CWP-48577 CWP-47702 CWP-61364 CWP-61596

docs/en/compute-edition/30/admin-guide/tools/twistcli.adoc

@@ -36,7 +36,7 @@ For more information, see the `/api/v1/util` endpoint.
 The requirements for running _twistcli_ are:
 
 * The host running _twistcli_ must be able to connect to the Prisma Cloud Console over the network.
-* For image scanning, Docker Engine must be installed on the executing machine.
+* For both image scanning and host scanning, Docker Engine must be installed on the executing machine.
 
 
 === Connectivity to Console

docs/en/compute-edition/31/admin-guide/tools/twistcli.adoc

@@ -36,7 +36,7 @@ For more information, see the `/api/v1/util` endpoint.
 The requirements for running _twistcli_ are:
 
 * The host running _twistcli_ must be able to connect to the Prisma Cloud Console over the network.
-* For image scanning, Docker Engine must be installed on the executing machine.
+* For both image scanning and host scanning, Docker Engine must be installed on the executing machine.
 
 
 === Connectivity to Console

docs/en/compute-edition/32/admin-guide/agentless-scanning/agentless-scanning-modes.adoc

@@ -47,6 +47,12 @@ The following diagram gives a high level view of agentless scanning in hub accou
 
 image::agentless-scanning-hub-account-mode.png[width=800]
 
+==== Proxy Configuration in Hub Accounts
+
+When using a hub account with agentless scanning, the proxy configuration is only available in the target accounts' configurations and not on the hub. 
+
+This approach accounts for the possibility that different target accounts might have varying proxy requirements, which, in turn, allows for greater flexibility and adaptability in the configuration process.
+
 [#scanning-modes-comparison]
 === Scanning Modes Comparison
 

docs/en/compute-edition/32/admin-guide/compliance/cis-benchmarks.adoc

@@ -9,7 +9,8 @@ Prisma Cloud provides checks that validate the recommendations in the following
 * https://www.cisecurity.org/benchmark/distribution_independent_linux/[Distribution Independent Linux]
 * https://www.cisecurity.org/benchmark/amazon_web_services/[Amazon Web Services Foundations]
 * https://workbench.cisecurity.org/benchmarks/11806s/[GKE Benchmark (only for worker nodes checks)]
-
+* https://workbench.cisecurity.org/benchmarks/9058/[Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0]
+* https://workbench.cisecurity.org/benchmarks/9681/[Azure Kubernetes Service (AKS) Benchmark v1.2.0]
 
 We have graded each check using a system of four possible scores: critical, high, medium, and low.
 This scoring system lets you create compliance rules that take action depending on the severity of the violation.

docs/en/compute-edition/32/admin-guide/configure/proxy.adoc

@@ -121,3 +121,22 @@ Prisma Cloud supports setting custom proxy settings for each Defender deployment
 . Choose your preferred deployment method.
 
 . Click on *Specify a proxy for the defender (optional)* and enter your proxy details.
+
+=== Supported Proxy Workflows
+
+The following proxy configurations have been tested and are officially supported in Prisma Cloud deployments:
+
+* *Defender → Proxy → Console*: Defenders communicate with the Console through the proxy to send real-time runtime activity, policy violation alerts, detected vulnerabilities, compliance scan results, and performance or health metrics of protected workloads.
+
+* *Console → Proxy → Defender*: The Console communicates with Defenders through the proxy for operations like configuration and status checks, or sending security policies updates and authentication details (certificates and credentials).
+
+* *Console → Proxy → Intelligence*: The Console retrieves intelligence stream updates through the proxy to ensure up-to-date vulnerability information.
+
+==== Limitations
+
+The following scenarios have not been tested and are therefore not officially supported:
+
+* *Defender → Proxy → External Services*: Defenders communicating with external services (for example, S3 or ECR) using the proxy might not adhere to the configured No Proxy settings. This can lead to unexpected traffic patterns, such as S3 requests being routed through the proxy even when excluded through the No Proxy rules.
+
+* *Custom Proxy Configurations for Registry Scanning*: While Defenders can scan container registries like Amazon ECR, configurations requiring Defenders to bypass the proxy for S3 or ECR endpoints (e.g., using No Proxy rules) are not guaranteed to work.
+

docs/en/compute-edition/32/admin-guide/tools/twistcli.adoc

@@ -36,7 +36,7 @@ For more information, see the `/api/v1/util` endpoint.
 The requirements for running _twistcli_ are:
 
