Identity-Based Microsegmentation Guide
LAST UPDATED: November 8, 2021

Linux hosts

About Linux host installs

To deploy the enforcer to a Linux host not orchestrated by Kubernetes or OpenShift, use one of the following procedures.

Procedure Installation method Install authentication Registration and connection authentication Discussion
Cloud apoctl Short-lived token from AWS, GCP, or Azure Short-lived token from AWS, GCP, or Azure Requires no credentials saved on the host. You can run the procedure once, make an image of the host with the enforcer installed, and distribute the image.
On-premise apoctl Microsegmentation token Least-privilege app credential The short-lived Microsegmentation token can include various restrictions to make it more comfortable to pass around.
Advanced on-premise Manual Microsegmentation token Least-privilege app credential Does not require apoctl to be installed on the target host. Suitable for air-gapped environments.

Cloud install

  1. Make sure you meet the following prerequisites.

    Entity Requirement
    Target host(s) Meets the system requirements
    ■ Set up to synchronize time with authoritative sources: AWS, GCP, Azure
    ■ Can connect to any subdomain of aporeto.com
    Local host apoctl installed
    ■ SSH access to target host(s)
    Privileges namespace.administrator privileges in the Microsegmentation namespace of the target host
    Cloud credentials AWS: an IAM role attached to the target host with read-only access to tags (ec2:DescribeTags)
    GCP: GCP service account attached to the target host
    Azure: target host assigned a managed identity
  2. Construct a Microsegmentation tag that identifies your cloud account, project, tenant, or organization. The tag must begin with @auth: followed by a key-value pair. Refer to the table below for some common examples.

    Cloud provider Value Microsegmentation tag syntax Microsegmentation tag example
    AWS AWS account ID* @auth:account=<AWS_ACCOUNT_ID> @auth:account=942613894219
    GCP GCP project ID @auth:projectid=<GCP_PROJECT_ID> @auth:projectid=acme-dev
    Azure Microsoft tenant ID @auth:tenantid=<TENANT_ID> @auth:tenantid=cd629cb5-2826-4126-82fd-3f2df5f5bc7
    GCP and Azure Name of organization @auth:organization=<ORGANIZATION> @auth:organization=acme

    * You can find your AWS account ID under My security credentials in the AWS Management Console.
    To learn how to find your tenant ID, refer to the Microsoft documentation.

  3. On your local host, set a CLOUD_ID_TAG environment variable containing the Microsegmentation tag you’ve constructed to identify authorized enforcers. If the target virtual machine is hosted on AWS, also set an AWS_IAM_ROLE environment variable containing the name of the IAM role attached to the instance prepended with @auth:rolename=. For examples, see below.

    export CLOUD_ID_TAG="@auth:account=942613894219"
    export AWS_IAM_ROLE="@auth:rolename=aporeto"
    
    export CLOUD_ID_TAG="@auth:projectid=acme-dev"
    
    export CLOUD_ID_TAG="@auth:tenantid=cd629cb5-2826-4126-82fd-3f2df5f5bc7"
    

  4. Set a TARGET_NS environment variable containing the Microsegmentation namespace that this enforcer should register in. It should be a grandchild namespace.

    export TARGET_NS=/acme/aws-dev/vm1
    
  5. Use one of the following commands to create an API authorization that allows the enforcer to access the Microsegmentation Console. Select the tab that corresponds to the cloud provider of the target host.

    cat << EOF | apoctl api import -f -
    APIVersion: 0
    label: ec2-enforcerd-auth
    data:
     apiauthorizationpolicies:
       - authorizedIdentities:
           - '@auth:role=enforcer'
         authorizedNamespace: $TARGET_NS
         authorizedSubnets: []
         name: Authorize EC2 enforcer to access Microsegmentation Console
         propagate: true
         subject:
           - - "@auth:realm=awssecuritytoken"
             - "$AWS_IAM_ROLE"
             - "$CLOUD_ID_TAG"
    EOF
    
