From abf32decac00559e902e523856ce702500634b08 Mon Sep 17 00:00:00 2001 From: "arane@paloaltonetworks.com" Date: Mon, 22 Jul 2024 03:00:30 -0700 Subject: [PATCH 1/3] [Cloud Security] PCSUP-22206 --- .../network-queries/network-config-query-attributes.adoc | 8 ++++++++ .../features-introduced-in-may-2024.adoc | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/en/enterprise-edition/content-collections/search-and-investigate/network-queries/network-config-query-attributes.adoc b/docs/en/enterprise-edition/content-collections/search-and-investigate/network-queries/network-config-query-attributes.adoc index a1959aa8e6..bb810d3e78 100644 --- a/docs/en/enterprise-edition/content-collections/search-and-investigate/network-queries/network-config-query-attributes.adoc +++ b/docs/en/enterprise-edition/content-collections/search-and-investigate/network-queries/network-config-query-attributes.adoc 
@@ -9,6 +9,14 @@ The Cloud Network Analyzer (CNA) engine of Prisma Cloud calculates the external Each attribute allows you to narrow your search criteria. As you use these attributes, the auto-suggestion capability shows the available expressions and xref:../rql-operators.adoc[operators] that are applicable for each attribute. In order for the network configuration query to be valid, you need to specify at least one `source` , one `dest` (destination), and one `cloud.type` attribute. You can only use the `and` operator in the RQL query. Use `=` to specify a single value and `in` to specify comma separated values (csv). +Prisma Cloud includes improved handling of internet exposure caused by assets deployed in VPCs that use public CIDR blocks. It now generates new alerts in the following cases: + +* Inbound OOB policy to AWS EC2 instances are shown as directly exposed even if the ENI has no public IP. + +* Inbound OOB policy to an interface (with private IP that is a public IP) is shown as exposed even if the interface is not behind a load balancer as long as security considerations allow the packet. + +Alerts are resolved for outbound OOB policy which has a path: *Instance (with private IP that is a public IP in this case) > NatGW > IGW > Internet* because NATGW drops traffic for the packet which has the source IP as a public IP in the outbound path. + [NOTE] ==== Any IP addresses or CIDR that you have not defined as xref:../../administration/trusted-ip-addresses-on-prisma-cloud.adoc[Trusted IP Addresses on Prisma Cloud] and are not part of your cloud environment are considered as UNTRUST_INTERNET. diff --git a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2024/features-introduced-in-may-2024.adoc b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2024/features-introduced-in-may-2024.adoc index 8c3223e5da..ffb8da5545 100644 
--- a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2024/features-introduced-in-may-2024.adoc +++ b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2024/features-introduced-in-may-2024.adoc @@ -117,7 +117,7 @@ tt:[Secure the Infrastructure] |The Cloud Network Analyzer (CNA) includes the following enhancements: -* Improved handling of internet exposure caused by assets deployed in VPCs that use public CIDR blocks. +* Improved handling of internet exposure caused by assets deployed in VPCs that use public https://docs.prismacloud.io/en/enterprise-edition/content-collections/search-and-investigate/network-queries/network-config-query-attributes[CIDR] blocks. * _AWS EC2 instance with unrestricted outbound access to internet_ policy now generates alerts when a device is configured as a NAT. * Support for Azure Service tags IP ranges in path exposure calculation. * Azure OOTB policy that detects inbound exposure now supports DestinationAddressPrefix analysis in Azure NSG. From 1d32b08f88b28204af97615fe47f0ec5d74c5033 Mon Sep 17 00:00:00 2001 From: "arane@paloaltonetworks.com" Date: Mon, 22 Jul 2024 03:08:32 -0700 Subject: [PATCH 2/3] text updates --- .../network-queries/network-config-query-attributes.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/enterprise-edition/content-collections/search-and-investigate/network-queries/network-config-query-attributes.adoc b/docs/en/enterprise-edition/content-collections/search-and-investigate/network-queries/network-config-query-attributes.adoc index bb810d3e78..11dead9654 100644 --- a/docs/en/enterprise-edition/content-collections/search-and-investigate/network-queries/network-config-query-attributes.adoc +++ b/docs/en/enterprise-edition/content-collections/search-and-investigate/network-queries/network-config-query-attributes.adoc 
@@ -15,7 +15,7 @@ Prisma Cloud includes improved handling of internet exposure caused by assets de * Inbound OOB policy to an interface (with private IP that is a public IP) is shown as exposed even if the interface is not behind a load balancer as long as security considerations allow the packet. -Alerts are resolved for outbound OOB policy which has a path: *Instance (with private IP that is a public IP in this case) > NatGW > IGW > Internet* because NATGW drops traffic for the packet which has the source IP as a public IP in the outbound path. +Alerts are resolved for outbound OOB policy which has a path: *Instance (with private IP that is a public IP in this case) > NAT Gateway > Internet Gateway > Internet* because NAT Gateway drops traffic for the packet which has the source IP as a public IP in the outbound path. [NOTE] ==== From b87161c13b25dcb416b6d9832dade8670c3a459b Mon Sep 17 00:00:00 2001 From: "arane@paloaltonetworks.com" Date: Mon, 22 Jul 2024 03:21:43 -0700 Subject: [PATCH 3/3] text updates --- .../network-queries/network-config-query-attributes.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/enterprise-edition/content-collections/search-and-investigate/network-queries/network-config-query-attributes.adoc b/docs/en/enterprise-edition/content-collections/search-and-investigate/network-queries/network-config-query-attributes.adoc index 11dead9654..f9c8238350 100644 --- a/docs/en/enterprise-edition/content-collections/search-and-investigate/network-queries/network-config-query-attributes.adoc +++ b/docs/en/enterprise-edition/content-collections/search-and-investigate/network-queries/network-config-query-attributes.adoc 
@@ -15,7 +15,7 @@ Prisma Cloud includes improved handling of internet exposure caused by assets de * Inbound OOB policy to an interface (with private IP that is a public IP) is shown as exposed even if the interface is not behind a load balancer as long as security considerations allow the packet. -Alerts are resolved for outbound OOB policy which has a path: *Instance (with private IP that is a public IP in this case) > NAT Gateway > Internet Gateway > Internet* because NAT Gateway drops traffic for the packet which has the source IP as a public IP in the outbound path. +Prisma Cloud resolves alerts for outbound OOB policy which has a *Instance (with private IP that is a public IP in this case) > NAT Gateway > Internet Gateway > Internet* path because NAT Gateway drops traffic for the packet which has the source IP as a public IP in the outbound path. [NOTE] ====
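Review bot: In the first hunk of PATCH 1/3 (network-config-query-attributes.adoc, `@@ -9,6 +9,14 @@`), the lead sentence "It now generates new alerts in the following cases" does not cover the third added paragraph, which describes alerts being resolved rather than generated; reword the lead to "Prisma Cloud evaluates exposure as follows" or split the resolution case into its own sentence so the list introduction matches its items. Two smaller points in the same hunk: "Inbound OOB policy to AWS EC2 instances are shown" needs "is shown" (the subject is the policy), and "as long as security considerations allow the packet" is too vague for reference documentation; name the controls that are actually evaluated. The hunk also uses "OOB" while the release-note hunk in the same patch uses "OOTB"; pick one abbreviation across both files. Finally, "improved handling" and "now generates" are release-note phrasing that goes stale in a permanent reference page; describe the current behavior without the comparative.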
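Review bot: In the second hunk of PATCH 1/3 (features-introduced-in-may-2024.adoc, `@@ -117,7 +117,7 @@`), the link is an absolute `https://docs.prismacloud.io/...` URL while the rest of this repository links between pages with `xref:` (see `xref:../rql-operators.adoc[operators]` in the context of the first hunk); use an `xref:` to `network-config-query-attributes.adoc` so the link resolves within the docs build and across versions. The anchor text "CIDR" is also misleading, since the target page describes network configuration query attributes, not CIDR blocks; anchor the link on the whole enhancement phrase or on a "learn more" style reference instead.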
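Review bot: PATCH 2/3 (`@@ -15,7 +15,7 @@`) rewrites the "Alerts are resolved" paragraph only to expand "NatGW"/"IGW"/"NATGW" to "NAT Gateway"/"Internet Gateway", and PATCH 3/3 rewrites the same line again; these are fixups to the line introduced in PATCH 1/3 and should be squashed into it rather than landing as separate commits titled "text updates", which gives the history no useful information. The expansion itself is right for reader-facing text, but the bolded path is still spelled out only here while the bullets above it in the same context block still use "OOB" and "with private IP that is a public IP"; apply the terminology cleanup to the whole added block in one commit.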
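Review bot: In PATCH 3/3 (`@@ -15,7 +15,7 @@`), the new sentence reads "which has a *Instance ... > Internet* path": the article should be "an", and moving the bolded path ahead of "path" makes the sentence harder to parse than the version it replaces. Suggest: "Prisma Cloud resolves alerts for the outbound OOB policy when the path is *Instance (private IP that falls in a public range) > NAT Gateway > Internet Gateway > Internet*, because the NAT Gateway drops outbound packets whose source IP is a public IP." That keeps the stated behavior, drops the double "which has", and reads as one clause. As with PATCH 2/3, this is a third successive rewrite of one line and belongs squashed into PATCH 1/3.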