Identity-Based Microsegmentation Guide
LAST UPDATED: September 27, 2021

April 2, 2021

What’s new

Images now available from GCR

We now push our images to GCR. To avoid getting rate-limited by DockerHub, we pull from GCR by default.

Resolved issues

  • CNS-1411: The web interface command to deploy a Kubernetes/OpenShift enforcer DaemonSet no longer includes sudo.

  • CNS-1412: The enforcer no longer blocks Prisma Cloud Compute Defenders from connecting to the Compute Console.

  • CNS-1544: Installation of the enforcer no longer fails if the key of a tag contains a space. The enforcer now ignores tags with keys that contain spaces.

  • CNS-1547: Installation of the enforcer no longer fails if the target host has both YUM and APT package managers.

Known issues

  • CNS-153: When using relative time values with apoctl, the values must be in relation to Pacific Standard Time (PST). For example, if you are in France and want to retrieve the last five minutes of flow logs, you could use -9h5m. Another workaround for this issue is to use absolute time values.

  • CNS-1651: The enforcer fails to recover after a third party removes some of its iptables rules.

  • CNS-1685: The error "Error: 'namespace' doesn't exist in the URL. Please make sure 'useInitUrlParam' is called" sometimes occurs when switching between panes under Dashboard.

  • CNS-1730: Traffic to the domain in an external network occasionally goes to Somewhere instead.

  • CNS-1733: Deselecting Show policed flows in the App Dependency Map pane produces unexpected results.

  • CNS-1750: Users with NetSecOps permissions have difficulty navigating between namespaces.

  • CNS-1755: Fonts in the web interface vanish on external monitors with a devicePixelRatio of 1.25.

Deprecation notices

  • Namespace Editor role: If you have any API authorizations using this role, migrate them to the Namespace Administrator role. We will remove the Namespace Editor role in a future release.

  • Host services: If you are using host services, migrate to external networks and network rulesets. We will remove host services in a future release.