IDENTITY-BASED MICROSEGMENTATION DOCUMENTATION

Linux hosts

About Linux host installs

To deploy the enforcer to a Linux host not orchestrated by Kubernetes or OpenShift, use one of the following procedures.

  • Quick install: the fastest way to install an enforcer on a Linux host.

  • Advanced cloud install: the enforcer uses short-lived tokens from AWS, GCP, or Azure to authenticate to the Microsegmentation Console.

  • Advanced on-premise install: you pass a restricted token to the enforcer. The enforcer exchanges the token for an app credential. This method ensures that the app credential never travels the wire.

Quick install

  1. Ensure that you meet the following prerequisites.

    Entity Requirement
    Target host(s) Meets the system requirements
    Set up to synchronize time with authoritative sources
    curl installed
    Local host apoctl installed
    ■ SSH access to target host(s)
    Privileges namespace.administrator privileges in the Microsegmentation namespace of the target host
    ■ User account(s) on target host(s) can sudo to gain root privileges without entering a password
  2. Copy the app credential from your local host to the target host. You can accomplish this in several ways. In the following example, we use scp.

    scp -i <private-key.pem> ~/.apoctl/default.creds <linux-user-name>@<target-host>:~
    
    scp -i my-aws.pem ~/.apoctl/default.creds ubuntu@ec2-18-188-223-240.us-east-2.compute.amazonaws.com:~
    

  3. Access the target host, such as via SSH.

  4. Confirm the app credential copy was successful.

    ls 
    
  5. Install apoctl using the following command.

    sudo curl -o /usr/local/bin/apoctl \
      https://download.aporeto.com/apoctl/linux/apoctl && \
    sudo chmod 755 /usr/local/bin/apoctl
    
  6. Set a TARGET_NS environment variable containing the Microsegmentation namespace of this enforcer. It should be a great grandchild namespace.

    export TARGET_NS=/acme/team-a/dev/vm1
    
  7. Use the following command to install the enforcer.

    sudo apoctl protect linux --creds default.creds \
                              --auth-mode appcred \
                              --namespace $TARGET_NS \
                              --repo https://repo.aporeto.com  
    

    TIP

    Refer to Enforcer configuration options if you wish to modify the enforcer’s default settings. You can find more information about the protect command in the apoctl reference page.

  8. Remove your app credential and apoctl.

    rm default.creds
    sudo rm /usr/local/bin/apoctl
    
  9. Open the In the Microsegmentation section of the Prisma Cloud web interface, navigate to the enforcer’s namespace, expand Manage, and select Enforcers. You should find your enforcer listed with a status of connected. Click the enforcer and review its metadata.

  10. Select Platform in the side navigation menu. You should see your host as a processing unit, with dashed green lines to any-udp and any-tcp external networks. Your host is in discovery mode. Refer to Securing host communications to learn how to allow the desired traffic and disable discovery mode.

Advanced cloud install

  1. Make sure you meet the following prerequisites.

    Entity Requirement
    Target host(s) Meets the system requirements
    Set up to synchronize time with authoritative sources
    Local host apoctl installed
    ■ SSH access to target host(s)
    jq installed
    Privileges namespace.administrator privileges in the Microsegmentation namespace of the target host
    Cloud credentials AWS: an IAM role attached to the target host with read-only access to tags (ec2:DescribeTags)
    GCP: GCP service account attached to the target host
    Azure: target host assigned a managed identity
  2. On your local host with apoctl, construct a Microsegmentation tag that identifies your cloud account, project, tenant, or organization. The tag must begin with @auth: followed by a key-value pair. Refer to the table below for some common examples.

