[Prisma Cloud Compute]: Should we deploy the defender with fsmon_v2 environment variable in Quinn (34.00.x) when running the Defenders with Filesystem monitoring in 'Prevent' actions?

[Prisma Cloud Compute]: Should we deploy the defender with fsmon_v2 environment variable in Quinn (34.00.x) when running the Defenders with Filesystem monitoring in 'Prevent' actions?

433
Created On 05/22/25 04:50 AM - Last Modified 02/10/26 21:33 PM


Question


Should we deploy the defender with fsmon_v2 environment variable in Quinn (34.00.x) when running the Defenders with Filesystem monitoring in 'Prevent' actions? 

Environment


  • Prisma Cloud and Compute

Answer


  1. To enhance the handling of file system events in the runtime, a new version, fsmon_v2, has been developed and introduced in Quinn (34.00.x).  This is is not enabled by default.
  2. The fsmon_v2 improves stability by managing timeouts more promptly and robustly, which reduces bottlenecks and enhances overall stability.
  3. When deploying the Quinn (34.00.x) defender and prefers to run the defender with runtime rules such as Cryptominer events set in Prevent actions then it is necessary that the defender is deployed with the FSMON_v2 environment variable set.
    Note: Starting from Quinn Update1 release (version 34.01), fsmon_v2 is the default file system monitoring process and runs by default when the defender launches. So, when running 34.01.x there is no need to explicitly enable this environment variable.
  4. The following env variables are needed before deploying the defender:

     

    Mandatory parameters:

    - name: FSMON_V2
    value: "true"
    - name: DISABLE_NFS_TRACKING
    value: "true"

    Optional parameters, needed for fine tuning:

    - name: FANOTIFY_SYSTEM_LIMITS
    value: "true"
    - name: FSMON_PREVENT_ QUEUE _LIMITS
    value: "4000"
    - name: FSMON_APPROVE_ALL
    value: "false"
    - name: RESPONSE_TIMEOUT_MS
    value: "10"

    Note:  When deployed through helm add those above env in the values.yaml and reference these variables in the templates/daemonset.yaml too:

    Example:

     

    • In values.yaml , the following variables are being added  (These are added at the end)

    FSMON_V2: "true"
    DISABLE_NFS_TRACKING: "true"

     

    • Then in the templates/daemonset.yaml , the reference of these variables are as below:

    - name: FSMON_V2
    value: "{{ .Values.FSMON_V2 }}"
    - name: DISABLE_NFS_TRACKING
    value: "{{ .Values.DISABLE_NFS_TRACKING }}"

    Additional Information


    Link to the Quinn Update-1 Release notes that explains about the fsmon_v2 environment variable:

    34.01.x RN - FSMON_v2
    Other users also viewed:
    Actions
    • Print
    • Copy Link

      https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000TNFHKA4&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail