1. Overview

In some environments, access to the Internet must go through a proxy. Prisma Cloud can be configured to route requests through your proxy. Proxy settings are applied to both Console and Defender containers.

Proxy settings are configured in the UI after Console is installed. Console immediately starts using your settings after saving them. Any Defenders deployed after saving your settings will use your proxy settings. Any Defenders deployed before saving your settings must be redeployed.

2. Console

Console has a number of connections that might traverse a proxy.

configure proxy console
  • Retrieving Intelligence Stream updates.

  • Connecting to services, such as Slack and JIRA, to push alerts.

3. Defenders

Defender has a number of connections that might traverse a proxy.

configure proxy defender
  • Connecting to Console. If you deploy Defenders in a remote region, they might need to connect to Console through a proxy.

  • Connecting to external systems, such as Docker Hub or Google Container Registry, for scanning.

  • Connecting to your secrets store to retrieve secrets for injection into your containers.

4. Settings

A number of settings let you specify how Prisma Cloud interfaces with your proxy.

4.1. Proxy bypass

You can provide a list of addresses that Prisma Cloud can contact directly without connecting through the proxy. Specify DNS names, IP addresses, or a combination of both. Specifying a block of IP addresses in CIDR notation is currently not supported.

4.2. CA certificate

Console verifies server certificates for all TLS connections. With TLS intercept proxies, the connection from Console to the Internet passes through a proxy, which may be transparent. To facilitate traffic inspection, the proxy terminates the TLS connection and establishes a new connection to the final destination.

If you have a TLS intercept proxy, it will break the Console’s ability to connect to external services, because Console won’t be able to verify the proxy’s certificate. To get Console to trust the proxy, provide the CA certificates for Console to trust.

4.3. Proxy authentication

If egress connections through your proxy require authentication, you can provide the credentials in Prisma Cloud’s proxy settings. Prisma Cloud supports Basic authentication for the Proxy-Authenticate challenge-response framework defined in RFC 7235. When you provide a username and password, Prisma Cloud submits the credentials in the request’s Proxy-Authorization header.

5. Configuring proxy settings

Configure your proxy settings in Console.

  1. Open Console, and go to Manage > System > Proxy.

  2. In HTTP Proxy, enter the address of the web proxy. Specify the address in the following format: <PROTOCOL>://<IP_ADDR|DNS_NAME>:<PORT>, such as http://proxyserver.company.com:8080.

  3. (Optional) In No Proxy, enter addresses that Prisma Cloud can access directly without connecting to the proxy. Enter a list of individual IP addresses and fully-qualified domain names. IP blocks in CIDR notation are not supported.

  4. (Optional) For TLS intercept proxies, enter the root trusted authority certificate, in PEM format, that Console should trust.

  5. (Optional) If your proxy requires authentication, enter a username and password.

  6. Click Save.

  7. Redeploy your Defenders to propagate updated proxy settings to them.

    Console does not need to be restarted. After proxy settings are saved, Console automatically uses the settings the next time it establishes a connection.

    Any newly deployed Defenders will use your proxy settings.

    Any already deployed Defenders must be redeployed. For single Container Defenders, uninstall then reinstall. For Defender DaemonSets, regenerate the DaemonSet YAML, then redeploy.

    $ kubectl apply -f defender.yaml