How to Embed App-Embedded Defender into AWS Fargate tasks in Pr... - Knowledge Base - Palo Alto Networks

How to Embed App-Embedded Defender into AWS Fargate tasks in Prisma Cloud Compute?

12955

Created On 12/08/21 07:32 AM - Last Modified 04/21/22 21:01 PM

AWS

Prisma Cloud Compute Edition Self-Hosted

Objective

How to Embed App-Embedded Defender into Fargate tasks in Prisma Cloud Compute?

Environment

Prisma Cloud Compute
AWS

Procedure

Prior going through the configuration steps, Refer to the "additional Information" to confirm the prerequisites

Configuration Steps :

Log into Prisma Cloud Console.
Go to Manage > Defenders > Deploy > Defenders.
Select Single defender
In the Defender Type drop-down list, choose App-Embedded
Set the Deploy App-Embedded Defender to Fargate Task
Embed the Fargate Defender into your task definition.

6a. Copy and paste your task definition into the left-hand box.
6b. Click Generate Protected Task
6c. Copy the updated task definition from the right-hand box.

CLOUD Step 2 Deploy Defenders step 3 Step 6a Step 4 step 5 Step 6b Step 6c

Creating a task definition in AWS

Create a new task definition in AWS with the output from the previous section.
If you already have an existing task definition, create a new revision.

This section is geared to creating a new task definition based on the sample task.

Log into the AWS Management Console.
Go to Services > ECS
Click Task Definitions then click Create new Task Definition

3.1 Select Fargate then click Next step
3.2 Scroll to the bottom of the page, and click Configure via JSON
3.3 Delete the prepopulated JSON, then paste the JSON generated for task from the previous section.
3.4 Click Save

4. Validate task content.

4.1 Task name should be as described in the JSON.
4.2 Select the Task Role
4.3 The task should include the TwistlockDefender container.
4.4 Click Create
4.5 Click View task definition

Testing the Task

Log into the AWS Management Console.
Go to Services > ECS
Click Clusters then select one of your Fargate cluster.
Click the Services tab, then click Create

D New ECS Experience Clusters An Amazon ECS cluster is a regional grouping of one or more container instances on which you can run task requests. Each account receives a default cluster the first time you use Amazon ECS the Amazon ECS service. Clusters may contain more than one Amazon EC2 instance type. Clusters For more information, see the ECS documentation. Task Definitions Account Settings Amazon EKS Clusters list Amazon ECR Repositories AWS Marketplace Discover software ubscriotio Create Cluster View Get Started Create.new cluster card view all I-lofl CloudWatch monitoring pcc > Default Monitoring

New ECS Experience Tea Amazon ECS Clusters Task Definitions Account Settings Amazon EKS Clusters Amazon ECR Repositories AWS Marketplace Discover software Subscriptions Clusters > PCC Cluster : pcc Get a detailed view of the resources on your cluster. Update Cluster Delete Cluster Cluster ARN Status Registered container instances Pending tasks count Running tasks count Active service count Draining service count arn:aws:ecs:us-east- 1 :482660645658:cluster/pcc ACTIVE O Fargate, O EC2, O Fargate, O EC2 O Fargate, O EC2 O Fargate, O EC2, O External , O External , O External O External Scheduled Tasks Servic s Create Tasks ECS Instances Metrics Tags Update Capacity Providers Last updated on November 20, 2021 7:24:04 PM (0m ago) Delete Actions Launch type Filter in this page Service Name ALL Service type ALL Status Service ty. Task Defin. No results Desired ta... Running Launch Platform

4.1 For Launch type select Fargate
4.2 For Task Definition select your pre-defined task.
4.3 Enter a Service name
4.4 For Number of tasks enter 1

Create Service Step 1: Configure service Step 2: Configure network Step 3: Set Auto Scaling (optional) Step 4: Review Configure service A service lets you specify how many copies of your task definition to run and maintain in a cluster. You can optionally use an Elastic Load Balancing load balancer to distribute incoming traffic to containers in your service. Amazon ECS maintains that number of tasks and coordinates task scheduling with the load balancer. You can also optionally use Service Auto Scaling to adjust the number of tasks in your service. Launch type Operating system family Task Definition Platform version Cluster Service name Service type* Number Of tasks @ FARGATE o EXTERNAL Switch to capacity provider strategy Linux Family twistlock-fargate-18_11 Revision 1 (latest) LATEST pcc o o Enter a value •o o o o