    cat << EOF | apoctl api import -f -
    APIVersion: 0
    label: gcp-enforcerd-auth
    data:
     apiauthorizationpolicies:
       - authorizedIdentities:
           - '@auth:role=enforcer'
         authorizedNamespace: $TARGET_NS
         authorizedSubnets: []
         name: Authorize GCP enforcer to access Microsegmentation Console
         propagate: true
         subject:
           - - "@auth:realm=gcpidentitytoken"
             - "$CLOUD_ID_TAG"
    EOF
    
    cat << EOF | apoctl api import -f -
    APIVersion: 0
    label: azure-enforcerd-auth
    data:
     apiauthorizationpolicies:
       - authorizedIdentities:
           - '@auth:role=enforcer'
         authorizedNamespace: $TARGET_NS
         authorizedSubnets: []
         name: Authorize Azure enforcer to access Microsegmentation Console
         propagate: true
         subject:
           - - "@auth:realm=azureidentitytoken"
             - "$CLOUD_ID_TAG"
    EOF
    

  6. Retrieve the URL of your Microsegmentation Console API.

    echo $MICROSEG_API
    
  7. Access the target host, such as via SSH.

  8. Set a MICROSEG_API environment variable on the target host containing the URL of the Microsegmentation Console API you just echoed on your local host.

    export MICROSEG_API=https://api.microsegmentation.acme.com
    
  9. Confirm that the host can connect to the Microsegmentation Console API and trusts its certificate.

    curl -fsL $MICROSEG_API
    
  10. Set a TARGET_NS environment variable containing the Microsegmentation namespace that this enforcer should register in. It should be a grandchild namespace.

    export TARGET_NS=/acme/aws-dev/vm1
    
  11. Install apoctl using the following command.

    sudo curl -o /usr/local/bin/apoctl \
      https://download.aporeto.com/releases/release-5.0.8/apoctl/linux/apoctl && \
    sudo chmod 755 /usr/local/bin/apoctl
    
  12. Select the tab that corresponds to the init system of the host and run the provided commands to ensure that any local firewalls are disabled and stopped, as required.

    sudo systemctl disable ufw
    sudo systemctl stop ufw
    sudo systemctl disable iptables
    sudo systemctl stop iptables
    sudo systemctl disable firewalld
    sudo systemctl stop firewalld
    
    sudo disable ufw
    sudo stop ufw
    sudo disable iptables
    sudo stop iptables
    sudo disable firewalld
    sudo stop firewalld
    
    sudo /etc/init.d/ufw disable 
    sudo /etc/init.d/ufw stop
    sudo /etc/init.d/iptables disable
    sudo /etc/init.d/iptables stop
    sudo /etc/init.d/firewalld disable 
    sudo /etc/init.d/firewalld stop
    

  13. Use the following command to install the enforcer.

    sudo apoctl enforcer install linux --auth-mode cloud \
                                       --namespace $TARGET_NS \
                                       --api $MICROSEG_API \
                                       --repo https://repo.aporeto.com/releases/release-5.0.8  
    

    TIP

    Refer to Enforcer configuration options if you wish to modify the enforcer’s default settings. You can also run apoctl enforcer install linux -h to review its flags. You can find more information about the enforcer install linux command in the apoctl reference page.

  14. Open the Microsegmentation Console web interface, select Enforcers under Manage, and navigate to the enforcer’s namespace. You should find your enforcer listed with a status of connected. Click the enforcer and review its metadata.

  15. Select Platform in the side navigation menu. You should see your host as a processing unit, with a dashed green line to a Somewhere external network. Your host is in discovery mode.

