Prisma Cloud’s Innovative Agentless Scanning


By Ivani Aviles, Customer Success Engineer

 

As you may know, as of January 2022, Prisma Cloud became the first security platform to offer both agent-based and agentless security for workload protection. We introduced agentless scanning in our Joule release (22.01), and we have since expanded Prisma Cloud in both its support and capabilities. Initially, Joule introduced vulnerability scanning for hosts in AWS; Kepler (22.06) has now extended those capabilities to include both vulnerability and compliance scanning for hosts in AWS, Azure, and GCP. There have also been some changes made to the UI to help you troubleshoot and to better accommodate agentless scanning in general.

 

Configuring cloud accounts for agentless scanning has never been easier. Since there aren’t any agents to deploy, the onboarding process is already less involved than with an agent-based approach, but we have tweaked the process to make it even easier. Configuring agentless scanning begins by navigating to Manage > Cloud Accounts within the Compute console. Once there, you can click through the wizard to set up your cloud accounts and configure the discovery settings. You can also begin to troubleshoot any potential issues you may face after configuration (see screenshot below). If you do happen to run into any trouble, the “Agentless scan” column will generally give you a brief description of what may be causing the issue. Another way to gain a better understanding of your agentless scanning status is to check your console logs. The console logs can prove helpful in discovering errors, and also in determining scan duration and checking which regions are being scanned.

 

RPrasadi_0-1656357565906.png

 

 

Some common issues with agentless configuration include setting the wrong console URL in the scan specification or a misconfigured security group that doesn’t allow communication to the console. By default, Prisma Cloud will look for the default VPC and its associated default security group. However, you can bypass this behavior by specifying a custom security group associated with your VPC of interest in the agentless configuration settings. After setup, you can manually trigger an agentless scan or change the agentless scan frequency by navigating to Manage > System > Scan (the default scan frequency is 24 hours).
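To check the security group failure mode described above before a scan runs, the following added example (not Prisma Cloud code) evaluates the egress rules of AWS security groups, in the JSON shape returned by `aws ec2 describe-security-groups`, against a console endpoint. The group IDs, console IP address and port 443 are constructed assumptions; substitute the address and port of your own console.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0default00000000", "GroupName": "default",
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0custom000000000", "GroupName": "scanner-custom",
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]
CONSOLE_IP = "203.0.113.10"   # assumption: resolved address of the console
CONSOLE_PORT = 443            # assumption: port the console listens on


def rule_matches(rule, dest_ip, port, proto="tcp"):
    """True if one egress rule permits proto/port to dest_ip (IPv4 CIDRs only)."""
    rule_proto = rule.get("IpProtocol")
    if rule_proto != "-1":  # "-1" means all protocols and all ports
        if rule_proto != proto:
            return False
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    dest = ipaddress.ip_address(dest_ip)
    return any(dest in ipaddress.ip_network(r["CidrIp"], strict=False)
               for r in rule.get("IpRanges", []))


def egress_allows(group, dest_ip, port, proto="tcp"):
    """True if any egress rule of the group permits the connection."""
    return any(rule_matches(r, dest_ip, port, proto)
               for r in group.get("IpPermissionsEgress", []))


def blocked_groups(groups, dest_ip, port):
    """IDs of groups whose egress rules would stop traffic to the console."""
    return [g["GroupId"] for g in groups
            if not egress_allows(g, dest_ip, port)]


if __name__ == "__main__":
    # Prefix lists, group-to-group rules, network ACLs and routes are not evaluated.
    for gid in blocked_groups(SAMPLE_GROUPS, CONSOLE_IP, CONSOLE_PORT):
        print(f"{gid}: no egress rule allows tcp/{CONSOLE_PORT} to {CONSOLE_IP}")
```

Security groups are stateful, so an allowed outbound connection to the console does not need a matching inbound rule for the replies.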

 


 

 

Not only has the UI changed to better streamline the agentless configuration process, but there have also been other notable changes within the Compute console. You can now more easily filter the vulnerabilities produced, either by Scanning type (Agentless or Defender) or by Host Status (Running or Stopped), in addition to filtering based on Cluster, Collection, or Distribution. You can also filter by scan type in the Radars view: tick the “Defender scan only” box to filter by agent-based scanning, or leave it blank to view all workloads, regardless of how they were scanned.

 


 

 

Compared to the agentless approach, Defenders are more difficult to configure and will occasionally require upgrading. However, Defenders are an integral part of workload security, and due to their architecture they have a near-real-time view of kernel-level activities. For more sensitive workloads, it is important to have the additional arsenal that Defenders provide, such as blocking anomalous processes and stopping containers that may be compromised.

 

While our agentless scanning capabilities have quickly expanded to provide better insights into the health of your workloads, there are some limitations that can only be addressed by utilizing Defenders. With that said, both agent-based and agentless scanning should be deployed together and both are here to stay. The two approaches to workload security will be developed alongside one another and will ensure that Palo Alto Networks will continue to be the one-stop shop for your security needs.




 

 