 * The host running _twistcli_ must be able to connect to the Prisma Cloud Console over the network.
-* For image scanning, Docker Engine must be installed on the executing machine.
+* For both image scanning and host scanning, Docker Engine must be installed on the executing machine.
 
 
 === Connectivity to Console

docs/en/compute-edition/33/admin-guide/agentless-scanning/agentless-scanning-modes.adoc

@@ -47,6 +47,13 @@ The following diagram gives a high level view of agentless scanning in hub accou
 
 image::agentless-scanning-hub-account-mode.png[width=800]
 
+==== Proxy Configuration in Hub Accounts
+
+When using a hub account with agentless scanning, the proxy configuration is only available in the target accounts' configurations and not on the hub. 
+
+This approach accounts for the possibility that different target accounts might have varying proxy requirements, which, in turn, allows for greater flexibility and adaptability in the configuration process.
+
+
 [#scanning-modes-comparison]
 === Scanning Modes Comparison
 

docs/en/compute-edition/33/admin-guide/compliance/cis-benchmarks.adoc

@@ -9,6 +9,8 @@ Prisma Cloud provides checks that validate the recommendations in the following
 * https://www.cisecurity.org/benchmark/distribution_independent_linux/[Distribution Independent Linux]
 * https://www.cisecurity.org/benchmark/amazon_web_services/[Amazon Web Services Foundations]
 * https://workbench.cisecurity.org/benchmarks/11806s/[GKE Benchmark (only for worker nodes checks)]
+* https://workbench.cisecurity.org/benchmarks/9058/[Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0]
+* https://workbench.cisecurity.org/benchmarks/9681/[Azure Kubernetes Service (AKS) Benchmark v1.2.0]
 
 
 We have graded each check using a system of four possible scores: critical, high, medium, and low.

docs/en/compute-edition/33/admin-guide/configure/proxy.adoc

@@ -121,3 +121,22 @@ Prisma Cloud supports setting custom proxy settings for each Defender deployment
 . Choose your preferred deployment method.
 
 . Click on *Specify a proxy for the defender (optional)* and enter your proxy details.
+
+=== Supported Proxy Workflows
+
+The following proxy configurations have been tested and are officially supported in Prisma Cloud deployments:
+
+* *Defender → Proxy → Console*: Defenders communicate with the Console through the proxy to send real-time runtime activity, policy violation alerts, detected vulnerabilities, compliance scan results, and performance or health metrics of protected workloads.
+
+* *Console → Proxy → Defender*: The Console communicates with Defenders through the proxy for operations like configuration and status checks, or sending security policies updates and authentication details (certificates and credentials).
+
+* *Console → Proxy → Intelligence*: The Console retrieves intelligence stream updates through the proxy to ensure up-to-date vulnerability information.
+
+==== Limitations
+
+The following scenarios have not been tested and are therefore not officially supported:
+
+* *Defender → Proxy → External Services*: Defenders communicating with external services (for example, S3 or ECR) using the proxy might not adhere to the configured No Proxy settings. This can lead to unexpected traffic patterns, such as S3 requests being routed through the proxy even when excluded through the No Proxy rules.
+
+* *Custom Proxy Configurations for Registry Scanning*: While Defenders can scan container registries like Amazon ECR, configurations requiring Defenders to bypass the proxy for S3 or ECR endpoints (e.g., using No Proxy rules) are not guaranteed to work.
+

docs/en/compute-edition/33/admin-guide/tools/twistcli.adoc

@@ -36,7 +36,7 @@ For more information, see the `/api/v1/util` endpoint.
 The requirements for running _twistcli_ are:
 
 * The host running _twistcli_ must be able to connect to the Prisma Cloud Console over the network.
-* For image scanning, Docker Engine must be installed on the executing machine.
+* For both image scanning and host scanning, Docker Engine must be installed on the executing machine.
 
