1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Microsegmentation Administrator's Guide
    5. Secure
    6. Securing host communications

    Securing host communications

    About securing host traffic

    When you deploy the enforcer as a Linux or Windows service, Microsegmentation creates a processing unit that represents the host, allowing you to control and monitor all host communications.
    We deploy enforcers in discovery mode, a very permissive initial configuration. This allows the host to function as it was before you deployed the enforcer, with no impact to its accustomed communications or applications.
    We recommend allowing your host to run in discovery mode for some time, perhaps a week. During this interval, Microsegmentation collects the URLs, IP addresses, protocols, and ports it communicates with. A comprehensive list of its communications ensures that you don’t miss anything when you allow the connections, ensuring a seamless experience when you disable discovery mode. After disabling discovery mode, your host rejects any traffic not explicitly allowed.
    Do not disable discovery mode before allowing the desired traffic. Doing so could cause you to lose access to the host.
    We provide guidance for the most common and critical traffic. You should gain enough familiarity with the process to be able to allow additional traffic on your own, according to the specificities of your circumstances.
    While the port numbers used in the following procedures should match up with yours, there is a small chance that they will not. You may need to modify the port numbers if the host deviates from well-known defaults.

    Before you begin

    We recommend reviewing basic network ruleset concepts.
    In the
    Network Security
     section of the Prisma Cloud web interface, select
    Agent
     under
    Manage
    , and navigate to the namespace of the enforcer. Expand the details of your target enforcer. Review the Microsegmentation tags of the enforcer and determine which one you want to use to identify it. In our examples, we use the enforcer’s ID, which is the 5f1f2ad0f0fe17061e24ed7d value in the following tag: $id=5f1f2ad0f0fe17061e24ed7d

    Review the flows

    Take a few moments to review your host’s communication patterns.
    1. In the
      Network Security
       section of the Prisma Cloud web interface, select
      App Dependency Map
      .
    2. Click the dashed green flows from the host to
      Somewhere
      .
    3. Select the
      Access
       tab.
    4. Scroll through the list of connections, paying particular attention to the ports.

    Allow SSH connections

    For Linux hosts, SSH often represents the primary means of access. Neglecting to allow inbound SSH connections to Linux hosts may lock you and others out of the host when you disable discovery mode.
    1. In the
      Network Security
       section of the Prisma Cloud web interface, select
      Network Lists
      , select
      External networks
      , and click the
      Create
       button.
    2. Type ssh in the
      Name
       field and click
      Next
      .
    3. Type 0.0.0.0/0 in the
      Networks
       field, press ENTER, and click
      Next
      .
    4. Click
      Create
      .
    5. Select
      Rulesets
       and click the
      Create
       button.
    6. Type a descriptive name like Allow incoming SSH connections in the
      Name
       field and click
      Next
      .
    7. Type the tag you wish to use to identify the enforcer in the
      Applies to
       field.
      If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d
    8. Under
      Incoming
      , click
      Add Ingress Rule
      .
    9. Click the
      From
       field, click in the empty box, type externalnetwork:name=ssh, and click outside of the dialog to close it.
    10. Click the
      Protocols/Ports
       field, delete Any, type tcp/22, and click outside of the dialog to close it.
    11. Click
      Create
      .
    12. SSH into the host.
    13. Select
      App Dependency Map
      .
    14. You should see a new external network named
      ssh
       with a solid green flow to your host, as shown below.