  16. Return to your terminal on the target host.

  17. Remove apoctl.

    sudo rm /usr/local/bin/apoctl
    
  18. Refer to Securing host communications to learn how to allow the desired traffic and disable discovery mode.

On-premise install

  1. Ensure that you meet the following prerequisites.

    Entity Requirement
    Target host(s) Meets the system requirements
    Set up to synchronize time with authoritative sources
    curl installed
    ■ Can connect to the Microsegmentation Console API without TLS interception
    ■ Can connect to any subdomain of aporeto.com
    Local host apoctl installed
    ■ SSH access to target host(s)
    Privileges namespace.administrator privileges in the Microsegmentation namespace of the target host
    ■ User account on target host can sudo to gain root privileges without entering a password
  2. From your local host, generate a short-lived Microsegmentation token that the enforcer can exchange for an app credential. You can set a variety of restrictions on this token. If you’re in a hurry, just copy and paste the minimally restricted example below. The other tabs illustrate optional additional restrictions, such as requiring the enforcer to register in a specified namespace or make its request from a specific subnet.

    apoctl auth appcred --path ~/.apoctl/default.creds \
                        --restrict-role @auth:role=enforcer \
                        --restrict-role @auth:role=enforcer-installer \
                        --validity 60m
    
    apoctl auth appcred --path ~/.apoctl/default.creds \
                        --restrict-role @auth:role=enforcer \
                        --restrict-role @auth:role=enforcer-installer \
                        --validity 60m \
                        --restrict-namespace /acme/aws-dev/vm1 \
                        --restrict-network 10.0.0.0/8 
    
    apoctl auth appcred --path <app-credential-file> \
                        --restrict-role @auth:role=enforcer \
                                        @auth:role=enforcer-installer \
                        --validity <golang-duration> \
                        [--restrict-namespace <namespace>] \
                        [--restrict-network <cidr>]
    

  3. Retrieve the URL of your Microsegmentation Console API.

    echo $MICROSEG_API
    
  4. Access the target host, such as via SSH.

  5. Set a TOKEN environment variable containing the token you just generated. We’ve truncated the example token value below for readability.

    export TOKEN=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJyZWFsbSI6IkNlcnRpZmljYXRlIiwiZGF0YSI6eyJjb21tb25O....
    
  6. Set a MICROSEG_API environment variable containing the URL of the Microsegmentation Console API you just retrieved.

    export MICROSEG_API=https://api.microsegmentation.acme.com
    
  7. Confirm that the host can connect to the Microsegmentation Console API and trusts its certificate.

    curl -fsL $MICROSEG_API
    
  8. Set a TARGET_NS environment variable containing the Microsegmentation namespace of this enforcer. It should be a grandchild namespace.

    export TARGET_NS=/acme/aws-dev/vm1
    
  9. Install apoctl using the following command.

    sudo curl -o /usr/local/bin/apoctl \
      https://download.aporeto.com/releases/release-5.0.8/apoctl/linux/apoctl && \
    sudo chmod 755 /usr/local/bin/apoctl
    
  10. Select the tab that corresponds to the init system of the host and run the provided commands to ensure that any local firewalls are disabled and stopped, as required.

    sudo systemctl disable ufw
    sudo systemctl stop ufw
    sudo systemctl disable iptables
    sudo systemctl stop iptables
    sudo systemctl disable firewalld
    sudo systemctl stop firewalld
    
    sudo disable ufw
    sudo stop ufw
    sudo disable iptables
    sudo stop iptables
    sudo disable firewalld
    sudo stop firewalld
    
    sudo /etc/init.d/ufw disable 
    sudo /etc/init.d/ufw stop
    sudo /etc/init.d/iptables disable
    sudo /etc/init.d/iptables stop
    sudo /etc/init.d/firewalld disable 
    sudo /etc/init.d/firewalld stop
    

  11. Use the following command to install the enforcer.

    sudo apoctl enforcer install linux --token $TOKEN \
                                       --auth-mode appcred \
                                       --namespace $TARGET_NS \
                                       --api $MICROSEG_API \
                                       --repo https://repo.aporeto.com/releases/release-5.0.8  
    

    TIP

    Refer to Enforcer configuration options if you wish to modify the enforcer’s default settings. You can also run apoctl enforcer install linux -h to review its flags. You can find more information about the enforcer install linux command in the apoctl reference page.

