Identity-Based Microsegmentation Guide
LAST UPDATED: October 8, 2021

January 24, 2020

New production features

Increased visibility

  • This release of Aporeto features logging of DNS lookup requests. You can locate the DNS lookup logs report under Logs in the Aporeto web interface.

  • To assist in identifying and removing stale objects, you can now view the number of times a network policy or external network has been hit from the web interface.

  • Aporeto now provides dropped-packet metrics for debugging. Use apoctl stats query packets to retrieve dropped packets that did not match any Aporeto rule, and apoctl stats query counters to obtain a count of dropped packets. Refer to the apoctl reference documentation for more information.

More flexible external network definitions

  • You can use fully qualified domain names to define external networks. Aporeto also supports a wildcard, but only as the leftmost label of the name: a pattern of the form *.<domain> covers hosts under that domain. A wildcard anywhere else in the name, or embedded inside a label (for example, google*.com), is not accepted.

  • You can now define protocol-independent external networks via the Control Plane API, using any as a servicePorts value.
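The following is an added example, not Aporeto's code or API: a small validator that models the two rules above (a wildcard only as the whole leftmost label, and any as a protocol-independent servicePorts value) so a policy author can check an external network definition before submitting it through the Control Plane API. The tcp/udp proto/port syntax accepted next to any, the field names entries and servicePorts, and the choice that * matches exactly one label are assumptions of this example.

```python
"""Pre-submission checks for wildcard FQDN external-network entries.

Added example, not Aporeto's own code. It encodes the rule stated in the
release notes: a single '*' is accepted only as the entire leftmost DNS
label. The servicePorts syntax beyond 'any', and the one-label matching
semantics of '*', are assumptions made for this example.
"""
import re
from typing import List, Tuple

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
# Assumed proto/port form for servicePorts: 'tcp/443', 'udp/53', 'tcp/8000:8100'.
_PORT = re.compile(r"^(tcp|udp)/(\d{1,5})(?::(\d{1,5}))?$")


def validate_fqdn_pattern(pattern: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a hostname or wildcard pattern."""
    name = pattern.strip().rstrip(".").lower()
    if not name:
        return False, "empty pattern"
    labels = name.split(".")
    if len(labels) < 2:
        return False, "need at least two labels (a bare '*' would match everything)"
    for i, label in enumerate(labels):
        if label == "*":
            if i != 0:
                return False, f"wildcard at label {i}; only the leftmost label may be '*'"
            continue
        if "*" in label:
            return False, f"wildcard embedded in label {label!r}; '*' must be the whole label"
        if not _LABEL.match(label):
            return False, f"invalid DNS label {label!r}"
    return True, "ok"


def validate_service_port(value: str) -> bool:
    """'any' is protocol-independent; otherwise proto/port or proto/lo:hi (assumed form)."""
    v = value.strip().lower()
    if v == "any":
        return True
    m = _PORT.match(v)
    if not m:
        return False
    lo = int(m.group(2))
    hi = int(m.group(3) or lo)
    return 1 <= lo <= hi <= 65535


def validate_external_network(entries: List[str], service_ports: List[str]) -> List[str]:
    """Collect every problem in a definition instead of stopping at the first."""
    errors = []
    for entry in entries:
        ok, reason = validate_fqdn_pattern(entry)
        if not ok:
            errors.append(f"entry {entry!r}: {reason}")
    for port in service_ports:
        if not validate_service_port(port):
            errors.append(f"servicePort {port!r}: expected 'any' or proto/port")
    return errors


def matches(pattern: str, hostname: str) -> bool:
    """True if hostname is covered by a validated pattern.

    Assumption of this example: '*' stands for exactly one label, so
    '*.example.com' covers 'api.example.com' but neither 'example.com'
    nor 'a.b.example.com'. Comparison is case-insensitive and ignores a
    trailing dot.
    """
    ok, reason = validate_fqdn_pattern(pattern)
    if not ok:
        raise ValueError(reason)
    p = pattern.strip().rstrip(".").lower().split(".")
    h = hostname.strip().rstrip(".").lower().split(".")
    if len(p) != len(h):
        return False
    return all(pl == "*" or pl == hl for pl, hl in zip(p, h))


if __name__ == "__main__":
    # Constructed definition: one wildcard entry, one bad entry, protocol-independent ports.
    for err in validate_external_network(["*.example.com", "google*.com"], ["any", "tcp/443"]):
        print(err)
```

Running the block prints the single rejection for google*.com; the wildcard entry and both servicePorts values pass.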

Namespace in token derived from app credential

Aporeto now uses the namespace of the app credential as the value of audience in Aporeto tokens retrieved via apoctl auth appcred. You can use the --audience flag to override this behavior and set the audience to a different value.

Support for booleans and arrays from identity providers

Aporeto no longer ignores boolean and array claim values returned by OpenID Connect (OIDC) identity providers.
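As an added illustration (not Aporeto's code), the block below flattens an OIDC claim set into key=value identity tags and contrasts it with the earlier behaviour in which boolean and array claims were dropped. The sample claims are constructed; the @auth: prefix, the rendering of booleans as true/false, and the tag-based authorization check are assumptions of this example.

```python
"""Flatten OIDC ID-token claims into identity tags.

Added example, not Aporeto's own code. It shows why dropping boolean and
array claims matters: a group membership or an email_verified flag can
only drive a policy if it survives as a tag. The '@auth:' prefix and the
true/false rendering of booleans are assumptions of this example.
"""
from typing import Any, Dict, List, Set

# Constructed sample claims, as an identity provider might return them.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "sub": "user-1234",
    "email": "alice@example.com",
    "email_verified": True,
    "groups": ["payments-dev", "oncall"],
    "iat": 1579824000,
    "address": {"country": "CA"},
}


def _scalars(value: Any) -> List[str]:
    """Expand a claim value into the strings that become tag values."""
    if isinstance(value, bool):          # check bool before int: True is an int in Python
        return ["true" if value else "false"]
    if isinstance(value, (int, float, str)):
        return [str(value)]
    if isinstance(value, list):          # one tag per array element, nested arrays flattened
        out: List[str] = []
        for item in value:
            out.extend(_scalars(item))
        return out
    return []                            # nested objects are not flattened into tags


def claims_to_tags(claims: Dict[str, Any], prefix: str = "@auth:") -> Set[str]:
    """Current behaviour: strings, numbers, booleans and arrays all yield tags."""
    tags: Set[str] = set()
    for key, value in claims.items():
        for scalar in _scalars(value):
            tags.add(f"{prefix}{key}={scalar}")
    return tags


def legacy_claims_to_tags(claims: Dict[str, Any], prefix: str = "@auth:") -> Set[str]:
    """Earlier behaviour described in the notes: boolean and array claims ignored."""
    return {
        f"{prefix}{k}={v}"
        for k, v in claims.items()
        if isinstance(v, (str, int, float)) and not isinstance(v, bool)
    }


def is_authorized(tags: Set[str], required: List[str]) -> bool:
    """A subject matches when every required tag is present (AND of tags)."""
    return set(required) <= tags


if __name__ == "__main__":
    need = ["@auth:email_verified=true", "@auth:groups=payments-dev"]
    print("now:   ", is_authorized(claims_to_tags(SAMPLE_CLAIMS), need))
    print("before:", is_authorized(legacy_claims_to_tags(SAMPLE_CLAIMS), need))
```

With the constructed claims, the policy requiring a verified email and membership in payments-dev matches under the current behaviour and fails under the earlier one, because neither the boolean nor the array claim produced a tag.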

New beta features

Integrates with Istio 1.2 and later

This release of Aporeto integrates with Istio 1.2 and later.

Enhancements to SSH

  • You can now use Aporeto’s SSH access control features with enforcers deployed as standalone containers.

  • The enforcer offers a new sshdconfig subcommand that makes it easier to set up SSH access controls.

  • Logs of the SSH commands issued by users now include the command arguments.

  • The SSH authorization resource offers a new requireSystemAccountMatching option. Enable it to require users to specify the name of a Linux user account on the remote host when requesting an SSH certificate. Refer to SSH authorization for more information.

New GCP monitoring app

The new GCP instance monitoring app allows you to ensure that your GCP instances have running enforcers. If the app locates an instance without an operational enforcer, it triggers an alarm in the Aporeto web interface. If you have instances that you wish to exclude from monitoring, you can identify these using tags. To check out this app, visit Integrations > Apps in the Aporeto web interface.

PCI compliance reports

Aporeto offers a new apoctl report compliance command to help you achieve and retain PCI compliance. Refer to the apoctl reference documentation for more information.

Identity federation for applications

Aporeto can now serve as an identity broker, providing applications with credentials to access third-party services such as AWS, Vault, and others. Refer to the Enforcer API section to learn more.

Known issue

Red Hat Enterprise Linux 8+ requires special configuration to work with the SSH access control feature. If you require this distribution, contact us for assistance.