
Prisma Cloud Compute: Agentless Scanning in Azure with Custom Network Resources (Custom Subnet ID and Security Group)

Created On 11/13/23 08:21 AM - Last Modified 11/15/23 08:00 AM


Objective


  • This article describes the Agentless Scanning in Azure with Custom Network Resources (Custom Subnet ID and Security Group) and the permissions required.


Environment


  • Prisma Cloud Compute Edition
    • SaaS
    • Self Hosted
    • Azure


Procedure


When configuring Agentless scanning for Azure within Prisma, specific subnets or security groups (SGs) can be designated for the scanning process. The scanners adopt the configuration settings of the specified subnet/SG. However, the network resources the scanners actually use are created by Prisma and identified by the name "prismacloud-scan-XXXXXXXXXXX".

Configuration Process:
  • In the Azure environment, the provided custom network resources are not used directly for the Agentless scan.
  • This is because Prisma currently supports only a single identifier for the subnet/security group, while Azure prohibits identical subnet/security-group names within the same resource group.
  • Consequently, it cannot be assumed that the specified subnet/security-group will exist in every region.
  • To address this, network resources are created with the same configuration as the supplied resources under the Prisma Agentless resource group and identified as "prismacloud-scan-XXXXXXXXXX".

Creation of Network Resources:
  • Prisma creates new subnets and security groups even when a custom network configuration is chosen in the Prisma UI.
  • This approach ensures consistency and adherence to the desired configuration.
  • The newly created network resources mirror the supplied resources with the Prisma Cloud Agentless identifier "prismacloud-scan-XXXXXXXXXX".

Permissions Requirements:
  • Despite selecting custom network resources through the Prisma UI, the non-mandatory permissions outlined in the Azure Agentless Permissions documentation are still necessary for Agentless scans in Azure with custom network resources to succeed.

  Permission                                       Purpose
  Microsoft.Network/networkInterfaces/write        Create the scanner instance network interface
  Microsoft.Network/networkInterfaces/delete       Delete the scanner instance network interface
  Microsoft.Network/networkSecurityGroups/write    Create the scanner instance security group
  Microsoft.Network/networkSecurityGroups/delete   Delete the scanner instance security group
  Microsoft.Network/virtualNetworks/write          Create the scanner instance network
  Microsoft.Network/virtualNetworks/delete         Delete the scanner instance network
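As an added check (not from the article or from Prisma), the following Python verifies that a role definition, in the JSON shape `az role definition list` returns, grants the six actions listed above; the sample role is constructed and its name is hypothetical. It honours the `*` wildcard and case-insensitive matching that Azure RBAC applies to action strings.

```python
import re

# The six Microsoft.Network actions the article lists as required.
REQUIRED_ACTIONS = [
    "Microsoft.Network/networkInterfaces/write",
    "Microsoft.Network/networkInterfaces/delete",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/delete",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/virtualNetworks/delete",
]

def _matches(pattern, action):
    # Azure RBAC action strings are case-insensitive and '*' is a wildcard.
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None

def granted_actions(role_definition):
    """Subset of REQUIRED_ACTIONS granted by one role definition.

    The dict follows the shape `az role definition list` returns: a
    'permissions' list whose entries carry 'actions' and 'notActions'.
    Within an entry, 'notActions' subtracts from 'actions'.
    """
    granted = set()
    for perm in role_definition.get("permissions", []):
        allow, deny = perm.get("actions", []), perm.get("notActions", [])
        for action in REQUIRED_ACTIONS:
            if any(_matches(a, action) for a in allow) and not any(
                _matches(d, action) for d in deny
            ):
                granted.add(action)
    return granted

def missing_actions(role_definition):
    """Required actions the role does not grant, in the article's order."""
    have = granted_actions(role_definition)
    return [a for a in REQUIRED_ACTIONS if a not in have]

# Constructed sample: a custom role (hypothetical name) that grants NIC and
# NSG actions via wildcards but only read access to virtual networks.
SAMPLE_ROLE = {
    "roleName": "prisma-agentless-example",
    "permissions": [{
        "actions": ["Microsoft.Network/networkInterfaces/*",
                    "Microsoft.Network/networkSecurityGroups/*",
                    "Microsoft.Network/virtualNetworks/read"],
        "notActions": [],
    }],
}
```

Run `missing_actions()` on the output of `az role definition list --name <role> -o json` (one element of the returned list) to see which of the six actions the assigned role still lacks.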


Additional Information


Here is an example of an Azure Agentless scan with a custom Security Group and Subnet ID.

Azure Configuration:
  • To illustrate an Azure Agentless scan with a custom Security Group and Subnet ID, we'll use a custom Security Group and Subnet ID in PCCAgentlessScanResourceGroup, the default resource group for the Prisma Agentless scan. Note that in a real-world scenario, customers may keep the custom Security Group and Subnet ID in different resource groups.
  • Azure Subnet ID to be used for Agentless:
  • Azure Security Group to be used for Agentless:

Prisma Configuration:
  • Configure Azure Agentless Scan in Prisma with the "Network Resources" section using the provided Subnet ID and Security Group.
  • Scanning Modes:
    • Same Account: Networking infrastructure is required in every account. If you use custom network resources, you need to create the networking infrastructure in every region of every account.
    • Hub Account: Networking infrastructure is only required in the hub account. If you use custom network resources, you only need to create the networking infrastructure in all regions of the hub account.


Agentless Scan Execution:
  • Once the Agentless Scan is initiated, Prisma creates all resources under the Resource Group named "PCCAgentlessScanResourceGroup".
  • Monitoring this Azure Resource Group reveals all resources created for Agentless on Azure and their respective statuses.
  • Although custom resources exist in Azure and are configured in the Prisma UI for the Agentless scan, Prisma generates new network security groups and virtual networks instead of using the existing resources directly. The resources created with the name "prismacloud-scan-XXXXXXXXXXX" take their configuration from the configured custom subnet/SG.


Prisma Agentless Created Resources:
  • Virtual Network (named prismacloud-scan-XXXXXXXXXXX) has the same configuration as the Custom Virtual Network with subnet 10.0.0.0/24:
    • The subnet 10.0.0.0/24 of the custom subnet ID is used under the Prisma Agentless resources for scanning.
  • Network Security Group created for Agentless has the same configuration as the Custom Security Group:
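An added drift check, not part of the article or of Prisma: given the custom NSG and VNet plus the contents of PCCAgentlessScanResourceGroup in the JSON shape `az network nsg show` / `az network vnet show` return, it reports whether each prismacloud-scan-* copy still carries the same security rules and subnet prefixes as the custom resources. All sample data below is constructed; the drifted NSG name is a placeholder.

```python
RULE_FIELDS = ("priority", "direction", "access", "protocol",
               "sourceAddressPrefix", "sourcePortRange",
               "destinationAddressPrefix", "destinationPortRange")

def rule_set(nsg):
    """NSG rules as comparable tuples; rule names and IDs differ per copy."""
    return {tuple(r.get(f) for f in RULE_FIELDS) for r in nsg.get("securityRules", [])}

def subnet_prefixes(vnet):
    return {s["addressPrefix"] for s in vnet.get("subnets", [])}

def is_scanner_copy(resource):
    # Resources Prisma creates for scanning carry the prismacloud-scan- prefix.
    return resource["name"].startswith("prismacloud-scan-")

def compare_mirrors(custom_nsg, custom_vnet, rg_nsgs, rg_vnets):
    """Map each prismacloud-scan-* NSG/VNet in the resource group to True if
    it mirrors the custom NSG rules / subnet prefixes, otherwise False."""
    want_rules, want_subnets = rule_set(custom_nsg), subnet_prefixes(custom_vnet)
    report = {}
    for nsg in filter(is_scanner_copy, rg_nsgs):
        report["nsg/" + nsg["name"]] = rule_set(nsg) == want_rules
    for vnet in filter(is_scanner_copy, rg_vnets):
        report["vnet/" + vnet["name"]] = subnet_prefixes(vnet) == want_subnets
    return report

def _rule(name, priority, port):
    # Helper for the constructed sample: an inbound TCP allow rule.
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
            "sourcePortRange": "*", "destinationAddressPrefix": "*",
            "destinationPortRange": port}

# Constructed sample in the shape `az network nsg show` / `az network vnet show` return.
CUSTOM_NSG = {"name": "custom-sg", "securityRules": [_rule("https", 100, "443")]}
CUSTOM_VNET = {"name": "custom-vnet",
               "subnets": [{"name": "custom-subnet", "addressPrefix": "10.0.0.0/24"}]}
RG_NSGS = [CUSTOM_NSG,
           {"name": "prismacloud-scan-XXXXXXXXXXX",
            "securityRules": [_rule("copied", 100, "443")]},
           {"name": "prismacloud-scan-drifted",   # placeholder: copy with an extra rule
            "securityRules": [_rule("copied", 100, "443"), _rule("extra", 110, "22")]}]
RG_VNETS = [CUSTOM_VNET,
            {"name": "prismacloud-scan-XXXXXXXXXXX",
             "subnets": [{"name": "default", "addressPrefix": "10.0.0.0/24"}]}]
```

Feed `compare_mirrors()` the parsed output of `az network nsg list -g PCCAgentlessScanResourceGroup -o json` and `az network vnet list -g PCCAgentlessScanResourceGroup -o json` to run it against a live resource group.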