Prisma Cloud Compute Known Issues

Review the list of known and addressed issues and deprecation notices for the Compute capabilities on Prisma Cloud Enterprise Edition.
The following known issues affect Compute capabilities on Prisma Cloud Enterprise Edition. Entries marked Fixed have been addressed in this release.
  • The auto-defend capability for deploying Defenders to secure hosts on GCP does not work.
  • After upgrading Console from 21.04 to 21.08, hosts running the previous (n-1) Defender version are not displayed under Host observations; only hosts whose Defender version matches the Console version are shown. To resolve the issue, re-scan images and hosts after upgrading.
  • Email alerts include the Prisma Cloud logo, which is an image file hosted on our CDN. If the mail client cannot reach the Internet, the logo is not displayed.
  • Fixed: Defender name collisions across different EKS clusters on AWS broke registry scanning. The collisions occurred because the VPCs reused the same network ranges, so Defenders in different clusters ended up with identical names. Although this issue is fixed, customers who encountered it and had explicitly selected specific Defenders for registry scanning must reselect those Defenders.
  • For Code Repository scans, adding support for GitHub Enterprise Server removed the URL links in the scan results of existing GitHub Cloud repository scans. To make the links active again, delete the current Git repository scan scopes and create new ones.
  • If the same custom compliance rule is used in both a host policy (effect: alert) and a container policy (effect: block), the rules enforce your policy as expected, but the audit message for a blocked container incorrectly refers to the host policy and host rule name.
  • For custom compliance checks on Kubernetes and OpenShift with CRI-O, if "Reported results" is configured to show both passed and failed checks, a check that does not run at all is still reported as "passed".
  • Fixed: The /util/twistcli endpoint, which is supported for downloading the twistcli binary from the API, was missing from both the OpenAPI spec file and the API reference documentation.
  • Fixed: High memory usage could cause Console to enter an infinite restart loop.
  • Fixed: Coordinates for the Azure West US 3 region did not map to Arizona on the Compute Cloud Radar.
  • Fixed: Defender could not run on systems with insufficient mlock limits. The fix adds the CAP_IPC_LOCK Linux capability to the Defender DaemonSet, so Defender can lock memory regardless of the RLIMIT_MEMLOCK setting on the node.
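The following script is an added example, not Prisma Cloud's own code, for verifying the mlock fix on a running process: it reads the effective capability set (CapEff) from /proc/<pid>/status and tests bit 14, which is CAP_IPC_LOCK in the Linux capability numbering, and it reads the soft "Max locked memory" limit from /proc/<pid>/limits. A process that holds CAP_IPC_LOCK is not subject to RLIMIT_MEMLOCK, which is why adding the capability to the DaemonSet resolves the issue on nodes with a low limit. The sample /proc texts embedded in the script are constructed (the default effective capability set of an unprivileged container, with and without IPC_LOCK); the process name and the way you locate the Defender pid are not taken from the page.

```python
"""Check whether a process (for example a Defender container) can lock
memory: either it holds CAP_IPC_LOCK, in which case the kernel does not
enforce RLIMIT_MEMLOCK, or its soft "Max locked memory" limit is unlimited.
Added example, not Prisma Cloud code. Reads only /proc text, so it works
against any pid you can read; the sample texts below are constructed."""
import re
import sys

CAP_IPC_LOCK = 14  # capability number from linux/capability.h

_CAP_EFF_RE = re.compile(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)
_MEMLOCK_RE = re.compile(r"^Max locked memory\s+(\S+)\s+(\S+)", re.MULTILINE)

# Constructed sample data. 0xa80425fb is the default effective capability set
# of an unprivileged container; 0xa80465fb is the same set with bit 14
# (CAP_IPC_LOCK) added, as the Defender DaemonSet fix does.
SAMPLE_STATUS_NO_LOCK = "Name:\tdefender\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
SAMPLE_STATUS_WITH_LOCK = "Name:\tdefender\nCapPrm:\t00000000a80465fb\nCapEff:\t00000000a80465fb\n"
SAMPLE_LIMITS = (
    "Limit                     Soft Limit           Hard Limit           Units     \n"
    "Max locked memory         65536                65536                bytes     \n"
)


def parse_cap_eff(status_text: str) -> int:
    """Effective capability bitmask from /proc/<pid>/status text."""
    m = _CAP_EFF_RE.search(status_text)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def has_cap(cap_eff: int, cap_number: int) -> bool:
    """True when capability bit cap_number is set in the effective set."""
    return bool((cap_eff >> cap_number) & 1)


def parse_memlock_soft_limit(limits_text: str):
    """Soft RLIMIT_MEMLOCK in bytes from /proc/<pid>/limits; None if unlimited."""
    m = _MEMLOCK_RE.search(limits_text)
    if not m:
        raise ValueError("no 'Max locked memory' line in limits text")
    soft = m.group(1)
    return None if soft == "unlimited" else int(soft)


def assess_mlock(cap_eff: int, soft_limit):
    """Return (ok, reason): can this process lock memory without a limit?

    The page does not say how much memory Defender locks, so a finite limit
    without the capability is reported as a potential failure, not a sure one.
    """
    if has_cap(cap_eff, CAP_IPC_LOCK):
        return True, "CAP_IPC_LOCK present; RLIMIT_MEMLOCK is not enforced"
    if soft_limit is None:
        return True, "no CAP_IPC_LOCK, but the soft mlock limit is unlimited"
    return False, f"no CAP_IPC_LOCK and the soft mlock limit is only {soft_limit} bytes"


def assess_pid(pid: str):
    """Run the check against a live process by reading its /proc entries."""
    with open(f"/proc/{pid}/status", encoding="ascii", errors="replace") as fh:
        cap_eff = parse_cap_eff(fh.read())
    with open(f"/proc/{pid}/limits", encoding="ascii", errors="replace") as fh:
        soft = parse_memlock_soft_limit(fh.read())
    return assess_mlock(cap_eff, soft)


if __name__ == "__main__":
    # Usage: python check_mlock.py <pid>   (defaults to this process)
    print(assess_pid(sys.argv[1] if len(sys.argv) > 1 else "self"))
```

Run it on the node against the Defender process pid (or against pid 1 from inside the Defender container, if an interpreter is available there). A False result with a finite limit means the node's RLIMIT_MEMLOCK is the only thing standing between Defender and an mlock failure, which is exactly the situation the DaemonSet change removes.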

Breaking Changes and Deprecations

Review the list of all the breaking changes and deprecations in Compute.

Breaking Changes

Be aware of the following breaking changes when upgrading to 21.08:
  • Starting in 21.08, the following audit collections in the database, which were not previously capped, are now capped. As part of this change, the existing audit data in these collections is dropped on upgrade to 21.08, so export any records you need to retain before upgrading. The impacted collections are:
    • App-embedded runtime audits - max of 25,000 entries or 50 MB, whichever limit is hit first.
    • Trust audits - max of 25,000 entries or 50 MB, whichever limit is hit first.
    • Container network firewall audits - max of 25,000 entries or 50 MB, whichever limit is hit first.
    • Host network firewall audits - max of 25,000 entries or 50 MB, whichever limit is hit first.
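Because the audit data in those four collections is dropped on upgrade, an operator who needs the history has to export it before upgrading. The script below is an added example, not Prisma Cloud code: it pages through each collection's list endpoint and writes one JSON Lines file per collection. Only the app-embedded runtime path (api/audits/runtime/app-embedded) appears on this page; the other three endpoint paths, the /api/v1 prefix, the offset/limit paging convention with a page size of 50, and bearer-token authentication are assumptions to confirm against your Console's API reference. The fetch function is injectable, so the paging logic can be exercised against constructed data without a Console.

```python
"""Export the four audit collections that 21.08 caps (and drops on upgrade)
to local JSON Lines files before upgrading. Added example, not Prisma Cloud
code. Assumes offset/limit paging on the Console API and a pre-obtained API
token; only the app-embedded path is confirmed by the release notes."""
import json
import os
import sys
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List

# Collections that become capped in 21.08. Only the first path appears on the
# page; the other three are assumptions following the same naming scheme.
COLLECTIONS: Dict[str, str] = {
    "app-embedded-runtime": "/api/v1/audits/runtime/app-embedded",
    "trust": "/api/v1/audits/trust",                                     # assumption
    "container-network-firewall": "/api/v1/audits/firewall/network/container",  # assumption
    "host-network-firewall": "/api/v1/audits/firewall/network/host",     # assumption
}

PAGE_SIZE = 50  # assumed per-request maximum for these list endpoints

# fetch(path, params) -> list of audit records for that page
Fetcher = Callable[[str, dict], List[dict]]


def make_console_fetcher(base_url: str, token: str) -> Fetcher:
    """Build a fetcher that GETs from Console with a bearer token (assumed auth)."""
    def fetch(path: str, params: dict) -> List[dict]:
        url = base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read()) or []
    return fetch


def iterate_audits(fetch: Fetcher, path: str, page_size: int = PAGE_SIZE) -> Iterator[dict]:
    """Walk a list endpoint with offset/limit until an empty or short page.

    A page exactly page_size long is followed by one more request, so a
    collection whose size is a multiple of page_size is not truncated.
    """
    offset = 0
    while True:
        page = fetch(path, {"offset": offset, "limit": page_size})
        if not page:
            return
        for record in page:
            yield record
        if len(page) < page_size:
            return
        offset += len(page)


def export_all(fetch: Fetcher, out_dir: str, page_size: int = PAGE_SIZE) -> Dict[str, int]:
    """Write <out_dir>/<collection>.jsonl for each collection; return record counts."""
    os.makedirs(out_dir, exist_ok=True)
    counts: Dict[str, int] = {}
    for name, path in COLLECTIONS.items():
        n = 0
        with open(os.path.join(out_dir, name + ".jsonl"), "w", encoding="utf-8") as fh:
            for audit in iterate_audits(fetch, path, page_size):
                fh.write(json.dumps(audit, sort_keys=True) + "\n")
                n += 1
        counts[name] = n
    return counts


if __name__ == "__main__":
    # Usage: python export_audits.py https://console.example:8083 <token> ./audit-export
    base, token, out = sys.argv[1:4]
    print(export_all(make_console_fetcher(base, token), out))
```

Keep the exported files with the rest of your pre-upgrade backup; once Console is on 21.08 the capped collections only retain the most recent 25,000 entries or 50 MB, so the export is the only copy of anything older.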

Breaking Changes in the API

The following endpoint has been deprecated in 21.08:
DELETE api/audits/runtime/app-embedded

Deprecated in this Release

  • Kubernetes dynamic audit configuration, which was deprecated in Kubernetes 1.19, is no longer supported. Dynamic audit configuration was previously used for Prisma Cloud Kubernetes auditing, which now uses the regular audit webhook backend.
  • Auto-upgrade on Defenders is no longer supported.
  • New installs of Compute have empty container, host, and serverless runtime policies. Default rules are no longer created. Empty policies effectively disable runtime defense entirely. Runtime defense without tuning can generate an overwhelming amount of data. Often customers don’t have the bandwidth to properly plan and tune runtime defense during the initial deployment of Compute. Disabling runtime defense lets customers postpone runtime defense configuration to a more convenient time. Runtime defense can be enabled by creating a rule.

Upcoming Deprecations

  • Both docs.prismacloudcompute.com and docs.twistlock.com will be deprecated shortly. All Prisma Cloud Compute docs will be hosted on docs.paloaltonetworks.com only.
  • Support for Swarm will be deprecated in Joule, which is the next major release.