    Cloud provider Value Microsegmentation tag syntax Microsegmentation tag example
    AWS AWS account ID* @auth:account=<AWS_ACCOUNT_ID> @auth:account=942613894219
    GCP GCP project ID @auth:projectid=<GCP_PROJECT_ID> @auth:projectid=acme-dev
    Azure Microsoft tenant ID @auth:tenantid=<TENANT_ID> @auth:tenantid=cd629cb5-2826-4126-82fd-3f2df5f5bc7
    GCP and Azure Name of organization @auth:organization=<ORGANIZATION> @auth:organization=acme

    * You can find your AWS account ID under My security credentials in the AWS Management Console.
    To learn how to find your tenant ID, refer to the Microsoft documentation.

  3. Set a CLOUD_ID_TAG environment variable containing the Microsegmentation tag you’ve constructed to identify authorized enforcers. If the target virtual machine is hosted on AWS, also set an AWS_IAM_ROLE environment variable containing the name of the IAM role attached to the instance prepended with @auth:rolename=. For examples, see below.

    export CLOUD_ID_TAG="@auth:account=942613894219"
    export AWS_IAM_ROLE="@auth:rolename=aporeto"
    
    export CLOUD_ID_TAG="@auth:projectid=acme-dev"
    
    export CLOUD_ID_TAG="@auth:tenantid=cd629cb5-2826-4126-82fd-3f2df5f5bc7"
    

  4. Set a TARGET_NS environment variable containing the Microsegmentation namespace that this enforcer should register in. It should be a great grandchild namespace.

    export TARGET_NS=/acme/team-a/dev/vm1
    
  5. (Optional) You can use cloud metadata to map the enforcer into the target namespace. Set an ENFORCER_ID_TAG environment variable with the Microsegmentation tag that contains the identifying cloud metadata. We provide example cloud metadata below and the command to create the namespace mapping.

    export ENFORCER_ID_TAG="@cloud:aws:type=ec2"
    cat << EOF | apoctl api import -f -
    APIVersion: 0
    label: ec2-namespace-map
    data:
     namespacemappingpolicies:
       - mappedNamespace: $TARGET_NS
         metadata: []
         name: Map $ENFORCER_ID_TAG instance to $TARGET_NS namespace
         subject:
           - - "\$identity=enforcer"
             - "$ENFORCER_ID_TAG"
    EOF
    
    export ENFORCER_ID_TAG="@cloud:gcp:zone=us-central1-a"
    cat << EOF | apoctl api import -f -
    APIVersion: 0
    label: gcp-namespace-map
    data:
     namespacemappingpolicies:
       - mappedNamespace: $TARGET_NS
         metadata: []
         name: Map $ENFORCER_ID_TAG instance to $TARGET_NS namespace
         subject:
           - - "\$identity=enforcer"
             - "$ENFORCER_ID_TAG"
    EOF
    
    export ENFORCER_ID_TAG="@cloud:azure:location=centralus"
    cat << EOF | apoctl api import -f -
    APIVersion: 0
    label: gcp-namespace-map
    data:
     namespacemappingpolicies:
       - mappedNamespace: $TARGET_NS
         metadata: []
         name: Map $ENFORCER_ID_TAG instance to $APOCTL_NAMESPACE/$CHILD_NAMESPACE namespace
         subject:
           - - "\$identity=enforcer"
             - "$ENFORCER_ID_TAG"
    EOF
    

  6. Use one of the following commands to create an API authorization that allows the enforcer to access the Microsegmentation Console. Select the tab that corresponds to the cloud provider of the target host and whether or not you are using the optional mapping.

