Document:Prisma Cloud Administrator’s Guide (Compute)

Deploy WAAS for Containers

Download PDF

Search the Table of Contents

Welcome
- Getting started
- Compute SaaS maintenance updates
- NAT gateway IP addresses
- Product architecture
- Support lifecycle
- Security Assurance Policy on Prisma Cloud Compute
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System Requirements
- Prisma Cloud container images
- Kubernetes
- OpenShift v4
- Amazon ECS
- Windows
- Defender types
- Cluster Context
- Install Defender
Upgrade
- Support lifecycle for connected components
- Upgrade process
- Kubernetes
- OpenShift
- Helm charts
- Amazon ECS
- Manually upgrade single Container Defenders
- Manually upgrade Defender DaemonSets
- Manually upgrade Defender DaemonSets (Helm)
Technology overviews
- Intelligence Stream
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Host Defender architecture
- TLS v1.2 cipher suites
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure Agentless Scanning
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Customize terminal output
- Collections
- Tags
- WildFire settings
- Log Scrubbing
- Permissions by feature
Authentication
- Access keys
- Prisma Cloud Compute User Roles
- Compute user roles
- Assign roles
- Credentials store
- Cloud accounts
Vulnerability management
- Prisma Cloud vulnerability feed
- Vulnerability Explorer
- Vulnerability management rules
- Search CVEs
- Scan reports
- Scanning procedure
- Customize image scanning
- Configure Registry Scans
- Registry scanning
  - Scan images in Alibaba Cloud Container Registry
  - Scan images in Amazon EC2 Container Registry (ECR)
  - Scan images in Azure Container Registry (ACR)
  - Scan images in Docker Registry v2 (including Docker Hub)
  - Scan images in Google Artifact Registry
  - Scan images in Google Container Registry (GCR)
  - Scan images in Harbor Registry
  - Scan images in IBM Cloud Container Registry
  - Scan images in Artifactory Docker Registry
  - Scan Images in Sonatype Nexus Registry
  - Scan images in OpenShift integrated Docker registry
  - Trigger registry scans with Webhooks
- Base images
- Configure VM image scanning
- Configure code repository scanning
- Agentless scanning
- Malware scanning
- Vulnerability risk tree
- Detect vulnerabilities in unpackaged software
- CVSS scoring
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu blobstore scanning
- Scan App-Embedded workloads
- Troubleshoot vulnerability detection
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- Cloud discovery
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for serverless functions
- Runtime defense for App-Embedded
- Event Aggregation
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Image analysis sandbox
- Incident Explorer
- Incident types
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Deploy WAAS
- Web-Application and API Security (WAAS)
- WAAS Explorer
- App Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API observations
- API definition scan
- WAAS custom rules
- Detecting unprotected web apps
- WAAS Log Scrubbing
Firewalls
- Cloud Native Network Firewall (CNNF)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts
- ServiceNow alerts
- Slack Alerts
- Splunk alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan images with twistcli
- Scan code repos with twistcli
- Scan Infrastructure as Code (IaC)
Deployment patterns
- Best practices for DNS and certificate management
- Storage limits for audits and reports
- Performance planning
API
Howto
- Disable automatic learning
- Debug data

Deploy WAAS for Containers

Edit on GitHub

Create a WAAS rule for Containers

Open Console, and go to Defend > WAAS > *Container
.

Click Add Rule
.

Enter a Rule Name
and Notes
(Optional) for describing the rule.

Choose the rule Scope
by specifying the resource collection(s) to which it applies.

Collections define a combination of image names and one or more elements to which WAAS should attach itself to protect the web application:

Applying a rule to all images using a wild card (*) is invalid - instead, only specify your web application images.

(Optional) Enable Automatically detect ports
for an endpoint to protect the ports identified in the unprotected web apps report Monitor > WAAS > Unprotected web apps
for each of the workloads in the rule scope.

As an additional measure, you can specify additional ports by specifying them in the protected HTTP endpoints within each app to also include the ports that may not have been detected automatically.

(Optional) Enable API endpoint discovery
.