    Allow network time protocol communications

    Microsegmentation requires accurate time-keeping. If you have not already configured the host to synchronize times with authoritative sources, take a few moments to do so now.
    Complete the following steps to allow network time protocol (NTP) traffic from the host to UDP port 123.
    1. In the
      Network Security
       section of the Prisma Cloud web interface, select
      Network Lists
      , select
      External networks
      , and click the
      Create
       button.
    2. Type ntp in the
      Name
       field and click
      Next
      .
    3. Type 0.0.0.0/0 in the
      Networks
       field, press ENTER, and click
      Next
    4. Click
      Create
      .
    5. Select
      Rulesets
       and click the
      Create
       button.
    6. Type a descriptive name such as Allow outgoing NTP traffic in the
      Name
       field and click
      Next
      .
    7. Type the tag you wish to use to identify the enforcer in the
      Applies to
       field.
      If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d
    8. Under
      Outgoing
      , click
      Add Egress Rule
      .
    9. Click the
      To
       field, click in the empty box, type externalnetwork:name=ntp, and click outside of the dialog to close it.
    10. Click the
      Protocols/Ports
       field, delete Any, type udp/123, and click outside of the dialog to close it.
    11. Click
      Create
      .
    12. Select
      App Dependency Map
      .
    13. After some time, you should see a new external network named
      ntp
       with a solid green flow from your host, as shown below.
      To see the results immediately, you can restart the NTP service.
      You should observe UDP port 123 flows from the host to the
      Somewhere
       external network, as well as to the the
      ntp
       external network. Compare the time stamps. The flows to the
      ntp
       external network are newer. The
      ntp
       external network contains all of the UDP port 123 flows from now on.

    Allow domain name system communications

    Microsegmentation requires domain name system (DNS) resolution. If you do not allow DNS, the enforcers won’t be able to connect to the Microsegmentation Console.
    Complete the following steps to allow DNS connections.
    1. In the
      Network Security
       section of the Prisma Cloud web interface, select
      Network Lists
      , select
      External networks
      , and click the
      Create
       button.
    2. Type dns in the
      Name
       field and click
      Next
      .
    3. Type 0.0.0.0/0 in the
      Networks
       field, press ENTER, and click
      Next
      .
    4. Click
      Create
      .
    5. Select
      Rulesets
       and click the
      Create
       button.
    6. Type a descriptive name such as Allow outgoing DNS queries in the
      Name
       field and click
      Next
      .
    7. Type the tag you wish to use to identify the enforcer in the
      Applies to
       field.
      If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d
    8. Under
      Outgoing
      , click
      Add Egress Rule
      .
    9. Click the
      To
       field, click in the empty box, type externalnetwork:name=dns, and click outside of the dialog to close it.
    10. Click the
      Protocols/Ports
       field, delete Any, type udp/53, and click outside of the dialog to close it.
    11. Click
      Create
      .
    12. Select
      App Dependency Map
      .
    13. After some time, you should see a new external network named
      dns
       with a solid green flow from your host, as shown below.
      To see the results immediately, you can flush the DNS cache and run ping google.com.
      You should observe UDP port 53 flows from the host to the
      Somewhere
       external network, as well as to the the
      dns
       external network. Compare the time stamps. The flows to the
      dns
       external network are newer. The
      dns
       external network contains all of the UDP port 53 flows from now on.

    Allow dynamic host configuration protocol communications

    If your host uses dynamic host configuration protocol (DHCP), you must enable it by creating an external network to represent UDP ports 67-68. Then create two bidirectional network policies with source and target inverted.
    Failure to allow communications between the host and the DHCP server can result in a total lack of access to the host. If the host is using DHCP, ensure that you allow this traffic to prevent yourself from getting locked out. If you’re not sure, after allowing the host to run in discovery mode for some time, click the
    Somewhere
     flow, select the
    Access
     tab, click the search icon, select
    Port
    , press ENTER twice, type "67" and "68" as filters.
    1. In the
      Network Security
       section of the Prisma Cloud web interface, select
      Network Lists
      , select
      External networks
      , and click the
      Create
       button.
    2. Type dhcp in the
      Name
       field and click
      Next
      .
    3. Type 0.0.0.0/0 in the
      Networks
       field, press ENTER, and click
      Next
      .
    4. Click
      Create
      .
    5. Select
      Rulesets
       and click the
      Create
       button.
    6. Type a descriptive name such as Allow bidirectional DHCP traffic in the
      Name
       field and click
      Next
      .
    7. Type the tag you wish to use to identify the enforcer in the
      Applies to
       field.
      If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d
    8. Under
      Incoming
      , click
      Add Ingress Rule
      .
    9. Click the
      From
       field, click in the empty box, type externalnetwork:name=dhcp, and click outside of the dialog to close it.
    10. Click the
      Protocols/Ports
       field, delete Any, type udp/67, press ENTER, then type udp/68, and click outside of the dialog to close it.
    11. Under
      Outgoing
      , click
      Add Egress Rule
      .
    12. Click the
      To
       field, click in the empty box, type externalnetwork:name=dhcp, and click outside of the dialog to close it.
    13. Click the
      Protocols/Ports
       field, delete Any, type udp/67, press ENTER, then type udp/68, and click outside of the dialog to close it.
    14. Click
      Create
      .
    15. Select
      App Dependency Map
      .
    16. After some time, you should see a new external network named
      dhcp
       with a solid green flow from your host, as shown below.
      This could take up to a half hour.
      To see the results immediately, you can install and run sudo dhcping against the IP address of your DHCP server.