    export CURRENT_NS=$( apoctl auth verify | jq -r '.data.organization' )
    cat << EOF | apoctl api import --creds default.creds -f -
    APIVersion: 0
    label: ec2-enforcerd-auth
    data:
     apiauthorizationpolicies:
       - authorizedIdentities:
           - '@auth:role=enforcer'
         authorizedNamespace: $CURRENT_NS
         authorizedSubnets: []
         name: Authorize EC2 enforcer to access Microsegmentation Console
         propagate: true
         subject:
           - - "@auth:realm=awssecuritytoken"
             - "$AWS_IAM_ROLE"
             - "$CLOUD_ID_TAG"
    EOF
    
    cat << EOF | apoctl api import -f -
    APIVersion: 0
    label: ec2-enforcerd-auth
    data:
     apiauthorizationpolicies:
       - authorizedIdentities:
           - '@auth:role=enforcer'
         authorizedNamespace: $TARGET_NS
         authorizedSubnets: []
         name: Authorize EC2 enforcer to access Microsegmentation Console
         propagate: true
         subject:
           - - "@auth:realm=awssecuritytoken"
             - "$AWS_IAM_ROLE"
             - "$CLOUD_ID_TAG"
    EOF
    
    export CURRENT_NS=$( apoctl auth verify | jq -r '.data.organization' )
    cat << EOF | apoctl api import --creds default.creds -f -
    APIVersion: 0
    label: gcp-enforcerd-auth
    data:
     apiauthorizationpolicies:
       - authorizedIdentities:
           - '@auth:role=enforcer'
         authorizedNamespace: $CURRENT_NS
         authorizedSubnets: []
         name: Authorize GCP enforcer to access Microsegmentation Console
         propagate: true
         subject:
           - - "@auth:realm=gcpidentitytoken"
             - "$CLOUD_ID_TAG"
    EOF
    
    cat << EOF | apoctl api import -f -
    APIVersion: 0
    label: gcp-enforcerd-auth
    data:
     apiauthorizationpolicies:
       - authorizedIdentities:
           - '@auth:role=enforcer'
         authorizedNamespace: $TARGET_NS
         authorizedSubnets: []
         name: Authorize GCP enforcer to access Microsegmentation Console
         propagate: true
         subject:
           - - "@auth:realm=gcpidentitytoken"
             - "$CLOUD_ID_TAG"
    EOF
    
    export CURRENT_NS=$( apoctl auth verify | jq -r '.data.organization' )
    cat << EOF | apoctl api import --creds default.creds -f -
    APIVersion: 0
    label: azure-enforcerd-auth
    data:
     apiauthorizationpolicies:
       - authorizedIdentities:
           - '@auth:role=enforcer'
         authorizedNamespace: $CURRENT_NS
         authorizedSubnets: []
         name: Authorize Azure enforcer to access Microsegmentation Console
         propagate: true
         subject:
           - - "@auth:realm=azureidentitytoken"
             - "$CLOUD_ID_TAG"
    EOF
    
    cat << EOF | apoctl api import -f -
    APIVersion: 0
    label: azure-enforcerd-auth
    data:
     apiauthorizationpolicies:
       - authorizedIdentities:
           - '@auth:role=enforcer'
         authorizedNamespace: $TARGET_NS
         authorizedSubnets: []
         name: Authorize Azure enforcer to access Microsegmentation Console
         propagate: true
         subject:
           - - "@auth:realm=azureidentitytoken"
             - "$CLOUD_ID_TAG"
    EOF
    

  7. Use the following command to obtain the URL of your Microsegmentation Console API.

    echo $MICROSEG_NS
    
  8. Use one of the following commands to get the enforcer’s namespace. If you are using a namespace mapping, the correct value is your current namespace. If you are not using a namespace mapping, the correct value is the TARGET_NS

    echo $TARGET_NS
    
    echo $CURRENT_NS
    

  9. SSH into your target instance.

  10. Paste the values retrieved in the prior command into MICROSEG_API and ENFORCER_NS environment variables.

    export ENFORCER_NS=<paste-value>
    export MICROSEG_API=<paste-value>
    
  11. Use the command that corresponds to the operating system of the target host to download and install the enforcer.

    curl -sSL https://download.aporeto.com/aporeto-packages.gpg | sudo apt-key add -
    echo "deb [arch=$(dpkg --print-architecture)] \
    https://repo.aporeto.com/ubuntu/$(lsb_release -cs) aporeto main" \
    | sudo tee /etc/apt/sources.list.d/aporeto.list
    sudo apt update
    sudo apt install -y enforcerd
    
