Identity-Based Microsegmentation Guide
LAST UPDATED: October 8, 2021

5.0.6

April 7, 2021

Breaking changes

After a period of deprecation, we no longer support or have removed the following.

  • Aporeto operator: no longer necessary or available.
  • App integrations: such as the Clair vulnerability scanner and others.
  • Custom resource definitions: we no longer create custom resource definitions (CRDs) in Kubernetes/OpenShift.
  • Enforcer as standalone container: you must install the 5.0 enforcer as a Linux/Windows service or Kubernetes/OpenShift DaemonSet.
  • Enforcer audit logging capabilities: due to a lack of adoption.
  • kubenet networking: before upgrading your enforcers, ensure that your clusters use CNI networking. Refer to the system requirements and installation guide for more information.
  • Multi-region control planes: migrate to federated control planes.
  • Namespace mapping for enforcers: we no longer support namespace mapping for enforcers. You can use namespace mapping for processing units, but not enforcers.
  • SSH controls: ignored by the 5.0 enforcer.

What’s new

Terminology changes

We have renamed the product, backend, commands, and files as follows.

Previous             New
Aporeto              Prisma Cloud Identity-Based Microsegmentation (Microsegmentation)
control plane        Microsegmentation Console
/etc/enforcer.conf   /var/lib/prisma-enforcer/prisma-enforcer.conf
apoctl protect       apoctl enforcer install
enforcerd            prisma-enforcer.service

VictoriaMetrics and new endpoints

The 5.0 Microsegmentation Console offers better performance at scale by moving from InfluxDB to VictoriaMetrics for time-series data. Initially, the data flows to both databases and the web interface displays data from InfluxDB. When you’re ready, you can disable InfluxDB and start using just VictoriaMetrics. Disabling InfluxDB removes the /statsquery and /statsinfo endpoints.

Before disabling InfluxDB, ensure that you have ported your automations, scripts, and applications to use the following new endpoints instead.

New endpoint     apoctl documentation     API documentation
/metrics         metrics command          visualization/metrics endpoint
/reportsquery    reportsquery command     visualization/reportsquery endpoint

Refer to Upgrading the Microsegmentation Console for more information about the upgrade.

Network policies v2

After upgrading your Microsegmentation Console, you will have access to the following network policy v2 features.

Do not add any network policies or external networks after upgrading. Instead, focus on migrating to the new model. The web interface continues to show the network policies. Once you have completed your migration, you can toggle the Microsegmentation Console to run exclusively in the new model. Refer to Migration for more information.

Streamlined enforcer deployment

We’ve made it easier to deploy enforcers with the following changes.

  • Namespace concepts and creation guidance added.
  • Discovery mode enabled by default.
  • Host protection enabled by default for Linux and Windows hosts.
  • Reduced types of processing units to either an entire host or a pod.

Enhanced monitoring capabilities

We’ve enhanced our existing Microsegmentation Console monitoring capabilities to include:

  • New healthcheck API endpoint that you can query to determine the state of the Microsegmentation Console
  • New capacity metrics for flow logs and enforcers
  • Revamped Grafana dashboard that now includes capacity metrics

Read more about these features in Monitoring.

Istio integration

In clusters with Istio, the enforcer monitors and enforces traffic at layer three. It ignores layer four and layer seven traffic.

Compatible with Prisma Cloud Compute Defender

The enforcer can now run alongside the Prisma Cloud Compute Defender. However, you must disable CNNF and WAAS and remove any DNS runtime networking rules.

apoctl supports all enforcer installs

You can now use apoctl to install Windows enforcers and enforcers that use cloud authentication.

Images now available from GCR

We now push our images to gcr.io. To avoid getting rate-limited by DockerHub, we pull from gcr.io/prismacloud-cns by default.

Connectivity troubleshooting

We now offer apoctl oam ping to help you troubleshoot connectivity issues at layers 3, 4, and 7. Refer to Troubleshooting connectivity for more information.

Remote access to enforcer logs

You can now download an enforcer’s logs and other data to your local host. See Troubleshooting enforcer for details.

New roles

This release adds the following new roles.

  • Infrastructure Administrator: can edit all resources except namespaces.
  • Infrastructure Viewer: can view all resources.
  • Application Developer: can edit network policies, services, service dependencies, and token scope policies. Can view processing units and external networks.
  • Application Viewer: can view network policies, services, service dependencies, token scope policies, processing units, and external networks.

Resolved issues

  • APO-146: You no longer have to manually issue the following commands before installing the enforcer on RHEL 8 and RHEL CoreOS 8 (used by OpenShift 4) hosts:

    modprobe ip_tables
    modprobe iptable_nat
    
  • CNS-126: Decommissioning an enforcer now removes all of its iptables rules.

Known issues

  • CNS-153: When using relative time values with apoctl, the values must be in relation to Pacific Standard Time (PST). For example, if you are in France and want to retrieve the last five minutes of flow logs, you could use -9h5m. Another workaround for this issue is to use absolute time values.

  • CNS-1343: The enforcer fails to program external networks that use the ! operator on Red Hat Enterprise Linux 6.

  • CNS-1356: You must use an enforcer profile to manually add the URL of the Microsegmentation Console API as an excluded network for Red Hat Enterprise Linux 6 hosts. Failing to do so before installing the enforcer causes a complete lack of access to the host.

  • CNS-1651: The enforcer fails to recover after a third party removes some of its iptables rules.

  • CNS-1730: Traffic to the domain in an external network occasionally goes to Somewhere instead.

  • CNS-1733: Deselecting Show policed flows in the Platform pane produces unexpected results.

  • CNS-1755: Fonts in the web interface vanish on external monitors with a devicePixelRatio of 1.25.
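The CNS-153 workaround above (shifting a relative apoctl time value by the gap between your local zone and PST) is easy to get wrong by hand, especially across daylight-saving changes. The helper below is an added example, not code from Prisma Cloud or apoctl: it takes the lookback window you actually want and a timezone-aware local timestamp, and returns the PST-relative value to pass to apoctl. It assumes, as the note states, that the Console interprets relative values against a fixed UTC-8 and that apoctl accepts the -NhMm form shown in the note; the function name and the Hawaii/UTC sample inputs are constructed for illustration. Where the computed value would not be in the past (a local zone further west than PST with a short window), it refuses and points you to the note's other workaround, absolute time values.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Pacific Standard Time as a fixed offset, per the CNS-153 note (assumption: no DST tracking).
PST_OFFSET = timedelta(hours=-8)


def format_relative(delta: timedelta) -> str:
    """Render a positive duration in the -NhMm form the CNS-153 note uses (e.g. -9h5m)."""
    if delta <= timedelta(0):
        raise ValueError("relative value must lie in the past")
    total_minutes = int(delta.total_seconds() // 60)
    hours, minutes = divmod(total_minutes, 60)
    parts = []
    if hours:
        parts.append(f"{hours}h")
    if minutes or not parts:
        parts.append(f"{minutes}m")
    return "-" + "".join(parts)


def pst_relative_value(lookback: timedelta, local_now: Optional[datetime] = None) -> str:
    """Convert a desired lookback window into a PST-relative apoctl time value.

    lookback:  how far back you want data (e.g. timedelta(minutes=5)).
    local_now: a timezone-aware datetime in your local zone; defaults to the
               system clock with the OS-supplied zone (DST already applied).
    """
    if local_now is None:
        local_now = datetime.now().astimezone()
    local_offset = local_now.utcoffset()
    if local_offset is None:
        raise ValueError("local_now must be timezone-aware")
    # Gap between the local clock and PST; positive for zones east of PST.
    shift = local_offset - PST_OFFSET
    total = shift + lookback
    if total <= timedelta(0):
        # A zone west of PST with a short window would yield a value in the
        # future; the note's alternative workaround (absolute times) applies.
        raise ValueError(
            "lookback shorter than the PST gap; use absolute time values instead"
        )
    return format_relative(total)


if __name__ == "__main__":
    # Constructed sample: France in winter (CET, UTC+1), last five minutes -> -9h5m
    paris_winter = datetime(2021, 1, 15, 12, 0, tzinfo=timezone(timedelta(hours=1)))
    print(pst_relative_value(timedelta(minutes=5), paris_winter))
```

Passing `datetime.now().astimezone()` (the default) uses the local DST rule in force at the moment of the query, so the same call produces -10h5m from France in summer; only the PST side is held fixed, as the note describes.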

Deprecation notices

A future release will remove support for the following. Please plan accordingly.

  • CoreOS, Oracle Enterprise Linux (OEL), and Red Hat Enterprise Linux (RHEL) 6: upgrade to CoreOS/OEL/RHEL 7 or later.
  • Host services: migrate to external networks and network rulesets.
  • Namespace Editor role: If you have any API authorizations using this role, migrate them to the Namespace Administrator role. We will remove the Namespace Editor role in a future release.