Deploy WAAS for Containers Protected By App-Embedded Defender

In some environments, Prisma Cloud Defender must be embedded directly inside the container it is protecting. This type of Defender is known as an App-Embedded Defender. App-Embedded Defender can secure these types of containers with all WAAS protection capabilities.
The only difference is that App-Embedded Defender runs as a reverse proxy to the container it’s protecting. As such, when you set up WAAS for App-Embedded, you must specify the exposed external port where App-Embedded Defender can listen, and the port (not exposed to the Internet) where your web application listens. WAAS for App-Embedded forwards the filtered traffic to your application’s port - unless an attack is detected and you set your WAAS for App-Embedded rule to
Prevent
.
When testing your Prisma Cloud-protected container, be sure you update the security group’s inbound rules to permit TCP connections on the external port you entered in the WAAS rule. This is the exposed port that allows you to access your web application’s container. To disable WAAS protection, disable the WAAS rule, and re-expose the application’s real port by modifying the security group’s inbound rule.
To embed App-Embedded WAAS into your container or Fargate task:

Create a rule for App-Embedded

  1. Open Console, and go to
    Defend > WAAS > *App-Embedded
    .
  2. Click
    Add rule
    .
  3. Enter a
    Rule Name
    and
    Notes
    (Optional) for describing the rule.
  4. Choose the rule
    Scope
    by specifying the resource collection(s) to which it applies.
    Collections define a combination of App IDs to which WAAS should attach itself to protect the web application:
  5. Save
    the rule.

Add an App (policy) for App-Embedded

  1. Select a WAAS App-Embedded rule to add an App in.
  2. Click
    Add app
    .
  3. In the App Definition tab, specify the endpoints in your web application that should be protected. Each defined application can have multiple protected endpoints. If you have a Swagger or OpenAPI file, click Import, and select the file to load. Otherwise, skip to the next step to manually define your app’s endpoints.
  4. If you don’t have a Swagger or OpenAPI file, manually define each endpoint by specifying the host, port, and path.
    1. In the
      Endpoint Setup
      tab, click on
      Add Endpoint
      .
    2. Specify endpoint details:
    3. Enter
      App port (required)
      Specify the TCP port protected app listens on, WAAS sends traffic to your app over this port.
    4. Enter
      WAAS Port (required)
      .
      The external port is the TCP port for the App-Embedded Defender to listen on for inbound HTTP traffic.
    5. Enter
      HTTP host
      (optional, wildcards supported).
      HTTP host names are specified in the form of [hostname]:[external port].
      The external port is defined as the TCP port on the host, listening for inbound HTTP traffic. If the value of the external port is "80" for non-TLS endpoints or "443" for TLS endpoints it can be omitted. Examples: "*.example.com", "docs.example.com", "www.example.com:8080", etc.
    6. Enter
      Base path
      (optional, wildcards supported):
      Base path for WAAS to match on when applying protections.
      Examples: "/admin/", "/" (root path only), "/*", /v2/api/", etc.
    7. If your application uses TLS, set
      TLS
      to
      On
      .
      WAAS must be able to decrypt and inspect HTTPS traffic to function properly.
      To facilitate that, after creating all endpoints click on
      View TLS settings
      in the endpoint setup menu
      TLS settings:
      1. Certificate
        - Copy and paste your server’s certificate and private key into the certificate input box (e.g. cat server-cert.pem server-key > certs.pem).
      2. Minimum TLS version
        - A minimum version of TLS can be enforced by WAAS to prevent downgrading attacks (the default value is "1.2").
      3. HSTS
        - The HTTP Strict-Transport-Security (HSTS) response header lets web servers tell browsers to use HTTPS only, not HTTP. When enabled, WAAS adds the HSTS response header to all HTTPS server responses (if not already present) with the preconfigured directives - max-age, includeSubDomains, and preload.
        • max-age=<expire-time> - The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
        • includeSubDomains (optional) - If selected this HSTS protection applies to all of the site’s subdomains as well.
        • preload (optional) - for more details please refer to the following link.
    8. If your application uses gRPC, set
      gRPC
      to
      On
      .
    9. If your application uses HTTP/2, set
      HTTP/2
      to
      On
      .
    10. Click
      Create Endpoint
    11. If your application requires API protection, select the "API Protection" tab and define for each path allowed methods, parameters, types, etc. See detailed definition instructions in the API protection help page.
    12. Click on the
      Response headers
      tab to add or override HTTP response headers in responses sent from the protected application.
  5. Continue to
    App Firewall
    tab, select protections to enable and assign them with actions.
  6. Continue to
    Access Control
    tab and select access controls to enable.
  7. Continue to
    DoS protection
    tab and configure DoS protection thresholds.
  8. Continue to
    Bot protection
    tab and select bot protections to enable.
  9. Click
    Save
    .
  10. You should be redirected to the
    Rule Overview
    page.
    Select the new rule to display
    Rule Resources
    and for each application a list of
    protected endpoints
    and
    enabled protections
    .
  11. Test protected container using the following sanity tests.
  12. Go to
    Monitor > Events
    , click on
    WAAS for App-Embedded
    and observe the events generated.
    For more information please see the WAAS analytics help page

Recommended For You