Prisma Cloud - Troubleshooting for the Alert which remains Open even after Remediation for the Policy "GCP VM instance that is internet reachable with unrestricted access (0.0.0.0/0) on Admin ports 22/3389"

Created On 01/20/25 16:01 PM - Last Modified 01/26/26 21:55 PM


Symptom


It is observed that the Alert remains open even after remediating the finding for the Policy "GCP VM instance that is internet reachable with unrestricted access (0.0.0.0/0) on Admin ports 22/3389".

For example:

The Alert ID N-469641, associated with the policy "GCP VM instance that is internet reachable with unrestricted access (0.0.0.0/0) on Admin ports 22/3389" and the Asset Name gps-tnas-d-cin-sg-sftp-vm, still shows as not resolved even after fixing the network rules in the GCP account. It can also be seen that the Network (0.0.0.0/0) on Admin ports 22/3389 is no longer displayed in Prisma Cloud, yet the Alert status has not changed to Resolved.

GUI Path: Alerts > Select Policy

GUI Path: Alerts > Select Policy > Select Asset name

The asset is also visible when searched for on the 'Investigate' page.

GUI Path: Investigate Page

Below is the screenshot from the GCP account that shows the network rules; it can be seen that there are no firewall rules allowing incoming traffic on port 22 or 3389.

GCP Console: VPC > VPC network details



Environment


  • Prisma Cloud
  • GCP


Cause


  • The VM "gps-tnas-d-cin-sg-sftp-vm" is exposed via a Load Balancer. Because of this, the Alert remains open even though the network rules of the VPC network associated with the Asset no longer contain any rules that expose it to the internet.


Resolution


  • Check the entire network path to see whether an Asset for which the Alert remains open is exposed via a Load Balancer, not only the VPC firewall rules attached to the VM.

  • Check whether the VM/Asset that is exposed through the Load Balancer sits behind a TCP Proxy Network Load Balancer, as this type is not declared as a supported type in CNA and is not fully qualified.

  • Although it is not a fully supported feature, the cloud data is ingested in the backend and CNA does calculate the Network Path for it. In this case, the VM is exposed as expected with the current network configuration shown above in the 'Symptom' section, so the Alert stays open until the Load Balancer exposure itself is removed or restricted.
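The network-path check described above, as an added example that is not part of the original article or of Prisma Cloud: it walks VM -> instance group -> backend service -> target TCP proxy -> external forwarding rule over a constructed, simplified inventory whose field names follow the GCP Compute API resources that `gcloud compute ... list --format=json` returns (an assumption; the resource names are placeholders, not the ones in the article).

```python
"""Trace whether a GCP VM is internet reachable on an admin port (22/3389)
through an external TCP proxy load balancer, even when no VPC firewall rule
allows 0.0.0.0/0 on those ports. Added example using constructed data."""
import json

ADMIN_PORTS = {22, 3389}

# Constructed sample inventory (not real project data); the field names
# mirror Compute API resources, the member lists are simplified on purpose.
INVENTORY = json.loads("""
{
 "instanceGroups": [{"name": "ig-sftp", "members": ["example-sftp-vm"]}],
 "backendServices": [{"name": "bes-sftp", "protocol": "TCP", "port": 22,
                      "backends": [{"group": "ig-sftp"}]}],
 "targetTcpProxies": [{"name": "tcp-proxy-sftp", "service": "bes-sftp"}],
 "forwardingRules": [{"name": "fr-sftp", "IPAddress": "203.0.113.10",
                      "portRange": "22-22", "target": "tcp-proxy-sftp",
                      "loadBalancingScheme": "EXTERNAL"}]
}
""")


def ports_in_range(port_range):
    """Expand a forwarding-rule portRange such as '22-22' or '80-90'."""
    lo, _, hi = port_range.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def find_lb_exposure(vm_name, inv):
    """Return (forwarding_rule, external_ip, lb_port, vm_port) tuples for
    every external TCP proxy path that lands on an admin port of vm_name."""
    groups = {g["name"] for g in inv["instanceGroups"] if vm_name in g["members"]}
    # backend service name -> port opened on the VM (only admin ports matter)
    svc_port = {s["name"]: s["port"] for s in inv["backendServices"]
                if any(b["group"] in groups for b in s["backends"])
                and s["port"] in ADMIN_PORTS}
    proxy_svc = {p["name"]: p["service"] for p in inv["targetTcpProxies"]
                 if p["service"] in svc_port}
    exposures = []
    for fr in inv["forwardingRules"]:
        if fr["loadBalancingScheme"] != "EXTERNAL" or fr["target"] not in proxy_svc:
            continue
        vm_port = svc_port[proxy_svc[fr["target"]]]
        for lb_port in sorted(ports_in_range(fr["portRange"])):
            exposures.append((fr["name"], fr["IPAddress"], lb_port, vm_port))
    return exposures


if __name__ == "__main__":
    for rule, ip, lb_port, vm_port in find_lb_exposure("example-sftp-vm", INVENTORY):
        print(f"{rule}: internet -> {ip}:{lb_port} -> example-sftp-vm:{vm_port}")
```

A non-empty result explains why the policy alert stays open after the firewall cleanup: the admin port is still reachable through the load balancer, which is the path CNA evaluates.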

