From 71018b6e6ddaf2a88fd1738cad88d3dd8f1d9196 Mon Sep 17 00:00:00 2001
From: "arane@paloaltonetworks.com"
Date: Mon, 21 Oct 2024 10:25:50 -0700
Subject: [PATCH] PM updates
---
 .../container-network-exposure-overview.adoc | 2 ++
 .../satellite-prerequisites.adoc | 8 ++++++++
 .../investigate-network-exposure-on-prisma-cloud.adoc | 10 ++++++++++
 3 files changed, 20 insertions(+)
diff --git a/docs/en/enterprise-edition/content-collections/administration/network-security/container-network-exposure/container-network-exposure-overview.adoc b/docs/en/enterprise-edition/content-collections/administration/network-security/container-network-exposure/container-network-exposure-overview.adoc
index e7e314253..546fc81c2 100644
--- a/docs/en/enterprise-edition/content-collections/administration/network-security/container-network-exposure/container-network-exposure-overview.adoc
+++ b/docs/en/enterprise-edition/content-collections/administration/network-security/container-network-exposure/container-network-exposure-overview.adoc
@@ -28,6 +28,8 @@ CNA supports only inbound calculation. The data refresh or ingestion occurs once
 Prisma Cloud does not support the following for Container Exposure:
+* AWS Classic Load Balancers
+
 * Red Hat Openshift clusters
 * Non-Kubernetes based orchestration platforms (AWS ECS, Azure WebApp/Container Instances, GCP Cloud Run)
diff --git a/docs/en/enterprise-edition/content-collections/administration/network-security/container-network-exposure/satellite-prerequisites.adoc b/docs/en/enterprise-edition/content-collections/administration/network-security/container-network-exposure/satellite-prerequisites.adoc
index f00913815..14a090926 100644
--- a/docs/en/enterprise-edition/content-collections/administration/network-security/container-network-exposure/satellite-prerequisites.adoc
+++ b/docs/en/enterprise-edition/content-collections/administration/network-security/container-network-exposure/satellite-prerequisites.adoc
@@ -37,6 +37,14 @@ Satellite ingests the following objects:
 * DaemonSet
 * NetworkPolicy
 * Core DNS Logs
+* Replication Controller
+* Ingress
+* Cilium Network Policy
+* Service Account
+* Role
+* RoleBinding
+* ClusterRole
+* ClusterRoleBinding
 === Supported Platforms
diff --git a/docs/en/enterprise-edition/content-collections/administration/network-security/investigate-network-exposure-on-prisma-cloud.adoc b/docs/en/enterprise-edition/content-collections/administration/network-security/investigate-network-exposure-on-prisma-cloud.adoc
index 41bcb25d5..8f60e7fef 100644
--- a/docs/en/enterprise-edition/content-collections/administration/network-security/investigate-network-exposure-on-prisma-cloud.adoc
+++ b/docs/en/enterprise-edition/content-collections/administration/network-security/investigate-network-exposure-on-prisma-cloud.adoc
@@ -41,5 +41,15 @@ config from network where source.network = '0.0.0.0/0' and address.match.criteri
 +
 image::administration/cna-4.png[]
+//CWP-61079 related to PCSUP-23569 > CNA permissions for cloning policies
+//CNA policies have a different behavior than config policies, regarding cloning.
+
+//Aside from Policy-CRUD permission, cloning CNA policies also requires Investigate-Network_View permission.
+//In contrast, cloning Config policies does not require Investigate-Config_View. This is because the CNA suggest API (called during cloning) requires Investigate-Network_View, while Config suggest only requires Policy_Read.
+
+//The issue does not happen with IAM or Config policies.
+//Custom role user with permission to create, delete policies is unable to clone any “Network” Policies.
+//Error below is seen.
+//The Service Account Key Uploaded is not valid. Please update to continue
 Learn how to xref:../../governance/create-a-network-policy.adoc[create a network exposure policy].