    sudo apt install -y apt-transport-https
    curl -sSL https://download.aporeto.com/aporeto-packages.gpg | sudo apt-key add -
    echo "deb [arch=$(dpkg --print-architecture)] \
    https://repo.aporeto.com/debian/$(lsb_release -cs) aporeto main" \
    | sudo tee /etc/apt/sources.list.d/aporeto.list
    sudo apt update
    sudo apt install -y enforcerd
    
    cat << EOF | sudo tee /etc/yum.repos.d/Aporeto.repo
    [Aporeto]
    name=aporeto
    baseurl=https://repo.aporeto.com/centos/\$releasever/
    gpgkey=https://download.aporeto.com/aporeto-packages.gpg
    gpgcheck=1
    repo_gpgcheck=1
    enabled=1
    EOF
    sudo yum install -y enforcerd
    
    cat << EOF | sudo tee /etc/yum.repos.d/Aporeto.repo
    [Aporeto]
    name=aporeto
    baseurl=https://repo.aporeto.com/redhat/\$releasever/
    gpgkey=https://download.aporeto.com/aporeto-packages.gpg
    gpgcheck=1
    repo_gpgcheck=1
    enabled=1
    EOF
    sudo yum install -y enforcerd
    
    cat << EOF | sudo tee /etc/yum.repos.d/Aporeto.repo
    [Aporeto]
    name=aporeto
    baseurl=https://repo.aporeto.com/nodist/yum/
    gpgkey=https://download.aporeto.com/aporeto-packages.gpg
    gpgcheck=1
    repo_gpgcheck=1
    enabled=1
    EOF
    sudo yum install -y enforcerd
    
    cat << EOF | sudo tee /etc/yum.repos.d/Aporeto.repo
    [Aporeto]
    name=aporeto
    baseurl=https://repo.aporeto.com/ol/\$releasever/
    gpgkey=https://download.aporeto.com/aporeto-packages.gpg
    gpgcheck=1
    repo_gpgcheck=1
    enabled=1
    EOF
    sudo yum install -y enforcerd
    

  12. Issue the command that corresponds to your desired configuration and the init system of the target host.

    echo "ENFORCERD_API=$MICROSEG_API" | sudo tee -a /etc/enforcerd.conf
    echo "ENFORCERD_NAMESPACE=$ENFORCER_NS" | sudo tee -a /etc/enforcerd.conf
    sudo systemctl enable --now enforcerd
    sudo systemctl status enforcerd
    
    echo "ENFORCERD_API=$MICROSEG_API" | sudo tee -a /etc/enforcerd.conf
    echo "ENFORCERD_NAMESPACE=$ENFORCER_NS" | sudo tee -a /etc/enforcerd.conf
    sudo start enforcerd
    sudo status enforcerd
    
    echo "ENFORCERD_API=$MICROSEG_API" | sudo tee -a /etc/enforcerd.conf
    echo "ENFORCERD_NAMESPACE=$ENFORCER_NS" | sudo tee -a /etc/enforcerd.conf
    sudo /etc/init.d/enforcerd start
    sudo /etc/init.d/enforcerd status
    

    TIP

    • For versions of systemctl prior to 220, you may need to start and enable the service in two commands.
    • Refer to Enforcer configuration options if you wish to modify the enforcer’s default settings.

  13. Open the In the Microsegmentation section of the Prisma Cloud web interface, navigate to the enforcer’s namespace, expand Manage, and select Enforcers. You should find your enforcer listed with a status of connected. Click the enforcer and review its metadata.

  14. Select Platform in the side navigation menu. You should see your host as a processing unit, with dashed green lines to any-udp and any-tcp external networks. Your host is in discovery mode. Refer to Securing host communications to learn how to allow the desired traffic and disable discovery mode.

