
Prisma Cloud Host Defender Auto Deploy from a SaaS Portal


1 hour 30 minutes 5 Credits

This lab was developed with our partner, Palo Alto Networks. Your personal information may be shared with Palo Alto Networks, the lab sponsor, if you have opted in to receive product updates, announcements, and offers in your Account Profile.

Prerequisites

A Prisma Cloud SaaS portal. This lab is designed for current Prisma Cloud customers. If you are not a customer, please contact Palo Alto Networks prior to starting the lab to register for a free trial at https://marketplace.paloaltonetworks.com/s/trial.

GSP837


Overview

Prisma Cloud provides comprehensive visibility and threat detection for cloud workloads in Google Cloud. Prisma Cloud software consists of two components: Console and Defender. Console is Prisma Cloud's management interface; it lets you define policy and monitor your environment. For the Prisma Cloud SaaS edition, the Console is hosted by Palo Alto Networks. Defender is deployed to your Google Cloud environment to secure the cloud workloads, and protects your environment according to the policies set in Console. There are a number of Defender types; Host Defender uses Prisma Cloud's model-based approach for protecting hosts that do not run containers.

Host Defender Auto Deployment allows Prisma Cloud customers to automatically deploy Prisma Cloud Host Defender (the security agent) from the SaaS-based Prisma Cloud Console to the virtual machines (VMs), that is, the Compute Engine instances, in your Google Cloud project. Google Cloud Guest Policy manages Host Defender Auto Deployment to VMs. You choose the target VMs through the Guest Policy assignment. Auto deployment uses two of the Google Cloud Guest Policy assignment options to let you target a group of VMs by one of the following characteristics:

Guest Policy supports various versions of Linux and Windows. You can find the complete list of supported operating systems at LINK.

What you'll do

  1. Deploy Token Refresher

  2. Deploy Host Defender from Marketplace and create Guest Policy

  3. Deploy VM instance to get Host Defender auto deployed

Setup

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.
  • Time to complete the lab. Remember, once you start, you cannot pause a lab.
Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

How to start your lab and sign in to the Google Cloud Console

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:

    • The Open Google Console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
  2. Click Open Google Console. The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.
  3. If necessary, copy the Username from the Lab Details panel and paste it into the Sign in dialog. Click Next.

  4. Copy the Password from the Lab Details panel and paste it into the Welcome dialog. Click Next.

    Important: You must use the credentials from the left panel. Do not use your Google Cloud Skills Boost credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.
  5. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Cloud Console opens in this tab.

Note: You can view the menu with a list of Google Cloud Products and Services by clicking the Navigation menu at the top-left. Navigation menu icon

Prepare your Google Cloud Project

You will need to prepare your Google Cloud Project with the required API, service account, and secret before launching the Host Defender Auto Deployment.

In the upper-right corner of the Cloud Console, click the Cloud Shell icon to open Cloud Shell.

Start by setting a variable for your Project ID with this command, replacing [YOUR PROJECT ID] with your Project ID:

export project_id=[YOUR PROJECT ID]

Verify the success of your variable creation by echoing the value:

echo $project_id

Next, in the upper-right corner, click to copy your student user ID. Use the whole email address.

Create an environment variable for your username, using your student email address:

export user_id=[YOUR USER ID]

Verify the success of your variable creation by echoing the value:

echo $user_id

Run the following to set your account and project:

gcloud config set account $user_id
gcloud config set project $project_id

Permission for creating Guest Policy

As the owner of the project, you have full access to create and manage the Guest Policy.

Enable the OS Config API in your project:

gcloud services enable osconfig.googleapis.com

Configure the project metadata:

gcloud compute project-info add-metadata \
    --metadata=enable-guest-attributes=true,enable-osconfig=true,enable-os-config-debug=true,osconfig-log-level=debug

You will see an Updated message in the Cloud Shell output.

Run the following command to confirm the project metadata is set up properly:

gcloud compute project-info describe


Deploy Token Refresher

The Prisma Cloud Compute API Token used to securely retrieve the software is valid for up to 60 minutes. Host Defender Auto Deployment deploys Prisma Cloud Host Defender (the security agent) from the Prisma Cloud Console to the virtual machines (Compute Engine instances) in your Google Cloud project according to the guest policy you configure. This process needs a valid Prisma Cloud Compute API Token each time a new compute instance spins up, so that Host Defender is installed automatically. To address this you will deploy a Token Refresher script that keeps the token valid.

The Token Refresher script is a community supported script that refreshes the Prisma Cloud Console token associated with cert download for auto-install of defender agent.

Prepare for Token Refresher

The Token Refresher works by refreshing a secret stored in Secret Manager.

Enable the following APIs using the gcloud command below:

  • Compute Engine API

  • Cloud Functions API

  • Cloud Logging API

  • Cloud Pub/Sub API

  • Cloud Build API (required by Google Cloud for the Functions API)

  • Cloud Scheduler API

  • Secret Manager API

  • Cloud Storage API (Different than Cloud Storage)

  • OS Config API

gcloud services enable compute.googleapis.com cloudfunctions.googleapis.com logging.googleapis.com pubsub.googleapis.com cloudscheduler.googleapis.com cloudbuild.googleapis.com storage.googleapis.com secretmanager.googleapis.com osconfig.googleapis.com

Create a Service Account for the token refresher script with the following command:

gcloud iam service-accounts create token-refresher-function \
    --description "Token Refresher function SA" \
    --display-name="Token Refresher function SA"

This creates a service account named token-refresher-function with the description "Token Refresher function SA".

Verify the service account is created by running the following command and locate the service account:

gcloud iam service-accounts list

Look for the Token Refresher function SA in the output.

Copy the full email ID of your newly created service account, and add it to an environment variable with the following command:

export service_account_id=[FULL SERVICE ACCOUNT EMAIL ID]

The Token Refresher script will require access to a storage bucket that will be created in a later step. Grant the Secret Manager Admin role (roles/secretmanager.admin) to the function service account with this gcloud command:

gcloud projects add-iam-policy-binding $project_id \
    --member serviceAccount:$service_account_id \
    --role roles/secretmanager.admin

Operational Steps Outline

  1. Cloud Scheduler is a cron tool that utilizes AppEngine to process Google-managed scheduled events. The Cloud Scheduler job will be used to trigger the Pub/Sub topic that will trigger a Cloud Function to refresh the API Token.
  2. The Pub/Sub Topic is the trigger that activates the Cloud Function.
  3. The Cloud Function runs the Python code to refresh the token by running a requests.get against the token endpoint on your Prisma instance.
  4. The Prisma instance returns the token to the Cloud Function.
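The outline above describes what the function has to do once the Pub/Sub message arrives: call the renew endpoint on the Console with the current token and write the fresh token back into the secret. The following is an added example written for this page, not the main.py from the PaloAltoNetworks/host-defender-token-refresher repository. It assumes the renew endpoint answers with a JSON body of the form {"token": "..."} and that the project ID is available to the function as the PROJECT_ID environment variable; the console address placeholder must be replaced with the Path to Console value you copy later in the lab. The HTTP call and the Secret Manager write are passed in as functions so the renewal logic can be exercised without network access, and a 401 (the case the Troubleshooting section covers) is turned into a hard failure rather than silently storing nothing.

```python
"""Added example (not the repository's main.py): renew a Prisma Cloud Compute API
token and store it as a new version of the Secret Manager secret the auto-deployment reads."""
import json
import os
import urllib.error
import urllib.request

# Everything before api/v1/authentication/renew is the console address (see the page);
# the default below is a placeholder, set CONSOLE_ADDRESS in the function's environment.
CONSOLE_ADDRESS = os.environ.get("CONSOLE_ADDRESS", "https://CONSOLE-ADDRESS-PLACEHOLDER")
RENEW_PATH = "api/v1/authentication/renew"
# The auto-deployment expects exactly this secret name (from the page).
SECRET_NAME = "host-defender-gcp-secure-deployment"


def renew_url(console_address):
    """Join the console address and the renew path without doubling slashes."""
    return console_address.rstrip("/") + "/" + RENEW_PATH


def renew_token(current_token, fetch):
    """Exchange a still-valid token for a fresh one.

    fetch(url, headers) -> (status, body_bytes). A 401 means the stored token has
    already expired; the only recovery is to recreate the secret by hand with a
    token copied from Console, so fail loudly instead of storing garbage.
    Assumption: the renew endpoint returns {"token": "..."}.
    """
    status, body = fetch(renew_url(CONSOLE_ADDRESS),
                         {"Authorization": "Bearer " + current_token})
    # Same marker the lab tells you to look for in Logs Explorer.
    print("DEBUG: <Response [%d]>" % status)
    if status == 401:
        raise PermissionError("stored token expired; recreate the secret with a current token")
    if status != 200:
        raise RuntimeError("unexpected status %d from renew endpoint" % status)
    new_token = json.loads(body.decode("utf-8"))["token"]
    if not new_token:
        raise ValueError("renew response carried an empty token")
    return new_token


def rotate(current_token, fetch, store):
    """Renew the token, hand it to store(secret_name, token), and return it."""
    new_token = renew_token(current_token, fetch)
    store(SECRET_NAME, new_token)
    return new_token


def _http_fetch(url, headers):
    """Real transport using only the standard library."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def _secret_path():
    # Assumption: PROJECT_ID is set on the deployed function.
    return "projects/%s/secrets/%s" % (os.environ["PROJECT_ID"], SECRET_NAME)


def _secret_manager_read(secret_name):
    """Real source: latest version of the secret (google-cloud-secret-manager client)."""
    from google.cloud import secretmanager  # only needed inside the deployed function
    client = secretmanager.SecretManagerServiceClient()
    resp = client.access_secret_version(request={"name": _secret_path() + "/versions/latest"})
    return resp.payload.data.decode("utf-8")


def _secret_manager_store(secret_name, token):
    """Real sink: add the fresh token as a new secret version."""
    from google.cloud import secretmanager
    client = secretmanager.SecretManagerServiceClient()
    client.add_secret_version(request={"parent": _secret_path(),
                                       "payload": {"data": token.encode("utf-8")}})


def refresh_token(event, context):
    """Cloud Function entry point (matches --entry-point=refresh_token on the page)."""
    rotate(_secret_manager_read(SECRET_NAME), _http_fetch, _secret_manager_store)
```

The two Secret Manager calls this code makes, access_secret_version and add_secret_version, are covered by roles/secretmanager.secretAccessor and roles/secretmanager.secretVersionAdder on the one secret; the lab grants the broader roles/secretmanager.admin at project level for simplicity, so in production scope the binding down to the secret itself.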

In a production environment, all of these steps will need to be completed by an individual with Google Cloud organization admin or project admin rights, plus token management access, to the Prisma Cloud Compute Console. As a lab student you have been granted these permissions.

Navigate to Prisma Cloud Console

  1. In your browser, open the Application hub in a separate tab.

  2. Sign in to your Palo Alto Networks account.

  3. After signing in, you should see the Prisma Cloud icon in your application hub.

If you do not see the Prisma Cloud icon, request a free trial at the Palo Alto Networks Prisma Cloud trial request link.

  4. Double-click the icon to be redirected to the Prisma Cloud Console.

Retrieve Prisma Cloud Compute console URL and token

Next you are going to get a valid API token from Prisma Cloud and use it to create a secret in Google Cloud Secret Manager.

To get the authentication API Token, navigate to Prisma Cloud Console - Prisma Cloud > Compute.

In Compute, scroll down to the Manage section and click Authentication. Copy the API Token.

Create Secret for Prisma Cloud Token

In the Cloud Console, navigate to Secret Manager (Navigation menu > Security > Secret Manager).

Click Create Secret.

Add the following:

  • Name: host-defender-gcp-secure-deployment
  • Secret value: the token you copied in the previous step


Note: You must use the exact secret Name above, or the auto deployment will fail.

Click Create Secret.

Create a Pub/Sub Topic

Now that you have the service account for your Cloud Function, you need to create a Pub/Sub Topic that acts as the trigger for the function.

In Cloud Shell run the following:

gcloud pubsub topics create token-refresher


From the Navigation menu, select Pub/Sub > Topics, and verify that the token-refresher topic is listed.


Create a Cloud Function

Clone the repository containing the Token Refresher source code and go to the host-defender-token-refresher directory:

git clone https://github.com/PaloAltoNetworks/host-defender-token-refresher.git
cd host-defender-token-refresher

A Cloud Function requires two main code files: main.py and requirements.txt. Google Cloud has API-specific Python libraries for interacting with its services. You use requirements.txt to declare the required libraries and API references.

Get the Console address of Prisma Cloud Compute Console

In your Prisma Cloud Console copy your Compute Console URL by going to:

Prisma Cloud > Compute > Manage > System, then click the Downloads tab. Locate Path to Console at the bottom of the page and click the copy button.

Save the URL somewhere. The URL should be in this format:

https://us-west1.cloud.twistlock.com/us-3-159237196

Your URL will be different!

Configure Cloud Function

You will update the main.py script with your Prisma Cloud Compute Console URL. Make sure to replace the URL only and leave the rest in place.

In Cloud Shell, use the Open in new window icon to bring Cloud Shell into a new window. Then click the Cloud Shell Editor icon and navigate to main.py under the host-defender-token-refresher folder.

Replace the console_address with the URL you copied from Prisma Cloud Console. Only replace the console address portion, which is everything before api/v1/authentication/renew.

Save and Close the file.

In the Cloud Shell terminal, run the following command to deploy the Cloud Function:

gcloud functions deploy pcc-token-refresher \
    --region "us-central1" \
    --trigger-topic=token-refresher \
    --entry-point=refresh_token \
    --runtime=python37 \
    --service-account $service_account_id

It may take several minutes for your Cloud Function to complete deploying. The important pieces of the command above are:

  • The entry point, which is the function that runs first when the Cloud Function is triggered
  • Your service account
  • The trigger topic, which is the Pub/Sub topic created previously


Wait for a minute or two to allow the Cloud Function to fully deploy. To check if the Cloud Function is deployed, go to Navigation menu > Cloud Functions.


Use the Refresh button to make sure you're seeing the latest information.

Create cron job via Cloud Scheduler

Cloud Scheduler is a cron tool that utilizes AppEngine to process Google-managed scheduled events. The Cloud Scheduler job will be used to trigger the Pub/Sub topic that acts as the trigger for the Cloud Function.

Run the following:

gcloud scheduler jobs create pubsub refresh-token-cron \
    --schedule="*/5 * * * *" \
    --topic=token-refresher \
    --message-body=foobar \
    --attributes region=us-central1

Type y to add the App Engine app to your project, then type the number associated with the region for the app.

If you run into an error, repeat the command.

Run the following to confirm the job is scheduled:

gcloud scheduler jobs list


Verify the token is refreshing

In the Cloud Console, navigate to Navigation menu > Logging > Logs Explorer.

Enter the following into the Query builder and click Run Query.

resource.type="cloud_function" resource.labels.function_name="pcc-token-refresher"

Use the Jump to now button to refresh the query results a few times.

Locate "DEBUG: <Response [200]>"; it is the indicator of a successful run of pcc-token-refresher.

The token you use has an intentionally short lifespan. You will now recreate the token to make sure it lasts while you're working on this lab. To recreate the token, return to the Cloud Console and go to Security > Secret Manager.

Delete the secret host-defender-gcp-secure-deployment by clicking on the 3 dots at the end of the secret, then select Delete.


Type the name of the secret, then click Delete.

Click Create Secret.


Recreate the secret with updated token from Prisma Cloud.

You can also see that the secret gets updated every 5 minutes in Secret Manager. In the search bar, type "secret".

Select secret host-defender-gcp-secure-deployment, click Action and View secret value to confirm that the secret value has been updated with a new token.


Click Check my progress to verify the objective. Verify token is refreshing

Deploy Host Defender

Prepare Compute instance

VM instances need permission to access the secret host-defender-gcp-secure-deployment you created in the section above. You will add the Secret Manager Admin role to the service account you use for VM instances. The following steps use the default service account; you may use another service account.

Navigate to Navigation menu > IAM & Admin > Service accounts, then locate the default service account for VM instances by looking for the name "Compute Engine default service account". Copy the email of the account.


Navigate to Secret Manager, select the secret host-defender-gcp-secure-deployment, and click Show info panel in the upper-right corner if the panel isn't open already.

Click Add Member.


Paste the Compute Engine service account under New members.

Select a role of Secret Manager Admin and Save.


Click Check my progress to verify the objective. Deploy Host Defender

Deploy Host Defender

You need to use the Console URL again, which you previously saved. If you need to copy it again, here's how to find it: Prisma Cloud > Compute > Manage > System, then click the Downloads tab. Locate Path to Console at the bottom of the page and click the copy button.

This is what the URL looks like:

https://us-west1.cloud.twistlock.com/us-3-159237196

In the next step you will split up the console address to create a Guest Policy: us-3-159237196 is the Tenant ID.

Create a Guest Policy

Use this link to install Prisma Cloud Host Defender to your Google Cloud project.

Enter the name of the Guest Policy ID you would like to use.

Enter the Prisma Console endpoint (from the Console URL you saved) and the Prisma Tenant ID (discussed in the previous step).

You may choose Add label or add a VM name prefix to your guest policy. If you do, don't forget what they are; you'll need them when you create a VM in the next step. Refer to the Google Cloud link for more details.

Click Deploy; this will bring you to the Guest Policy page.

Click VIEW DETAILS at right to view the details of the guest policy created.


OPTIONAL: Review the guest policy status with gcloud command

You may use the gcloud command-line tool to inspect the guest policies associated with your project and the compute instance.

  1. Use the os-config guest-policies list command to list all your guest policies.

gcloud beta compute os-config guest-policies list

To review the guest policy in Cloud Console

https://console.cloud.google.com/security/agent/deployment/policies?project={project_id}

Deploying Host Defender creates an OS Guest Policy. Click VIEW DETAILS to review the details of the Guest Policy.

  2. From the list of guest policies, copy the IDs of the guest policies you would like to inspect, and then run the following command for each of them. Replace POLICY_ID with the policy ID that you want to review.

gcloud beta compute os-config guest-policies describe POLICY_ID

Create a VM instance

Navigate to Cloud Console, select Compute Engine > VM Instances, then click Create.

Select a name for your VM instance; make sure it matches the prefix you used if you added one when creating the guest policy in the previous step.

If you added a label when creating the guest policy in the previous step, add the matching label to your VM instance.

Since you're using the Compute Engine default Service Account for your VM instance, make sure to select Allow full access to all Cloud APIs:


Click Create.

Once the instance is created, the Host Defender should be installed automatically.

Validate the Host Defender is deployed

Here are the steps to verify that Defender is installed and connected to the Prisma Cloud Console.

In your Prisma Cloud Console, confirm that the Defender is deployed: go to Prisma Cloud > Compute > Manage > Defenders. You'll see your instance listed.

Your new Defender should be listed in the table, and the status box should be green and checked.

Validate a successful defender deployment in Google Cloud

Get the VM instance ID

Navigate to Cloud Console, and go to Compute Engine > VM Instances. Click the name of your instance to see the details. Locate Instance ID and copy it. You will use it to query the instance in logs.


Navigate to Logging > Logs Explorer and run this query, replacing [your instance ID] with the instance ID from the above step:

resource.type="gce_instance" resource.labels.instance_id="your instance ID" logName="projects/your-project_id/logs/OSConfigAgent"

Wait a minute, then click the Jump to now button a few times to see results from a successful run.

Click Check my progress to verify the objective. Validate the Host Defender

Troubleshooting

If the VM instance doesn't show up in the Prisma Cloud Compute Console Defender list, go through the following steps:

Confirm the guest-policy desired state at the VM instance is "Installed".

You can also run the lookup command for a given instance to see which configurations apply to that VM instance.

gcloud beta compute os-config guest-policies lookup VM_NAME


Review guest policy logs

Review the OSConfigAgent (Guest Policy) logs if there is any error.

Locate the Instance ID in Compute Engine.

Troubleshooting other possible errors

Navigate to Logs Explorer and run this query:

resource.type="gce_instance" resource.labels.instance_id="your instance ID" logName="projects/your-project_id/logs/OSConfigAgent"

Connection timeout error

Failed downloading twistlock.cfg - curl: (7) Failed to connect to us-west1.cloud.twistlock.com port 443: Connection timed out.

Solution: There was a connection issue. Deploy the VM again.

Permission denied error

  1. Make sure the secret is refreshing; you should see code 200. If you see 401, recreate the secret with the current token. Use the following log query:

resource.type="cloud_function" resource.labels.function_name="pcc-token-refresher" "DEBUG"

  2. Give full API access when deploying the VM if you use the default service account. You get an Access Scope error if you select the default.

  3. Grant the VM service account Secret Manager Admin access to the secret host-defender-gcp-secure-deployment before you deploy the VM.
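The Troubleshooting section maps three symptoms to three remedies: a curl connection timeout in the OSConfigAgent log (redeploy the VM), a permission denied error (secret role and access scope), and a 401 from pcc-token-refresher (recreate the secret). As an added example, not part of the lab, the code below applies those rules to log lines so the same triage can be run over a `gcloud logging read` export instead of scrolling Logs Explorer. The sample lines are constructed to match the shape of the messages the page describes; the Permission denied wording in particular is assumed, since the page shows that error only as a screenshot.

```python
"""Added example (not part of the lab): triage OSConfigAgent and pcc-token-refresher log
lines against the symptoms the page's Troubleshooting section lists."""
import re

# Constructed sample lines in the shape of the messages the page describes; they are
# not captured from a real project.
SAMPLE_LOG_LINES = [
    "OSConfigAgent: Failed downloading twistlock.cfg - curl: (7) Failed to connect to "
    "us-west1.cloud.twistlock.com port 443: Connection timed out.",
    "OSConfigAgent: Failed downloading twistlock.cfg - Permission denied",  # assumed wording
    "pcc-token-refresher DEBUG: <Response [401]>",
    "pcc-token-refresher DEBUG: <Response [200]>",
]

# (pattern, category, remedy) in the order the page lists the symptoms.
RULES = [
    (re.compile(r"Connection timed out"), "connection_timeout",
     "transient connectivity problem: deploy the VM again"),
    (re.compile(r"Permission denied"), "permission_denied",
     "grant the VM service account Secret Manager Admin on the secret and deploy "
     "the VM with full Cloud API access scope"),
    (re.compile(r"DEBUG: <Response \[401\]>"), "token_expired",
     "the stored token expired: recreate the secret with the current token from Console"),
    (re.compile(r"DEBUG: <Response \[200\]>"), "refresh_ok", "no action needed"),
]
RESPONSE_RE = re.compile(r"DEBUG: <Response \[(\d{3})\]>")


def classify(line):
    """Return (category, remedy) for the first rule matching the line, or None."""
    for pattern, category, remedy in RULES:
        if pattern.search(line):
            return category, remedy
    return None


def triage(lines):
    """Collect a finding for every recognised line, preserving log order."""
    findings = []
    for line in lines:
        hit = classify(line)
        if hit:
            findings.append({"line": line, "category": hit[0], "remedy": hit[1]})
    return findings


def refresher_healthy(lines):
    """True if the most recent refresher response is 200, False for any other status,
    None when no response line was seen (the function may not have run yet)."""
    latest = None
    for line in lines:
        match = RESPONSE_RE.search(line)
        if match:
            latest = int(match.group(1))
    if latest is None:
        return None
    return latest == 200


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG_LINES):
        print(finding["category"], "->", finding["remedy"])
    print("refresher healthy:", refresher_healthy(SAMPLE_LOG_LINES))
```

Because the refresher runs every 5 minutes, only the latest response matters for deciding whether the secret is still being renewed; an old 401 followed by a 200 means the secret was recreated and the job recovered.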

Congratulations!

You have now successfully deployed Prisma Cloud Host Defender automatically when you created a VM Instance in your Google Cloud project. You have validated that the Host Defender was connected to the Prisma Cloud console. You will be able to review the security posture of the VM Instance and define security policies to protect the VM Instance. For more information, refer to Prisma Cloud Compute Administrator Guide.

Next Steps / Learn More

End your lab

When you have completed your lab, click End Lab. Qwiklabs removes the resources you’ve used and cleans the account for you.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

  • 1 star = Very dissatisfied
  • 2 stars = Dissatisfied
  • 3 stars = Neutral
  • 4 stars = Satisfied
  • 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Manual Last Updated: October 07, 2021
Lab Last Tested: February 12, 2021

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.