Identity-Based Microsegmentation Guide
LAST UPDATED: October 8, 2021

Enforcer

The Enforcer is the microsegmentation agent that monitors and controls traffic to and from processing units. You deploy it as a service on a virtual machine and as a DaemonSet on a cluster. It connects to the Microsegmentation Console API to retrieve network rulesets and to send flow and DNS resolution logs.

host enforcerservice enforcerDaemonSet pod pod pod networkrulesets flow &DNS logs MicrosegmentationConsole flow &DNS logs networkrulesets

For virtual machines on AWS, GCP, or Azure, we recommend configuring the enforcer to use short-lived tokens from the cloud provider to authenticate to the Microsegmentation Console. Otherwise, you can configure the enforcer to use an app credential.

The Enforcer can control traffic between processing units at different layers of the network stack. For TCP, it automatically adds the processing unit’s cryptographically-signed identity during the SYN/SYN->ACK portion of TCP session establishment. At layer 4, it exchanges identities after a TCP connection is established, but before any data traffic is allowed to flow. In this case, it utilizes TCP Fast Open to minimize the round-trip times needed to complete a robust authorization.

For UDP, Microsegmentation has a custom UDP handshake implementation that uses UDP options and requires both client and server to exchange identities before the flow is authorized.

NOTE

: Support for identity in UDP is not supported on GCP.

The Enforcers will buffer packets until the authentication and authorization is done.

The addition of these cryptographically-signed tokens allows Microsegmentation to exchange and verify the identity of both processing units and validate if there is a network ruleset which allows or denies traffic between the two endpoints. Once the authentication and authorization is complete, the enforcer allows both processing units to communicate directly.

Enforcement

At layer 7, the Enforcer operates as a full API proxy and injects authorization information on every API call. In this case, it can perform per API endpoint authorization between processing units as well as between users and processing units.<-->

NOTE

The content of traffic is never visible to the Microsegmentation Console or the Enforcer. The Enforcer’s role is to allow or drop the connection depending on the network rulesets that you have configured on the Microsegmentation Console. For the identity exchange to be successful, both client and server require an Enforcer installed and the proper rulesets in place. If the client or server does not have or cannot have an Enforcer, the authorization component will still be in place, but not the authentication component. In such scenarios, you will need to create an “External Network” object for workloads that cannot have an Enforcer.

Enforcer Profiles

An Enforcer Profile defines what characteristics such as tags or CIDRs to match on and manages specific settings that control the Enforcer behavior such as:

  • Ignored Processing Units Defines the tags to ignore. If a processing unit is created with tags matching the specified expression, it will be completely ignored by the Enforcer. This can be useful in cases where you do not want to microsegment traffic from specific workloads.

  • Managed TCP Networks Sends identity to the Enforcer on the client side on TCP traffic from the listed CIDRs (defaults are provided). If the destination IP address of a new connection is within the managed TCP network, the Enforcer adds identity to the SYN. If the SYN_ACK comes back without identity, the authorization falls back to ACLs (External Networks). If you have installed Enforcers on networks not included in the default list you must add the CIDRs blocks to the list.

  • Managed UDP Networks Instructs the Enforcer to expect identity on UDP traffic from the listed CIDRs (no defaults are provided). If you have installed Enforcers on networks and you want the Enforcer to send an identity token for UDP traffic also, you must add the CIDRs blocks to the list.

  • Excluded Networks Excludes Enforcers from managing and monitoring the specified CIDR blocks. You can use this to declare smaller portions of a Managed Network or to add a specific CIDR block to the allow list. This is particularly useful in some use cases, such as, you want to access the Kubernetes API from within a pod and you do want to enforce rulesets for this traffic.

  • Tags The label that identifies a specific Enforcer Profile.

  • Enforcer Profile Mappings An enforcer profile mapping controls what Enforcer profile a specific group of Enforcers will use, based on the tags definition.

  • Enforcer Matching The metadata that matches a specific group of Enforcers. By default, all Enforcers in the namespace will use the default Enforcer Profile and Enforcer Profile Matching.

  • Enforcer Profile Matching The label that identifies a specific Enforcer Profile Matching.

NOTE

: Ensure that the tag expression on your Enforcer Profile Matching matches one Enforcer Profile only. If there is more than one Enforcer Profile that matches, the Enforcers will not start.

Enforcer Profile

One or more Enforcers must match an Enforcer Profile Matching and this Enforcer Profile Matching must be tied to a unique Enforcer Profile. By default the Enforcers on a given namespace will match the default namespace Enforcer Profile Matching, and Enforcer Profile and you shouldn’t need to modify this unless explicitly instructed by Palo Alto Networks support.