          • If your application uses gRPC, set
            gRPC
             to
            On
            .
      7. You can select
        Response headers
         to add or override HTTP response headers in responses sent from the protected application.
      8. Select
        Create response header
        .
      9. To facilitate inspection, after creating all endpoints, click
        View TLS settings
         in the endpoint setup menu.
        WAAS TLS settings:
        • Certificate
           - Copy and paste your server’s certificate and private key into the certificate input box (e.g., cat server-cert.pem server-key > certs.pem).
        • Minimum TLS version
           - A minimum version of TLS can be enforced by WAAS In-Line to prevent downgrading attacks (the default value is TLS 1.2).
        • HSTS
           - The HTTP Strict-Transport-Security (HSTS) response header lets web servers tell browsers to use HTTPS only, not HTTP. When enabled, WAAS would add the HSTS response header to all HTTPS server responses (if it is not already present) with the preconfigured directives - max-age, includeSubDomains, and preload.
          1. max-age=<expire-time> - Time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
          2. includeSubDomains (optional) - If selected, HSTS protection applies to all the site’s subdomains as well.
          3. preload (optional) - For more details, see the following link.
      10. If you application requires API protection, for each path define the allowed methods and the parameters.
    4. Continue to
      App Firewall
       settings, select the protections to enable and assign them with WAAS Actions.
    5. Configure the DoS protection thresholds.
    6. Continue to
      Access Control
       tab and select access controls to enable.
    7. Select the bot protections you want to enable.
    8. Select the required Custom rules.
    9. Proceed to Advanced settings for more WAAS controls.
    10. Select
      Save
      .
    11. The
      Rule Overview
       page shows all the WAAS rules created.
      Select a rule to display the
      Rule Resources
      , and for each application a list of protected endpoints and the protections enabled for each endpoint are displayed.
    12. Test protected endpoint using the following sanity tests.
    13. Go to
      Monitor > Events
      , click on
      WAAS for containers/hosts/App-Embedded
      , and observe the events generated.
      For more information, see the WAAS analytics help page

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.