Identity-Based Microsegmentation Guide
LAST UPDATED: September 27, 2021

May 28, 2021

What’s new

Complete installation preflight checks

We’ve rolled all the preflight checks together so that the installer verifies the target host meets the enforcer’s requirements before installation proceeds:

  • Connectivity
  • Time synchronization with Microsegmentation Console
  • Supported operating system

Reporting of IP address resolution

The enforcer now reports the IP addresses that a fully qualified domain name (FQDN) resolved to. You can find this data in Network Security > Logs > DNS Lookup Logs. You may need to manually add the ResolvedIPs field as a column.

Automatic creation of cloud API authorization

After you onboard a cloud account to Prisma Cloud, we automatically create an API authorization that enforcers can use to authenticate to the Microsegmentation Console. You can view the automatically created API authorizations in the Network Security > Namespaces > Authorizations pane of the web interface. They are named Authorization for auto-registration of enforcer and are disabled by default. For AWS instances, before you enable the authorization, we recommend attaching an IAM role to the target host that grants read-only access to tags (ec2:DescribeTags) and nothing more.
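The following permissions policy for that IAM role is an added example, not a policy shipped with Prisma Cloud; the Sid is an arbitrary name, and the policy grants only the single action the paragraph above calls for:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforcerReadInstanceTagsOnly",
      "Effect": "Allow",
      "Action": "ec2:DescribeTags",
      "Resource": "*"
    }
  ]
}
```

Attach this policy to a role whose trust policy allows the ec2.amazonaws.com service principal to assume it, and expose the role to the host through an instance profile. The Resource element has to be "*" because ec2:DescribeTags does not support resource-level permissions, so the role can read tags on any EC2 resource in the account; do not widen it to ec2:Describe* or add any write actions to compensate. Before enabling the authorization, confirm from the host that `aws ec2 describe-tags --filters "Name=resource-id,Values=<instance-id>"` returns the instance tags and that an unrelated call such as `aws ec2 describe-instances` is denied. Because any process on the host can obtain the role’s credentials from the instance metadata service, require IMDSv2 (HttpTokens=required) and keep the hop limit at 1 so that containers and other workloads on the host cannot harvest them.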

Easier retrieval of enforcer logs

You can now put an enforcer into debug mode from the web interface and use the provided command to collect its logs.

Resolved issues

  • CNS-906: Occasional failures to automatically refresh the flow logs no longer occur.

Known issues

  • CNS-153: When using relative time values with apoctl, the values are interpreted relative to Pacific Standard Time (PST) rather than your local time. For example, if you are in France and want to retrieve the last five minutes of flow logs, you could use -9h5m. Another workaround for this issue is to use absolute time values.

  • CNS-1730: Traffic to a domain defined in an external network is occasionally attributed to the default Somewhere external network instead of the external network that defines the domain.

Deprecation notices

  • Namespace Editor role: If you have any API authorizations using this role, migrate them to the Namespace Administrator role. We will remove the Namespace Editor role in a future release.

  • Host services: If you are using host services, migrate to external networks and network rulesets. We will remove host services in a future release.