Azure Policies

Azure Policy helps enforce organizational standards and assess compliance at scale. Through its compliance dashboard it provides an aggregated view for evaluating the overall state of the environment, with the ability to drill down to per-resource, per-policy granularity. It also helps bring resources into compliance through bulk remediation of existing resources and automatic remediation of new resources.

  1. Identification
    • Confirm the existence of an Azure Policy affecting the organization's accounts.
    • Verify whether Prisma Cloud DSPM's capabilities are restricted by Azure Policies.
  2. Review Azure Policy Configuration
    • Access the Azure Policy configuration settings for the organization.
    • Identify the specific Azure Policy that affects Prisma Cloud DSPM.
  3. Update Azure Policy for Prisma Cloud DSPM
    • Modify the Azure Policy to allow the access that the Prisma Cloud DSPM role requires.
    • Adjust permissions within the Azure Policy to align with the operational requirements of Prisma Cloud DSPM.
  4. Validation
    • Confirm that the changes to the Azure Policy for Prisma Cloud DSPM have been applied.
    • Test Prisma Cloud DSPM's operations to ensure that the desired capabilities are restored.
  5. Documentation
    • Document the changes made to the Azure Policy and the resolution process.
    • Update internal documentation on Azure Policy configurations to reflect the adjustments made for Prisma Cloud DSPM.
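The Azure CLI equivalent of the Identification and Validation steps, plus one narrowly scoped way to carry out the Update step, as an added example that is not part of this page or of Prisma Cloud DSPM's own tooling. The subscription ID, the resource group name (rg-dig-security) and the exemption name are placeholders; the example also assumes the blocking policy is a single assignment whose ID the second listing reveals. Commands are printed rather than executed unless APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example (not Prisma Cloud DSPM's own tooling): Azure CLI equivalent of the
# Identification and Validation steps, plus one narrowly scoped way to carry out
# the Update step. SUBSCRIPTION and DSPM_RG are placeholders; override them in
# the environment. Commands are printed, not executed, unless APPLY=1.
set -eu

SUBSCRIPTION="${SUBSCRIPTION:-00000000-0000-0000-0000-000000000000}"   # placeholder
DSPM_RG="${DSPM_RG:-rg-dig-security}"                                 # placeholder name

# Print the az command in dry-run mode (the default); execute it only when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '[dry-run]'; printf ' %s' "$@"; printf '\n'; fi
}

# Steps 1-2: every assignment that reaches the subscription, including those
# inherited from management groups, and the DSPM resources currently flagged.
list_policy_impact() {
  run az policy assignment list --subscription "$SUBSCRIPTION" --disable-scope-strict-match \
      --query '[].{name:name,display:displayName,scope:scope,enforcement:enforcementMode}' -o table
  run az policy state list --subscription "$SUBSCRIPTION" --resource-group "$DSPM_RG" \
      --filter "complianceState eq 'NonCompliant'" \
      --query '[].{assignment:policyAssignmentName,definition:policyDefinitionName,resource:resourceId}' -o table
}

# Step 3, kept narrow: exempt only the DSPM resource group from the offending
# assignment instead of relaxing the assignment for the whole organization.
exempt_dspm_rg() {
  local assignment_id="$1"   # full resource ID of the assignment found in step 2
  run az policy exemption create --name prisma-dspm-exemption --resource-group "$DSPM_RG" \
      --policy-assignment "$assignment_id" --exemption-category Waiver \
      --description "Scoped exception for Prisma Cloud DSPM"
}

# Step 4: compliance results are refreshed on a schedule, so trigger an
# evaluation first; otherwise stale NonCompliant records make the check misleading.
validate() {
  run az policy state trigger-scan --subscription "$SUBSCRIPTION" --resource-group "$DSPM_RG"
  run az policy state list --subscription "$SUBSCRIPTION" --resource-group "$DSPM_RG" \
      --filter "complianceState eq 'NonCompliant'" --query 'length(@)'
}

list_policy_impact
validate
```

Run it once without APPLY to review the commands, then `APPLY=1 ./script.sh` against the real subscription. The exemption is deliberately scoped to the DSPM resource group: a Waiver there leaves the assignment enforced everywhere else, which is usually preferable to editing the assignment or its definition for the whole organization. A `length(@)` of 0 after the triggered scan is the validation signal for step 4.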

Additional Resources

Refer to the Azure Policies documentation for a comprehensive understanding of Azure Policies and their configuration options.

Quota Issues

VM Quota Exceeded

Asset Configuration

Asset Network Configuration

Add Palo Alto’s VNet to the list of trusted VNets in each asset

  1. Log in to the Azure Portal.
  2. Navigate to the relevant storage account.
  3. In the left-hand menu of the selected storage account, scroll down and click “Networking”.
  4. Open the “Firewalls and virtual networks” tab.
  5. If the selected option is “Enabled from selected virtual networks and IP addresses”, the list of configured virtual networks is shown.
  6. Click “Add existing virtual network”.
  7. In the side panel that opens:
    1. Select the orchestrator subscription.
    2. Select the virtual network “dig-security-<region>” (where <region> is the region in which the asset is hosted).
    3. Select the subnet “dig-security-<region>” (same <region> as above).
    4. Enable the Microsoft.Storage service endpoint on the VNet, as indicated in the side panel note.
    5. Click “Enable”.
  8. Click “Save”.
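The same change made with the Azure CLI, as an added example that is not part of this page or of Prisma Cloud DSPM's own tooling. The subscription IDs, resource group names, storage account name and region are placeholders; only the dig-security-<region> VNet and subnet naming comes from the page. Because the VNet lives in the orchestrator subscription while the storage account may live in another, the rule references the subnet by its full resource ID rather than by name. Commands are printed rather than executed unless APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example (not Prisma Cloud DSPM's own tooling): Azure CLI equivalent of the
# portal steps above. Subscription IDs, resource groups and the storage account
# name are placeholders; VNet and subnet names follow the page's
# dig-security-<region> convention. Commands are printed, not executed, unless APPLY=1.
set -eu

ORCH_SUB="${ORCH_SUB:-11111111-1111-1111-1111-111111111111}"   # orchestrator subscription (placeholder)
ORCH_RG="${ORCH_RG:-rg-dig-security}"                          # resource group of the dig-security VNet (placeholder)
ASSET_RG="${ASSET_RG:-rg-my-assets}"                           # storage account's resource group (placeholder)
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-mystorageaccount}"         # placeholder
REGION="${REGION:-eastus}"                                     # region the asset is hosted in

# Print the az command in dry-run mode (the default); execute it only when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '[dry-run]'; printf ' %s' "$@"; printf '\n'; fi
}

# Full ARM ID of the dig-security-<region> subnet. The VNet sits in the
# orchestrator subscription while the storage account may sit in another, so
# the network rule has to reference the subnet by ID rather than by name.
subnet_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/dig-security-%s/subnets/dig-security-%s' \
    "$1" "$2" "$3" "$3"
}

# Step 7.4: the subnet needs the Microsoft.Storage service endpoint.
# --service-endpoints replaces the subnet's whole endpoint list, so include any
# endpoints the first command reports when you apply this for real.
enable_storage_endpoint() {
  run az network vnet subnet show --subscription "$ORCH_SUB" -g "$ORCH_RG" \
      --vnet-name "dig-security-$REGION" -n "dig-security-$REGION" --query 'serviceEndpoints[].service' -o tsv
  run az network vnet subnet update --subscription "$ORCH_SUB" -g "$ORCH_RG" \
      --vnet-name "dig-security-$REGION" -n "dig-security-$REGION" --service-endpoints Microsoft.Storage
}

# Steps 4-8: a VNet rule only matters when the firewall is in "selected networks"
# mode (defaultAction Deny), so show that first, then add the rule and list the
# resulting rules to verify.
trust_orchestrator_subnet() {
  run az storage account show -g "$ASSET_RG" -n "$STORAGE_ACCOUNT" --query 'networkRuleSet.defaultAction' -o tsv
  run az storage account network-rule add -g "$ASSET_RG" --account-name "$STORAGE_ACCOUNT" \
      --subnet "$(subnet_id "$ORCH_SUB" "$ORCH_RG" "$REGION")"
  run az storage account network-rule list -g "$ASSET_RG" --account-name "$STORAGE_ACCOUNT" \
      --query 'virtualNetworkRules[].virtualNetworkResourceId' -o tsv
}

enable_storage_endpoint
trust_orchestrator_subnet
```

If the first `az storage account show` query returns `Allow`, the account accepts traffic from all networks and the rule is not what gates access; if it returns `Deny`, the listed rule for the dig-security subnet is what lets the orchestrator reach the account. The subnet endpoint update is the step most often missed when this is scripted: without Microsoft.Storage on the subnet, the rule is accepted but traffic from the VNet still arrives from a public source address and is rejected.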