    Allow lightweight directory access protocol communications

    If the host needs to connect to an lightweight directory access protocol (LDAP) server, you must enable TCP communications, typically over port 389. We assume in this procedure that your LDAP servers use IPv4 addresses.
    If you are using LDAPS, open ports 636, 3268, and 3269 instead of port 389.
    1. In the
      Network Security
       section of the Prisma Cloud web interface, select
      Network Lists
      , select
      External networks
      , and click the
      Create
       button.
    2. Type ldap in the
      Name
       field and click
      Next
      .
    3. Type 0.0.0.0/0 in the
      Networks
       field, press ENTER, and click
      Next
      .
    4. Click
      Create
      .
    5. Select
      Rulesets
       and click the
      Create
       button.
    6. Type a descriptive name such as Allow outgoing LDAP queries in the
      Name
       field and click
      Next
      .
    7. Type the tag you wish to use to identify the enforcer in the
      Applies to
       field.
      If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d
    8. Under
      Outgoing
      , click
      Add Egress Rule
      .
    9. Click the
      To
       field, click in the empty box, type externalnetwork:name=ldap, and click outside of the dialog to close it.
    10. Click the
      Protocols/Ports
       field, delete Any, type tcp/389, and click outside of the dialog to close it.
    11. Click
      Create
      .
    12. Select
      App Dependency Map
      .
    13. After some time, you should see a new external network named
      ldap
       with a solid green flow from your host, as shown below.
      You should observe TCP port 389 flows from the host to the
      Somewhere
       external network, as well as to the the
      ldap
       external network. Compare the time stamps. The flows to the
      ldap
       external network are newer. The
      ldap
       external network contains all of the TCP port 389 flows from now on.

    Allow internet control message protocol

    To prevent denial of service and other attacks, we recommend allowing just the internet control message protocol (ICMP) types and codes used for troubleshooting, as described below.
    1. If you do not already see ICMP connections, SSH into the enforcer host and issue a ping request.
    2. In the
      Network Security
       section of the Prisma Cloud web interface, select
      Network Lists
      , select
      External networks
      , and click the
      Create
       button.
    3. Type icmp in the
      Name
       field and click
      Next
      .
    4. Type 0.0.0.0/0 in the
      Networks
       field, press ENTER, and click
      Next
      .
    5. Type externalnetwork:name=icmp, press ENTER, and click
      Create
      .
    6. Select
      Rulesets
       and click the
      Create
       button.
    7. Type a descriptive name such as Allow bidirectional ICMP traffic in the
      Name
       field and click
      Next
      .
    8. Type the tag you wish to use to identify the enforcer in the
      Applies to
       field.
      If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d
    9. Under
      Incoming
      , click
      Add Ingress Rule
      .
    10. Click the
      From
       field, click in the empty box, type externalnetwork:name=icmp, and click outside of the dialog to close it.
    11. Click the
      Protocols/Ports
       field, delete Any, type icmp/8/0, press ENTER, type icmp/0/0, press ENTER, type icmp/11/0, press ENTER, type icmp/3/4, and click outside of the dialog to close it.
    12. Under
      Outgoing
      , click
      Add Egress Rule
      .
    13. Click the
      To
       field, click in the empty box, type externalnetwork:name=icmp, and click outside of the dialog to close it.
    14. Click the
      Protocols/Ports
       field, delete Any, type icmp/8/0, press ENTER, type icmp/0/0, press ENTER, type icmp/11/0, press ENTER, type icmp/3/4, and click outside of the dialog to close it.
    15. Click
      Create
      .
    16. Access the enforcer host and issue a ping request.
    17. Return to the
      Network Security
       section of the Prisma Cloud web interface and select
      App Dependency Map
      . .
    18. You should see a new external network named
      icmp
       with a solid green flow from your host, as shown below.
      You should observe ICMP flows from the host to the
      Somewhere
       external network, as well as to the the
      icmp
       external network. Compare the time stamps. The flows to the
      icmp
       external network are newer. The
      icmp
       external network contains all of the ICMP flows from now on.

