Identity-Based Microsegmentation Guide
LAST UPDATED: October 8, 2021

System requirements


Microsegmentation is incompatible with the following.


The Enforcer hosts must be able to access the Prisma Cloud domains and subdomians and be configured to allow ingress and egress traffic.


Enforcer hosts must be able to access the and domains, as well as any subdomains. To pull down our container images, the enforcer hosts must be able to access If you have firewalls blocking this traffic, add *,, *, * to their allow lists.


Before you deploy the Enforcer, you must define policies on the Prisma Cloud Microsegmentation console to allow traffic from the host. If the agent is configured for Monitoring, the default allow policies do not disrupt the flow of traffic. If you are configuring the agent for Enforcement, the default is to reject all traffic to and from the host. Therefore, you need to create a network ruleset to allow the following traffic and avoid interruptions to core network services:

  • DNS- udp 53, udp/853
  • DHCPv4- udp/67, udp/68
  • DHCPv6- udp/546, udp/547 (required if you are using IPv6)
  • Multicast DNS/Link-Local Multicast Name Resolution - udp/5353,udp/5355 (required if you are using IPv6)
  • NTP- udp/123
  • SSH/RDP/Windows Remote Management- tcp/22 ,udp/22, udp/3389, udp/5986


The Enforcer by default allows traffic from the following ICMPv6 types/codes, and you do not need to create a ruleset to allow this traffic: - routerSolicitation : icmp6 /133/0 - routerAdvertisement : icmp6/134/0 - neighborSolicitation : icmp6/135/0 - neighborAdvertisement : icmp6/136/0 - inverseNeighborSolicitation : icmp6/141/0 - inverseNeighborAdvertisement : icmp6/142/0 - multicastListenerDiscovery : icmp6/143/0

Certificate authority

The Microsegmentation Console uses a Let’s Encrypt certificate authority. Ensure that the enforcer hosts trust Let’s Encrypt certificate authorities. In most environments, it should be trusted by default.

Windows hosts

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows 10


Feature Requirement
Orchestrator Kubernetes 1.16 or later—deployed on AKS, EKS, or GKE
OpenShift Container Platform 4.4–4.6

VMWare Tanzu v1.8
Nodes Linux (Windows hosts not supported)
Networking CNI plugin required (kubenet networking not supported)
Service mesh Istio 1.8

* To deploy the enforcer on GKE, you must have Kubernetes Engine Admin permissions.


The enforcer ignores Fargate and other serverless workloads at this time.

Linux hosts

We support the enforcer on the following distributions.

Distribution Versions
Amazon Linux 2
CentOS 7.3–7.9, 8.0–8.3
Debian 9.0–9.9, 9.11–9.12, 10.1–10.8
Oracle Enterprise Linux 7.2–7.9
Red Hat Enterprise Linux 7.1–7.9, 8.0–8.3
Ubuntu 16.04, 18.04, 20.04

Linux kernel

Kubernetes, OpenShift, and Linux host installations require the following.

Kernel capabilities

  • CAP_SYS_PTRACE: to access the /proc file system. Example: /proc/<pid>/root
  • CAP_NET_ADMIN: to program iptables.
  • CAP_NET_RAW: the enforcer uses raw sockets for the UDP datapath and in diagnostic ping implementations
  • CAP_SYS_RESOURCE: to set and override resource limits (setrlimit syscall)
  • CAP_SYS_ADMIN: to call, mount, and load extended Berkeley Packet Filter (eBPF)
  • CAP_SYS_MODULE: to ensure kernel modules are loaded like ip_tables, iptable_mangle, etc. (see list above). No proprietary kernel module is loaded.

Kernel modules

  • net/netfilter/xt_cgroup.ko: module to match the process control group.
  • net/netfilter/xt_limit.ko: rate-limit match
  • net/netfilter/xt_multiport.ko: multiple port matching for TCP, UDP, UDP-Lite, SCTP and DCCP
  • net/netfilter/xt_connmark.ko: connection mark operations
  • net/netfilter/xt_REDIRECT.ko: connection redirection to localhost
  • net/netfilter/xt_string.ko: string-based matching
  • net/netfilter/xt_HMARK.ko: packet marking using hash calculation
  • net/netfilter/xt_LOG.ko: IPv4/IPv6 packet logging
  • net/netfilter/xt_bpf.ko: BPF filter match
  • net/netfilter/xt_state.ko: ip[6]_tables connection tracking state match module
  • net/netfilter/xt_set.ko: IP set match and target module
  • net/netfilter/nf_nat_redirect.ko: used by xt_REDIRECT
  • net/netfilter/nf_log_common.ko: used by nf_log_ipv4
  • net/ipv6/netfilter/nf_conntrack_ipv6.ko: Linux connection tracking table
  • net/ipv4/netfilter/nf_log_ipv4.ko: Netfilter IPv4 packet logging
  • net/netfilter/ipset/ip_set.ko: core IP set support, used by ip_set_bitmap_port,xt_set,ip_set_hash_net,ip_set_hash_netport
  • net/netfilter/ipset/ip_set_bitmap_port.ko: Ipset: bitmap:port
  • net/netfilter/ipset/ip_set_hash_netport.ko: Ipset: hash:net,port
  • net/netfilter/ipset/ip_set_hash_net.ko: Ipset: hash:net
  • lib/ts_bm.ko: Boyer-Moore string matching algorithm
  • net/sched/cls_cgroup.ko: Control Group Classifier
  • ip_tables.ko: iptables
  • iptable_nat.ko: iptables NAT table support
  • iptable_mangle.ko: iptables mangle table support

Other dependencies

  • elfutils-libelf
  • conntrack-tools
  • ipset