Identity-Based Microsegmentation Guide
LAST UPDATED: June 23, 2021

March 5, 2021

Breaking changes

Network rulesets

This release introduces network rulesets. You must convert your network policies to network rulesets, because network policies no longer have any effect. To learn more about network rulesets, refer to our conceptual overview, how-to instructions, and the API reference.

Ports and protocols removed from external networks

External networks no longer include ports or protocols. You must define the ports and protocols in the network ruleset.

CNI plugin required

Following a period of deprecation, we have removed support for Kubernetes/OpenShift clusters that use kubenet networking. Before upgrading your enforcers, ensure that your clusters use CNI networking. Refer to the system requirements and installation guide for more information.

No enforcer upgrades

You must uninstall your enforcers and then install the latest enforcer.

Namespace mapping for enforcers not supported

We no longer support namespace mapping for enforcers. You can use namespace mapping for processing units, but not enforcers.

What’s new

Istio integration

In clusters with Istio, the enforcer monitors and enforces traffic at layer three. It ignores layer four and layer seven traffic.

Compatible with Twistlock Defender

The enforcer can now run alongside the Twistlock Defender. However, you must disable CNNF and WAAS. Also refer to known issue CNS-1412.

Discovery mode available from API

You can now enable and disable discovery mode from the API. The following namespace properties enable discovery mode:

defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow

To disable discovery mode, set both properties to Reject. You must have privileges in the parent namespace to modify these settings.

All enforcer installs use apoctl

You can now use apoctl to install Windows enforcers and enforcers that use cloud authentication.

Automatic namespace creation

When you enable Microsegmentation, we automatically create the following namespaces:

  • Parent namespace corresponding to your Prisma ID
  • One child namespace for each of the cloud accounts you’ve onboarded to Prisma Cloud
  • A default grandchild namespace for each cloud account

Tag prefixes

The new tagPrefixes namespace property specifies the Microsegmentation tags you can use to identify processing units in network rulesets. If the beginning of a tag matches one of the tag prefixes, you can use it in a network ruleset. Microsegmentation includes a number of default tag prefixes, and you can also specify your own. Refer to Tag prefixes for more information.

IMPORTANT

Ensure that your network rulesets do not use tags without matching tag prefixes. Refer to Deprecation notices.

Microsegmentation logs available via RQL

Prisma Cloud users who prefer to query the Microsegmentation logs via RQL can now do so. You can use the Prisma Cloud API or the Investigate pane to construct queries. Refer to core/rql in the API reference for more information.

NetSecOps permission group

We’ve added a NetSecOps permission group that gives a user access to cloud account namespaces in Microsegmentation. You can optionally limit a NetSecOps user to read-only access.

Renaming

The following features and components have been renamed.

Description                            Previous                New
Command to install the enforcer        apoctl protect          apoctl enforcer install
Name of enforcer service               enforcerd               prisma-enforcer
Side navigation in the web interface   Platform                App Dependency Map
                                       Manage > Enforcers      Agent
                                       Dashboard               Dashboard > NetSecOps
                                       Authentication Sources  Credentials

Deprecation notices

  • Tags must have matching tag prefixes: as of the next update, enforcement of rulesets that use tags without matching tag prefixes will cease. This could result in traffic getting rejected or allowed unexpectedly. Ensure that your network rulesets use only tags with matching tag prefixes. You may need to add the desired tag prefixes to your namespaces. Refer to Tag prefixes for more information.

  • Namespace Editor role: If you have any API authorizations using this role, migrate them to the Namespace Administrator role. We will remove the Namespace Editor role in a future release.

  • Host services: If you are using host services, migrate to external networks and network rulesets. We will remove host services in a future release.
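The tag prefix requirement described above (and the deprecation notice that enforcement of non-matching tags will cease) can be audited before upgrading. The following added example is not part of the release notes or of the product: it walks a constructed namespace export and a constructed network ruleset, and reports every tag that does not begin with one of the namespace's tagPrefixes. The prefix values, the ruleset field names (incomingRules, outgoingRules, object, action) and the sample tags are assumptions made for the example.

```python
"""Audit a network ruleset for tags that lack a matching tag prefix."""
from typing import Dict, Iterable, List

# Constructed namespace export (not real Prisma data). tagPrefixes is the
# property named in the release notes; the prefix values are made up.
NAMESPACE = {
    "name": "/acme/aws-prod/default",
    "tagPrefixes": ["@app:k8s:", "app=", "tier=", "env="],
}

# Constructed ruleset. Field names are assumed for the example; each rule's
# object is a list of AND-groups (lists of tags), and the groups are ORed.
RULESET = {
    "name": "web-tier",
    "incomingRules": [
        {"action": "Allow", "object": [["app=frontend", "env=prod"]]},
        {"action": "Allow", "object": [["@app:k8s:namespace=payments"],
                                       ["owner=team-x"]]},
    ],
    "outgoingRules": [
        {"action": "Reject", "object": [["legacy:role=db"]]},
        {"action": "Allow", "object": [["tier=cache"]]},
    ],
}


def has_matching_prefix(tag: str, prefixes: Iterable[str]) -> bool:
    """A tag is usable in a ruleset when it begins with one of the prefixes."""
    return any(tag.startswith(p) for p in prefixes)


def unprefixed_tags(ruleset: Dict, prefixes: Iterable[str]) -> List[str]:
    """Return 'direction[index] (action): tag' for every unprefixed tag."""
    prefixes = list(prefixes)
    findings = []
    for direction in ("incomingRules", "outgoingRules"):
        for idx, rule in enumerate(ruleset.get(direction, [])):
            for group in rule.get("object", []):
                for tag in group:
                    if not has_matching_prefix(tag, prefixes):
                        findings.append(f"{direction}[{idx}] ({rule['action']}): {tag}")
    return findings


def audit(namespace: Dict, ruleset: Dict) -> List[str]:
    """Check one ruleset against the prefixes of the namespace it lives in."""
    return unprefixed_tags(ruleset, namespace.get("tagPrefixes", []))


if __name__ == "__main__":
    for finding in audit(NAMESPACE, RULESET):
        print("WARNING", RULESET["name"], finding)
```

A rule flagged here would stop being enforced after the next update, so an Allow rule could silently stop admitting traffic and a Reject rule could stop blocking it.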

Resolved issues

  • CNS-361: Network address translation (NAT) between pods on the same host no longer occasionally causes packets to be dropped when no traffic occurs for twenty-four seconds or more.

  • CNS-280: apoctl protect k8s no longer deletes a manually created app credential named enforcerd.

  • CNS-126: The enforcer fully cleans its iptables rules on uninstallation.

Known issues

  • CNS-121: When multiple clients attempt to connect to the same HTTP service on a Windows host, some may experience timeouts.

  • CNS-153: When using relative time values with apoctl, the values must be in relation to Pacific Standard Time (PST). For example, if you are in France and want to retrieve the last five minutes of flow logs, you could use -9h5m. Another workaround for this issue is to use absolute time values.

  • CNS-1412: The enforcer may block Twistlock Defenders from connecting to the Compute Console. To work around this issue, complete the following steps.

    1. Create an enforcer profile that excludes the Twistlock Defender pods. After setting an NS environment variable that specifies the target Microsegmentation namespace and installing apoctl, you can copy and paste the following command to create the necessary enforcer profile.

      cat <<EOF | apoctl api create enforcerprofile -n $NS -f -
      name: ignore-twistlock-defender
      # Processing units whose tags match this expression are ignored by the enforcer
      ignoreExpression:
      - - '@app:k8s:serviceaccountname=twistlock-service'
      # Tag used by the mapping policy in step 2 to select this profile
      associatedTags:
      - enforcerprofile=ignore.twistlock
      propagate: true
      EOF

    2. Map the profile to your enforcers.

      cat <<EOF | apoctl api create enforcerprofilemappingpolicies -n $NS -f -
      name: ignore-twistlock-defender-mapping
      # The profile created in step 1, selected by its associated tag
      object:
      - - enforcerprofile=ignore.twistlock
      # Apply to all enforcers; the backslash stops the shell from expanding $identity in the heredoc
      subject:
      - - \$identity=enforcer
      propagate: true
      EOF