Identity-Based Microsegmentation Guide
LAST UPDATED: October 8, 2021

September 15, 2020

Breaking change

After a period of deprecation, we’ve removed support for the protocols and ports attributes of external networks. Before upgrading, ensure the following:

  • You have converted any import file, script, or automation using the protocol/port attributes to use servicePorts instead.
  • You don’t have any enforcers earlier than 3.12. Enforcers prior to version 3.12 ignore external networks that use servicePorts.

What’s new

Allow ICMP traffic by message type and code

You can now allow specific ICMP message types and codes using the following syntax: icmp/<type>/<code>,<code>.

We recommend allowing ICMP types and codes used for troubleshooting. Examples follow.

Aporeto syntax ICMP type and code Description Usage
icmp/8/0 ICMP Type 8 Code 0 echo requests ping
icmp/8/0 ICMP Type 0 Code 0 echo replies ping
icmp/11/0 ICMP Type 11 Code 0 time to live expired in transit traceroute
icmp/3/4 ICMP Type 3 Code 4 fragment needed but do not fragment bit set path MTU discovery

NOT operator extended to external networks

External networks now support the NOT (!) operator.

Express network policy destination ports as ranges

Network policies now support ranges of destination ports using the following syntax: tcp/80:100

New restricted token for enforcer registration

Aporeto now offers a new, restricted token for enforcer registration. We are deprecating use of the one-time token and encourage those using one-time tokens to migrate to the restricted token. For more information on the restricted token, refer to the installation documentation.

eBPF disabled by default

We now disable eBPF by default. This feature is still in beta. We encourage you to try it out in testing and development environments but not in production.

Resolved issues

  • #249: Attempts to renew the Aporeto certificate authority’s certificate no longer fail under certain circumstances.

  • #618: The enforcer now returns the proper exit codes so that it can be monitored by tools like Puppet. Due to a known issue in upstart you may still encounter incorrect exit codes in Ubuntu 14.04. Contact us for a patch to your service script or other workarounds.

  • #707: nflog packet errors no longer appear in the enforcer logs after enabling host protection on an OpenShift master node and setting activateKubesystemPUs to true.

  • #738: When host protection is enabled, the enforcer now allows itself to query local DNS servers, such as systemd-resolved (default in Ubuntu 18.04). You no longer need to use an enforcer profile to configure the enforcer to ignore loopback traffic. You can use network policies to allow DNS traffic and the enforcer reports the flows.

Known issues

  • #146: RHEL 8 and RHEL CoreOS 8 (used by OpenShift 4) have deprecated iptables in favor of nftables. Before installing Aporeto in these environments, you must enable iptables, such as via the following commands:

    modprobe ip_tables
    modprobe iptable_nat
  • #597: When using relative time values with apoctl, the values must be in relation to Pacific Standard Time (PST). For example, if you are in France and want to retrieve the last five minues of flow logs, you could use -9h5m. Another workaround for this issue is to use absolute time values.

  • #801: After decommissioning an enforcer, you may find some of its iptables rules still in place.

  • #815: When multiple clients attempt to connect to the same HTTP service on a Windows host, some may experience timeouts.