Prisma Cloud CNNS initiatives, deployment scripts and materials.
Version 1.0 of the script targets a greenfield scenario: the generated policy replaces what is in the Console. Appending generated rules to existing entries is not supported yet and is planned for the next release.
The procedure to generate CNNF/CNNS microsegmentation rules based on Prisma Cloud observations is as follows.
Back up the current policy at Compute > Defend > CNNF/CNNS > Export icon.
The configuration can be reverted at any time by importing the backup, because an imported policy overwrites the existing one.
DO NOT SHARE your exported file publicly: it contains the token!
Upload the file: cnns-initial-policy.json at Compute > Defend > CNNF/CNNS > Import icon OR configure the monitoring rule manually.
Check over time if the counters are going up at Compute > Monitor > Events > CNNF/CNNS for containers
Get the CSV file from Compute > Monitor > Events > CNNF/CNNS for containers > CSV icon
You can run the rule generator either as a Jupyter notebook or as a Python script. Both require the Pandas Python library, which is used for data handling now and is kept in for future data science and ML work.
4.1 Use a Jupyter notebook cnns-events2rules-v1.0.ipynb to generate rules.
By default the produced rules are in Alert mode; this can be changed to Allow (or Prevent).
Set your file names
file_in = "INSERT_FILE_NAME.csv"
file_result = "INSERT_FILE_NAME.json"
Choose the rule effect
Available rule effects: "allow" OR "alert" OR "prevent"
Default rule_effect = "alert"
Run the notebook.
4.2 Use a Python script cnns-gen.py derived from the Jupyter notebook with parametrization.
Default script arguments are: RULE_EFFECT = "alert", INPUT = "in.csv", OUTPUT = "out.json"
Run the script with default settings or use your own argument values.
python cnns-gen.py -h
usage: cnns-gen.py [-h] [-e RULE_EFFECT] [-i INPUT] [-o OUTPUT]
CNNF/CNNS firewall rules generator v1.0
optional arguments:
-h, --help show this help message and exit
-e RULE_EFFECT, --rule_effect RULE_EFFECT
rule effect (default: alert)
-i INPUT, --input INPUT
input CSV file exported from the CNNF/CNNS events view (default: in.csv)
-o OUTPUT, --output OUTPUT
output JSON file to be imported into the Console (default: out.json)
Example script usage:
python cnns-gen.py -e allow -i twistlock_firewall_network_container_audit_11_11_22_11_26_05.csv -o fw-rules-to-be-imported.json
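The following is an added illustration of what the generation step does and is not the project's cnns-gen.py or the notebook. It uses only the Python standard library instead of Pandas so it runs anywhere, and it assumes the audit CSV carries src_image, dst_image and port columns and that a rule is a JSON object with name, effect, src, dst and ports fields; both the column names and the rule shape are assumptions to be checked against a real export and the Console's import format. The sample CSV embedded below is constructed for the example. Duplicate observations of the same flow collapse into one rule, the observation count is kept as a comment on the rule, and an unknown rule effect is rejected before anything is written.

```python
"""Generate CNNF/CNNS rule JSON from a CNNF container audit CSV.

Example code, not the project's cnns-gen.py. Column names (src_image,
dst_image, port) and the rule JSON shape are assumed for illustration.
"""
import argparse
import csv
import io
import json

# Effects the page lists for the generator; anything else is refused.
RULE_EFFECTS = ("allow", "alert", "prevent")

# Constructed sample of an audit export (assumed column names; a real
# export has more columns, only these three are used here).
SAMPLE_CSV = """src_image,dst_image,port
shop/frontend:1.2,shop/api:3.0,8080
shop/frontend:1.2,shop/api:3.0,8080
shop/api:3.0,shop/db:14,5432
shop/api:3.0,shop/db:14,5432
shop/api:3.0,shop/cache:7,6379
"""


def short_name(image):
    """'shop/api:3.0' -> 'api', used to build readable rule names."""
    return image.rsplit("/", 1)[-1].split(":", 1)[0]


def observed_flows(csv_text):
    """Collapse audit rows into distinct (src, dst, port) flows with counts."""
    flows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            key = (row["src_image"].strip(), row["dst_image"].strip(), int(row["port"]))
        except (KeyError, ValueError) as exc:
            raise ValueError(f"malformed audit row {row!r}: {exc}") from exc
        flows[key] = flows.get(key, 0) + 1
    return flows


def flows_to_rules(flows, effect):
    """Emit one rule per distinct flow (rule JSON shape is assumed)."""
    if effect not in RULE_EFFECTS:
        raise ValueError(f"rule effect must be one of {RULE_EFFECTS}, got {effect!r}")
    rules = []
    for (src, dst, port), count in sorted(flows.items()):
        rules.append({
            "name": f"{short_name(src)}-to-{short_name(dst)}-{port}",
            "effect": effect,
            "src": {"images": [src]},
            "dst": {"images": [dst]},
            "ports": [{"start": port, "end": port}],
            "comment": f"generated from {count} observed connection(s)",
        })
    return rules


def generate(csv_text, effect="alert"):
    """CSV text in, list of rule dicts out; 'alert' is the page's default."""
    return flows_to_rules(observed_flows(csv_text), effect)


def main(argv=None):
    # Same flags and defaults as the page's cnns-gen.py help output.
    p = argparse.ArgumentParser(description="CNNF/CNNS rules from audit CSV (example)")
    p.add_argument("-e", "--rule_effect", default="alert", choices=RULE_EFFECTS)
    p.add_argument("-i", "--input", default="in.csv")
    p.add_argument("-o", "--output", default="out.json")
    args = p.parse_args(argv)
    with open(args.input, newline="") as fh:
        rules = generate(fh.read(), args.rule_effect)
    with open(args.output, "w") as fh:
        json.dump({"rules": rules}, fh, indent=2)
    print(f"wrote {len(rules)} {args.rule_effect} rules to {args.output}")


if __name__ == "__main__":
    main()
```

Run it as python example.py -e allow -i export.csv -o rules.json. Generating rules only from observed flows means any legitimate connection that did not happen during the monitoring window gets no rule, so let the counters in the events view grow over a window that covers your real traffic (batch jobs, failover paths) before exporting, and review the produced JSON before importing it with Prevent.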
Import the output file at Compute > Defend > CNNF/CNNS > Import icon
Expect roughly 10 seconds per 150 rules before the Console finishes and confirms the import.
The screenshot attached below depicts importing rules in CNNF in the self-hosted Console. The same applies to CNNS in the SaaS Console.