Identity-Based Microsegmentation Guide
LAST UPDATED: September 27, 2021

April 16, 2021

What’s new

VictoriaMetrics and new endpoints

The Microsegmentation Console offers better performance at scale by moving from InfluxDB to VictoriaMetrics for time-series data. The /statsquery and /statsinfo endpoints are now deprecated and will be removed very soon. Ensure that your automations, scripts, and applications use the following new endpoints instead.

New endpoint      apoctl documentation    API documentation
/metrics          metrics command         visualization/metrics endpoint
/reportsquery     reportsquery command    visualization/reportsquery endpoint

Cloud accounts synchronized immediately

The cloud accounts you’ve onboarded to Prisma Cloud now sync with Microsegmentation immediately.

Web interface enhancements

  • A new Namespace > Settings tab allows you to modify settings of the namespace, such as its tag prefixes.

  • We now show the Agent > Deploy pane in all namespaces.

  • The namespace selector displays ~ for the parent namespace instead of the Prisma ID for better readability. Clicking the Copy button copies the actual Prisma ID.

  • We now disable the To parent namespace button in the namespace selector if the user does not have permissions to access the parent.

Better logging and troubleshooting for enforcer installs

  • The enforcer now writes installation-related messages to the following log files for easier troubleshooting: cni.log and install.log.

  • A new apoctl enforcer collect techsupport command allows you to execute all of the collect subcommands and download the results in a single compressed file. Refer to the reference documentation for more details.

Resolved issues

  • CNS-172: Modifications to the ignoreExpression in an enforcer profile no longer require an enforcer restart to take effect.

  • CNS-1411: The web interface no longer includes sudo in the command to install a DaemonSet enforcer.

  • CNS-1687: The documentation and web interface commands for cloud enforcer installs no longer include an unnecessary Microsegmentation token.

Known issues

  • CNS-153: When using relative time values with apoctl, the values must be in relation to Pacific Standard Time (PST). For example, if you are in France and want to retrieve the last five minutes of flow logs, you could use -9h5m. Another workaround for this issue is to use absolute time values.

  • CNS-1651: The enforcer fails to recover after a third party removes some of its iptables rules.

  • CNS-1685: The error message "Error: 'namespace' doesn't exist in the URL. Please make sure 'useInitUrlParam' is called" sometimes occurs when switching between panes under Dashboard.

  • CNS-1730: Traffic to the domain in an external network occasionally goes to Somewhere instead.

  • CNS-1733: Deselecting Show policed flows in the App Dependency Map pane produces unexpected results.

  • CNS-1750: Users with NetSecOps permissions have difficulty navigating between namespaces.

  • CNS-1755: Fonts in the web interface vanish on external monitors with a devicePixelRatio of 1.25.

  • CNS-1863: The initial attempt to install the enforcer on Red Hat Enterprise Linux (RHEL) 8.1 or 8.2 fails with the message "error: unable to run command 'yum install -y prisma-enforcer': signal: broken pipe". To work around this issue, rerun the command.

Deprecation notices

  • Namespace Editor role: If you have any API authorizations using this role, migrate them to the Namespace Administrator role. We will remove the Namespace Editor role in a future release.

  • Host services: If you are using host services, migrate to external networks and network rulesets. We will remove host services in a future release.