  12. Open the Microsegmentation Console web interface, select Enforcers under Manage, and navigate to the enforcer’s namespace. You should find your enforcer listed with a status of connected. Click the enforcer and review its metadata.

  13. Select Platform in the side navigation menu. You should see your host as a processing unit, with a dashed green line to a Somewhere external network. Your host is in discovery mode.

  14. Return to your terminal on the target host.

  15. Remove apoctl and clear TOKEN.

    sudo rm /usr/local/bin/apoctl
    export TOKEN=""
    
  16. Refer to Securing host communications to learn how to allow the desired traffic and disable discovery mode.

Advanced on-premise install

  1. Ensure that you meet the following prerequisites.

    Entity Requirement
    Target host(s) Meets the system requirements
    Set up to synchronize time with authoritative sources
    curl installed
    ■ Can connect to the Microsegmentation Console API without TLS interception
    ■ Can connect to any subdomain of aporeto.com
    Local host apoctl installed
    ■ SSH access to target host(s)
    Privileges namespace.administrator privileges in the Microsegmentation namespace of the target host
    ■ User account on target host can sudo to gain root privileges without entering a password
  2. From your local host, generate a short-lived Microsegmentation token that the enforcer can exchange for an app credential. You can set a variety of restrictions on this token. If you’re in a hurry, just copy and paste the minimally restricted example below. The other tabs illustrate optional additional restrictions, such as requiring the enforcer to register in a specified namespace or make its request from a specific subnet.

    apoctl auth appcred --path ~/.apoctl/default.creds \
                        --restrict-role @auth:role=enforcer \
                        --validity 60m
    
    apoctl auth appcred --path ~/.apoctl/default.creds \
                        --restrict-role @auth:role=enforcer \
                        --validity 60m \
                        --restrict-namespace /acme/aws-dev/vm1 \
                        --restrict-network 10.0.0.0/8 
    
    apoctl auth appcred --path <app-credential-file> \
                        --restrict-role @auth:role=enforcer \
                        --validity <golang-duration> \
                        [--restrict-namespace <namespace>] \
                        [--restrict-network <cidr>]
    

  3. Retrieve the URL of your Microsegmentation Console API.

    echo $MICROSEG_API
    
  4. Access the target host, such as via SSH.

  5. Set a TOKEN environment variable containing the token you just generated. We’ve truncated the example token value below for readability.

    export TOKEN=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJyZWFsbSI6IkNlcnRpZmljYXRlIiwiZGF0YSI6eyJjb21tb25O....
    
  6. Set a MICROSEG_API environment variable containing the URL of the Microsegmentation Console API you just retrieved.

    export MICROSEG_API=https://api.microsegmentation.acme.com
    
  7. Confirm that the host can connect to the Microsegmentation Console API and trusts its certificate.

    curl -fsL $MICROSEG_API
    
  8. We will pull the images from your Microsegmentation Console. You can review the metadata at $MICROSEG_API/_meta/config. Use the following commands to set environment variables containing the paths to your TUF repository, the RPM/DEB repository, and the GPG key used to sign the packages.

    TUF_REPO="$(curl -sfSL $MICROSEG_API/_meta/config | sed -n 's/"//g;s/,//;s/.*tuf: //p;')"
    RPM_DEB_REPO="$(curl -sfSL $MICROSEG_API/_meta/config | sed -n 's/"//g;s/,//;s/.*repo: //p;')"
    GPG_KEY="$(curl -sfSL $MICROSEG_API/_meta/config | sed -n 's/"//g;s/,//;s/.*repo-signing-key: //p;')"
    
  9. Set a TARGET_NS environment variable containing the Microsegmentation namespace of this enforcer. It should be a grandchild namespace.

    export TARGET_NS=/acme/aws-dev/vm1
    
  10. Select the tab that corresponds to the init system of the host and run the provided commands to ensure that any local firewalls are disabled and stopped, as required.

