Prisma Cloud: False positive Alert for policy "GCP VM instance that is internet reachable with unrestricted access (0.0.0.0/0)"

Created On 04/01/24 14:13 PM - Last Modified 10/14/24 16:58 PM


Symptom


High-severity alerts are raised by the following policy for VM instances that are not, in practice, reachable from the internet with unrestricted access:

GCP VM instance that is internet reachable with unrestricted access (0.0.0.0/0).

The affected instances sit behind a Google Cloud load balancer and are protected by Cloud Armor. Google source-NATs its load balancer health-check traffic, and the VPC firewall rules that admit those health checks (see Google's VPC firewall documentation on health check rules) make the instance look directly exposed to the policy's network-path evaluation, so the alert is a false positive.



Environment


  • Prisma Cloud CSPM
  • Policy


Cause


Prisma Cloud network-exposure policies do not currently evaluate Cloud Armor security policies, so the protection Cloud Armor provides in front of a load balancer is not taken into account when the policy decides whether an instance is internet reachable.



Resolution


Fixed in Prisma Cloud 24.3.1: customers can exclude assets from the policy based on tags.

* Clone the policy "GCP VM instance that is internet reachable with unrestricted access (0.0.0.0/0)" and exclude the Cloud Armor-protected assets by tag, using dest.tag NOT IN (...) in the cloned policy's RQL:

config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'GCP' and dest.resource.state = 'Active' and dest.tag NOT IN (key1=value1, key2=value2, etc)

Replace key1=value1, key2=value2 with the tag key/value pairs applied to the instances behind the Cloud Armor-protected load balancer. Because the policy is cloned, the built-in policy is left as shipped and the clone is the custom policy to enable.
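An added example, not part of this KB article and not Prisma Cloud code: a small Python simulation that renders the cloned policy's RQL from a list of exclusion tags and applies the same conditions to a constructed inventory of instances, so the chosen tag set can be checked to exclude only the Cloud Armor-protected VMs while a genuinely exposed, untagged VM still alerts. The instance record layout, the sample inventory, and the reading of dest.tag NOT IN (...) as "any listed key=value pair on the asset excludes it" are assumptions made for the simulation, not the Prisma Cloud asset schema or policy engine.

```python
"""Local check of the cloned policy's tag exclusion.

Added example, not Prisma Cloud code and not the Prisma Cloud policy engine:
it renders the `dest.tag NOT IN (...)` clause for a list of exclusion tags and
applies the same predicate to constructed instance records, so the tag set
can be sanity-checked before the policy is cloned. The record layout and the
"any listed key=value pair on the asset excludes it" reading of NOT IN are
assumptions made for this simulation.
"""
from dataclasses import dataclass, field

# Base RQL of the built-in policy, as quoted in the article.
BASE_RQL = (
    "config from network where source.network = '0.0.0.0/0' "
    "and address.match.criteria = 'full_match' "
    "and dest.resource.type = 'Instance' and dest.cloud.type = 'GCP' "
    "and dest.resource.state = 'Active'"
)


@dataclass
class Instance:
    """Constructed stand-in for a GCP VM as the network policy sees it."""
    name: str
    tags: dict = field(default_factory=dict)
    # (source.network, address.match.criteria) pairs from the VPC firewall
    ingress: list = field(default_factory=list)
    state: str = "Active"
    cloud: str = "GCP"
    resource_type: str = "Instance"


def exclusion_clause(exclude_tags):
    """Render the tag exclusion exactly as it goes into the cloned policy."""
    pairs = ", ".join(f"{k}={v}" for k, v in exclude_tags)
    return f"dest.tag NOT IN ({pairs})"


def cloned_policy_rql(exclude_tags):
    """Full RQL of the cloned policy: base policy plus the tag exclusion."""
    return f"{BASE_RQL} and {exclusion_clause(exclude_tags)}"


def unrestricted_ingress(inst):
    """True when some firewall rule fully matches 0.0.0.0/0 to the instance."""
    return any(net == "0.0.0.0/0" and crit == "full_match"
               for net, crit in inst.ingress)


def alerts(inst, exclude_tags=()):
    """Would the (cloned) policy raise an alert for this instance?"""
    if (inst.cloud, inst.resource_type, inst.state) != ("GCP", "Instance", "Active"):
        return False
    if not unrestricted_ingress(inst):
        return False
    # Assumption: an asset carrying any listed key=value tag is excluded.
    return not any(inst.tags.get(k) == v for k, v in exclude_tags)


def alerting_instances(instances, exclude_tags=()):
    """Names of the instances the policy would flag, in input order."""
    return [i.name for i in instances if alerts(i, exclude_tags)]


# Constructed sample inventory (not real assets).
SAMPLE = [
    # Behind a Cloud Armor-protected load balancer; the health-check firewall
    # rule makes it look fully open. This is the false positive from the article.
    Instance("web-behind-lb", tags={"armor": "protected", "env": "prod"},
             ingress=[("0.0.0.0/0", "full_match")]),
    # Genuinely exposed: no load balancer, no exclusion tag. Must keep alerting.
    Instance("legacy-ssh-box", tags={"env": "prod"},
             ingress=[("0.0.0.0/0", "full_match")]),
    # Only reachable from RFC 1918 space: never alerts, tag or not.
    Instance("db-internal", tags={"armor": "protected"},
             ingress=[("10.0.0.0/8", "full_match")]),
    # Tag key matches but the value does not, so the exclusion must not apply.
    Instance("staging-web", tags={"armor": "pending"},
             ingress=[("0.0.0.0/0", "full_match")]),
    # Not Active: filtered out by dest.resource.state before the tag check.
    Instance("old-bastion", state="Terminated",
             ingress=[("0.0.0.0/0", "full_match")]),
]

# Hypothetical exclusion tag applied to the Cloud Armor-protected instances.
EXCLUDE = [("armor", "protected")]

if __name__ == "__main__":
    print(cloned_policy_rql(EXCLUDE))
    print("default policy flags:", alerting_instances(SAMPLE))
    print("cloned policy flags: ", alerting_instances(SAMPLE, EXCLUDE))
```

Run it as a script to see the rendered RQL and the two result sets side by side. The point of the staging-web record is the caveat a practitioner should verify in their own tenant: the exclusion is keyed on the exact key=value pair, so instances that carry the key with a different value still alert, which is the desired behaviour when the tag is used to mark "confirmed behind Cloud Armor".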


Additional Information


See the Prisma Cloud documentation on policies for details on cloning and customizing a policy.



Article link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wo86CAA&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail