Features Introduced in April 2023
The host, container, and serverless capabilities on the
Compute
tab are being upgraded starting on Apr 23, 2023. When upgraded, the version will be 30.00.140.New Features in Prisma Cloud Compute
Feature | Description |
CVE Coverage Update | |
As part of the 30.00 release, Prisma Cloud has rolled out updates to its vulnerability data for Common Vulnerabilities and Exposures (CVEs) in the Intelligence Stream. The new additions are as follows:
| |
Enhancements | |
Tanzu Blobstore Update | Improved the web interface to add and configure a VMWare Tanzu blobstore under Defend > Access > VMWare Tanzu blobstore . |
Defender Settings | Improved the web interface for the advanced Defender settings under Manage > Defenders > Settings . |
Collections | Improved the web interface for Collections ( Manage > Collections and Tags ). You can now view a summary of each collection in the sidecar, which covers resource data and usage data of the collection. |
New Features in Agentless Security | |
Agentless Scanning Support for Windows Hosts | You can now use agentless scanning to scan Windows hosts for vulnerabilities and compliance issues on Amazon Web Services, Google Cloud Platform, and Microsoft Azure. Agentless scanning supports the following versions of Windows.
Agentless scanning is not supported for containers running on Windows hosts. |
Support for Bottlerocket | Agentless scanning for vulnerabilities and compliance is now supported on Bottlerocket. |
Support for Encrypted Volume Agentless Scanning with AWS Hub Accounts | You can now use agentless scanning with your AWS hub accounts to scan encrypted volumes. |
Support for Shared VPC in GCP | Agentless scanning in GCP now supports specifying a shared subnet to communicate back to Prisma Cloud. Using a shared VPC requires you to grant Prisma Cloud additional permissions to create and manage the VPC. If you are not using a shared VPC, you can use the existing permission template to configure agentless scanning. |
New Features in Core | |
New Release Numbering Format | Starting from this release, that is named 30.00.140, the Prisma Cloud versions have a new release numbering format major release.minor release.build.
The major release is a number 30, in this case, followed by the minor release sequence that will start with 00 (first release), 01 (minor 1), 02 (minor 2), and so on. For example, the next maintenance release will be 30.01.build, and maintenance update 2 will be 30.02.build. |
Cloud Radar Improvements | Improved filters and performance in Radars > Cloud . |
Runtime Protection Support for Photon OS 4.0 Hosts | Added runtime protection using Defenders for your Photon OS 4.0 hosts. |
Support Vulnerability Management for CentOS Stream 9 | Added support for CentOS Stream 9 for vulnerability scanning. |
Support .NET NuGet Package | Added support for vulnerability scanning of the NuGet package for .NET for images, functions, and hosts. For hosts, the scan is supported using twistcli only. |
Support OEL 7 | Added support for Oracle Enterprise Linux 7 on x86. |
Support for RHEL 9 | Added support for RedHat Enterprise Linux 9 on x86 and on ARM. |
Host VM Tags Collection Update | VM tags are now identified during the platform cloud discovery. You can create new host collections using the tag metadata of the cloud hosts. The tags propagate to your images and containers belonging to the host. Additional tags captured during Defender deployment are appended to the existing tag list and are also available to you when creating new host collections. |
New Features in Host Security | |
Support for CBL-Mariner on Hosts | Added support for CBL-Mariner 2.0 on x86 for vulnerability scanning, compliance scanning, and runtime protection. Prisma Cloud tested CBL-Mariner on AKS running on HCI environment. |
New Features in Serverless Security | |
Cloud Account Onboarding includes Serverless Scanning | To make it easier to configure serverless scanning, you can now configure serverless scanning when you add a new cloud account.
The change the serverless configuration, select Compute > Manage > Cloud accounts , click Edit . |
New features in Web Application and API Security (WAAS) | |
Customizable CAPTCHA for WAAS Bot Protection | You can now embed a custom reCAPTCHA page branded to fit your application and protect your website from spam and abuse. The WAAS Bot Protection is available on Defend > WAAS > Active Bot Detection . |
Amazon EC2 Auto Scaling Support for WAAS Agentless | The agentless app firewall permissions template for AWS has been revised to include a policy to support Auto Scaling of EC2 instances.
