Identity-Based Microsegmentation Guide
LAST UPDATED: June 23, 2021

May 14, 2021

What’s new

Easier brownfield deployments

To prevent issues with middleboxes that may strip Microsegmentation identity from packets or drop packets with Microsegmentation identity, we’ve modified the enforcer’s default settings. The enforcer now adds identity to packets only within the following CIDRs by default.

CIDR            Description
10.0.0.0/8      Private network defined in RFC 1918
127.0.0.0/8     Loopback address
172.16.0.0/12   Private network defined in RFC 1918
192.168.0.0/16  Private network defined in RFC 1918

This change affects namespaces created after this release. Enforcers in preexisting namespaces do not have the above defaults.

Host installation script option

You can now output the host installation script to a file. This allows you to examine the file before executing it. You can generate the script by specifying script as the installation-mode for apoctl.

  • apoctl enforcer install linux --installation-mode script generates a file called installenforcer.sh
  • apoctl enforcer install windows --installation-mode script generates a file called installenforcer.ps1

You can add the flag to the command in the web interface by toggling the button under Output script.

Installation preflight checks

When using apoctl to install the enforcer, it performs the following preflight checks.

  • The host can connect to the Microsegmentation Console API and retrieve the client artifacts
  • GKE intranode visibility is not enabled

Web interface enhancements

To improve usability, we’ve made the following enhancements to the web interface.

  • The Agent > Deploy pane offers new YAML/Helm and CLI Tool Version selectors.
  • We no longer hide the Agent > Deploy pane in the top-level namespace. Instead, we provide an informative message.
  • Policy ID is now one of the default columns in the App Dependency Map > Access pane.
  • We add the required @org: prefix automatically to organizational tags if omitted.
  • We hide invalid options from RQL suggestions.
  • We generate an alarm message in the web interface for enforcers whose time has drifted more than five minutes from the Microsegmentation Console.

Resolved issues

  • CNS-906: The web interface no longer occasionally displays stale flow logs.

  • CNS-1651: The enforcer recovers after a third party removes some of its iptables rules.

  • CNS-1685: The error "'namespace' doesn't exist in the URL. Please make sure 'useInitUrlParam' is called" no longer occurs when switching between panes under Dashboard.

  • CNS-1733: Deselecting Show policed flows in the App Dependency Map pane no longer produces unexpected results.

  • CNS-1750: Users with NetSecOps permissions can navigate between namespaces.

  • CNS-1755: Fonts in the web interface no longer vanish on external monitors with a devicePixelRatio of 1.25.

  • CNS-1863: The initial attempt to install the enforcer on Red Hat Enterprise Linux (RHEL) 8.1 or 8.2 no longer fails with the message "error: unable to run command 'yum install -y prisma-enforcer': signal: broken pipe".

Known issues

  • CNS-153: When using relative time values with apoctl, the values must be in relation to Pacific Standard Time (PST). For example, if you are in France and want to retrieve the last five minutes of flow logs, you could use -9h5m. Another workaround for this issue is to use absolute time values.

  • CNS-1730: Traffic to the domain in an external network occasionally goes to Somewhere instead.

Deprecation notices

  • Namespace Editor role: If you have any API authorizations using this role, migrate them to the Namespace Administrator role. We will remove the Namespace Editor role in a future release.

  • Host services: If you are using host services, migrate to external networks and network rulesets. We will remove host services in a future release.