Identity-Based Microsegmentation Guide
LAST UPDATED: September 27, 2021

May 18, 2020

What’s new

Simpler syntax for excluding subnets

A new NOT (!) operator simplifies the syntax for defining subnets to ignore. Let’s imagine we wanted to exclude two subnets. We can accomplish this in the Networking pane of an enforcer profile, using any of the following fields: Managed TCP Networks, Managed UDP Networks, or Excluded Networks. Previously, we would have had to resort to the following binary expansion, listing every CIDR block that remains once the excluded subnets are carved out:

    { ..}
    { ..}
    { ..}
    { ..}
    { ..}
    { ..}
    { ..}

Now we can use the new NOT (!) operator for a much briefer and more readable expression:

    !
    !
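To make the difference between the two forms concrete, the following added example (not Aporeto code, and not taken from this page) reproduces both in Python with the standard `ipaddress` module. `expand_exclusions` computes the "binary expansion": the list of CIDR blocks left over when excluded subnets are carved out of a managed range, which is what an operator previously had to type by hand. `is_managed` evaluates a list of entries in a NOT-style syntax; the exact form `!10.1.0.0/16` is an assumption about the operator's spelling, as is the rule that a `!` entry overrides an overlapping plain entry. The sample ranges are constructed for the demonstration.

```python
import ipaddress


def expand_exclusions(managed, excluded):
    """Return 'managed minus excluded' as an explicit, sorted list of CIDR strings.

    This is the binary expansion: carving a /16 out of a /8 leaves one block
    per differing prefix bit (8 blocks), which is why the manual form is long.
    """
    result = [ipaddress.ip_network(managed)]
    for ex in excluded:
        ex_net = ipaddress.ip_network(ex)
        remaining = []
        for net in result:
            if ex_net.subnet_of(net):
                # Split net into the pieces that do not contain ex_net.
                remaining.extend(net.address_exclude(ex_net))
            elif net.subnet_of(ex_net):
                # This fragment is entirely inside an exclusion: drop it.
                continue
            else:
                # CIDR blocks are either nested or disjoint; disjoint ones stay.
                remaining.append(net)
        result = remaining
    return [str(n) for n in sorted(result)]


def parse_entries(entries):
    """Split NOT-style entries (assumed syntax: a leading '!') into include/exclude lists."""
    include, exclude = [], []
    for entry in entries:
        entry = entry.strip()
        if entry.startswith("!"):
            exclude.append(ipaddress.ip_network(entry[1:].strip()))
        else:
            include.append(ipaddress.ip_network(entry))
    return include, exclude


def is_managed(ip, entries):
    """True if ip falls inside an included network and outside every '!' network."""
    include, exclude = parse_entries(entries)
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in exclude):
        return False
    return any(addr in net for net in include)


def forms_agree(managed, excluded, ips):
    """Check that the NOT form and its binary expansion classify every ip identically."""
    not_form = [managed] + ["!" + ex for ex in excluded]
    expanded = [ipaddress.ip_network(c) for c in expand_exclusions(managed, excluded)]
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if is_managed(ip, not_form) != any(addr in net for net in expanded):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: manage 10.0.0.0/8 except 10.1.0.0/16 and 10.200.0.0/24.
    for block in expand_exclusions("10.0.0.0/8", ["10.1.0.0/16", "10.200.0.0/24"]):
        print(block)
    print(is_managed("10.1.2.3", ["10.0.0.0/8", "!10.1.0.0/16"]))
```

The `forms_agree` check is the one worth keeping around when migrating an existing profile from the expanded form to the `!` form: run the old list and the new list over the address ranges you care about and confirm they classify every address the same way before the new profile is enforced.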

Ability to forward packets unmodified

Aporeto forwards packets as is, without making any modifications, for IP addresses:

  • In Excluded Networks
  • Excluded from the Managed TCP Networks or Managed UDP Networks

Easier enforcer deployment

apoctl offers a new protect command that makes it a lot easier to deploy the Aporeto enforcer to a Kubernetes/OpenShift cluster and Linux hosts. Learn how to use protect in the Linux and Kubernetes/OpenShift installation sections. We also recommend reviewing the protect reference documentation.

Resolved issues

  • #137: Spurious duplicate enforcer alerts no longer occasionally appear after upgrading.

Known issues

  • #146: RHEL 8 and RHEL CoreOS 8 (used by OpenShift 4) have deprecated iptables in favor of nftables. Before installing Aporeto in these environments, you must enable iptables, for example by loading the kernel modules with the following commands:

    modprobe ip_tables
    modprobe iptable_nat
  • #1302: RHEL 8+ requires special configuration to work with the SSH access control feature. If you require this distribution, contact us for assistance.