Advanced on-premise install

  1. Ensure that you meet the following prequisites.

    Entity Requirement
    Target host(s) Meet the system requirements
    Set up to synchronize time with authoritative sources
    Local host apoctl installed
    Privileges namespace.administrator privileges in the target Microsegmentation namespace
  2. From your local host, create an app credential with the enforcer role.

    apoctl appcred create enforcerd --role @auth:role=enforcer > enforcerd.creds
    
  3. Use the app credential you just generated to obtain a base64-encoded token with the desired restrictions. At a minimum, we recommend restricting the length of its validity and role. You can also require the enforcer to register in a specified namespace or make its request from a specific subnet.

    apoctl auth appcred --path enforcerd.creds \
                        --restrict-role @auth:role=enforcer \
                        --validity <golang-duration> \
                        [--restrict-namespace <namespace>] \
                        [--restrict-network <cidr>]
    
    apoctl auth appcred --path enforcerd.creds \
                        --restrict-namespace /acme/team-a/dev/vm1 \
                        --restrict-role @auth:role=enforcer \
                        --restrict-network 10.0.0.0/8 \
                        --validity 20m
    
    apoctl auth appcred --path enforcerd.creds \
                        --restrict-role @auth:role=enforcer \
                        --validity 20m
    

    IMPORTANT

    Assigning the enforcer role ensures that the enforcer has least privilege access to the Microsegmentation Console, but prevents it from re-registering itself if it goes down for more than twenty-four hours. We recommend setting up an alert for enforcers that go down for more than twenty-four hours. You can then intervene manually to get the enforcers registered again.

  4. Issue the following command to retrieve the URL of your Microsegmentation Console API.

    apoctl auth verify | jq -r '.iss'
    
  5. Access the target host, such as via SSH. Copy the token returned previously and paste it as the value of a TOKEN environment variable.

    export TOKEN=<paste-token-value>
    
  6. Copy the URL of your Microsegmentation Console API returned previously and paste it as the value of a MICROSEG_API environment variable.

    export MICROSEG_API=https://35.230.80.37:4443
    
  7. Set a TARGET_NS environment variable containing the Microsegmentation namespace that this enforcer should register in. It should be a great grandchild namespace.

    export TARGET_NS=/acme/team-a/dev/vm1
    
  8. Use the command that corresponds to the operating system of the target host to download and install the enforcer.

    curl -sSL https://download.aporeto.com/aporeto-packages.gpg | sudo apt-key add -
    echo "deb [arch=$(dpkg --print-architecture)] \
    https://repo.aporeto.com/ubuntu/$(lsb_release -cs) aporeto main" \
    | sudo tee /etc/apt/sources.list.d/aporeto.list
    sudo apt update
    sudo apt install -y enforcerd
    
    sudo apt install -y apt-transport-https
    curl -sSL https://download.aporeto.com/aporeto-packages.gpg | sudo apt-key add -
    echo "deb [arch=$(dpkg --print-architecture)] \
    https://repo.aporeto.com/debian/$(lsb_release -cs) aporeto main" \
    | sudo tee /etc/apt/sources.list.d/aporeto.list
    sudo apt update
    sudo apt install -y enforcerd
    
    cat << EOF | sudo tee /etc/yum.repos.d/Aporeto.repo
    [Aporeto]
    name=aporeto
    baseurl=https://repo.aporeto.com/centos/\$releasever/
    gpgkey=https://download.aporeto.com/aporeto-packages.gpg
    gpgcheck=1
    repo_gpgcheck=1
    enabled=1
    EOF
    sudo yum install -y enforcerd
    
    cat << EOF | sudo tee /etc/yum.repos.d/Aporeto.repo
    [Aporeto]
    name=aporeto
    baseurl=https://repo.aporeto.com/redhat/\$releasever/
    gpgkey=https://download.aporeto.com/aporeto-packages.gpg
    gpgcheck=1
    repo_gpgcheck=1
    enabled=1
    EOF
    sudo yum install -y enforcerd
    