4.5 Click Next step
4.6 Select a Cluster VPC and Subnets then click Next step

Create Service Step 1: Configure service I Step 2: Configure network Step 3: Set Auto Scaling (optional) Step 4: Review Configure network VPC and security groups VPC and security groups are configurable when your task definition uses the awsvpc network mode. Cluster vpc• vpc-02d3df3ef91f571e1 (172.31 Subnets* subnet-02c361 28f5a940c (172.31.48.0/20) - us-east-le assign ipv6 on creation: Disabled subnet-0664a78ae9bdc60ff (172.31.16.0/20) - us-east-Id assign ipv6 on creation: Disabled Security groups• pccsrv- 1393 Edit o o o o Auto-assign public IP Health check grace period ENABLED If your service's tasks take a while to start and respond to ELB health checks, you can specify a health check grace period of up to 2,147,483,647 seconds during which the ECS service scheduler will ignore ELB health check status. This grace period can prevent the ECS service scheduler from marking tasks as unhealthy and stopping them before they have time to come up. This is only valid if your service is configured to use a load balancer. Health check grace period requires a load balancer. o

4.7 For Service Auto Scaling, select then click Next step

Do not adjust the service’s desired count

Create Service Step 1: Configure service Step 2: Configure network Step 3: Set Auto Scaling (optional) Step 4: Review Set Auto Scaling (optional) Automatically adjust your service's desired count up and down within a specified range in response to CloudWatch alarms. You can modify your Service Auto Scaling configuration at any time to meet the needs of your application. Service Auto Scaling O *Required Do not adjust the service's desired count Configure Service Auto Scaling to adjust your service's desired count Cancel Previous Next step

5. Review your settings, then click Create Service

5.1 Validate the results.
5.2 Click View Service

Create Service Step 1 : Configure sen.'ice Step 2: Configure network Step 3: Set Auto Scaling (optional) Step 4: Review Review Cluster Launch type Operating system family Task Definition Platform version Service name Service type Number of tasks Minimum healthy percent Maximum percent Deployment circuit breaker Configure network VPC Id Subnets Create new security group Auto assign IP Set Auto Scaling (optional) PCC FARGATE Linux twistlock-fargate- 18_ 11 : 1 LATEST pccsrv REPLICA 100 200 Disabled vpc-02d3df3ef91f571e1 subnet-02c361 c128f5a940c, subnet- 0664a78ae9bdc60ff pccsrv- 1393 ENABLED not configured Cancel Previous Edit Create Service

Launch Status ECS Service status - 3 of 3 completed Configure Task Networking Create security group Create security group pccsrv-1393 succeeded sg-Oa3fd669efcf05695 Set inbound rules Set inbound rules succeeded sg-Oa3fd669efcf05695 Create Service Create service: pccsrv Service created Service created. Tasks will start momentarily. Mew: pccsrv Additional integrations you can connect to your ECS service Code Pipeline Setup a CI/CD process from your service. You can build from source or have an ECR repository as the source for your deployment. Create a pipeline c? Back View Service

When Last status is Running, your Fargate task is running.

The containers are running.

6. View the defender in the Prisma Cloud Console: Go to Manage > Defenders > Manage Defenders and search the fargate task by adding the filters Fargate and Status: Connected

o CLOUD Defen&rs must Manage Manage deployed Defenders Polkies in mnt to def«1 O Akts Cmm.te 2108525 Advmi wrings Shows connected Cmted 1 min csv t Llpgruie all

o CLOUD Defen&rs must Manage Manage deployed Defenders Polkies in mnt to def«1 O Akts Cmm.te 2108525 Advmi wrings Shows connected Cmted 1 min csv t Llpgruie all

Fimall Host Network 20.2021 PM Not Ani Enabled Not Ani Not Available

Additional Information

Prisma Cloud cleanly separates the code developers produce from the Fargate containers we protect.
Developers don’t need to change their code to accommodate Prisma Cloud.
Developers also don’t need to load any special libraries, add any files, or change any manifests.
When a container is ready to be deployed to test or production, run the task definition through a transform tool to automatically embed the Fargate Defender before loading the new task definition into AWS.
This method for embedding the Fargate Defender was designed to seamlessly integrate into the CI/CD pipeline.
Developers can call the Prisma Cloud API to embed the Fargate Defender into your task definition.

Prerequisites:

The task where you’re embedding the App-Embedded Defender can reach Console’s port 8084 over the network.
A valid task task definition.
Already created an ECS cluster.
Cluster VPC and subnets.
Task role.

NOTE:

The task definition must include matching entrypoint and cmd parameters from Dokerfile(s) of the image(s) in the task.
Because Prisma Cloud does not see the actual images as part of embedding flow, it depends on having these parameters present to reliably insert the App-Embedded Defender into the task startup flow.
If Dokerfile does not include an entrypoint parameter, a default one such as /bin/sh must be used in the task definition.
However, because the cmd parameter is optional, if Dokerfile does not include a cmd parameter, one is not required in the task definition.

Other users also viewed:

How to download GlobalProtect from the Customer Support Portal

Download and Install the GlobalProtect App for Windows

Resource List: GlobalProtect Configuring and Troubleshooting

PAN-OS Software Updates

Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)