Features Introduced in September 2022

Learn about the new Compute capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in September 2022.
The host, container, and serverless capabilities on the Compute tab are being upgraded on Prisma Cloud Enterprise Edition on October 2, 2022. When upgraded, the version will be 22.06.213.

New Features in Prisma Cloud Compute

Feature
Description
HTTPS Proxy Support for Agentless Scanning
Agentless scanning now supports connections over an HTTPS proxy server. If you use custom certificates for authentication, you can now configure custom certificates for the connection to Console when using Agentless scanning.
Support for Embedding a Defender in a CloudFormation Fargate Task
Prisma Cloud Compute now supports embedding a Defender in a CloudFormation Fargate task in the YAML format, in addition to the JSON format. You can use a full CloudFormation template that contains other objects in addition to the Fargate task to generate a protected Fargate task definition.
Use the Console (Compute > Manage > Defenders > Deploy > Defenders) or the APIs (/api/22.06/defenders/fargate.yaml, /api/22.06/defenders/fargate.json) to complete the workflow.
Cloud Native Network Segmentation
The Cloud Native Network Firewall (CNNF) has been renamed to Cloud Native Network Segmentation (CNNS) in Compute > Radars > Settings, and you can create policies for enforcing Layer 4 communication from hosts and containers on Compute > Defend > CNNS.
Update for CVE-2022-36085
As part of the 22.06.213 release, Prisma Cloud has rolled out an update to the vulnerability data stream for CVE-2022-36085. After updating to the enhanced intelligence feed, you may see alerts on vulnerabilities in Prisma Cloud components and Defender images of releases 22.06 or older versions. We have determined that Prisma Cloud components are not impacted by these vulnerabilities. There is no risk in continuing to run any of the supported Prisma Cloud releases.

Addressed Issues

ISSUE
DESCRIPTION
PCSUP-10988
Fixed an internal error that failed to refresh the vulnerability statistics under Compute > Monitor > Vulnerabilities > Vulnerability Explorer.
PCSUP-10841
Fixed an issue with permissions in the AWS Gov template for agentless scanning.
PCSUP-10791
Fixed an issue with editing WAAS rules. On upgrade to 22.06, you could not update or modify WAAS rules configured to protect the same port for multiple protocols, such as TLS, HTTP2, and gRPC. With this fix, such rules can now be modified.
PCSUP-10632
Fixed an issue that caused Defender to incorrectly report the Host OS as SLES15SP1 instead of SLES15.
PCSUP-10507
Fixed two issues with Defenders running on containerd/CRI-O nodes:
  • Defenders attempted to scan host file systems during image scans for containers that changed to the host mount namespace. This issue is fixed.
  • Defenders attempted to scan the host filesystem because a parent directory was a symlink. The issue was fixed by ignoring image scans running from the host namespace to avoid false binary detections.

Supported Host Operating Systems and Orchestrators

Review the full system requirements for all supported operating systems and orchestrators.
TYPE
DESCRIPTION
Additional Orchestrators on x86 Architecture
  • Google Kubernetes Engine (GKE) version 1.24.2 with containerd version 1.6.6
  • Elastic Kubernetes Service (EKS) version 1.6.6
  • Azure Kubernetes Service (AKS) with containerd version 1.6.4+azure-4 running on Linux
  • AKS version 1.24.3 running with containerd version 1.6.6+azure on Windows
  • Lightweight Kubernetes (k3s) version v1.24.4+k3s1 with containerd v1.6.6-k3s1
  • OpenShift version 4.11 with CRI-O 1.24.1
  • Rancher Kubernetes Engine (RKE) version 1.24.4+rke2r1 with containerd 1.6.6-k3s1

End of Support Notifications

Notices
Maven system dependencies
With the End of Support for Maven system dependencies, Defender injection for Java functions is now implemented using the bundle as a Maven internal repository. With this update, the <systemPath> dependency is no longer used.
Compile dependency in Gradle 7.0
With the End of Support for compile dependency in Gradle 7.0, Defender injection for Java functions is updated to an implementation dependency using an internal repository.

Breaking Change Notification

Breaking Change in Lagrange
On upgrade to the next release, code-named Lagrange and planned for the end of this calendar year, if you have configured an alert profile on Compute > Manage > Alerts and enabled Image vulnerabilities (registry and deployed) and Immediately alert for deployed resources, you will now receive immediate alerts for vulnerable registry images along with immediate alerts for deployed images.
The volume of immediate alerts that are generated may be much higher than what you've seen in previous releases because support for immediate alerting for registry images is being added in Lagrange. With this change, the Image vulnerabilities (registry and deployed) option is being separated into two triggers, Deployed images vulnerabilities and Registry images vulnerabilities, and both will be automatically enabled on upgrade if the original trigger was enabled in the alert profile.
