1. Overview

Prisma Cloud Defenders enforce the policies defined in Console and send event data up to the Console for correlation. There are several types of Defenders, and depending on the assets in your environment that require protection you may end up deploying all of them or a subset. Defenders support the full variety of workloads in cloud native environments:

  • Container Defender: This Defender type is deployed as a container on every asset running containers in your infrastructure.

  • Host Defender: This Defender type is deployed for Virtual Machines that do not run containers.

  • Fargate Defender: This Defender type deploys as part of your Fargate deployment.

  • Serverless Defender: This Defender type deploys as part of your serverless function and provides Runtime Application Self Protection (App Embedded) capabilites.

Defender can be installed one of the following ways:

  • One at a time, on each host that you want to protect. Use this method when you’re not using an orchestrator, or for simple proof-of-concept environments. You can also install Defenders via whatever configuration management or automation tools you are already using, Ansible, Puppet, or Chef for example.

  • As a orchestrator-native construct. For example, you can deploy Defender as a DaemonSet in Kubernetes and OpenShift environments or as a global service in Docker Swarm environments. Orchestrator-native constructs ensure that Defender is automatically deployed to every node in the cluster, even as the cluster dynamically scales up or down.

  • As a systemd service on hosts that do not have Docker.

  • As a windows system service on hosts that do not have Docker.

  • As a part of your Fargate deployment, Serverless function, or other cloud native workload deployment.

By default, Defender establishes a connection to Console on TCP port 8084 but you can customize the port to meet the needs of your environment. All traffic between the Defender and the console is TLS encrypted.

To use Prisma Cloud registry scanning capabilities, different container Defenders in your environment can be designated to scan each registry, allowing you to balance registry scanning based on geographic or other concerns; container based Defenders can simultaneously protect its host and scan registry images. These Defenders must be able to connect to the registries over the network, and the type (Linux or Windows) must match the kind of images you want it to scan. If you have a hybrid Linux and Windows environment, one Defender of each type must be running.

As with Console, Prisma Cloud provides automation in the product to generate the artifacts required to deploy Defender across a variety of environments.