March 5, 2021
This release introduces network rulesets. You must convert your network policies to network rulesets. Network policies no longer have any effect. To learn more about network rulesets, refer to our conceptual overview, how-to instructions, and the API reference.
Ports and protocols removed from external networks
External networks no longer include ports or protocols. You must define the ports and protocols in the network ruleset.
CNI plugin required
Following a period of deprecation, we have removed support for Kubernetes/OpenShift clusters that use
Before upgrading your enforcers, ensure that your clusters use CNI networking.
Refer to the system requirements and installation guide for more information.
No enforcer upgrades
You must uninstall your enforcers and then install the latest enforcer.
Namespace mapping for enforcers not supported
We no longer support namespace mapping for enforcers. You can use namespace mapping for processing units, but not enforcers.
In clusters with Istio, the enforcer monitors and enforces traffic at layer three. It ignores layer four and layer seven traffic.
Compatible with Twistlock Defender
Discovery mode available from API
You can now enable and disable discovery mode from the API. The following namespace properties enable discovery mode:
```yaml
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
```
To disable discovery mode, modify the properties to
You must have privileges in the parent namespace to modify the setting.
All enforcer installs use apoctl
You can now use apoctl to install Windows enforcers and enforcers that use cloud authentication.
Automatic namespace creation
When you enable Microsegmentation, we automatically create the following namespaces:
- Parent namespace corresponding to your Prisma ID
- One child namespace for each of the cloud accounts you’ve onboarded to Prisma Cloud
- A grandchild namespace named default for each cloud account
The tagPrefixes namespace property specifies the Microsegmentation tags you can use to identify processing units in network rulesets.
If the beginning of a tag matches one of the tag prefixes, you can use it in a network ruleset.
Microsegmentation includes a number of default tag prefixes, and you can also specify your own.
Refer to tag prefixes for more information.
Ensure that your network rulesets do not use tags without matching tag prefixes. Refer to Deprecation notices.
Microsegmentation logs available via RQL
Prisma Cloud users that prefer to query the Microsegmentation logs via RQL can now do so.
You can use the Prisma Cloud API or the Investigate pane to construct queries.
Refer to core/rql in the API reference for more information.
NetSecOps permission group
We’ve added a NetSecOps permission group that gives a user access to cloud account namespaces in Microsegmentation. You can optionally limit a NetSecOps user to read-only access.
The following features and components have been renamed.

| Feature or component | Previous name | New name |
| --- | --- | --- |
| Command to install the enforcer | | |
| Name of enforcer service | | |
| Side navigation in the web interface | Platform | App Dependency Map |
| | Manage > Enforcers | Agent |
| | Dashboard | Dashboard > NetSecOps |
Tags must have matching tag prefixes: as of the next update, enforcement of rulesets that use tags without matching tag prefixes will cease. This could result in traffic getting rejected or allowed unexpectedly. Ensure that your network rulesets use only tags with matching tag prefixes. You may need to add the desired tag prefixes to your namespaces. Refer to Tag prefixes for more information.
Namespace Editor role: If you have any API authorizations using this role, migrate them to the Namespace Administrator role. We will remove the Namespace Editor role in a future release.
Host services: If you are using host services, migrate to external networks and network rulesets. We will remove host services in a future release.
CNS-361: Network address translation (NAT) between pods on the same host no longer occasionally causes packets to be dropped if traffic does not occur for twenty-four seconds or more.
apoctl protect k8s no longer deletes a manually created app credential named
CNS-126: The enforcer fully cleans its iptables rules on uninstallation.
CNS-121: When multiple clients attempt to connect to the same HTTP service on a Windows host, some may experience timeouts.
CNS-153: When using relative time values with apoctl, the values must be in relation to Pacific Standard Time (PST). For example, if you are in France and want to retrieve the last five minutes of flow logs, you could use -9h5m. Another workaround for this issue is to use absolute time values.
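The offset arithmetic behind the CNS-153 workaround, as an added example (not part of the release notes or the apoctl tool): it turns "the last N minutes in my local zone" into the PST-anchored relative value the note describes, treating PST as a fixed UTC-8 as the note does, and refusing windows that cannot be expressed as a past offset (zones west of PST), where absolute times are the remaining workaround.

```python
from datetime import timedelta

# The release note says apoctl reads relative values against Pacific Standard
# Time. This example assumes that means a fixed UTC-8 offset (PST, not PDT).
PST_UTC_OFFSET_HOURS = -8


def format_relative(delta: timedelta) -> str:
    """Render a positive timedelta in the compact style the note uses, e.g. -9h5m."""
    total_minutes = int(delta.total_seconds() // 60)
    hours, minutes = divmod(total_minutes, 60)
    parts = []
    if hours:
        parts.append(f"{hours}h")
    if minutes or not parts:
        parts.append(f"{minutes}m")
    return "-" + "".join(parts)


def apoctl_relative_window(local_utc_offset_hours: float, window_minutes: int) -> str:
    """Translate a local "last window_minutes" query into a PST-relative value.

    local_utc_offset_hours is the caller's current UTC offset (1 for France in
    winter, 2 under summer time). The gap between the caller's clock and PST is
    added to the window so that the query still ends at the real "now".
    """
    shift = timedelta(hours=local_utc_offset_hours - PST_UTC_OFFSET_HOURS)
    delta = shift + timedelta(minutes=window_minutes)
    if delta <= timedelta(0):
        # West of PST the wanted window lies "after" apoctl's notion of now, so
        # no negative relative value reaches it; use absolute times instead.
        raise ValueError("window not expressible as a PST-relative past offset; use absolute time values")
    return format_relative(delta)


if __name__ == "__main__":
    # France (UTC+1) asking for the last five minutes, the case from the note.
    print(apoctl_relative_window(1, 5))  # -9h5m
```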
CNS-1412: The enforcer may block Twistlock Defenders from connecting to the Compute Console. To work around this issue, complete the following steps.
1. Create an enforcer profile that excludes the Twistlock Defender pods. After setting an NS environment variable that specifies the target Microsegmentation namespace and installing apoctl, you can copy and paste the following command to create the necessary enforcer profile.

```shell
cat <<EOF | apoctl api create enforcerprofile -n $NS -f -
name: ignore-twistlock-defender
# Pods running under the twistlock-service service account are ignored
ignoreExpression:
- - '@app:k8s:serviceaccountname=twistlock-service'
# Tag used below to map this profile to enforcers
associatedTags:
- enforcerprofile=ignore.twistlock
propagate: true
EOF
```

2. Map the profile to your enforcers.

```shell
cat <<EOF | apoctl api create enforcerprofilemappingpolicies -n $NS -f -
name: ignore-twistlock-defender-mapping
object:
- - enforcerprofile=ignore.twistlock
# The backslash keeps the shell from expanding $identity inside the heredoc
subject:
- - \$identity=enforcer
propagate: true
EOF
```