Prisma Cloud Compute: GCP connectivity error in agentless scanning with no custom network resources defined

Created On 10/15/24 16:25 PM - Last Modified 05/01/25 19:12 PM


Symptom


  • Agentless scanning shows no scan results for the GCP project.
  • The GCP project shows a connectivity problem under Manage > Accounts.

  • The Console logs contain the following error:
(agentless/orchestrator.go:635) agentless scan error for spec: {target="xxxx" hub="" region="xxxx" availabilityDomain=""} target identity: {xxxx  } hub identity: {  }: all scans were stopped due to connectivity issues target="xxxx" hub="" region="xxxx" availabilityDomain="" job="Scan" workerID="xxxx"


Environment


  • Prisma Cloud Compute SaaS version
  • Prisma Cloud Compute self-hosted version 22.06 and later
  • Agentless scanning
  • GCP


Cause


This issue can occur when a Compute Engine quota in the GCP project is exhausted: the agentless scanner cannot launch its scan VMs (and the disks attached to them), so every scan for the project stops with the connectivity error above.



Resolution


  • Confirm that a quota limit is the root cause by checking the GCP Cloud Audit Logs (activity log) for the project. You should see an entry like the following, in which the scanner's service account fails a compute.instances.insert call with QUOTA_EXCEEDED:
{
    "protoPayload": {
      "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
      "status": {
        "code": 8,
        "message": "QUOTA_EXCEEDED",
        "details": [
          {
            "@type": "type.googleapis.com/google.protobuf.Struct",
            "value": {
              "quotaExceeded": {
                "metric": "SSD_TOTAL_GB",
                "limit": 1500,
                "resource": {
                  "resourceType": "DISK",
                  "resourceName": "prismacloud-scan-xxxx-prisma-agentless-scan-x",
                  "project": {
                    "canonicalProjectId": "xxxx"
                  },
                  "scope": {
                    "scopeType": "ZONE",
                    "scopeName": "xxxx"
                  }
                },
                "scope": {
                  "scopeType": "REGION",
                  "scopeName": "xxxx"
                },
                "metricName": "compute.googleapis.com/ssd_total_storage",
                "limitName": "SSD-TOTAL-GB-per-project-region"
              }
            }
          }
        ]
      },
      "authenticationInfo": {
        "principalEmail": "xxxx",
        "serviceAccountKeyName": "//iam.googleapis.com/projects/xxxx/serviceAccounts/xxxx/keys/xxxx",
        "principalSubject": "serviceAccount:xxxx"
      },
      "requestMetadata": {
        "callerIp": "xxxx",
        "callerSuppliedUserAgent": "google-api-go-client/0.5,gzip(gfe)",
        "requestAttributes": {},
        "destinationAttributes": {}
      },
      "serviceName": "compute.googleapis.com",
      "methodName": "v1.compute.instances.insert",
      "resourceName": "projects/xxxx/zones/xxxx/instances/prismacloud-scan-xxxx-prisma-agentless-scan",
      "request": {
        "@type": "type.googleapis.com/compute.instances.insert"
      }
    },
    "insertId": "xxxx",
    "resource": {
      "type": "gce_instance",
      "labels": {
        "project_id": "xxxx",
        "zone": "xxxx",
        "instance_id": "xxxx"
      }
    },
    "timestamp": "xxxx",
    "severity": "ERROR",
    "labels": {
      "compute.googleapis.com/root_trigger_id": "xxxx"
    },
    "logName": "projects/xxxx/logs/cloudaudit.googleapis.com%2Factivity",
    "operation": {
      "id": "xxxx",
      "producer": "compute.googleapis.com",
      "last": true
    },
    "receiveTimestamp": "xxxx"
  }
  • The GCP log entry identifies which quota needs to be increased: the quotaExceeded block names the metric (here SSD_TOTAL_GB), the current limit, the limit name, and the region the limit applies to.
  • Increase the applicable quota value as needed under "Quotas & System Limits" in the GCP console (IAM & Admin > Quotas), then re-run the scan.
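The following script is an added example, not part of this article or of Prisma Cloud: it takes Cloud Audit Log entries of the shape shown above and reduces them to the quota (limit name and scope) that is blocking the scanner, while ignoring non-quota failures and quota failures on VMs that are not scanner VMs. The sample entries are constructed for the example; the scanner instance-name prefix and the project and account names are assumptions based on the resourceName in the log above.

```python
"""Added example (not from the KB article): pick out the quota that is blocking the
Prisma Cloud agentless scanner from Cloud Audit Log entries of the shape shown above.
Sample entries are constructed; the instance-name prefix is an assumption based on
the resourceName in the article's sample log."""
from collections import Counter

RESOURCE_EXHAUSTED = 8               # google.rpc.Code value behind "code": 8 / QUOTA_EXCEEDED above
SCANNER_PREFIX = "prismacloud-scan-"  # assumption: scanner VMs keep this prefix (see sample resourceName)

# Cloud Logging filter that narrows to the failing VM launches. Assumption: used as
#   gcloud logging read "$FILTER" --project PROJECT_ID --freshness=1d --format=json
QUOTA_EXCEEDED_FILTER = (
    'logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity" '
    'AND protoPayload.methodName="v1.compute.instances.insert" '
    'AND protoPayload.status.code=8'
)


def _audit_entry(instance, zone, status=None,
                 principal="scanner-sa@example.iam.gserviceaccount.com"):
    """Build a minimal activity-log entry (constructed data, same shape as the article's log)."""
    payload = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {"principalEmail": principal},
        "serviceName": "compute.googleapis.com",
        "methodName": "v1.compute.instances.insert",
        "resourceName": f"projects/example-proj/zones/{zone}/instances/{instance}",
    }
    if status is not None:
        payload["status"] = status
    return {"protoPayload": payload, "severity": "ERROR" if status else "NOTICE"}


def _ssd_quota_status(zone, region, limit=1500):
    """QUOTA_EXCEEDED status block mirroring the SSD_TOTAL_GB entry in the article."""
    return {
        "code": RESOURCE_EXHAUSTED,
        "message": "QUOTA_EXCEEDED",
        "details": [{
            "@type": "type.googleapis.com/google.protobuf.Struct",
            "value": {"quotaExceeded": {
                "metric": "SSD_TOTAL_GB",
                "limit": limit,
                "resource": {"resourceType": "DISK",
                             "scope": {"scopeType": "ZONE", "scopeName": zone}},
                "scope": {"scopeType": "REGION", "scopeName": region},
                "metricName": "compute.googleapis.com/ssd_total_storage",
                "limitName": "SSD-TOTAL-GB-per-project-region",
            }},
        }],
    }


SAMPLE_ENTRIES = [  # constructed test data
    _audit_entry("prismacloud-scan-1a2b-prisma-agentless-scan", "us-central1-a",
                 _ssd_quota_status("us-central1-a", "us-central1")),
    _audit_entry("prismacloud-scan-1a2b-prisma-agentless-scan-2", "us-central1-b",
                 _ssd_quota_status("us-central1-b", "us-central1")),
    # Permission failure on a scanner VM: not a quota problem, must not be reported as one.
    _audit_entry("prismacloud-scan-1a2b-prisma-agentless-scan-3", "us-central1-c",
                 {"code": 7, "message": "PERMISSION_DENIED"}),
    # Someone else's VM hitting the same quota: unrelated to the scanner.
    _audit_entry("app-server-9", "us-central1-a",
                 _ssd_quota_status("us-central1-a", "us-central1"),
                 principal="deployer@example.iam.gserviceaccount.com"),
    # A scanner VM that launched fine (no status block).
    _audit_entry("prismacloud-scan-1a2b-prisma-agentless-scan-4", "us-east1-b"),
]


def quota_findings(entries):
    """Return one record per scanner-VM launch that Compute Engine rejected for a quota."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "v1.compute.instances.insert":
            continue
        status = payload.get("status") or {}
        if status.get("code") != RESOURCE_EXHAUSTED:
            continue
        instance = payload.get("resourceName", "").rsplit("/", 1)[-1]
        if not instance.startswith(SCANNER_PREFIX):
            continue
        for detail in status.get("details", []):
            quota = detail.get("value", {}).get("quotaExceeded")
            if not quota:
                continue
            findings.append({
                "instance": instance,
                "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
                "limitName": quota["limitName"],
                "metric": quota["metric"],
                "limit": quota["limit"],
                "scope": f'{quota["scope"]["scopeType"]}:{quota["scope"]["scopeName"]}',
            })
    return findings


def quotas_to_raise(findings):
    """Aggregate to the (limit name, scope) pairs to increase under Quotas & System Limits."""
    return Counter((f["limitName"], f["scope"]) for f in findings)


if __name__ == "__main__":
    for (limit_name, scope), blocked in quotas_to_raise(quota_findings(SAMPLE_ENTRIES)).items():
        print(f"{limit_name} @ {scope}: {blocked} scanner launch(es) rejected")
```

Filtering on status code 8 rather than on the message string matters in practice: the message is free text, while the code is the stable google.rpc RESOURCE_EXHAUSTED value. Restricting to the scanner's instance-name prefix keeps unrelated workloads that share the quota out of the result, but note that raising the regional limit helps them as well, since the quota is per project and region, not per VM.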



Additional Information


If custom network resources are defined for the scan, also verify that the scanner VMs can reach the Prisma Cloud Console. For SaaS deployments, refer to the Prisma Cloud Console prerequisites documentation for the NAT gateway IP addresses that must be allowed outbound.


