Deploy WAAS Agentless

WAAS agentless rules inspect HTTP requests and responses from a mirror of the traffic and raise WAAS detections on what they see. To limit CPU utilization, the Prisma Cloud scanner samples only a subset of the mirrored data in order to discover APIs; it does not inspect the request body, sensitive request data, or response data.
WAAS can observe a mirror of HTTP traffic flowing to and from AWS EC2 instances even when those instances are not protected by a Prisma Cloud Compute Defender.
The VPC Observer is an EC2 instance running a Host Defender that acts as the VPC Traffic Mirroring target. It is deployed on a separate instance in the same VPC as the unprotected source instances and receives their traffic out of band. The Observer inspects the mirrored traffic and sends audits for any events it identifies to the Prisma Cloud Console. Because it sees only a copy of the traffic, it can alert but cannot block.
To set up WAAS agentless with VPC traffic mirroring, specify the EC2 instances to mirror (by exact name, wildcard, or tag) in a VPC, the ports to mirror, and the other AWS parameters in a VPC traffic mirroring rule. For each VPC traffic mirroring rule, a VPC Observer (an EC2 instance running a Host Defender) is created in the VPC to receive the mirrored traffic.
Monitoring applications with WAAS agentless through VPC traffic mirroring is subject to the limitations, quotas, and checksum-offloading behavior described in the AWS VPC Traffic Mirroring documentation.

Prerequisites

  • To configure WAAS agentless with AWS VPC traffic mirroring, apply the permissions template whose name ends in agentless_app_firewall_permissions_template.yaml in the AWS CloudFormation console for your account. For instructions on deploying CloudFormation templates, refer to the AWS documentation.
    The Amazon EC2 Auto Scaling permissions are included in this CloudFormation permissions template.
    Before deploying, edit the template and replace the "USER-agentless-app-firewall" value with the name of the IAM user that should receive these permissions. Use the same user whose access key you register in Prisma Cloud in the next step, so that the permissions stay scoped to that single identity.
    WAAS agentless permissions policies created in AWS:
    WAAS agentless resources stack deployed in AWS:
  • Create an AWS cloud account under Compute > Manage > Cloud accounts using the access key of that AWS user. Cloud discovery must be enabled on the cloud account so that the EC2 instances to mirror can be discovered.

Create a WAAS Agentless Rule for VPC Traffic Mirroring

To deploy WAAS agentless with VPC traffic mirroring, create a new rule, configure the VPC, define the application endpoints, and select the protections.
  1. Create a WAAS rule under Defend > WAAS > Agentless > Add rule.
  2. Enter a Rule Name and, optionally, Notes describing the rule.
  3. Add a VPC Configuration so that mirrored traffic can flow from the source instances to the Prisma Cloud Observer deployed on the target instance.
    1. Select the Console address, the hostname of the Console that the Observer connects to. It must be reachable from inside the VPC.
    2. Select the credentials of the AWS Cloud account that you configured under Manage > Cloud accounts.
    3. Choose the AWS Region in which the VMs to mirror are located.
    4. Enter the VPC ID in which to look for instances to mirror and in which to deploy the Observer.
    5. Enter the VPC Subnet ID. Only instances in this subnet are considered for mirroring, and the Observer is deployed in it.
    6. Specify the Tags identifying the EC2 instances to mirror, in any of the following formats:
      1. <key:value> = Match tags by key and value.
      2. <key:> = Match tags with the given key and an empty value (AWS allows a tag with just a key and an empty string as value).
      3. * = Match all tags.
    7. Enter Instance names, or wildcard patterns, identifying the EC2 instances to mirror. Instances are selected by their tags together with their instance names.
    8. Enter the Ports to mirror. You can enter at most 5 ports; port ranges are not supported, so list each port individually.
    9. Select the Observer Instance type to use for the VPC Observer EC2 instance.
    10. Enable Auto scaling to scale the number of WAAS Observers automatically with large traffic volumes or sudden drops in traffic. You can set the maximum number of instances between 1 and 10.
    11. Select Add.
      Deployment uses a dynamically constructed AWS CloudFormation template that is applied programmatically through the CloudFormation API. The WAAS rule is not applied immediately; it passes through the stages described under VPC Configuration Status while the VPC configuration is deployed in AWS. You can track the deployment in the AWS CloudFormation stack and in the Prisma Cloud Console.
  4. (Optional) Toggle API endpoint discovery on.
    When enabled, the Observer inspects the mirrored traffic to and from the remote applications and reports the discovered endpoints and their resource paths under Compute > Monitor > WAAS > API discovery.
  5. Save the rule.
    A scheduled scan runs every hour to check for new and deleted EC2 instances matching the instance names and tags in the VPC configuration. If the list of EC2 instances to mirror has changed, the AWS VPC traffic mirroring setup is updated accordingly.
    To force a scan, click Update.
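The instance selection performed by steps 6 through 8 above, as an added example that is not Prisma Cloud's own code: it applies the tag filter formats, instance-name wildcards, and the 5-port limit from this page to a constructed EC2 inventory. It assumes that both the tag filter and the name filter must match for an instance to be selected (the page does not say how the two are combined), that name wildcards are shell-style, and it additionally skips T2 instances, which the Limitations section says cannot be traffic mirror sources.

```python
"""Select EC2 instances for a WAAS agentless VPC traffic mirroring rule.

Added example; not Prisma Cloud code. It reproduces the matching rules the
page describes for the Tags and Instance names fields and the 5-port limit.
Assumptions (not stated on the page): both the tag filter and the name filter
must match, tag keys/values match exactly, and name wildcards are shell-style
(fnmatch). The inventory below is constructed to resemble a trimmed
`aws ec2 describe-instances` result; none of the IDs are real.
"""
from fnmatch import fnmatchcase

MAX_MIRROR_PORTS = 5  # page: at most 5 ports per rule, no ranges

# Constructed sample inventory (not real instances).
INSTANCES = [
    {"InstanceId": "i-0a1", "VpcId": "vpc-1", "SubnetId": "subnet-1", "InstanceType": "m5.large",
     "Tags": [{"Key": "Name", "Value": "web-prod-1"}, {"Key": "env", "Value": "prod"}]},
    {"InstanceId": "i-0a2", "VpcId": "vpc-1", "SubnetId": "subnet-1", "InstanceType": "t2.micro",
     "Tags": [{"Key": "Name", "Value": "web-prod-2"}, {"Key": "env", "Value": "prod"}]},
    {"InstanceId": "i-0a3", "VpcId": "vpc-1", "SubnetId": "subnet-2", "InstanceType": "m5.large",
     "Tags": [{"Key": "Name", "Value": "web-prod-3"}, {"Key": "env", "Value": "prod"}]},
    {"InstanceId": "i-0a4", "VpcId": "vpc-1", "SubnetId": "subnet-1", "InstanceType": "m5.large",
     "Tags": [{"Key": "Name", "Value": "web-stage-1"}, {"Key": "env", "Value": "stage"},
              {"Key": "mirror", "Value": ""}]},
]


def tag_filter_matches(tag_filter, tags):
    """Tag filter formats from the page: 'key:value', 'key:' (key, empty value), '*'."""
    if tag_filter == "*":
        return True
    key, _, value = tag_filter.partition(":")
    return any(t["Key"] == key and t["Value"] == value for t in tags)


def instance_name(inst):
    """AWS shows the 'Name' tag as the instance name."""
    return next((t["Value"] for t in inst["Tags"] if t["Key"] == "Name"), "")


def validate_ports(ports):
    """Enforce the page's port constraints: max 5, single ports only, no ranges."""
    if len(ports) > MAX_MIRROR_PORTS:
        raise ValueError(f"at most {MAX_MIRROR_PORTS} ports per rule")
    for p in ports:
        if not isinstance(p, int) or not 1 <= p <= 65535:
            raise ValueError(f"invalid port {p!r}: ranges are not supported, list each port")
    return sorted(set(ports))


def select_instances(inventory, vpc_id, subnet_id, tag_filter, name_pattern, ports):
    """Return (IDs the rule would mirror, instances matched but skipped with a reason).

    Skipped: matching instances of a T2 type, which AWS does not support as
    traffic mirror sources (page: T2 is not supported). Instances outside the
    selected VPC/subnet are never considered at all.
    """
    validate_ports(ports)
    selected, skipped = [], {}
    for inst in inventory:
        if inst["VpcId"] != vpc_id or inst["SubnetId"] != subnet_id:
            continue
        if not tag_filter_matches(tag_filter, inst["Tags"]):
            continue
        if not fnmatchcase(instance_name(inst), name_pattern):
            continue
        if inst["InstanceType"].startswith("t2."):
            skipped[inst["InstanceId"]] = "t2 instance type cannot be a mirror source"
            continue
        selected.append(inst["InstanceId"])
    return selected, skipped


if __name__ == "__main__":
    print(select_instances(INSTANCES, "vpc-1", "subnet-1", "env:prod", "web-prod-*", [80, 443]))
```

Running the block with the filter `env:prod` and the name pattern `web-prod-*` selects only i-0a1: i-0a3 is in another subnet, i-0a4 carries a different env tag, and i-0a2 matches but is reported as skipped because its T2 type cannot be mirrored. Reviewing the skipped list before saving the rule avoids a CloudFormation failure on an unsupported source instance.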

Add an App (policy) to the Rule

  1. Select the WAAS rule to which you want to add an App.
  2. Select Add app.
  3. In the App Definition tab, enter an App ID.
    The combination of Rule name and App ID must be unique across In-Line and Out-Of-Band WAAS policies for Containers, Hosts, and App-Embedded.
    If you have a Swagger or OpenAPI file, click Import and select the file to load.
    If you do not have a Swagger or OpenAPI file, define each endpoint manually by specifying its host, port, and path:
    1. In Endpoint Setup, select Add endpoint.
    2. Specify an endpoint in your web application that should be protected. Each defined application can have multiple protected endpoints.
    3. Enter the HTTP host (optional, wildcards supported).
      HTTP hostnames are specified in the form [hostname]:[external port]. The external port is the TCP port on the host that listens for inbound HTTP traffic. It can be omitted when it is "80" for non-TLS endpoints or "443" for TLS endpoints. Examples: "*.example.site", "docs.example.site", "www.example.site:8080".
    4. Enter the Base path (optional, wildcards supported) for WAAS to match. Examples: "/admin", "/" (root path only), "/*", "/v2/api".
    5. Enable TLS if your application uses the TLS protocol.
    6. Select Create.
    7. After creating all endpoints, select View TLS settings in the endpoint setup menu and configure the TLS settings for the endpoints so that the mirrored traffic can be inspected. The Observer sees only a copy of the encrypted stream: it can decrypt mirrored TLS sessions only when they use one of the static-RSA cipher suites listed under TLS Limitations and only when it holds the corresponding server private key. Confirm that each TLS endpoint actually negotiates such a suite before relying on inspection of its traffic.
    8. If your application requires API protection, select the API Protection tab and define, for each path, the allowed methods, parameters, types, and so on. See the API protection help page for detailed instructions.
  4. Continue to the App Firewall tab and select the protections to enable. For more information, see App Firewall settings.
  5. Continue to the DoS protection tab and select the DoS protections to enable.
  6. Continue to the Access Control tab and select the access controls to enable.
  7. Continue to the Bot protection tab and select the protections to enable. For more information, see Bot protections.
  8. Continue to the Custom rules tab and select the custom rules to enable.
  9. Continue to the Advanced settings tab and set the options you need. For more information, see Advanced settings.
  10. Select Save.
  11. You are redirected to the Rule Overview page. Select the newly created rule to display its Rule Resources and, for each application, the list of protected endpoints and enabled protections.
  12. Test a protected endpoint with sanity tests: send a request that matches one of the enabled protections and confirm that an audit is generated.
  13. Go to Monitor > Events > WAAS for Agentless to observe the generated events. For more information, see the WAAS analytics help page.

VPC Configuration Status

Once the VPC configuration is saved, a CloudFormation template is created and deployed in the selected region. You can track the stack deployment stages through the Prisma Cloud Console.
  • Deploying: The WAAS rule is being prepared; the Observer is being deployed on the AWS instance and the mirror session is being established between the Observer and the resources. Click Refresh to view the updated deployment status.
  • Ready: The WAAS rule is ready and applied to the selected resources. The Observer checks for new instances (based on the selected tags or instance names) once every hour.
  • Error: The deployment failed and the rule is in an error state. Fix the error and click Update to reapply the configuration.
  • Deletion in progress: The Observer deployment is being torn down and the mirror session is being terminated.
  • Deletion error: Tearing down the Observer setup in the AWS VPC failed.
Use Refresh to see the updated status of the rules in the UI.
When the VPC configuration is in Error status, Update is allowed so that you can reapply the configuration.
You can Delete an Agentless rule; this tears down the entire VPC stack configuration and its resources. Once the deletion completes, the rule disappears from the Console and the Observer is uninstalled.
The VPC Observer is listed under Manage > Defenders > Deployed Defenders. A VPC Observer can only be removed by deleting its rule from the Console.

Update VPC Configurations

You can edit a VPC configuration only to update the Tags, Instance names, Ports, and Observer instance type. The edit updates the AWS CloudFormation template, and AWS creates or destroys only the resources affected by the change.
If you change the instance type of the VPC Observer, AWS recreates the EC2 instance, and mirrored traffic is not inspected during that downtime.
Edit the fields and Save to reapply the configuration.

WAAS Actions for Out-Of-Band Traffic

The following actions are applicable to HTTP requests or responses in the Out-Of-Band traffic:
  • Alert - An audit is generated for visibility.
  • Disable - The WAAS action is disabled.
Because the Observer inspects a mirrored copy of the traffic rather than sitting in the request path, it cannot prevent, ban, or otherwise block a request; Alert is the strongest action available. To block traffic, protect the workload with an in-line WAAS Defender.

Limitations

Limitations for setting up traffic mirroring imposed by AWS
  • Not all AWS instance types support traffic mirroring; for example, T2 is not supported. This applies to both the source and the target (Observer) EC2 instances.
  • Some regions (for example, Paris) do not currently offer the 'm5n.2xlarge' and 'm5n.4xlarge' instance types, so these types cannot be used for the VPC Observer there.
TLS Limitations
  • TLS settings for agentless support TLS 1.0, 1.1, and 1.2. TLS 1.3 is not supported: it negotiates only ephemeral keys, which the Observer cannot derive from the mirrored stream.
  • Only the following RSA key exchange cipher suites are supported:
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_RSA_WITH_RC4_128_SHA
    All three use static RSA key exchange, which is what lets the Observer recover the session keys with the server's private key. Note that 3DES and RC4, like TLS 1.0 and 1.1, are deprecated; restricting a server to these suites so that the Observer can decrypt its traffic removes forward secrecy and weakens the endpoint's TLS for every client, so weigh that cost against the visibility gained.
  • TLS connections that negotiate extended_master_secret (23) are not supported by this feature.
  • Out-Of-Band does not support the HTTP/2 protocol.
  • Diffie-Hellman key exchange (DHE/ECDHE) is not supported, because the mirrored stream does not contain the information required to generate the encryption key.
  • The full handshake must be captured. Partially captured transmissions and resumed sessions cannot be decrypted.
  • The same VPC configuration cannot be used to inspect both HTTP and HTTPS traffic; create two Agentless rules, one for HTTP and one for HTTPS monitoring.
WAAS Agentless Limitations
  • An EC2 instance can be attached to only one agentless rule.
  • An agentless rule can inspect machines from only one VPC and Subnet combination.
  • Each agentless rule can have at most 5 ports in its VPC configuration.
  • Changing the VPC Observer instance type involves downtime.
  • Once the AWS setup is created or updated by the agentless rule, the Observer status is only available on the Manage > Defenders > Deployed defenders page.
  • You must upgrade the VPC Observer through Manage > Defenders.
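A pre-flight check for the TLS constraints above, as an added example and not Prisma Cloud code: it parses a TLS ServerHello record and reports whether the negotiated version, cipher suite, and extensions fall within what the Observer can decrypt (TLS 1.0 to 1.2, one of the three static-RSA suites, no extended_master_secret, no HTTP/2 via ALPN). Detecting TLS 1.3 through the supported_versions extension goes slightly beyond the list on the page, since a TLS 1.3 ServerHello still carries 0x0303 in its version field. The records are constructed, not captured, and a single record cannot tell whether the full handshake was captured or whether the session was resumed.

```python
"""Pre-flight check: can the WAAS VPC Observer decrypt a given TLS session?

Added example, not Prisma Cloud code. It parses a TLS ServerHello record and
applies the page's TLS Limitations: TLS 1.0-1.2 only, one of the three
static-RSA cipher suites, no extended_master_secret (23), no HTTP/2 (ALPN
"h2"). TLS 1.3 is signalled by supported_versions (43) and always uses
ephemeral keys, so it is reported as not decryptable. The ServerHello bytes
built below are constructed for illustration, not captured traffic.
"""
from __future__ import annotations

import struct

SUPPORTED_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
SUPPORTED_SUITES = {
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
EXT_ALPN, EXT_EXTENDED_MASTER_SECRET, EXT_SUPPORTED_VERSIONS = 16, 23, 43


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello handshake message."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 2:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                                   # skip server random
    sid_len = hs[pos]
    pos += 1 + sid_len                             # skip session id
    cipher = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    pos += 1                                       # compression method
    exts: dict[int, bytes] = {}
    if pos < len(hs):
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            exts[etype] = hs[pos:pos + elen]
            pos += elen
    return {"version": version, "cipher": cipher, "extensions": exts}


def observer_can_decrypt(record: bytes) -> tuple[bool, list[str]]:
    """Return (decryptable, reasons) against the page's Out-Of-Band TLS limits."""
    h = parse_server_hello(record)
    reasons = []
    version = h["version"]
    sv = h["extensions"].get(EXT_SUPPORTED_VERSIONS)
    if sv is not None and struct.unpack("!H", sv[:2])[0] == 0x0304:
        version = 0x0304                           # TLS 1.3 hides behind 0x0303
    if version not in SUPPORTED_VERSIONS:
        reasons.append(f"version 0x{version:04x} not in TLS 1.0-1.2")
    if h["cipher"] not in SUPPORTED_SUITES:
        reasons.append(f"cipher 0x{h['cipher']:04x} is not a supported static-RSA suite")
    if EXT_EXTENDED_MASTER_SECRET in h["extensions"]:
        reasons.append("extended_master_secret negotiated")
    if b"h2" in h["extensions"].get(EXT_ALPN, b""):   # coarse match on the ALPN list
        reasons.append("HTTP/2 negotiated via ALPN")
    return (not reasons, reasons)


def build_server_hello(version: int, cipher: int, extensions) -> bytes:
    """Construct a minimal ServerHello record for testing (zeroed random, no session id)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in extensions)
    hs = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    if ext_bytes:
        hs += struct.pack("!H", len(ext_bytes)) + ext_bytes
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", 22, 0x0303, len(body)) + body


# Constructed sample records (not captured traffic).
RSA_TLS12 = build_server_hello(0x0303, 0x003C, [])
ECDHE_TLS12_H2 = build_server_hello(
    0x0303, 0xC02F,                                # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    [(EXT_ALPN, b"\x00\x03\x02h2"), (EXT_EXTENDED_MASTER_SECRET, b"")])
TLS13 = build_server_hello(0x0303, 0x1301, [(EXT_SUPPORTED_VERSIONS, b"\x03\x04")])

if __name__ == "__main__":
    for name, rec in [("rsa-tls12", RSA_TLS12), ("ecdhe-h2", ECDHE_TLS12_H2), ("tls13", TLS13)]:
        print(name, observer_can_decrypt(rec))
```

The ServerHello is the only message needed for this check because it carries the server's final choice of version, suite, and extensions; the Observer's TLS settings are irrelevant if the endpoint never negotiates a static-RSA suite. A modern default configuration (ECDHE, extended_master_secret, ALPN h2) fails on three counts at once, which is the usual reason Out-Of-Band inspection of an HTTPS endpoint yields no events.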

Troubleshoot VPC Traffic Mirroring Errors

When the configuration status shows an error, check the AWS CloudFormation stack events for the underlying error.
Some CloudFormation scenarios that lead to this error are described below.

You are not authorized to perform this operation

The selected AWS cloud account does not have sufficient permissions for the deployment. Either:
  1. Grant the account the permissions defined in the agentless_app_firewall_permissions_template described under Prerequisites, and select Update to retry the deployment.
  2. Delete the rule in error and create a new rule with an AWS cloud account to which that permissions template has been applied through the AWS CloudFormation console.

SessionNumber 1 already in use for eni-*

The deployment tried to mirror an EC2 instance that is already being mirrored, either by another WAAS rule or by another product. AWS requires the session number to be unique per source network interface, and the agentless stack creates its mirror session with SessionNumber 1, so an ENI that already has a session 1 cannot be attached. Either:
  1. Edit the VPC configuration, remove the instance from the tags or instance names list, and click Update to retry the deployment.
  2. Remove the existing mirroring of that machine from the other rule or product, and click Update to retry the deployment.
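A helper for the session-number conflict above, as an added example rather than Prisma Cloud code: given the JSON output of `aws ec2 describe-traffic-mirror-sessions` for the region, it lists which of the candidate source ENIs already carry session number 1 and, where CloudFormation created that session, the stack that owns it (CloudFormation tags the resources it creates with `aws:cloudformation:stack-name`). The sample output is constructed; the `owner` tag on the second session is a made-up convention for a third-party product.

```python
"""Find source ENIs that already carry traffic mirror session number 1.

Added example, not Prisma Cloud code. AWS requires the session number to be
unique per source network interface; the page's error shows the agentless
stack uses SessionNumber 1, so any ENI that already has session 1 (another
WAAS rule or another product) makes the deployment fail. Feed this the JSON
from `aws ec2 describe-traffic-mirror-sessions --region <region>`. The
SAMPLE_DESCRIBE_OUTPUT below is constructed to mimic that output; the IDs,
stack name, and the `owner` tag are not real.
"""
import json

WAAS_SESSION_NUMBER = 1  # page: "SessionNumber 1 already in use for eni-*"

SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "TrafficMirrorSessions": [
        {"TrafficMirrorSessionId": "tms-0001", "NetworkInterfaceId": "eni-aaa",
         "TrafficMirrorTargetId": "tmt-0001", "SessionNumber": 1,
         "Tags": [{"Key": "aws:cloudformation:stack-name", "Value": "waas-agentless-rule-a"}]},
        {"TrafficMirrorSessionId": "tms-0002", "NetworkInterfaceId": "eni-bbb",
         "TrafficMirrorTargetId": "tmt-0009", "SessionNumber": 1,
         "Tags": [{"Key": "owner", "Value": "third-party-ids"}]},
        {"TrafficMirrorSessionId": "tms-0003", "NetworkInterfaceId": "eni-ccc",
         "TrafficMirrorTargetId": "tmt-0009", "SessionNumber": 2, "Tags": []},
    ]
})


def sessions_by_eni(describe_json: str) -> dict:
    """Group the sessions in describe-traffic-mirror-sessions output by source ENI."""
    data = json.loads(describe_json)
    out = {}
    for s in data.get("TrafficMirrorSessions", []):
        out.setdefault(s["NetworkInterfaceId"], []).append(s)
    return out


def find_conflicts(describe_json: str, candidate_enis) -> dict:
    """Map each candidate ENI that already has session number 1 to the existing session.

    The owner is taken from the CloudFormation stack-name tag when present
    (another WAAS rule), otherwise from an `owner` tag (assumed convention),
    otherwise reported as unknown.
    """
    by_eni = sessions_by_eni(describe_json)
    conflicts = {}
    for eni in candidate_enis:
        for s in by_eni.get(eni, []):
            if s["SessionNumber"] != WAAS_SESSION_NUMBER:
                continue
            tags = {t["Key"]: t["Value"] for t in s.get("Tags", [])}
            owner = tags.get("aws:cloudformation:stack-name") or tags.get("owner") or "unknown"
            conflicts[eni] = {"session": s["TrafficMirrorSessionId"],
                              "target": s["TrafficMirrorTargetId"], "owner": owner}
    return conflicts


if __name__ == "__main__":
    for eni, info in find_conflicts(SAMPLE_DESCRIBE_OUTPUT, ["eni-aaa", "eni-bbb", "eni-ccc"]).items():
        print(f"{eni}: session 1 held by {info['session']} -> {info['target']} ({info['owner']})")
```

Run it against the candidate ENIs of the instances your rule selects before clicking Update: an ENI owned by another WAAS stack means the instance must be removed from one of the two rules, while an ENI owned by another product means that product's mirror session has to be removed first.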

WaitCondition received failed message: 'Defender deployment failed' for uniqueid: i-xxxx.

The AWS CloudFormation stack failed to deploy the WAAS agentless resources because the Prisma Cloud Console is not reachable from AWS. The Observer is a Host Defender and must be able to open a connection to the Console address selected in the VPC configuration.
  1. Make sure that the Console address in the VPC configuration resolves to a publicly reachable IP address.
  2. Check that the Defender (Observer) instance has a public IP address.
  3. Check that the AWS account can connect to the Prisma Cloud Console at the Console URL selected in the VPC configuration.
    1. If the Console URL is wrong, delete the rule and create a new rule with a valid Prisma Cloud Console URL.
    2. If the Console is unreachable because of a firewall or other blocking rule, change that rule to allow connectivity to the Console, and click Update to retry the deployment.
    3. Ensure that the Console's IP address and ports are reachable from the Defender, and that the firewall allows the relevant port and source IPs.

Failed to find VMs to mirror

The underlying AWS error is "The security token included in the request is invalid": the credentials of the selected AWS cloud account were rejected.
  1. Select Edit Configuration, ensure that the AWS cloud account exists for the user and that the correct secret key is used, and Save the configuration.
  2. Click Update to reapply the configuration.
