Prisma Cloud Compute: Cannot connect to Console address
12982
Created On 11/18/19 17:51 PM - Last Modified 12/20/23 17:03 PM
Symptom
Depending on your setup, you might need to configure a DNS entry for use in a multi-cloud configuration, or choose an IP address from the drop-down list. Note that if you select an IP address, and Console’s IP address changes, communication between Defender and Console will be interrupted. Therefore, we recommended that you use DNS names instead.
Environment
- SaaS
- Self-Hosted 19.11 or later
Resolution
Choosing Console name for Defender deployment
1. Choose the name that Defenders use to access Console.
When installing Defender using the curl command generated by Console, be sure it contains a hostname (or IP address) that your host can resolve.
2. Go to the Manage > Defenders > Deploy page in Console.
The drop down list at the top (a. Choose the name that clients and Defenders use to access this Console) selects the hostname that gets used in the auto-generated curl command.
3. Try pinging Console’s hostname from the host where you want to install Defender. If you get an error, you need to fix Console’s hostname.
$ ping cto-dev-console.c.cto-sandbox-internal
ping: unknown host cto-dev-console.c.cto-sandbox-internal
ping: unknown host cto-dev-console.c.cto-sandbox-internal
Certificate Error
4. Under Manage > Defender > Names, you can optionally add a Subject Alternative Name that the Defenders can use to connect to the Console. This name is also applied to Deploy Daemonset Tab and needs to be added if the Daemonset uses a different name / IP to connect. Failure to do so may result in certificate error.
Defender installs properly, but Console dashboard does not list it.
5. If Defender installs without any issues, but Console does not list it in Manage > Defenders > Manage, then Defender cannot connect to Console. By default, Defender is configured to communicate with Console on port 8084. If port 8084 is closed, then Defender cannot communicate with Console.
Verify that port 8084 on Console’s host machine is open. On Defender’s host machine, run the following command to verify that a connection can be established:
$ sudo lsof -i
defender 2196 root 15u IPv4 31535 0t0 TCP
cto-dev-coreos.internal:37562->cto-dev-console.internal:8084 (ESTABLISHED)
http: TLS handshake error from 10.10.1.1:8084: remote error: tls: bad certificate
Resolve the issue by setting the load balancer to pass-through, or by ensuring that the certificate is on all three stages of the load balanced connection (Console > Load Balancer > Defender).