Does Prima Cloud install agents on the kubernetes containers or it uses the CN-Series container firewall for control?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Does Prima Cloud install agents on the kubernetes containers or it uses the CN-Series container firewall for control?

L6 Presenter

Hello,

 

 

I am still not so good with Prisma Cloud, so I have to ask if  Prima Cloud installs agents on the kubernetes containers or it uses the CN-Series container firewall for control? As prima cloud can control the container communication I have to ask if the management software is installed on the container/image or on the kubernetes node like a Palo Alto CN firewall ?

 

 

Also if Prisma cloud can control virtual or cn series firewalls does it work together with Panorama you have to select which is the management system or Panorama manages the config and the monitoring is send to Prisma Cloud?

1 accepted solution

Accepted Solutions

Well, if you're looking at a defender as a drop-in replacement for a CN-series firewall, then no. I'd say their concepts and use case are different. They both protect the container environment and the network, but on slightly different levels and in slightly different ways. For instance, the defender can block a container from even starting if it detects that the container tries to start a malicious process or if the container image has dependencies that are vulnerable. You could also configure it to block certain processes from running inside a container even though they aren't malicious. As a simple example if you don't want anyone to be able to start vim inside a container, then you could block it with a rule that the defender then enforces. This type of control afaik is not possible with a CN-series firewall.

 

On the other hand, the CN-series firewall is better at analysing the communication to and from the container. It can do threat prevention, url filtering, wildfire analysis on all ports/protocols, etc. Basically anything a NGFW can do. Compared to it, I'd say the defender firewall is fairly simplistic as it only uses iptables to allow/prevent traffic, and once it has determined that a connection to some other endpoint is allowed it won't look at that traffic anymore (like you said, it allows the connection and after that the containers talk directly with each other). Prisma Cloud does however also provide a WAAS, which can be used to lock down e.g. access to a public API using swagger/OpenAPI definitions. As to your question on wildfire analysis, afaik the defender only looks at files on the host/container, it does not look at the traffic.

 

Another example of a difference in handling is micro-segmentation, where a CN-firewall works with Tag-based layer7 microsegmentation, whereas the defenders work with identity based microsegmentation (not actually sure what that really means, haven't done any experiments myself yet. But that's what I've read).

 

So in conclusion, the CN-series and Prisma Cloud defender have different use cases. And which one you choose depends on what your priorities are for the system that needs protection. Ideally of course you'd deploy both 🙂 

 

This page maybe gives a better understanding of how the defenders work: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/technology_overview...

Also, here is a description on the firewall of the defender:

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/firewalls/cnnf_saas...

And the WAAS:

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas/waas-intro.htm...

 

 

View solution in original post

4 REPLIES 4

L2 Linker

Prisma Cloud needs to install defenders in a kubernetes cluster for workload protection: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/install_kub...

It installs one container defender per node. With that you also get the host defender capabilities. These defenders then talk to the Prisma Cloud console, which is used for management.

 

Neither Prisma Cloud console or the defenders afaik talk directly to a CN-series firewall. It's a separate thing, which is deployed separately, and managed through Panorama. 

L6 Presenter

Thanks for the information, so the defender is like the CN series firewall but it is managed by the prisma cloud if I am not wrong?

 

Also can I just ask if the traffic is routed through the defender or the defender just allows the containers to talk to each other and after it is allowed the container data plane traffic does not go through the defender ? I am asking this as when reading for Prisma Cloud I saw that it checks the container images for bad files with wildfire but I couldn't understand if like the Cn-series firewall if it monitors the traffic in real time for viruses, spam etc.

 

Also somewhere it was mentioned that Prisma cloud can manage also virtual cloud firewalls  and Cn-Series and thought that like Prisma Access where the cloud can be used an alternative  GUI management web interface than panorama but I see that this maybe not the case and only the defender is managed by prisma cloud and panorama is still needed for the firewalls.

Well, if you're looking at a defender as a drop-in replacement for a CN-series firewall, then no. I'd say their concepts and use case are different. They both protect the container environment and the network, but on slightly different levels and in slightly different ways. For instance, the defender can block a container from even starting if it detects that the container tries to start a malicious process or if the container image has dependencies that are vulnerable. You could also configure it to block certain processes from running inside a container even though they aren't malicious. As a simple example if you don't want anyone to be able to start vim inside a container, then you could block it with a rule that the defender then enforces. This type of control afaik is not possible with a CN-series firewall.

 

On the other hand, the CN-series firewall is better at analysing the communication to and from the container. It can do threat prevention, url filtering, wildfire analysis on all ports/protocols, etc. Basically anything a NGFW can do. Compared to it, I'd say the defender firewall is fairly simplistic as it only uses iptables to allow/prevent traffic, and once it has determined that a connection to some other endpoint is allowed it won't look at that traffic anymore (like you said, it allows the connection and after that the containers talk directly with each other). Prisma Cloud does however also provide a WAAS, which can be used to lock down e.g. access to a public API using swagger/OpenAPI definitions. As to your question on wildfire analysis, afaik the defender only looks at files on the host/container, it does not look at the traffic.

 

Another example of a difference in handling is micro-segmentation, where a CN-firewall works with Tag-based layer7 microsegmentation, whereas the defenders work with identity based microsegmentation (not actually sure what that really means, haven't done any experiments myself yet. But that's what I've read).

 

So in conclusion, the CN-series and Prisma Cloud defender have different use cases. And which one you choose depends on what your priorities are for the system that needs protection. Ideally of course you'd deploy both 🙂 

 

This page maybe gives a better understanding of how the defenders work: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/technology_overview...

Also, here is a description on the firewall of the defender:

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/firewalls/cnnf_saas...

And the WAAS:

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas/waas-intro.htm...

 

 

L4 Transporter

Q1: Does Prima Cloud install agents on the kubernetes containers?

A1: No, the agents are installed via Daemon sets on the nodes.
Q2: Does PC use the CN-Series container firewall for control?

A2: No
Q3: Controlling the container communication, the management software is installed on the container/image or on the kubernetes node like a Palo Alto CN firewall?
A3: No, the management software (Defender agent) is installed via Daemon sets on the nodes.
Q4: Also if Prisma cloud can control virtual or CN series firewalls, does it work together with Panorama? A4: No.
Q5: Do you have to select which is the management system? or Panorama manages the config and the monitoring is send to Prisma Cloud?
A5: The Defender is manually installed and has no relationship to Panorama. Configuration management is done on the Prisma Cloud Compute console.

None
  • 1 accepted solution
  • 4652 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!