 
 === Connectivity to Console

docs/en/enterprise-edition/content-collections/runtime-security/agentless-scanning/agentless-scanning-modes.adoc

@@ -43,6 +43,13 @@ The following diagram gives a high level view of agentless scanning in hub accou
 
 image::runtime-security/agentless-scanning-hub-account-mode.png[]
 
+==== Proxy Configuration in Hub Accounts
+
+When using a hub account with agentless scanning, the proxy configuration is only available in the target accounts' configurations and not on the hub. 
+
+This approach accounts for the possibility that different target accounts might have varying proxy requirements, which, in turn, allows for greater flexibility and adaptability in the configuration process.
+
+
 [#scanning-modes-comparison]
 === Scanning Modes Comparison
 

docs/en/enterprise-edition/content-collections/runtime-security/compliance/visibility/cis-benchmarks.adoc

@@ -10,6 +10,9 @@ Prisma Cloud provides checks that validate the recommendations in the following
 * https://www.cisecurity.org/benchmark/distribution_independent_linux/[Distribution Independent Linux]
 * https://www.cisecurity.org/benchmark/amazon_web_services/[Amazon Web Services Foundations]
 * https://workbench.cisecurity.org/benchmarks/11806s/[GKE Benchmark (only for worker nodes checks)]
+* https://workbench.cisecurity.org/benchmarks/9058/[Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0]
+* https://workbench.cisecurity.org/benchmarks/9681/[Azure Kubernetes Service (AKS) Benchmark v1.2.0]
+
 
 
 We have graded each check using a system of four possible scores: critical, high, medium, and low.

docs/en/enterprise-edition/content-collections/runtime-security/configure/proxy.adoc

@@ -122,3 +122,22 @@ Prisma Cloud supports setting custom proxy settings for each Defender deployment
 . Choose your preferred deployment method.
 
 . Click on *Specify a proxy for the defender (optional)* and enter your proxy details.
+
+=== Supported Proxy Workflows
+
+The following proxy configurations have been tested and are officially supported in Prisma Cloud deployments:
+
+* *Defender → Proxy → Console*: Defenders communicate with the Console through the proxy to send real-time runtime activity, policy violation alerts, detected vulnerabilities, compliance scan results, and performance or health metrics of protected workloads.
+
+* *Console → Proxy → Defender*: The Console communicates with Defenders through the proxy for operations like configuration and status checks, or sending security policies updates and authentication details (certificates and credentials).
+
+* *Console → Proxy → Intelligence*: The Console retrieves intelligence stream updates through the proxy to ensure up-to-date vulnerability information.
+
+==== Limitations
+
+The following scenarios have not been tested and are therefore not officially supported:
+
+* *Defender → Proxy → External Services*: Defenders communicating with external services (for example, S3 or ECR) using the proxy might not adhere to the configured No Proxy settings. This can lead to unexpected traffic patterns, such as S3 requests being routed through the proxy even when excluded through the No Proxy rules.
+
+* *Custom Proxy Configurations for Registry Scanning*: While Defenders can scan container registries like Amazon ECR, configurations requiring Defenders to bypass the proxy for S3 or ECR endpoints (e.g., using No Proxy rules) are not guaranteed to work.
+

docs/en/enterprise-edition/content-collections/runtime-security/tools/twistcli.adoc

@@ -27,7 +27,7 @@ For more information, see the `/api/v1/util` endpoint.
 The requirements for running _twistcli_ are:
 
 * The host running _twistcli_ must be able to connect to the Prisma Cloud Console over the network.
-* For image scanning, Docker Engine must be installed on the executing machine.
+* For both image scanning and host scanning, Docker Engine must be installed on the executing machine.
 
 
 === Connectivity to Console