https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/unable-to-get-container-defender-to-detect-denied-ip-address-on/m-p/521616#M808 <P>Hi JensWegar,</P> <P>&nbsp;</P> <P>Yes, they are very similar. The key difference is&nbsp;<SPAN>host protection is more geared towards the system services/apps that reside on the hosts - typically they need to be systemd services</SPAN></P> <P>&nbsp;</P> <P><SPAN>Regards,</SPAN></P> Fri, 18 Nov 2022 00:59:58 GMT USheikh 2022-11-18T00:59:58Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/unable-to-get-container-defender-to-detect-denied-ip-address-on/m-p/520312#M785 <P>For some reason I am unable to see any events being generated for denied IP addresses when running a container defender on one of our hosts.</P> <P>&nbsp;</P> <P>Did the following:</P> <UL> <LI>installed a container defender on a linux host.</LI> <LI>created a host policy that targets the host where the container defender runs.</LI> <LI>Added google dns (8.8.8.8) to list of denied IP addresses in the host policy.</LI> <LI>Tried to run ping/curl against that IP address.</LI> </UL> <P>Based on the above I expected to see host audit events alerting me to the denied IP address under Admin-&gt;Compute-&gt;Monitor-&gt;Events. But there is no activity.&nbsp;</P> <P>&nbsp;</P> <P>If I do the exact same steps, but instead of adding an IP i add a port (e.g. 80,443) to the denied ports list, then I start to see activity in Monitor-&gt;Events immediately. So looks like the defender is able to detect some things from the host, but not IP connectivity for some reason.</P> <P>&nbsp;</P> <P>Anybody have an idea of what is going on? And perhaps how to debug the issue? Or is there something fundamental I don't understand with host protection and container defenders.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>But for some reason I don't see any events/alerts being generated when I try to ping or curl an IP that</P> Fri, 04 Nov 2022 12:39:55 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/unable-to-get-container-defender-to-detect-denied-ip-address-on/m-p/520312#M785 JensWegar 2022-11-04T12:39:55Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/unable-to-get-container-defender-to-detect-denied-ip-address-on/m-p/521489#M804 <P>Hi JensWegar,</P> <P>&nbsp;</P> <P>To block dns at the host level, please install host defender on your linux host, and create a host policy.&nbsp;</P> <P>&nbsp;</P> <P>Here is the documentation of runtime defense for hosts:</P> <P><A href="https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/runtime_defense/runtime_defense_hosts" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/runtime_defense/runtime_defense_hosts</A></P> <P>&nbsp;</P> <P>And to install host defender please refer to the following documentation:</P> <P><A href="https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/install_defender/install_host_defender" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/install_defender/install_host_defender</A></P> <P>&nbsp;</P> <P>Regards,</P> Wed, 16 Nov 2022 23:52:37 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/unable-to-get-container-defender-to-detect-denied-ip-address-on/m-p/521489#M804 USheikh 2022-11-16T23:52:37Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/unable-to-get-container-defender-to-detect-denied-ip-address-on/m-p/521520#M806 <P>Thanks for your reply, USheikh. My understanding of the container defender vs host defender is that the container defender does everything that the host defender does, so if a host runs the docker daemon then one should install a container defender (<A href="https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/defender_types" target="_blank">https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/defender_types</A>). But based on your answer, do I have to install both a container defender AND host defender to get full protection on the host?</P> Thu, 17 Nov 2022 08:01:08 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/unable-to-get-container-defender-to-detect-denied-ip-address-on/m-p/521520#M806 JensWegar 2022-11-17T08:01:08Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/unable-to-get-container-defender-to-detect-denied-ip-address-on/m-p/521616#M808 <P>Hi JensWegar,</P> <P>&nbsp;</P> <P>Yes, they are very similar. The key difference is&nbsp;<SPAN>host protection is more geared towards the system services/apps that reside on the hosts - typically they need to be systemd services</SPAN></P> <P>&nbsp;</P> <P><SPAN>Regards,</SPAN></P> Fri, 18 Nov 2022 00:59:58 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/unable-to-get-container-defender-to-detect-denied-ip-address-on/m-p/521616#M808 USheikh 2022-11-18T00:59:58Z