
Prisma Cloud Compute Console must use TLS 1.2 for user interface and API access. Communication TCP ports must adhere to the Ports, Protocols, and Services Management Category Assurance Levels (PPSM CAL).


Finding ID   Version          Rule ID                  IA Controls   Severity
V-253522     CNTR-PC-000020   SV-253522r840404_rule                  High

Communication to Prisma Cloud Compute Console's User Interface (UI) and API is protected by TLS v1.2+ (HTTPS). By default, only HTTPS communication to the Console's UI and API endpoints is enabled. Prisma Cloud Compute TCP port usage is configurable.

Default configuration:
TCP 8081 - Console user interface and API (HTTP); disabled by default.
TCP 8083 - Console user interface and API over TLS v1.2 (HTTPS).
TCP 8084 - Console-to-Defender communication via a mutual TLS v1.2 WebSocket session.

Satisfies: SRG-APP-000014-CTR-000040, SRG-APP-000142-CTR-000325, SRG-APP-000185-CTR-000490, SRG-APP-000645-CTR-001410
Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide 2022-08-24


Check Text (C-56974r840402_chk)
For Kubernetes deployment:

Query the ports used by the twistlock-console service:
$ kubectl describe svc twistlock-console -n twistlock

If the TargetPort management-port-http exists and has a port assignment, this is a finding.
Port: management-port-http 8081/TCP
TargetPort: 8081/TCP

For Docker deployment:

Determine the name of the Console container:
docker ps | grep console

For example, the Console container is: ad8b41a2fec9

Inspect the container's PortBindings:
docker inspect ad8b41a2fec9 | grep PortBindings -A 20

If port 8081 is listed, this is a finding.
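The two checks above can be evaluated mechanically against captured command output. The script below is an added example, not part of the STIG or of Prisma Cloud Compute; the kubectl and docker output it parses is constructed sample text, and the function names are the author's own. The Kubernetes check matches the port name exactly, because a plain grep for "management-port-http" also matches the compliant "management-port-https" entry, and the Docker check confines its search to the PortBindings object rather than the whole inspect output.

```shell
#!/bin/sh
# Added example (not STIG or vendor code): evaluate CNTR-PC-000020 against
# saved output of the check commands. All sample output below is constructed.

# Kubernetes: finding when a Service port named exactly "management-port-http"
# is followed by a TargetPort line that carries a port number.
k8s_http_port_check() {
    # $1 = text of: kubectl describe svc twistlock-console -n twistlock
    if printf '%s\n' "$1" | awk '
        $1 == "Port:" && $2 == "management-port-http" { hit = 1; next }
        hit && $1 == "TargetPort:" { if ($2 ~ /^[0-9]+\/TCP$/) found = 1; hit = 0 }
        END { exit found ? 0 : 1 }'
    then echo "finding"; else echo "not a finding"; fi
}

# Docker: finding when 8081 appears inside HostConfig.PortBindings.
# Braces are counted so the scan stops at the end of the PortBindings object.
docker_http_port_check() {
    # $1 = text of: docker inspect <console-container-id>
    if printf '%s\n' "$1" | awk '
        /"PortBindings":/ { inb = 1 }
        inb {
            if ($0 ~ /"8081\/tcp"/ || $0 ~ /"HostPort": *"8081"/) found = 1
            depth += (split($0, o, "{") - 1) - (split($0, c, "}") - 1)
            if (depth <= 0) inb = 0
        }
        END { exit found ? 0 : 1 }'
    then echo "finding"; else echo "not a finding"; fi
}

# Constructed sample: HTTP management port still assigned (finding).
SAMPLE_K8S_FINDING='Name:                     twistlock-console
Namespace:                twistlock
Type:                     ClusterIP
Port:                     management-port-http  8081/TCP
TargetPort:               8081/TCP
Port:                     management-port-https  8083/TCP
TargetPort:               8083/TCP
Port:                     communication-port  8084/TCP
TargetPort:               8084/TCP'

# Constructed sample: only HTTPS and Defender ports exposed (not a finding).
SAMPLE_K8S_CLEAN='Name:                     twistlock-console
Namespace:                twistlock
Type:                     ClusterIP
Port:                     management-port-https  8083/TCP
TargetPort:               8083/TCP
Port:                     communication-port  8084/TCP
TargetPort:               8084/TCP'

# Constructed sample: docker inspect excerpt with 8081 bound (finding).
SAMPLE_DOCKER_FINDING='"HostConfig": {
    "PortBindings": {
        "8081/tcp": [
            {
                "HostIp": "",
                "HostPort": "8081"
            }
        ],
        "8083/tcp": [
            {
                "HostIp": "",
                "HostPort": "8083"
            }
        ]
    },
    "RestartPolicy": {
        "Name": "always"
    }
}'

# Constructed sample: docker inspect excerpt without 8081 (not a finding).
SAMPLE_DOCKER_CLEAN='"HostConfig": {
    "PortBindings": {
        "8083/tcp": [
            {
                "HostIp": "",
                "HostPort": "8083"
            }
        ],
        "8084/tcp": [
            {
                "HostIp": "",
                "HostPort": "8084"
            }
        ]
    },
    "RestartPolicy": {
        "Name": "always"
    }
}'

echo "Kubernetes, HTTP port assigned: $(k8s_http_port_check "$SAMPLE_K8S_FINDING")"
echo "Kubernetes, HTTPS only:         $(k8s_http_port_check "$SAMPLE_K8S_CLEAN")"
echo "Docker, 8081 bound:             $(docker_http_port_check "$SAMPLE_DOCKER_FINDING")"
echo "Docker, 8081 absent:            $(docker_http_port_check "$SAMPLE_DOCKER_CLEAN")"
```

On a live system, replace the sample variables with the real command output, for example `k8s_http_port_check "$(kubectl describe svc twistlock-console -n twistlock)"`.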
Fix Text (F-56925r840403_fix)
For Kubernetes deployment:

Edit the deployment.apps/twistlock-console.

Find the - name: MANAGEMENT_PORT_HTTP setting

Remove the value assignment (e.g., 8081):
value: "8081"

Save and exit the editing session. The Console will restart automatically.

For Docker deployment:

Modify the twistlock.cfg located in the extracted release tar directory.

Remove the value assignment for the MANAGEMENT_PORT_HTTP= variable.

Redeploy the Console using the twistlock.sh script located in the extracted release tar directory.

$ sudo ./twistlock.sh -sy onebox