Trusted IP Addresses on Prisma Cloud

Add trusted IP addresses to permit access to the management interfaces or to label your internal networks on Prisma™ Cloud and exclude them from anomaly alerts and RQL queries.
Prisma™ Cloud enables you to specify IP addresses or CIDR ranges for:
  • Trusted Login IP Addresses: Restrict access to the Prisma Cloud administrator console and API to only the specified source IP addresses.
  • Trusted Alert IP Addresses: If you have internal networks that connect to your public cloud infrastructure, you can add these IP address ranges (or CIDR blocks) as trusted on Prisma Cloud. When you add IP addresses to this list, you can create a label to identify your internal networks that are not in the private IP address space to make alert analysis easier. When you visualize network traffic on the Prisma Cloud Investigate tab, instead of flagging your internal IP addresses as internet or external IP addresses, the service can identify these networks with the labels you provide.
    Prisma Cloud default network policies that look for internet-exposed instances also do not generate alerts when the source IP address is included in the trusted IP address list, and the account hijacking anomaly policy filters out activities from known IP addresses. Also, when you use RQL to query network traffic, you can filter out traffic from known networks that are included in the trusted IP address list.
  • Anomaly Trusted List: Exclude trusted IP addresses when conducting tests for PCI compliance or penetration testing on your network. Any addresses included in this list do not generate alerts against the Prisma Cloud Anomaly Policies that detect unusual network activity such as the policies that detect internal port scan and port sweep activity, which are enabled by default.
    You can also choose various resource types or identifiers for which you want to Suppress Alerts for Prisma Cloud Anomaly Policies.
To add an IP address to the trusted list:
  1. Add an Alert IP address.
    1. Select Settings > Trusted Alert IP Addresses > + Add New.
      You must have the System Administrator role on Prisma Cloud to view or edit the Trusted IP Addresses page. See Prisma Cloud Administrator Permissions.
    2. Enter a name or label for the Network.
    3. Enter the CIDR and, optionally, add a Description, click the Save icon, and then click Done.
      Enter the CIDR block for IP addresses that are routable through the public Internet; you cannot add a private CIDR block. The IP addresses you enter may take up to 15 minutes to take effect, and when you run a network query, the trusted IP addresses are appropriately classified for new data ingested.
      Because Trusted IP lists are applied during ingestion, any modifications to the list are not retroactive on previously ingested data. If you add an IP address to the list or remove one from it, the classification for the IP address is in effect for queries against data ingested after you make the change.
  2. Add a Login IP address.
    1. Select Settings > Trusted Login IP Addresses > + Add New.
      You must have the System Administrator role on Prisma Cloud to view or edit the Trusted IP Addresses page. See Prisma Cloud Administrator Permissions.
    2. Enter a Name and, optionally, a Description.
    3. Enter the CIDR and Create the new login IP address entry.
      As an example, if you enter 199.167.52.5/32, only one IP address is allowed. If you enter 199.167.52.0/24, it allows all IP addresses within the range of 199.167.52.0 to 199.167.52.255.
      When specifying a range of IP addresses, the last bit must be a 0. So, if you are logged in from the IP address 199.167.52.5, you can enter 199.167.52.5/32 or 199.167.52.0/24, but not 199.167.52.5/24.
    4. Verify that the IP addresses for your users who access the Prisma Cloud administrative console are included in the list.
      For the System Administrator role by default, Prisma Cloud checks that you are logged in from an IP address that is included within the CIDR range you have added, and you cannot delete your current IP address from the list. If the CIDR you entered does not include the IP addresses for all users who access the Prisma Cloud administrator console and API interface, they will be logged out as soon as you save your changes and will lose access to the Prisma Cloud administrator console and API interface.
    5. Enable the IP address.
  3. Add an IP Address to the Anomaly Trusted List.
    1. Select Settings > Anomalies > Anomaly Settings > Anomaly Trusted List.
      You must have the correct role, such as the System Administrator role on Prisma Cloud, to view or edit the Anomaly Settings page. See Prisma Cloud Administrator Permissions for the roles that have access.
    2. Get your IP address.
      Make sure that you know the IP address that you are logged in from and the CIDR range to which your IP address belongs.
    3. Add Trusted List > IP Address.
    4. Enter a Trusted List Name and, optionally, a Description.
    5. Select the Anomaly Policies for which you do not want to generate alerts.
    6. Click Next.
    7. Enter the IP Addresses.
      You can enter one or more IP addresses in the CIDR format, which means you also include the network address. For example, 199.167.52.5/32 to specify an IP address or 199.167.52.0/24 to include all addresses within the range of 199.167.52.0 to 199.167.52.255. By default, the IP addresses you add to the trusted list are excluded from generating alerts against any (all) cloud accounts that are onboarded to Prisma Cloud.
    8. (Optional) Select an Account ID and VPC ID from the drop-down list.
      You can select only one Account and VPC ID, or set it to Any to exclude any account that is added to Prisma Cloud.
    9. Save the list.
      When you save the list, for the selected anomaly policies that detect network issues such as network reconnaissance, network evasion, or resource misuse, Prisma Cloud will not generate alerts for the IP addresses included in this list.
      Only the administrator who created the list can modify the name, description, Account ID and VPC ID; other administrators with the correct role can add or delete IP address entries on the trusted list.
  4. Add one or more Domain Names to the Anomaly Trusted List.
    1. Select Settings > Anomalies > Anomaly Settings > Anomaly Trusted List.
      You must have the correct role, such as the System Administrator role on Prisma Cloud, to view or edit the Anomaly Settings page. See Prisma Cloud Administrator Permissions for the roles that have access.
    2. Add Trusted List > Domain.
    3. Enter the Trusted List Name and (optional) Description.
    4. Select the Anomaly Policy for which you want alerts to be triggered when they detect suspicious domains in DNS queries.
    5. Click Next.
    6. Enter one or more Domains and (optional) Account ID from the drop-down list.
      You can select only one Account or set it to Any to exclude any account that is added to Prisma Cloud.
    7. Save.
      For the domain names that you’ve added to this Domain Trusted List, the DNS anomaly policies will not generate alerts.
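
A pre-flight check for the rules stated in the steps above: a range must be written with its network address (199.167.52.0/24, not 199.167.52.5/24), Trusted Alert entries cannot be private CIDR blocks, and every console user's IP must fall inside a Trusted Login range before you save. This is an added example, not Palo Alto Networks code; it uses only Python's standard `ipaddress` module and makes no Prisma Cloud API calls, and the function name `preflight` and the address 199.167.53.9 are constructed for illustration.

```python
import ipaddress


def preflight(cidrs, user_ips=(), require_public=False):
    """Check proposed trusted-list entries before entering them in the console.

    Returns (accepted, rejected, locked_out):
      accepted   - parsed networks that pass every check
      rejected   - {entry: reason} for entries that fail a check
      locked_out - user IPs not covered by any accepted network
    """
    accepted, rejected = [], {}
    for entry in cidrs:
        try:
            # strict=True refuses a range whose host bits are set,
            # e.g. 199.167.52.5/24 instead of 199.167.52.0/24.
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            rejected[entry] = str(exc)
            continue
        # Trusted Alert IP entries must be routable through the public Internet.
        if require_public and net.is_private:
            rejected[entry] = "private CIDR block"
            continue
        accepted.append(net)
    # Users outside every accepted range lose console and API access on save.
    locked_out = [ip for ip in user_ips
                  if not any(ipaddress.ip_address(ip) in net for net in accepted)]
    return accepted, rejected, locked_out


# Constructed sample input; the 199.167.52.x values are the page's own examples.
LOGIN_CIDRS = ["199.167.52.5/32", "199.167.52.0/24", "199.167.52.5/24"]
ADMIN_IPS = ["199.167.52.5", "199.167.52.200", "199.167.53.9"]

if __name__ == "__main__":
    ok, bad, out = preflight(LOGIN_CIDRS, ADMIN_IPS)
    print("accepted:", [str(n) for n in ok])
    print("rejected:", bad)
    print("would lose access:", out)
    # Trusted Alert list: same check, plus the public-routability rule.
    print(preflight(["199.167.52.0/24", "10.1.0.0/16"], require_public=True)[1])
```

Run it against the full list of egress addresses your administrators and API clients use before saving a Trusted Login change, since uncovered users are logged out as soon as the list is saved.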
