https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/can-prisma-cloud-defender-attempt-to-connect-to-ports/m-p/1238402#M1531 <P>Hello!&nbsp;</P> <DIV class="c-message_kit__gutter"> <DIV class="c-message_kit__gutter__right" role="presentation" data-qa="message_content"> <DIV class="c-message_kit__blocks c-message_kit__blocks--rich_text"> <DIV class="c-message__message_blocks c-message__message_blocks--rich_text" data-qa="message-text"> <DIV class="p-block_kit_renderer" data-qa="block-kit-renderer"> <DIV class="p-block_kit_renderer__block_wrapper p-block_kit_renderer__block_wrapper--first"> <DIV class="p-rich_text_block" dir="auto"> <DIV class="p-rich_text_section">I don't think a defender can perform that command.&nbsp;</DIV> <DIV class="p-rich_text_section"> <DIV class="c-message_kit__gutter"> <DIV class="c-message_kit__gutter__right" role="presentation" data-qa="message_content"> <DIV class="c-message_kit__blocks c-message_kit__blocks--rich_text"> <DIV class="c-message__message_blocks c-message__message_blocks--rich_text" data-qa="message-text"> <DIV class="p-block_kit_renderer" data-qa="block-kit-renderer"> <DIV class="p-block_kit_renderer__block_wrapper p-block_kit_renderer__block_wrapper--first"> <DIV class="p-rich_text_block" dir="auto"> <DIV class="p-rich_text_section">Some defender logs would provide more clarity and additional details to troubleshoot the issue further.</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV class="c-message_actions__container c-message__actions" role="group"> <DIV class="c-message_actions__group" role="group" aria-label="Message actions" data-qa="message-actions"> <DIV class="container__z3l0C"> <DIV class="c-message_kit__gutter"> <DIV class="c-message_kit__gutter__right" role="presentation" data-qa="message_content"> <DIV class="c-message_kit__blocks c-message_kit__blocks--rich_text"> <DIV class="c-message__message_blocks c-message__message_blocks--rich_text" data-qa="message-text"> <DIV class="p-block_kit_renderer" data-qa="block-kit-renderer"> <DIV class="p-block_kit_renderer__block_wrapper p-block_kit_renderer__block_wrapper--first"> <DIV class="p-rich_text_block" dir="auto"> <DIV class="p-rich_text_section">I would recommend opening a support case for further assistance.&nbsp;</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV class="c-message_actions__container c-message__actions" role="group">&nbsp;</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV class="c-message_actions__container c-message__actions" role="group"> <DIV class="c-message_actions__group" role="group" aria-label="Message actions" data-qa="message-actions"> <DIV class="container__z3l0C">&nbsp;</DIV> </DIV> </DIV> Fri, 19 Sep 2025 19:51:41 GMT LMegrelis 2025-09-19T19:51:41Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/can-prisma-cloud-defender-attempt-to-connect-to-ports/m-p/1238358#M1530 <P>I understood that Prisma Cloud Defender does not directly attempt to connect to ports or perform scans,</P> <P>but it seems to have executed the <CODE>curl -X OPTIONS <A href="http://localhost:8355" target="_blank">http://localhost:8355</A></CODE> command on the tomcat shutdown port.</P> <P>Since such a command was executed, there are daily logs of it being blocked by the tomcat shutdown port.</P> <P>Please tell me the reason why Prisma Cloud Defender performs such a command:&nbsp;<CODE>curl -X OPTIONS <A href="http://localhost:8355" target="_blank">http://localhost:8355</A></CODE>&nbsp;</P> Fri, 19 Sep 2025 05:07:58 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/can-prisma-cloud-defender-attempt-to-connect-to-ports/m-p/1238358#M1530 S.Choi879310 2025-09-19T05:07:58Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/can-prisma-cloud-defender-attempt-to-connect-to-ports/m-p/1238402#M1531 <P>Hello!&nbsp;</P> <DIV class="c-message_kit__gutter"> <DIV class="c-message_kit__gutter__right" role="presentation" data-qa="message_content"> <DIV class="c-message_kit__blocks c-message_kit__blocks--rich_text"> <DIV class="c-message__message_blocks c-message__message_blocks--rich_text" data-qa="message-text"> <DIV class="p-block_kit_renderer" data-qa="block-kit-renderer"> <DIV class="p-block_kit_renderer__block_wrapper p-block_kit_renderer__block_wrapper--first"> <DIV class="p-rich_text_block" dir="auto"> <DIV class="p-rich_text_section">I don't think a defender can perform that command.&nbsp;</DIV> <DIV class="p-rich_text_section"> <DIV class="c-message_kit__gutter"> <DIV class="c-message_kit__gutter__right" role="presentation" data-qa="message_content"> <DIV class="c-message_kit__blocks c-message_kit__blocks--rich_text"> <DIV class="c-message__message_blocks c-message__message_blocks--rich_text" data-qa="message-text"> <DIV class="p-block_kit_renderer" data-qa="block-kit-renderer"> <DIV class="p-block_kit_renderer__block_wrapper p-block_kit_renderer__block_wrapper--first"> <DIV class="p-rich_text_block" dir="auto"> <DIV class="p-rich_text_section">Some defender logs would provide more clarity and additional details to troubleshoot the issue further.</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV class="c-message_actions__container c-message__actions" role="group"> <DIV class="c-message_actions__group" role="group" aria-label="Message actions" data-qa="message-actions"> <DIV class="container__z3l0C"> <DIV class="c-message_kit__gutter"> <DIV class="c-message_kit__gutter__right" role="presentation" data-qa="message_content"> <DIV class="c-message_kit__blocks c-message_kit__blocks--rich_text"> <DIV class="c-message__message_blocks c-message__message_blocks--rich_text" data-qa="message-text"> <DIV class="p-block_kit_renderer" data-qa="block-kit-renderer"> <DIV class="p-block_kit_renderer__block_wrapper p-block_kit_renderer__block_wrapper--first"> <DIV class="p-rich_text_block" dir="auto"> <DIV class="p-rich_text_section">I would recommend opening a support case for further assistance.&nbsp;</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV class="c-message_actions__container c-message__actions" role="group">&nbsp;</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV class="c-message_actions__container c-message__actions" role="group"> <DIV class="c-message_actions__group" role="group" aria-label="Message actions" data-qa="message-actions"> <DIV class="container__z3l0C">&nbsp;</DIV> </DIV> </DIV> Fri, 19 Sep 2025 19:51:41 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/can-prisma-cloud-defender-attempt-to-connect-to-ports/m-p/1238402#M1531 LMegrelis 2025-09-19T19:51:41Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/can-prisma-cloud-defender-attempt-to-connect-to-ports/m-p/1241465#M1544 <P>I too observed this in my EKS setup where prisma defender is running as container&nbsp; , where these calls and logs are through out .&nbsp;</P> <P>Upon checking with security team&nbsp; some upgrades were performed, but none seem to have stopped it.&nbsp;</P> <P>I was thinking of blocking this via network or network policies ,rather than blocking at the application or mesh level.&nbsp;</P> <P>in my observation there is scan utility with in who is performing this .&nbsp;</P> <P>Any one attempted&nbsp; ?&nbsp;</P> Sat, 08 Nov 2025 06:06:53 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/can-prisma-cloud-defender-attempt-to-connect-to-ports/m-p/1241465#M1544 mailvk23 2025-11-08T06:06:53Z