    Allow cloud instance metadata queries

    Instances hosted in public clouds like AWS, GCP, and Azure make periodic requests to a link-local address at 169.254.169.254 over port 80. This is the cloud instance metadata endpoint. Complete the following steps to allow these connections.
    1. In the
      Network Security
       section of the Prisma Cloud web interface, select
      Network Lists
      , select
      External networks
      , and click the
      Create
       button.
    2. Type metadata in the
      Name
       field and click
      Next
      .
    3. Type 169.254.169.254 in the
      Networks
       field, press ENTER, and click
      Next
      .
    4. Click
      Create
      .
    5. Select
      Rulesets
       and click the
      Create
       button.
    6. Type a descriptive name such as Allow outgoing metadata requests in the
      Name
       field and click
      Next
      .
    7. Type the tag you wish to use to identify the enforcer in the
      Applies to
       field.
      If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d
    8. Under
      Outgoing
      , click
      Add Egress Rule
      .
    9. Click the
      To
       field, click in the empty box, type externalnetwork:name=meta, and click outside of the dialog to close it.
    10. Click the
      Protocols/Ports
       field, delete Any, type tcp/80, and click outside of the dialog to close it.
    11. Click
      Create
      .
    12. Select
      App Dependency Map
      .
    13. After some time, you should see a new external network named
      metadata
       with a solid green flow from your host, as shown below. These connections may occur infrequently, such as once an hour. You can trigger one immediately with the following command curl http://169.254.169.254
      You should observe TCP port 80 flows from the host to the
      Somewhere
       external network, as well as to the the
      metadata
       external network. Compare the time stamps. The flows to the
      metadata
       external network are newer. The
      metadata
       external network contains all of the cloud metadata flows from now on.

    Allow additional communications

    After completing the procedures above, you should observe a much shorter list of flows from your host to the
    Somewhere
     external network. Next, you must decide which of the remaining flows you want to allow and which you want to deny. Create external networks and policies for the protocol and port(s) you want to allow, as in the previous procedures.
    If you see connections to
    Somewhere
     on port 443, expand
    Monitor
    , select
    Logs
    , and click
    DNS Lookup Logs
    . If you see domain names listed which seem legitimate, create external networks and network policies to allow the traffic, using the domain name. For example, Ubuntu instances may make periodic requests to api.snapcraft.io to check for snap package updates.
    To assist you, a list of common additional traffic follows, along with hyperlinks to their common ports.
    The Internet Assigned Numbers Authority (IANA) provides a searchable Service Name and Transport Protocol Port Number Registry that may be useful as you complete your list of allowed traffic.

    Harden further

    You may also wish to further harden your security by modifying the external networks from 0.0.0.0/0 to a specific IP or CIDR. We recommend this when you have static IPs or at least a known range.

    Disable discovery mode

    Prerequisites
    : to disable discovery mode, you must have
    namespace administrator
     privileges in the namespace above the VM namespace and apoctl.
    1. Set a VM_NS to the namespace of your host.
      This should be a grandchild-level namespace. An example follows.
       export VM_NS=/803920923337065472/aws-dev-826088932159/vm
    2. Set a CLOUD_NS to the namespace above the host’s namespace.
      This should be a child-level namespace. An example follows.
       export CLOUD_NS=/803920923337065472/aws-dev-826088932159
    3. Issue the following command to disable discovery mode.
       cat <<EOF | apoctl api update namespace $VM_NS -n $CLOUD_NS -f -
 name: $VM_NS
 namespace: $CLOUD_NS
 defaultPUIncomingTrafficAction: Reject
 defaultPUOutgoingTrafficAction: Reject
 EOF
    4. You may see a new external network named
      Somewhere
       with red flows or red flows between pods.
      If you click on the red lines you can see that the connections were denied due to Microsegmentation’s default
      Reject all
       ruleset.
      Congratulations! You have secured your host. Microsegmentation denies any traffic not explicitly allowed by a network ruleset.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo