Identity-Based Microsegmentation Guide
LAST UPDATED: October 8, 2021

October 30, 2020

What’s new

Integration with Prisma Cloud

In this private beta release, we offer a preview of Aporeto’s integration into Prisma Cloud. We do not support any upgrades to this release, only fresh installs.

We continue to host the Aporeto control plane for customers who do not wish to upgrade.


If you are still using the Aporeto-hosted control plane, do not upgrade your enforcers or apoctl clients. You must migrate to the Prisma-hosted platform to obtain further updates.

We have removed content for the Aporeto-hosted control plane from this guide. This section now contains content for the Prisma-hosted offering.

Terminology changes

We have renamed the product and control plane as follows.

Previous term     New term
Aporeto           Prisma Cloud Identity-Based Microsegmentation (Microsegmentation)
control plane     Microsegmentation Console

Automated Windows install

We have extended apoctl protect to support Windows. Refer to the installation documentation for more details.

Streamlined enforcer deployment

We’ve made it easier to deploy enforcers with the following changes.

  • Namespace concepts and creation guidance added.
  • Discovery mode enabled by default.
  • Host protection enabled by default for Linux and Windows hosts.
  • Reduced types of processing units to either an entire host or a pod.

Connectivity troubleshooting

We now offer apoctl oam ping to help you troubleshoot connectivity issues at layers 3, 4, and 7. Refer to Troubleshooting connectivity for more information.

Remote access to enforcer logs

You can now download an enforcer’s logs and other data to your local host. See Troubleshooting enforcer for details.

New roles

This release adds the following new roles.

  • Infrastructure Administrator: can edit all resources except namespaces.
  • Infrastructure Viewer: can view all resources.
  • Application Developer: can edit network policies, services, service dependencies, and token scope policies. Can view processing units and external networks.
  • Application Viewer: can view network policies, services, service dependencies, token scope policies, processing units, and external networks.

Operator now optional

We no longer require the operator on Kubernetes or OpenShift clusters. By default, we don’t deploy it.

Removal of unused features

Due to a lack of adoption, we have removed:

  • Enforcer’s audit logging capabilities
  • Namespace auditor role
  • App integrations such as the Clair vulnerability scanner and others

Deprecation notices

  • Namespace Editor role: If you have any API authorizations using this role, migrate them to the Namespace Administrator role. We will remove the Namespace Editor role in a future release.

  • Host services: If you are using host services, migrate to external networks and network policies. We will remove host services in a future release.

  • Support for kubenet: If your Kubernetes clusters use kubenet, migrate them to CNI plugins. GKE clusters use kubenet by default. Pass the --enable-network-policy flag to modify them to use CNI plugins instead.

Resolved issues

  • APO-146: You no longer have to manually issue the following commands before installing the enforcer on RHEL 8 and RHEL CoreOS 8 (used by OpenShift 4) hosts:

    modprobe ip_tables
    modprobe iptable_nat

Known issues

  • CNS-121: When multiple clients attempt to connect to the same HTTP service on a Windows host, some may experience timeouts.

  • CNS-126: After decommissioning an enforcer, you may find some of its iptables rules still in place.

  • CNS-153: When using relative time values with apoctl, the values must be in relation to Pacific Standard Time (PST). For example, if you are in France and want to retrieve the last five minutes of flow logs, you could use -9h5m. Another workaround for this issue is to use absolute time values.

  • CNS-280: If you manually create an app credential and name it enforcerd, apoctl protect k8s may delete it. To avoid this potential issue, do not name your app credentials enforcerd.

  • CNS-361: Network address translation (NAT) between pods on the same host may cause packets to be dropped if traffic does not occur for twenty-four seconds or longer.
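The CNS-153 workaround above requires adding the gap between your local clock and PST to the window you actually want. The following helper is an added example, not code from the Prisma Cloud or Aporeto products, that computes the relative value from your local time zone and the desired lookback, honouring DST on the local side. It assumes, as the known-issue text states, that apoctl resolves relative values against PST, modelled here as a fixed UTC-8 offset, and that relative values use the compact -9h5m form shown above; whether apoctl accepts a positive (forward) value is an assumption, and for that case absolute time values remain the safe choice.

```python
from datetime import datetime, timedelta, timezone, tzinfo
from typing import Optional
from zoneinfo import ZoneInfo

# Assumption taken from the known-issue text: apoctl resolves relative time
# values against Pacific Standard Time. Modelled here as a fixed UTC-8 offset.
PST = timezone(timedelta(hours=-8), name="PST")


def format_duration(d: timedelta) -> str:
    """Render a non-negative timedelta in the compact h/m/s form the page's
    example uses, e.g. 9h5m, 45m, 30s."""
    secs = int(d.total_seconds())
    hours, rem = divmod(secs, 3600)
    minutes, seconds = divmod(rem, 60)
    parts = []
    if hours:
        parts.append(f"{hours}h")
    if minutes:
        parts.append(f"{minutes}m")
    if seconds or not parts:
        parts.append(f"{seconds}s")
    return "".join(parts)


def pst_relative_offset(local_tz: tzinfo, lookback: timedelta,
                        now: Optional[datetime] = None) -> str:
    """Return the relative time string to hand to apoctl so that "the last
    `lookback`" on the caller's local clock is expressed relative to PST.

    The local UTC offset is evaluated at `now`, so DST on the local side is
    honoured (e.g. CET vs CEST).
    """
    if now is None:
        now = datetime.now(timezone.utc)
    local_offset = now.astimezone(local_tz).utcoffset()
    pst_offset = now.astimezone(PST).utcoffset()
    # Positive when the local clock reads later than the PST clock.
    clock_skew = local_offset - pst_offset
    # Going back `lookback` from local-now equals going back
    # (clock_skew + lookback) from PST-now.
    total = clock_skew + lookback
    if total >= timedelta(0):
        return "-" + format_duration(total)
    # The local clock is behind PST by more than the lookback (e.g. Hawaii),
    # so the window lies after PST-now. Assumption: the page does not say
    # whether apoctl accepts a positive relative value; absolute times are
    # the documented fallback.
    return "+" + format_duration(-total)


if __name__ == "__main__":
    # Worked example from the known issue: a user in France asking for the
    # last five minutes of flow logs on 30 Oct 2020 (CET, UTC+1).
    at = datetime(2020, 10, 30, 12, 0, tzinfo=timezone.utc)
    print(pst_relative_offset(ZoneInfo("Europe/Paris"), timedelta(minutes=5), at))  # -9h5m
```

Because the offset is computed for a specific instant, the same call made in July (CEST, UTC+2) yields -10h5m rather than -9h5m; that is the off-by-an-hour mistake this helper is meant to prevent when querying flow logs around an incident.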