When enabled, the Defender inspects the API traffic to and from the protected API. Defender reports a list of the endpoints and their resource path in Compute > Monitor > WAAS > API observations > Out-of-band observations.

By enabling both Automatically detect ports
and API endpoint discovery
, you can monitor your API endpoints and ports without having to add an application and without configuring any policies.

Save
the rule.

Add an App (policy) to the rule

Select a WAAS container rule to add an App in.

Click Add app
.

In App Definition
, specify the endpoints in your web application that should be protected.

Each defined application can have multiple protected endpoints. If you have a Swagger or OpenAPI file, click Import
, and select the file to load. Otherwise, skip to the next step to manually define your application’s endpoints.

If you do not have a Swagger or OpenAPI file, manually define each endpoint by specifying the host, port, and path.

In the Endpoint setup
tab, click Add Endpoint
.

Enter HTTP host
(optional, wildcards supported).

HTTP host names are specified in the form of [hostname]:[external port].

External port is defined as the TCP port on the host, listening for inbound HTTP traffic. If the the value of the external port is "80" for non-TLS endpoints or "443" for TLS endpoints it can be omitted. Examples: "*.example.site", "docs.example.site", "www.example.site:8080", etc.

Enter App ports
(optional, if you selected Automatically detect ports
while creating the rule).

When Automatically detect ports
is selected, any ports specified in a protected endpoint definition will be appended to the list of protected ports.

Specify the TCP port listening for inbound HTTP traffic.

If your application uses TLS
or gRPC
, you must specify a port number.

Enter Base path
(optional, wildcards supported):

Base path for WAAS to match on, when applying protections.

Examples: "/admin", "/" (root path only), "/*", /v2/api", etc.

If your application uses TLS, set TLS
to On
.

If your application uses HTTP/2, set HTTP/2
to On
.

WAAS must be able to decrypt and inspect HTTPS traffic to function properly.

If your application uses gRPC, set gRPC
to On
.

Click Response headers
to add or override HTTP response headers in responses sent from the protected application.

Click Create Endpoint
.

To facilitate inspection, after creating all endpoints, click View TLS settings
in the endpoint setup menu.

TLS settings:

Certificate
- Copy and paste your server’s certificate and private key into the certificate input box (e.g., cat server-cert.pem server-key > certs.pem).

Minimum TLS version
- A minimum version of TLS can be enforced by WAAS to prevent downgrading attacks (the default value is TLS 1.2).

HSTS
- The HTTP Strict-Transport-Security (HSTS) response header lets web servers tell browsers to use HTTPS only, not HTTP. When enabled, WAAS would add the HSTS response header to all HTTPS server responses (if it is not already present) with the preconfigured directives - max-age, includeSubDomains, and preload.

max-age=<expire-time> - Time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.

includeSubDomains (optional) - If selected, HSTS protection applies to all the site’s subdomains as well.

preload (optional) - For more details, see the following link.

If your application requires [API protection], select the API Protection
tab and define for each path the allowed methods, parameters, types, etc. See detailed definition instructions on the [API protection] help page.

Continue to App Firewall
tab, select protections to enable and assign them with WAAS Actions.

Continue to Access Control
tab and select access controls to enable.

Continue to DoS protection
tab and configure DoS protection thresholds.

Continue to Bot protection
tab and select bot protections to enable.

Click Save
.

You should be redirected to the Rule Overview
page.

Select the created new rule to display Rule Resources
and for each application a list of protected endpoints
and enabled protections
.

Test protected endpoint using the following sanity tests.

Go to Monitor > Events
, click on WAAS for containers
and observe events generated.

For more information please see the WAAS analytics help page.

Document:Prisma Cloud Administrator’s Guide (Compute)

Deploy WAAS for Containers

Table of Contents

Deploy WAAS for Containers

Create a WAAS rule for Containers

Add an App (policy) to the rule

Most Popular

Recommended For You

Document:Prisma Cloud Administrator’s Guide (Compute)

Deploy WAAS for Containers

Table of Contents

Deploy WAAS for Containers

Create a WAAS rule for Containers

Add an App (policy) to the rule

Most Popular

Recommended For You

Recommended Videos