Prisma Cloud Compute : After enabling WAAS Host in-line policy, the protected port is inaccessible while WAAS does not see any packet come in
1996
Created On 12/14/22 08:03 AM - Last Modified 07/16/24 04:47 AM
Symptom
- Prisma Cloud Compute : After enabling WAAS Host in-line policy, the protected port is inaccessible while WAAS does not see any packet come in
Environment
- Prisma Cloud Compute
- WAAS: Host in-line policy
- Host Defender
Cause
- When WAAS Host in-line policy is enabled, it utilises the following iptables to redirect the protected port to WAAS listen port (between 30000 - 31000). E.g. The protected port is 443:
# iptables -S -t nat ... -A TWISTLOCK-APP-PREROUTING -p tcp -m tcp --dport 443 -m comment --comment twistlock-rule-443 -j REDIRECT --to-ports 30000 ...
- Later, if the port 30000 - 31000 is not "Accepted" in the original iptables, redirected traffic will be blocked by the iptables as per their design
Resolution
- Before enabling WAAS Host in-line policy, open the necessary ports used by WAAS (30000 - 31000) E.g.
- iptables:
-
sudo iptables -I INPUT 1 -p tcp --dport 30000:31000 -j ACCEPT
- To make this rule permanent (survive over reboot):
- Debian and Ubuntu Linux:
-
sudo /sbin/iptables-save > /etc/iptables/rules.v4
-
- CentOS/RHEL:
-
sudo /sbin/iptables-save > /etc/sysconfig/iptables
-
- Debian and Ubuntu Linux:
-
- firewall-cmd:
-
sudo firewall-cmd --permanent --zone=public --add-port=30000-31000/tcp sudo firewall-cmd --reload
-
- iptables:
Additional Information
- After WAAS is enabled, if you have restarted the iptables or firewalld due to any reason, Restart the Defender process : UI > Manage > Defenders > Deployed-Defenders > Actions > Restart
- This will ensure the iptables rules used by WAAS is injected properly