Deploy WAAS In-Line for Containers
Table of Contents
Prisma Cloud Enterprise Edition
Expand all | Collapse all
-
- Getting started
- System Requirements
- Cluster Context
-
- Defender Types
- Manage your Defenders
- Redeploy Defenders
- Uninstall Defenders
-
- Deploy Orchestrator Defenders on Amazon ECS
- Automatically Install Container Defender in a Cluster
- Deploy Prisma Cloud Defender from the GCP Marketplace
- Deploy Defenders as DaemonSets
- VMware Tanzu Application Service (TAS) Defender
- Deploy Defender on Google Kubernetes Engine (GKE)
- Google Kubernetes Engine (GKE) Autopilot
- Deploy Defender on OpenShift v4
- Deploy Defender with Declarative Object Management
-
- Agentless Scanning Modes
-
- Onboard AWS Accounts for Agentless Scanning
- Configure Agentless Scanning for AWS
- Onboard Azure Accounts for Agentless Scanning
- Configure Agentless Scanning for Azure
- Onboard GCP Accounts for Agentless Scanning
- Configure Agentless Scanning for GCP
- Onboard Oracle Cloud Infrastructure (OCI) Accounts for Agentless Scanning
- Configure Agentless Scanning for Oracle Cloud Infrastructure (OCI)
- Agentless Scanning Results
-
- Rule ordering and pattern matching
- Backup and Restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with Certificates
- Customize terminal output
- Collections
- Tags
- WildFire Settings
- Log Scrubbing
- Permissions by feature
-
- Prisma Cloud Vulnerability Feed
- Scanning Procedure
- Vulnerability Management Policies
- Vulnerability Scan Reports
- Scan Images for Custom Vulnerabilities
- Base images
- Vulnerability Explorer
- CVSS scoring
- CVE Viewer
-
- Configure Registry Scans
- Scan Images in Alibaba Cloud Container Registry
- Scan Images in Amazon Elastic Container Registry (ECR)
- Scan images in Azure Container Registry (ACR)
- Scan Images in Docker Registry v2 (including Docker Hub)
- Scan Images in GitLab Container Registry
- Scan images in Google Artifact Registry
- Scan Images in Google Container Registry (GCR)
- Scan Images in Harbor Registry
- Scan Images in IBM Cloud Container Registry
- Scan Images in JFrog Artifactory Docker Registry
- Scan Images in Sonatype Nexus Registry
- Scan images in OpenShift integrated Docker registry
- Scan Images in CoreOS Quay Registry
- Trigger Registry Scans with Webhooks
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Windows container image scanning
- Serverless Functions Scanning
- VMware Tanzu Blobstore Scanning
- Scan App-Embedded workloads
- Troubleshoot Vulnerability Detection
-
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Malware Scanning
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- OSS license management
-
- Alert Mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts for Security Incident Response
- ServiceNow alerts for Vulnerability Response
- Slack Alerts
- Splunk Alerts
- Webhook alerts
- API
Deploy WAAS In-Line for Containers
Create a WAAS In-Line rule for Containers
- Open Console, and go toDefend > WAAS > {Container|Host} > In-Line.
- SelectAdd rule.
- Enter aRule Name
- EnterNotes(Optional) for describing the rule.
- Choose the ruleScopeby specifying the resource collection(s) to which it applies.Collections define a combination of image names and one or more elements to which WAAS should attach itself to protect the web application:Applying a rule to all images using a wild card (*) is invalid - instead, only specify your web application images.
- (Optional) EnableAPI endpoint discoveryWhen enabled, the Defender inspects the API traffic to and from the protected API. Defender reports a list of the endpoints and their resource path inCompute > Monitor > WAAS > API discovery.
- (Optional) EnableAutomatically detect portsfor an endpoint to deploy WAAS protection on ports identified in the unprotected web apps report inMonitor > WAAS > Unprotected web appsfor each of the workloads in the rule scope.As an additional measure, you can specify additional ports by specifying them in the protected HTTP endpoints within each app to also include the ports that may not have been detected automatically.By enabling bothAutomatically detect portsandAPI endpoint discovery, you can monitor your API endpoints and ports without having to add an application and without configuring any policies.