    sudo systemctl disable ufw
    sudo systemctl stop ufw
    sudo systemctl disable iptables
    sudo systemctl stop iptables
    sudo systemctl disable firewalld
    sudo systemctl stop firewalld
    
    sudo disable ufw
    sudo stop ufw
    sudo disable iptables
    sudo stop iptables
    sudo disable firewalld
    sudo stop firewalld
    
    sudo /etc/init.d/ufw disable 
    sudo /etc/init.d/ufw stop
    sudo /etc/init.d/iptables disable
    sudo /etc/init.d/iptables stop
    sudo /etc/init.d/firewalld disable 
    sudo /etc/init.d/firewalld stop
    

  11. Use the command that corresponds to the operating system of the target host to download and install the enforcer.

    ```console
    curl -fsL $GPG_KEY | sudo apt-key add -
    echo "deb [arch=$(dpkg --print-architecture)] \
    $RPM_DEB_REPO/ubuntu/$(lsb_release -cs) aporeto main" \
    | sudo tee /etc/apt/sources.list.d/aporeto.list
    sudo apt update
    sudo apt install -y prisma-enforcer
    ```
    
    ```console
    sudo apt install -y apt-transport-https
    curl -fsL $GPG_KEY | sudo apt-key add -
    echo "deb [arch=$(dpkg --print-architecture)] \
    $RPM_DEB_REPO/debian/$(lsb_release -cs) aporeto main" \
    | sudo tee /etc/apt/sources.list.d/aporeto.list
    sudo apt update
    sudo apt install -y prisma-enforcer
    ```
    
    ```console
    cat << EOF | sudo tee /etc/yum.repos.d/Aporeto.repo
    [Aporeto]
    name=aporeto
    baseurl=$RPM_DEB_REPO/centos/\$releasever/
    gpgkey=$GPG_KEY
    gpgcheck=1
    repo_gpgcheck=1
    enabled=1
    EOF
    sudo yum install -y prisma-enforcer
    ```
    
    ```console
    cat << EOF | sudo tee /etc/yum.repos.d/Aporeto.repo
    [Aporeto]
    name=aporeto
    baseurl=$RPM_DEB_REPO/rhel/\$releasever/
    gpgkey=$GPG_KEY 
    gpgcheck=1
    repo_gpgcheck=1
    enabled=1
    EOF
    sudo yum install -y prisma-enforcer
    ```
    
    ```console
    cat << EOF | sudo tee /etc/yum.repos.d/Aporeto.repo
    [Aporeto]
    name=aporeto
    baseurl=$RPM_DEB_REPO/nodist/yum/
    gpgkey=$GPG_KEY 
    gpgcheck=1
    repo_gpgcheck=1
    enabled=1
    EOF
    sudo yum install -y prisma-enforcer
    ```
    

  12. Issue the command that corresponds to your desired configuration and the init system of the target host.

    echo "CNS_AGENT_TOKEN=$TOKEN" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "CNS_AGENT_ENFORCER_FIRST_INSTALL_VERSION=" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "ENFORCERD_TOKEN=$TOKEN" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "ENFORCERD_PERSIST_CREDENTIALS=true" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "ENFORCERD_API=$MICROSEG_API" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "ENFORCERD_ENABLE_HOST_MODE=true" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "ENFORCERD_NAMESPACE=$TARGET_NS" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "CNS_AGENT_TUF_REPO=$TUF_REPO" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    sudo systemctl enable --now prisma-enforcer
    sudo systemctl status prisma-enforcer
    
    echo "CNS_AGENT_TOKEN=$TOKEN" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "CNS_AGENT_ENFORCER_FIRST_INSTALL_VERSION=" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "ENFORCERD_TOKEN=$TOKEN" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "ENFORCERD_PERSIST_CREDENTIALS=true" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "ENFORCERD_API=$MICROSEG_API" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "ENFORCERD_ENABLE_HOST_MODE=true" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "ENFORCERD_NAMESPACE=$TARGET_NS" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "CNS_AGENT_TUF_REPO=$TUF_REPO" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    sudo start prisma-enforcer
    sudo status prisma-enforcer
    
