With Application Profiling, Prisma Cloud will observe the application during its entire lifecycle and suggest the rulesets that need to be added for the application to properly work while still being microsegmented.
The Application Profiling engine leverages the existing observed flows and then looks at the related processing units tags to add them to the rulesets.
You can then review the rulesets on the Prisma Cloud Administrator Console and approve/reject them using the graphical interface or export them in a yaml format for use in your CI/CD pipelines.
This capability enables you to allow very specific processes and flows while blocking everything else.
You can pick one of the following approaches for Application Profiling:
Deploy your application and create the rulesets using the UI
This is the recommended approach for deploying a non cloud-native application or if your application lifecycle does not use an automated deployment method.
In such environments, you can deploy your application (same if it’s already running), run Application Profile and review/approve/reject the resulting rulesets directly in the Prisma Cloud console.
Deploy your application and create the rulesets using your CI/CD process
This is the recommended approach if you are deploying a cloud native application or if your application lifecycle is managed using a CI/CD process or another automated deployment method.
In such environments, you can deploy your application in CI (dev or stage environments), run Application Profile, export the resulting rulesets template and add it to your automation process.
When your application is deployed on production, you can import the template in the respective Prisma Cloud microsegmentation namespace and have the application be immutable from a networking perspective, since you’re enforcing the behavior learned previously.
It enables you to proactively secure new or updated applications at the time of deployment without added complexity or delay.
It’s important that Application Profiling is able to observe the whole application lifecycle (start,run,terminate phases) as many applications execute some actions only at start/terminate phases (like readiness probes and data import/export events)