To enable auto scaling, you must update your AWS CloudFormation permission template. |
API Changes
CHANGE | DESCRIPTION |
Adds Cache-control Header for all API Responses | Adds a header Cache-control: no-store in the API response to control storing of cache for all API requests. |
Supports Amazon EC2 Auto Scaling in WAAS Agentless Deployment | WAAS agentless deployment now supports automatic scaling of WAAS observers to handle a large amount of network traffic or sudden increase of traffic volume. By default, the feature is disabled. You can enable the feature by using the PUT method in the following API endpoint: /api/vVERSION/policies/firewall/app/agentless
|
Breaking Changes in API
Cloud Discovery API Endpoint Updates for Response Pagination
The
GET, /api/vVERSION/cloud/discovery
API endpoint now returns a paginated response of 50 results instead of all results in a single response.This change is implemented in n-2 versions.
The request and response schema of this API are updated. In the reponse, the
entities
object in GET, /api/vVERSION/cloud/discovery
is moved to another endpoint GET, /api/v1/cloud/discovery/entities
. For more information, see the new parameters.DISA STIG Scan Findings and Justifications
Every release, we perform an SCAP scan of the Prisma Cloud Compute Console and Defender images. The process is based upon the U.S. Air Force’s Platform 1 "Repo One" OpenSCAP scan of the Prisma Cloud Compute images. We compare our scan results to IronBank’s latest approved UBI8-minimal scan findings. Any discrepancies are addressed or justified.
Backward Compatibility for New Features
FEATURE NAME | Unsupported Component (Defender/twistcli) | DETAILS |
Customizable CAPTCHA page for WAAS Bot Protection | Defenders | Previous versions of Defenders will not support customizing eCAPTCHA for WAAS Bot protection. |
End of Support Notifications
Notices | |
|---|---|
End of Support for the Serverless Scan API Endpoint | The /api/vVERSION/settings/serverless-scan API route is no longer supported. |
Changes in Existing Behavior
Defender Upgrade Based on Collection Filter | The API endpoint /api/vVERSION/defenders/upgrade supports upgrading to all the eligible Defenders by filtering based on the query parameter collections that are assigned to your user role.
This change was introduced in 22.12.694 build. If you are upgrading from a version earlier than 22.12.694 to 30.00, this behavior will now be in effect. |
API Discovery Retention Policy | On the WAAS API Discovery database, if the database has reached its storage capacity and new path entries are added for API endpoints, the Console utilizes the 'Last Observed' date to remove older entries and improve the utilization of the available resources.
When an image or an API endpoint is deleted from the database, an alert is generated, and the details are written to the Console logs. This change was introduced in 22.12.582. If you are upgrading from a version earlier than 22.12.582 to 30.00, this retention policy will now be in effect. |
Name Resolution Change in AKS Clusters | Previous versions show the value of the server field of the cluster kubeconfig file with the node running the Defender. Now, daemonset Defenders report the same cluster name displayed in the Azure portal in their scans. This change only applies to nodes in resource groups using the default format Azure assigns to AKS node resource groups. If you have a custom name for the AKS node resource group or the name can’t be resolved, the value of the server field of the cluster kubeconfig file is shown. |
API Versioning with new Release Numbering Format | Starting with version 30.xx, each maintenance release (like 30.01, 30.02, and so on) may contain new features and improvements. As a result, the URLs for the APIs will be updated to reflect the version. You can use different .xx versions of the API at the same time for your automation requirements as we continue to support backward compatibility for two major including minor (maintenance) release versions behind the current one (n-2). For example, while on build 30.01, you can continue to use the API paths such as api/v30.00 , api/v22.12 , and api/v22.06 due to backward compatibility.Though we recommend you to update scripts to use the current or new API paths, you won’t need to worry about making changes to your code immediately when a new major or minor (maintenance) release is announced. |
