Prisma Cloud Runtime Policy

L1 Bithead
Hello. I hope you're well.
I have a simple but perhaps complex question.
Scenario: I have two hosts, A and B, and Prisma Cloud mounted on another server. I create a policy in Defender>Runtime by which I am preventing the nmap process. Once I logged in to host A and ran nmap, I obviously don't have permission due to Prisma Cloud policy, but the problem is that if I run nmap from another external computer with connection to hosts A and B, I can run nmap against host A or host B without any problem and it is possible to obtain information from those hosts. So my question is that the Defense>Runtime policy applies only for actions generated from host A and host B or in this example the policy should have stopped the attack from a third external computer by running an nmap command against host A and host B, as a firewall?

Thank you very much.

Accepted Solutions

L0 Member

Hello,

The runtime policy for hosts is defined by models and rules that specify what actions to take when certain conditions are met. The models are generated by machine learning based on the normal behavior of the hosts, and the rules are either predefined or custom expressions that you can add to the policy.

One of the predefined rules is to block network reconnaissance tools, such as nmap, from running on the protected hosts. This rule applies to the processes that are executed on the hosts themselves, not to the incoming connections from external sources. Therefore, if you run nmap from host A or host B, the Prisma Cloud Defender will prevent it and generate an alert.

However, if you run nmap from another external computer, the Prisma Cloud Defender will not block it, unless you have a custom rule that explicitly denies the outgoing connections to the external computer.

If you want to protect your hosts from external scans, you need to configure a firewall or a network security group that filters the incoming traffic based on the source IP, port, and protocol. Prisma Cloud can help you monitor and audit the firewall rules, but it does not act as a firewall itself. Prisma Cloud focuses on the runtime defense of the hosts, containers, and applications, not on the network perimeter.

Best regards,

Latonyadodson
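
Added example (not part of the thread and not Prisma Cloud code): an external scan starts no process on host A or B, so the place to see it is the inbound packet log of the firewall the answer recommends. This sketch flags sources that touch many distinct ports of one host within a short window; the log lines are constructed in the Linux netfilter LOG style, and the `FW-IN` prefix, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def sample_line(sec, src, dpt):
    # Constructed sample record in netfilter LOG style; "FW-IN" is an assumed log prefix.
    return (f"Jan 10 10:00:{sec:02d} hostA kernel: FW-IN IN=eth0 OUT= SRC={src} "
            f"DST=10.0.0.5 LEN=44 TTL=54 PROTO=TCP SPT=40000 DPT={dpt} SYN")

# Constructed input: one source sweeping six ports, one client reusing port 443.
SAMPLE_LOG = "\n".join(
    [sample_line(i, "203.0.113.7", p) for i, p in enumerate([21, 22, 23, 25, 80, 443])]
    + [sample_line(i * 5, "198.51.100.20", 443) for i in range(6)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?:TCP|UDP).*?DPT=(?P<dpt>\d+)"
)

def find_scanners(log_text, min_ports=5, window=timedelta(seconds=10)):
    """Map (src, dst) -> sorted ports for sources that hit at least
    min_ports distinct ports on one host inside a sliding time window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ICMP and malformed records have no destination port
        # Syslog timestamps carry no year; a fixed one is assumed for parsing.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        events[(m["src"], m["dst"])].append((ts, int(m["dpt"])))
    hits = {}
    for key, seen in events.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1
            if len({p for _, p in seen[start:end + 1]}) >= min_ports:
                hits[key] = sorted({p for _, p in seen})
                break
    return hits

if __name__ == "__main__":
    for (src, dst), ports in find_scanners(SAMPLE_LOG).items():
        print(f"possible scan: {src} -> {dst} ports {ports}")
```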

Hello Latonyadodson,

First of all, thank you very much for your response. Your explanation is very clear. But I have an additional question: Considering my example above, if I set the IP of host A inside the block IP list rule inside host B, when I run a ping or nmap command from host A to host B, host B does not block the ping or nmap command.

Is it normal?

Thank you so much.

L1 Bithead

Hi @Latonyadodson , hope you are well. Could you check my last post? Thank you very much.
