1. Overview

This section provides a snapshot of the new features introduced in Prisma™ Cloud Compute Edition version 20.04.

2. New features

  • Provides a new mechanism to automatically protect serverless functions with Serverless Defender directly from Console or the API.

  • Streamlines operations by automatically upgrading all Container Defenders, Defender DaemonSets, and Host Defenders when Console is upgraded. (Serverless Defenders can be upgraded by way of the new auto-protect feature. App Embedded Defenders must still be manually upgraded).

  • Consolidates all CI policy in Console (previously, policy was partially specified in the Jenkins plugin or twistcli).

  • Extends and improves the Trusted Images feature with trust groups, which let you capture related images in entities that can then be used in policy rules.

  • Adds the ability to tag vulnerability findings, filter views based on tags, and set policy based on tags.

  • Extends Prisma Cloud support for registries, with support for Harbor registries, Nexus Registry webhooks, certificate-based authentication for Docker v2 registries, and JFrog Artifactory virtual repositories.

  • Adds the ability to scan VM images, specifically Amazon Machine Images (AMIs).

  • Integrates the Open Policy Agent into Prisma Cloud Compute so that you can specify admission control logic using the Rego language.

  • Maps Prisma Cloud roles to Prisma Cloud Compute roles for better control over what users and groups can see and do in the Compute tab.

  • Automatically maps Prisma Cloud API access keys to the corresponding Compute role. Previously, an administrator would manually need to create the mapping.

  • Collects AWS tags for VM instances, and lets you create collections based on these tags.

  • Enhances the Vulnerability Explorer UI to better allow security and risk teams to quickly prioritize risk across any cloud native environment.

  • Adds the ability to append a custom string to all Console and Defender syslog messages. Useful when you want to be able to identify syslog messages from different Prisma Cloud deployments (where a deployment consists of one Console and all the Defenders connected to it).

  • Aligns UI look and feel with the rest of the Prisma Cloud product, along with other UI/UX improvements.

  • Improves the Jenkins plugin UI, including a better interface for viewing vulnerabilities.

  • Eliminates Jenkins plugin dependencies on the "Dashboard View" and "Static Analysis Utilities" plugins.

  • Adds a project parameter to the pipeline to scan resources in specific projects only.

  • [Prisma Cloud Enterprise Edition] Introduces a unified integrated navigation bar for accessing the Compute tab, and navigating through Compute pages.

  • Adds support for deep linking to Console’s pages so that you can copy links from your browser’s nav bar to share and return to specific pages in the Console UI.

  • Lets you quickly clear out column filters by clicking Clear all filters.

  • Adds filters for registry scan results (registry, repo), users (name, role) and groups (name, role).

  • Adds the notion of capabilities to runtime profiles to better model container images that have one or more aspects that can’t be modeled strictly by process, file system, and network rules.

  • Adds the ability to monitor your environment for raw sockets, which can indicate suspicious activity.

  • Extends twistcli to scan infrastructure as code (IaC) files, such as CloudFormation, Terraform, and Kubernetes YAML files, for compliance issues.

  • Adds native support for Demisto as a sink for Compute alerts and events.

  • Improves readability and formatting of twistcli’s scan report output.

  • Adds VMware Photon OS as a supported host OS.

  • Fortifies Python vulnerability data in our Intelligence Stream.

  • Adds a new dedicated vulnerability policy for serverless functions.

  • Adds support for custom runtime rules, custom compliance rules, Kubernetes audit rules, CNNF, and assigned collections to tenant Projects.

  • Adds support for certificate-based authentication for the Twistlock for Pivotal tile (now Twistlock for VMware Tanzu tile).

  • Disables Console’s unencrypted HTTP listener by default for better out-of-the-box security.

  • Extends runtime protection on file systems with controls for preventing existing files from being modified.

  • Adds new user roles for better control over what users can do in Prisma Cloud Compute. The new roles are Vulnerability Manager and DevSecOps User. The DevSecOps role has read-only access to all pages under Monitor and Radar.

  • Enhances runtime process monitoring capabilities.

  • Enhances malware detection capabilities.

  • Updates base image for Console and Defender containers to Red Hat Universal Base Image (UBI) 8.

  • Improves runtime system to properly capture and model initial startup events.

  • Improves Container Radar layout so that network traffic flows from left to right.

  • Extends support for Kubernetes labels, including labels defined and applied at runtime and namespace labels.

  • Brings feature parity for Docker-less environments, including registry scanning, twistcli scanning, and Jenkins plugin scanning.

  • Adds support for downloading backup files from the Console UI or the API.

  • Adds the capability to rotate Console’s self-signed certificates (valid for 3 years) a month before expiration.

  • Adds the ability to minimize the scan progress bar, while still monitoring scan progress.

  • Updates support for the Microsoft Edge browser. Prisma Cloud only supports the new Microsoft Edge Chromium-based browser (version 80.0.361 and later).

3. Breaking Changes

  • [Prisma Cloud Enterprise Edition] Any previously created API access keys that were manually mapped to a Compute role will be deleted. These keys are found in the Compute tab in Manage > Authentication > Prisma Cloud Access Key Mapping. In 20.04, API access keys created in Prisma Cloud are automatically mapped to their corresponding Compute role.

  • Existing CI policies defined with twistcli parameters, such as --vulnerability-threshold, --compliance-threshold, etc., have been deprecated. All those parameters are now centrally defined in Console in a new dedicated CI policy page. If you try to pass these parameters to twistcli version 20.04.163, twistcli will exit with the error "Incorrect Usage: flag provided but not defined". When upgrading to 20.04, you must fix how twistcli is called in your pipeline (remove the deprecated policy parameters) and re-implement your policy in Console’s new CI policy engine.

  • Due to restructuring the Jenkins plugin:

    • All CI scan reports in Console will be deleted when you upgrade.

    • The name and artifact ID of the Jenkins plugin has changed from Twistlock to Prisma Cloud. When upgrading, install the new plugin and remove the old one.

    • All global plugin configurations will be lost. After upgrading, re-enter them.

    • All non-pipeline build project build steps will be lost. After upgrading, re-enter them.

    • Update your pipeline scripts. Pipeline function names have changed from twistlockScanXXX to prismaCloudScanXXX.

  • When upgrading, all container/host profiles will be deleted, and Radar will be cleared. Updated profiles and Radar view will be populated immediately after upgrading.

  • When upgrading, CNNF rules will be migrated to the new 20.04 format. Note that 19.11 let you define rules that wouldn’t work. The migration logic tries to fix broken rules when they’re upgraded. Review all rules after upgrading. Rules are upgraded as follows:

    • Rule type: Source to multiple entities
      Migration behavior: Stays the same.
      Details:
        Source → Entity_1 | effect: allow
        Source → Entity_2 | effect: allow
        Source → Entity_x | effect: allow
        Source → all other entities | effect: alert/deny based on existing rule

    • Rule type: Source to only subnets
      Migration behavior: Stays the same.
      Details:
        Source → Subnet_1 | effect: allow
        Source → Subnet_2 | effect: allow
        Source → Subnet_x | effect: allow
        Source → all other subnets | effect: alert/deny based on existing rule

    • Rule type: Source to mix of subnets and entities
      Migration behavior: Different behavior. These types of rules didn’t work in 19.11. When migrating to 20.04, only keep entities, drop subnets, and set effect to alert.
      Details:
        Source → Entity_1 | effect: allow
        Source → Entity_2 | effect: allow
        Source → Entity_x | effect: allow
        Source → all other entities | effect: alert (since all subnet rules are removed)

    • Rule type: Fallback rule
      Migration behavior: Different behavior.
      Details:
        If only entity → entity rules are defined, add:
          All other entities → all other entities + learning | effect: alert
        If only entity → subnet rules are defined, add:
          All other entities → subnet | effect: alert
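The migration table above can be modelled to predict what the upgrade will do to an exported 19.11 rule set and to flag the rules that need attention, in particular mixed rules whose subnets are dropped and whose deny fallback is downgraded to alert. The following Python is an added illustration written for these notes, not Prisma Cloud's own migration code; the rule schema (a source, a list of entity or subnet targets, and the effect applied to all other destinations) and the sample rules are constructed for the example.

```python
# Added illustration of the 19.11 -> 20.04 CNNF rule migration table; not
# Prisma Cloud's own migration code. Rule schema is constructed for this example.
from dataclasses import dataclass
from typing import List


@dataclass
class Target:
    kind: str  # "entity" or "subnet"
    name: str


@dataclass
class Rule:
    source: str
    targets: List[Target]
    effect: str  # "alert" or "deny", applied to "all other" destinations


@dataclass
class MigratedRule:
    source: str
    destination: str
    effect: str
    needs_review: bool = False


def migrate_rule(rule: Rule) -> List[MigratedRule]:
    """Apply the per-rule rows of the migration table to one 19.11 rule."""
    entities = [t for t in rule.targets if t.kind == "entity"]
    subnets = [t for t in rule.targets if t.kind == "subnet"]
    out: List[MigratedRule] = []
    if entities and subnets:
        # Mixed rule: did not work in 19.11. Migration keeps the entities, drops
        # the subnets and forces the fallback effect to alert, so a former deny
        # is weakened. Flag every produced rule for review.
        for e in entities:
            out.append(MigratedRule(rule.source, e.name, "allow", needs_review=True))
        out.append(MigratedRule(rule.source, "all other entities", "alert", needs_review=True))
    elif entities:
        for e in entities:
            out.append(MigratedRule(rule.source, e.name, "allow"))
        out.append(MigratedRule(rule.source, "all other entities", rule.effect))
    elif subnets:
        for s in subnets:
            out.append(MigratedRule(rule.source, s.name, "allow"))
        out.append(MigratedRule(rule.source, "all other subnets", rule.effect))
    return out


def fallback_rules(rules: List[Rule]) -> List[MigratedRule]:
    """Apply the "Fallback rule" row. The notes only define the two pure cases."""
    has_entity = any(t.kind == "entity" for r in rules for t in r.targets)
    has_subnet = any(t.kind == "subnet" for r in rules for t in r.targets)
    if has_entity and not has_subnet:
        return [MigratedRule("all other entities", "all other entities + learning", "alert")]
    if has_subnet and not has_entity:
        return [MigratedRule("all other entities", "subnet", "alert")]
    return []  # mixed rule sets are not specified in the notes: review manually


def migrate(rules: List[Rule]) -> List[MigratedRule]:
    out: List[MigratedRule] = []
    for r in rules:
        out.extend(migrate_rule(r))
    out.extend(fallback_rules(rules))
    return out


def review_findings(rules: List[Rule]) -> List[str]:
    """What an admin should check after upgrade: dropped subnets and weakened denies."""
    findings = []
    for r in rules:
        entities = [t for t in r.targets if t.kind == "entity"]
        subnets = [t for t in r.targets if t.kind == "subnet"]
        if entities and subnets:
            findings.append(f"{r.source}: subnets dropped: {', '.join(s.name for s in subnets)}")
            if r.effect == "deny":
                findings.append(f"{r.source}: fallback effect weakened from deny to alert")
    return findings


# Constructed sample rule set (not real Prisma Cloud data)
SAMPLE_RULES = [
    Rule("frontend", [Target("entity", "api")], "deny"),
    Rule("api", [Target("entity", "db"), Target("subnet", "10.20.0.0/16")], "deny"),
]

if __name__ == "__main__":
    for m in migrate(SAMPLE_RULES):
        flag = "  <-- review" if m.needs_review else ""
        print(f"{m.source} -> {m.destination} | effect: {m.effect}{flag}")
    for line in review_findings(SAMPLE_RULES):
        print("REVIEW:", line)
```

Running the script on the sample set shows the pure entity rule surviving with its deny intact, while the mixed rule loses its subnet and ends with an alert fallback; because the set contains both entity and subnet targets, no fallback rule is generated and the set has to be reviewed by hand.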

  • The default Prisma Cloud Compute configuration now disables the HTTP listener. If you retain your previous configuration when upgrading, the HTTP port will be open. If not, HTTP connections will be blocked by default.

  • The Defender Manager role has changed. It now only allows access to Manage > Defenders.

  • The API for evaluating functions has changed to support evaluating multiple functions.

  • The following API endpoints have been deprecated:

    • /containers/filters

    • /hosts/filters

    • /scans/filters

    • /profiles/container/filters

    • /audits/mgmt/filters

    • /audits/incidents/filters

  • Default expiration of access tokens was reduced from 24 hours to 30 minutes.
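Automation that cached a Console token for a working day will start failing with the 30-minute default. A small cache that re-authenticates shortly before expiry is an easy fix; the Python below is an added example written for these notes, not Prisma Cloud's own client code. It assumes (not stated on this page) that a token is obtained from the Console's authentication endpoint and sent as a bearer token; the call that performs the login is injected, so the cache can be driven offline with a fake clock.

```python
# Added example, not Prisma Cloud's own client code: a token cache that
# re-authenticates before the 30-minute default expiry introduced in 20.04.
# Assumption (not on this page): the injected `authenticate` callable performs
# the Console login (e.g. POST /api/v1/authenticate) and returns a token string.
import time
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 30 * 60     # 20.04 default; earlier releases used 24 hours
REFRESH_MARGIN_SECONDS = 60     # re-authenticate a minute early to avoid mid-request 401s


class ConsoleToken:
    def __init__(self, authenticate: Callable[[], str],
                 ttl: int = TOKEN_TTL_SECONDS,
                 margin: int = REFRESH_MARGIN_SECONDS,
                 clock: Callable[[], float] = time.time):
        self._authenticate = authenticate
        self._ttl = ttl
        self._margin = margin
        self._clock = clock
        self._token: Optional[str] = None
        self._issued_at = 0.0
        self.refreshes = 0  # how many logins were performed

    def _expired(self) -> bool:
        # Treat the token as expired once it is within `margin` of its TTL.
        return (self._token is None
                or self._clock() - self._issued_at >= self._ttl - self._margin)

    def get(self) -> str:
        if self._expired():
            self._token = self._authenticate()
            self._issued_at = self._clock()
            self.refreshes += 1
        return self._token

    def auth_header(self) -> Dict[str, str]:
        return {"Authorization": "Bearer " + self.get()}


def simulate_day(interval_seconds: int = 300) -> int:
    """Drive the cache through 24 hours of API calls at `interval_seconds` spacing
    using a fake clock and a constructed login; return the number of logins."""
    fake_now = [0.0]
    logins = [0]

    def fake_authenticate() -> str:
        logins[0] += 1
        return f"constructed-token-{logins[0]}"

    cache = ConsoleToken(fake_authenticate, clock=lambda: fake_now[0])
    for _ in range(0, 24 * 3600, interval_seconds):
        cache.auth_header()
        fake_now[0] += interval_seconds
    return cache.refreshes


if __name__ == "__main__":
    print("logins needed for a day of 5-minute polling:", simulate_day(300))
```

With the one-minute margin the cache logs in once every 30 minutes of polling, 48 times in a simulated day, instead of the single login per day that a 24-hour token allowed.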

4. Known issues

  • The exit code from twistcli always returns 0, regardless of your policy’s failure criteria. This causes problems when using twistcli to fail builds based on twistcli’s exit code.

5. Deprecated this release

  • Support for system calls in runtime models and policy has been deprecated.

  • Dashboard portlets (graphs) in the Jenkins plugin have been deprecated.

6. Deprecated next release

  • Prisma Cloud High Availability (HA) will be deprecated in the next release of Prisma Cloud (second half of 2020). For your HA needs, use a container orchestrator, such as Kubernetes, to run and manage the Console container.