    cat << EOF | sudo tee /etc/yum.repos.d/Aporeto.repo
    [Aporeto]
    name=aporeto
    baseurl=https://repo.aporeto.com/nodist/yum/
    gpgkey=https://download.aporeto.com/aporeto-packages.gpg
    gpgcheck=1
    repo_gpgcheck=1
    enabled=1
    EOF
    sudo yum install -y enforcerd
    
    cat << EOF | sudo tee /etc/yum.repos.d/Aporeto.repo
    [Aporeto]
    name=aporeto
    baseurl=https://repo.aporeto.com/ol/\$releasever/
    gpgkey=https://download.aporeto.com/aporeto-packages.gpg
    gpgcheck=1
    repo_gpgcheck=1
    enabled=1
    EOF
    sudo yum install -y enforcerd
    

  9. You can configure the enforcer to store its app credential only in memory and not on disk. While more secure, this option requires someone to manually reprovision enforcer with a token following a reboot of the host. You can also configure the enforcer to store its app credential on disk, ensuring that it can reconnect to the Microsegmentation Console after a reboot without manual intervention. Issue the command that corresponds to your desired configuration and the init system of the target host.

    • Store app credential on disk

      echo "ENFORCERD_TOKEN=$TOKEN" | sudo tee -a /etc/enforcerd.conf
      echo "ENFORCERD_PERSIST_CREDENTIALS=true" | sudo tee -a /etc/enforcerd.conf
      echo "ENFORCERD_API=$MICROSEG_API" | sudo tee -a /etc/enforcerd.conf
      echo "ENFORCERD_NAMESPACE=$TARGET_NS" | sudo tee -a /etc/enforcerd.conf
      sudo systemctl enable --now enforcerd
      sudo systemctl status enforcerd
      
      echo "ENFORCERD_TOKEN=$TOKEN" | sudo tee -a /etc/enforcerd.conf
      echo "ENFORCERD_PERSIST_CREDENTIALS=true" | sudo tee -a /etc/enforcerd.conf
      echo "ENFORCERD_API=$MICROSEG_API" | sudo tee -a /etc/enforcerd.conf
      echo "ENFORCERD_NAMESPACE=$TARGET_NS" | sudo tee -a /etc/enforcerd.conf
      sudo start enforcerd
      sudo status enforcerd
      
      echo "ENFORCERD_TOKEN=$TOKEN" | sudo tee -a /etc/enforcerd.conf
      echo "ENFORCERD_PERSIST_CREDENTIALS=true" | sudo tee -a /etc/enforcerd.conf
      echo "ENFORCERD_API=$MICROSEG_API" | sudo tee -a /etc/enforcerd.conf
      echo "ENFORCERD_NAMESPACE=$TARGET_NS" | sudo tee -a /etc/enforcerd.conf
      sudo /etc/init.d/enforcerd start
      sudo /etc/init.d/enforcerd status
      

    • Store app credential only in memory

      echo "ENFORCERD_TOKEN=$TOKEN" | sudo tee -a /etc/enforcerd.conf
      echo "ENFORCERD_API=$MICROSEG_API" | sudo tee -a /etc/enforcerd.conf
      echo "ENFORCERD_NAMESPACE=$TARGET_NS" | sudo tee -a /etc/enforcerd.conf
      sudo systemctl enable --now enforcerd
      sudo systemctl status enforcerd
      
      echo "ENFORCERD_TOKEN=$TOKEN" | sudo tee -a /etc/enforcerd.conf
      echo "ENFORCERD_API=$MICROSEG_API" | sudo tee -a /etc/enforcerd.conf
      echo "ENFORCERD_NAMESPACE=$TARGET_NS" | sudo tee -a /etc/enforcerd.conf
      sudo start enforcerd
      sudo status enforcerd
      
      echo "ENFORCERD_TOKEN=$TOKEN" | sudo tee -a /etc/enforcerd.conf
      echo "ENFORCERD_API=$MICROSEG_API" | sudo tee -a /etc/enforcerd.conf
      echo "ENFORCERD_NAMESPACE=$TARGET_NS" | sudo tee -a /etc/enforcerd.conf
      sudo /etc/init.d/enforcerd start
      sudo /etc/init.d/enforcerd status
      