- Savethe rule.
Add an App (policy) to the rule
- Select a WAAS rule to add an App in.
- SelectAdd app.
- In theApp Definitiontab, enter anApp ID.The combination ofRule nameandApp IDmust be unique across In-Line and Out-Of-Band WAAS policies for Containers, Hosts, and App-Embedded.If you have a Swagger or OpenAPI file, clickImport, and select the file to load.If you do not have a Swagger or OpenAPI file, manually define each endpoint by specifying the host, port, and path.
- InEndpoint Setup, clickAdd Endpoint.Specify endpoint in your web application that should be protected. Each defined application can have multiple protected endpoints.
- EnterHTTP host(optional, wildcards supported).HTTP hostnames are specified in the form of [hostname]:[external port].The external port is defined as the TCP port on the host, listening for inbound HTTP traffic. If the value of the external port is "80" for non-TLS endpoints or "443" for TLS endpoints it can be omitted. Examples: "*.example.site", "docs.example.site", "www.example.site:8080", etc.
- EnterApp portsas the internal port your app listens on.(You can skip to enter App ports, if you selectedAutomatically detect portswhile creating the rule).WhenAutomatically detect portsis selected, any ports specified in a protected endpoint definition will be appended to the list of protected ports. Specify the TCP port listening for inbound HTTP traffic.If your application usesTLSorgRPC, you must specify a port number.
- EnterBase path(optional, wildcards supported):Base path for WAAS to match when applying protections.Examples: "/admin", "/" (root path only), "/*", /v2/api", etc.
- If your application uses TLS, setTLStoOn.You can select the TLS protocol (1.0, 1.1, 1.2, and 1.3 for WAAS In-Line, and 1.0, 1.1, and 1.2 for WAAS Out-Of-Band) to protect the API endpoint and enter the TLS certificate in PEM format.Limitations
- TLS connections using extended_master_secret(23) in the negotiation are not supported as part of this feature.
- DHKE is not supported due to a lack of information required to generate the encryption key.
- Out-of-Band does not support HTTP/2 protocol.
- TLS inspection for Out-of-Band WAAS is not supported on earlier versions of Console and Defender.
- If your application uses HTTP/2, setHTTP/2toOn.WAAS must be able to decrypt and inspect HTTPS traffic to function properly.
- If your application uses gRPC, setgRPCtoOn.
- You can selectResponse headersto add or override HTTP response headers in responses sent from the protected application.
- SelectCreate response header.
- To facilitate inspection, after creating all endpoints, clickView TLS settingsin the endpoint setup menu.WAAS TLS settings:
- Certificate- Copy and paste your server’s certificate and private key into the certificate input box (e.g., cat server-cert.pem server-key > certs.pem).
- Minimum TLS version- A minimum version of TLS can be enforced by WAAS In-Line to prevent downgrading attacks (the default value is TLS 1.2).
- HSTS- The HTTP Strict-Transport-Security (HSTS) response header lets web servers tell browsers to use HTTPS only, not HTTP. When enabled, WAAS would add the HSTS response header to all HTTPS server responses (if it is not already present) with the preconfigured directives - max-age, includeSubDomains, and preload.
- max-age=<expire-time> - Time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
- includeSubDomains (optional) - If selected, HSTS protection applies to all the site’s subdomains as well.
- If you application requires API protection, for each path define the allowed methods and the parameters.
- Continue toApp Firewallsettings, select the protections to enable and assign them with WAAS Actions.
- Configure the DoS protection thresholds.
- Continue toAccess Controltab and select access controls to enable.
- Select the bot protections you want to enable.
- Select the required Custom rules.
- Proceed to Advanced settings for more WAAS controls.
- SelectSave.
- TheRule Overviewpage shows all the WAAS rules created.Select a rule to display theRule Resources, and for each application a list of protected endpoints and the protections enabled for each endpoint are displayed.
- Test protected endpoint using the following sanity tests.
- Go toMonitor > Events, click onWAAS for containers/hosts/App-Embedded, and observe the events generated.For more information, see the WAAS analytics help page