The network exposure query attributes "UNTRUST_INTERNET" and "address.match.criteria = 'full_match'" cannot return an instance that only allows a particular IP address.
Symptom
This article concerns the behavior of "UNTRUST_INTERNET" combined with "address.match.criteria = 'full_match'" in a network exposure query.
If you use both attributes together (example below) and the instance's security group only allows a particular IP address, the query will not return that instance, regardless of whether the IP is in the Trusted IP Address List.
E.g.
- RQL :
config from network where source.network = UNTRUST_INTERNET and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.resource.state = 'Active' and protocol.ports in ( 'tcp/22', 'tcp/3389' )
- Target instance's security group inbound rule: port 22 is allowed from "5.5.5.5/32" only, and this IP is not in the Trusted IP Address List.
- RQL result: the target instance is not returned.
Environment
- Prisma Cloud
- Network RQL
Cause
With the current specification, combining "UNTRUST_INTERNET" with "address.match.criteria = 'full_match'" requires the target instance to be exposed to every single public IP address that falls within the untrusted internet; in other words, the security group must cover the entire UNTRUST_INTERNET range.
An instance whose security group allows only one particular IP address does not satisfy that condition and is therefore not returned in the query result.
Generally, the following two expressions are equivalent:
- "source.network = UNTRUST_INTERNET and address.match.criteria = 'full_match'"
- "source.network = '0.0.0.0/0' and address.match.criteria = 'full_match'"
Resolution
If you want a query using "UNTRUST_INTERNET" to also detect exposure to a specific untrusted IP, try one of the following two options in your network exposure query:
- Remove "address.match.criteria = 'full_match'";
- Use "partial_match" instead of "full_match".
With "partial_match", or with no "address.match.criteria" at all, the instance is returned as soon as its security group allows any one of the IPs in "UNTRUST_INTERNET".
Note:
- Even when "address.match.criteria" is omitted from the query, it defaults to "address.match.criteria = 'partial_match'".
- With the current specification, when IPs are added, deleted, or modified in the Trusted IP Address List, it takes 24 hours for the changes to be synced.
Additional Information
Reference:
- Network Exposure Query Attributes
"Any IP addresses or CIDR that you have not defined as Trusted IP Addresses on Prisma Cloud and are not part of your cloud environment are considered as UNTRUST_INTERNET."
Regarding "full_match" and "partial_match": a "full_match" is always also a "partial_match", but a "partial_match" is not necessarily a "full_match". "full_match" requires the security group rule to cover the entire CIDR given in the query; "partial_match" only requires the two ranges to overlap.
See the examples below:
- RQL has 1.0.0.0/24 and the security group has 1.0.0.0/24: matches both "full_match" and "partial_match".
- RQL has 1.0.0.0/25 and the SG has 1.0.0.0/24: matches both "full_match" and "partial_match".
- RQL has 1.0.0.0/24 and the SG has 1.0.0.0/25: does NOT match "full_match", but does match "partial_match".
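To make the Cause section and the three examples above concrete, the following Python model is an added illustration written for this article; it is not Prisma Cloud's code and does not describe how the product evaluates the query internally. It models UNTRUST_INTERNET as 0.0.0.0/0 minus the Trusted IP Addresses and your own cloud CIDRs (per the definition quoted above), "full_match" as "the security group covers the whole query range", and "partial_match" as "the ranges overlap". The trusted CIDR 203.0.113.0/24 and cloud CIDR 10.0.0.0/8 are constructed sample values, and treating several security group rules as a union is an assumption of the model.

```python
import ipaddress

# Constructed sample data (not from the article): CIDRs that are NOT part of
# UNTRUST_INTERNET, i.e. Trusted IP Addresses and the cloud environment itself.
TRUSTED_IPS = ["203.0.113.0/24"]   # hypothetical Trusted IP Address List entry
OWN_CLOUD = ["10.0.0.0/8"]         # hypothetical CIDR of your own cloud environment


def untrust_internet(trusted=TRUSTED_IPS, own_cloud=OWN_CLOUD):
    """Model UNTRUST_INTERNET as 0.0.0.0/0 minus the trusted and own-cloud CIDRs.

    Returns a list of disjoint IPv4 networks that together cover every address
    the article's definition treats as untrusted internet.
    """
    ranges = [ipaddress.ip_network("0.0.0.0/0")]
    for cidr in [ipaddress.ip_network(c) for c in list(trusted) + list(own_cloud)]:
        remaining = []
        for r in ranges:
            if r.subnet_of(cidr):
                continue                                   # whole piece excluded
            if cidr.subnet_of(r):
                remaining.extend(r.address_exclude(cidr))  # carve the hole out
            else:
                remaining.append(r)                        # disjoint, keep as-is
        ranges = remaining
    return ranges


def full_match(query_ranges, sg_rules):
    """full_match: every address of every query range is allowed by the SG rules.

    Reproduces the article's examples: query 1.0.0.0/25 vs SG 1.0.0.0/24 is a
    full match, query 1.0.0.0/24 vs SG 1.0.0.0/25 is not. Treating several SG
    rules as a union is an assumption of this model.
    """
    for q in query_ranges:
        uncovered = [q]
        for rule in sg_rules:
            nxt = []
            for r in uncovered:
                if r.subnet_of(rule):
                    continue                               # fully covered by rule
                if rule.subnet_of(r):
                    nxt.extend(r.address_exclude(rule))    # rule covers part of r
                else:
                    nxt.append(r)                          # rule does not touch r
            uncovered = nxt
        if uncovered:
            return False
    return True


def partial_match(query_ranges, sg_rules):
    """partial_match: at least one address of a query range is allowed."""
    return any(q.overlaps(rule) for q in query_ranges for rule in sg_rules)


def matches(source_network, sg_rules, criteria="partial_match"):
    """Evaluate one 'source.network ... address.match.criteria' condition.

    source_network is "UNTRUST_INTERNET" or a CIDR string; sg_rules are the
    CIDRs the security group allows inbound. The default mirrors the article's
    note that an omitted address.match.criteria behaves like 'partial_match'.
    """
    if source_network == "UNTRUST_INTERNET":
        query = untrust_internet()
    else:
        query = [ipaddress.ip_network(source_network)]
    rules = [ipaddress.ip_network(r) for r in sg_rules]
    if criteria == "full_match":
        return full_match(query, rules)
    if criteria == "partial_match":
        return partial_match(query, rules)
    raise ValueError("unknown address.match.criteria: %r" % criteria)


if __name__ == "__main__":
    # The article's scenario: port 22 allowed from 5.5.5.5/32 only.
    sg = ["5.5.5.5/32"]
    print("full_match    ->", matches("UNTRUST_INTERNET", sg, "full_match"))     # False
    print("partial_match ->", matches("UNTRUST_INTERNET", sg, "partial_match"))  # True
    print("omitted       ->", matches("UNTRUST_INTERNET", sg))                   # True
    # An IP on the Trusted IP Address List is not part of UNTRUST_INTERNET at all.
    print("trusted IP    ->", matches("UNTRUST_INTERNET", ["203.0.113.5/32"]))   # False
```

Running the script shows why the original query misses the instance: with "full_match" the single /32 leaves almost all of UNTRUST_INTERNET uncovered, while "partial_match" (or no criteria) returns True as soon as one untrusted address overlaps the rule. The same model also shows that a security group that only allows a Trusted IP does not match "partial_match" either, because that address is excluded from UNTRUST_INTERNET by definition.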