      TIP

      • For versions of systemctl prior to 220, you may need to start and enable the service in two commands.
      • Refer to Enforcer configuration options if you wish to modify the enforcer’s default settings.

  10. Open the In the Microsegmentation section of the Prisma Cloud web interface, navigate to the enforcer’s namespace, expand Manage, and select Enforcers. You should find your enforcer listed with a status of connected. Click the enforcer and review its metadata.

  11. Select Platform in the side navigation menu. You should see your host as a processing unit, with dashed green lines to any-udp and any-tcp external networks. Your host is in discovery mode. Refer to Securing host communications to learn how to allow the desired traffic and disable discovery mode.

Enforcer configuration options

The enforcer exposes the following configuration options at startup. To modify the configuration of a running enforcer, you must restart it.

You can modify the default configuration in two ways:

  • If you’re using apoctl protect, pass one or more of the enforcer flags below as the value of --raw-flags. Example: apoctl protect linux --raw-flags "--log-level=debug --log-format=human --log-to-console=true"

  • If you’re not using apoctl protect, you can set the values in the /etc/enforcerd.conf file.

enforcer flag enforcerd.conf option Description
--activate-control-plane-pus Pass this flag if you wish to recognize the Microsegmentation Console as a processing unit, allowing its communications to be monitored and controlled. By default, the enforcer ignores them.
--api ENFORCERD_API The URL of the Microsegmentation Console API.
--api-cacert Path to CA certificate.
--api-skip-verify Disables check on certificate signature as trusted.
--appcreds ENFORCERD_APPCREDS Path to application credentials.
--application-proxy-port Start of the port range for ports used by the enforcer application proxy. Defaults to 20992. You may adjust this if you experience conflicts.
--cloud-probe-timeout The enforcer can determine if it is running in a cloud environment, such as AWS, GCP, or Azure. This is the maximum amount of time to wait for these internal probes to complete. Defaults to two seconds: 2s
--disable-dns-proxy Pass this flag to disable the enforcer DNS proxy, which allows policies to be written based on FQDN, in cases where an exact IP address may be unpredictable.
--dns-server-address DNS server address or CIDR that is observed by the enforcer DNS proxy. Defaults to 0.0.0.0/0.
--enable-ebpf (Beta) Pass this flag to gain performance improvements by using extended Berkeley Packet Filter (eBPF) on systems that support it.
--enable-ipv6 ENFORCERD_ENABLE_IPV6=1 (Beta) The enforcer ignores IPv6 communications by default. If you have IPv6 enabled and wish to monitor and control these connections, pass this flag.
--log-level ENFORCERD_LOG_LEVEL=<value> Quantity of logs that the enforcer should generate. Defaults to info. Alternatively, you can set it to debug, trace, or warn.
--log-to-console Controls whether the enforcer’s logs are written to stdout. Boolean that defaults to false.
--namespace ENFORCERD_NAMESPACE The Microsegmentation namespace the enforcer should register in.
--persist-credentials ENFORCERD_PERSIST_CREDENTIALS=true Pass this flag or set the environment variable to true if you are using the Advanced on-premise install and wish to persist the enforcer’s app credential on disk. Defaults to false.
--tag Microsegmentation tag for this enforcer
--token ENFORCERD_TOKEN Microsegmentation token for the enforcer to use to register to the Microsegmentation Console.
--working-dir A persistent working directory with write, read, and execute permissions. Files such as logs are stored here. Defaults to /var/lib/enforcerd