    echo "CNS_AGENT_TOKEN=$TOKEN" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "CNS_AGENT_ENFORCER_FIRST_INSTALL_VERSION=" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "ENFORCERD_TOKEN=$TOKEN" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "ENFORCERD_PERSIST_CREDENTIALS=true" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "ENFORCERD_API=$MICROSEG_API" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "ENFORCERD_ENABLE_HOST_MODE=true" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "ENFORCERD_NAMESPACE=$TARGET_NS" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    echo "CNS_AGENT_TUF_REPO=$TUF_REPO" | sudo tee -a /var/lib/prisma-enforcer/prisma-enforcer.conf
    sudo /etc/init.d/prisma-enforcer start
    sudo /etc/init.d/prisma-enforcer status
    

    TIP

    • For versions of systemctl prior to 220, you may need to start and enable the service in two commands.
    • Refer to Enforcer configuration options for other environment variables you can set to modify the enforcer’s default settings.

  13. Open the Microsegmentation Console web interface, select Enforcers under Manage, and navigate to the enforcer’s namespace. You should find your enforcer listed with a status of connected. Click the enforcer and review its metadata.

  14. Select Platform in the side navigation menu. You should see your host as a processing unit, with a dashed green line to a Somewhere external network. Your host is in discovery mode.

  15. Return to your terminal on the target host.

  16. Clear TOKEN.

    export TOKEN=""
    
  17. Refer to Securing host communications to learn how to allow the desired traffic and disable discovery mode.

Enforcer configuration options

The enforcer exposes the following configuration options at startup. To modify the configuration of a running enforcer, you must restart it. To modify the enforcer’s tags, using the --tag flag, you have to also delete the enforcer object from the Microsegmentation Console.

You can modify the default configuration by passing one or more of the enforcer flags below as the value of --raw-flags. Example: apoctl enforcer install linux --raw-flags "--log-level=debug --log-format=human --log-to-console=true"

enforcer flag enforcerd.conf option Description
--activate-control-plane-pus Pass this flag if you wish to recognize the Microsegmentation Console as a processing unit, allowing its communications to be monitored and controlled. By default, the enforcer ignores them.
--api ENFORCERD_API The URL of the Microsegmentation Console API.
--api-cacert Path to CA certificate.
--api-skip-verify Disables check on certificate signature as trusted.
--appcreds ENFORCERD_APPCREDS Path to application credentials.
--application-proxy-port Start of the port range for ports used by the enforcer application proxy. Defaults to 20992. You may adjust this if you experience conflicts.
--cloud-probe-timeout The enforcer can determine if it is running in a cloud environment, such as AWS, GCP, or Azure. This is the maximum amount of time to wait for these internal probes to complete. Defaults to two seconds: 2s
--disable-dns-proxy Pass this flag to disable the enforcer DNS proxy, which allows policies to be written based on FQDN, in cases where an exact IP address may be unpredictable.
--dns-server-address DNS server address or CIDR that is observed by the enforcer DNS proxy. Defaults to 0.0.0.0/0.
--enable-ebpf (Beta) Pass this flag to gain performance improvements by using extended Berkeley Packet Filter (eBPF) on systems that support it.
--enable-ipv6 ENFORCERD_ENABLE_IPV6=1 The enforcer ignores IPv6 communications by default. If you have IPv6 enabled and wish to monitor and control these connections, pass this flag.
--log-level ENFORCERD_LOG_LEVEL=<value> Quantity of logs that the enforcer should generate. Defaults to info. Alternatively, you can set it to debug, trace, or warn.
--log-to-console Controls whether the enforcer’s logs are written to stdout. Boolean that defaults to false.
--namespace ENFORCERD_NAMESPACE The Microsegmentation namespace the enforcer should register in.
--tag Microsegmentation tag for this enforcer
--token ENFORCERD_TOKEN Microsegmentation token for the enforcer to use to register to the Microsegmentation Console.
--working-dir A persistent working directory with write, read, and execute permissions. Files such as logs are stored here. Defaults to /var/lib/enforcerd