1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Microsegmentation Administrator's Guide
    5. Get started
    6. Microsegmentation Console
    7. Advanced options

    Advanced options

    When you do change any configuration, run doit again. It will analyze what needs to be updated or not given the changes made.

    Enable policy engine v2

    By default to maintain backward compatibility with old enforcers the policy engine starts as version 1 (v1). To use the new network rulesets with new enforcers you need to toggle the engine to use the v2 policy engine as follow:
    set_value global.defaultNetpolicyRendererVersion v2 override

    Proxy

    If your outbound Kubernetes connections are going through a proxy, you will need to configure the following:
    set_value global.proxy.enabled true
set_value global.proxy.http http://proxy:port
set_value global.proxy.https https://proxy:port

    Private registry

    Create a secret as per Kubernetes documentation then add its name to the configuration as follow:
    set_value 'global.imagePullSecrets[0].secret' <secret-name>

    SMTP

    Run the following commands to configure SMTP.
    set_value integrations.smtp.enabled "true"
set_value integrations.smtp.server "smtp.gmail.com:587"
set_value integrations.smtp.user "user@domain.com"
set_value integrations.smtp.pass "secret"
set_value integrations.smtp.systemEmail "aporeto@domain.com"
set_value global.integrations.smtp.receivers.invitation "registration@domain.com"
set_value global.integrations.smtp.receivers.monitor "alerts@domain.com"
set_value immediateActivation false vince override
    Once you create an account you can disable further account creation by setting set_value disableAccountCreation true vince override and running snap -u vince --force.

    Slack alerts

    You can configure alerting through Slack as follows (if you have the monitoring stack deployed):
    set_value global.integrations.slack.webhook <web_hook>
set_value global.integrations.slack.channel <channel>

    Proxy protocol

    If you are using an AWS elastic load balancer or an ingress controller and want to leverage the client IP preservation to restrict the authorization policies using subnet, you can enable proxy protocol as below:
    # From your voila environement
set_value proxyProtocol.enabled true wutai override
set_value proxyProtocol.subnet 10.0.0.0/8 wutai override
set_value proxyProtocol.mode aws wutai override

    AWS network load balancer

    If you want to use an AWS network load balancer:
    # From your voila environment
set_value 'serviceAnnotations."service.beta.kubernetes.io/aws-load-balancer-type"' "nlb" wutai override

    Restrict network access to services

    If you want to mitigate any lateral movement from code that can run from the services you can restrict what they can access to:
    # Put network restriction on services
set_value 'networkRestrictions.excludedNetworks[0]' 127.0.0.0/8 squall override
set_value 'networkRestrictions.excludedNetworks[1]' 192.168.0.0/16 squall override
set_value 'networkRestrictions.excludedNetworks[2]' 10.0.0.0/8 squall override
set_value 'networkRestrictions.excludedNetworks[3]' 169.254.0.0/16 squall override
set_value 'networkRestrictions.excludedNetworks[4]' 172.16.0.0/12 squall override
set_value 'networkRestrictions.authorizedTLDs[0]' .highwind squall override

set_value 'networkRestrictions.excludedNetworks[0]' 127.0.0.0/8 cactuar override
set_value 'networkRestrictions.excludedNetworks[1]' 192.168.0.0/16 cactuar override
set_value 'networkRestrictions.excludedNetworks[2]' 10.0.0.0/8 cactuar override
set_value 'networkRestrictions.excludedNetworks[3]' 169.254.0.0/16 cactuar override
set_value 'networkRestrictions.excludedNetworks[4]' 172.16.0.0/12 cactuar override
set_value 'networkRestrictions.authorizedTLDs[0]' .highwind cactuar override

set_value 'networkRestrictions.excludedNetworks[0]' 127.0.0.0/8 sephiroth-worker override
set_value 'networkRestrictions.excludedNetworks[1]' 192.168.0.0/16 sephiroth-worker override
set_value 'networkRestrictions.excludedNetworks[2]' 10.0.0.0/8 sephiroth-worker override
set_value 'networkRestrictions.excludedNetworks[3]' 169.254.0.0/16 sephiroth-worker override
set_value 'networkRestrictions.excludedNetworks[4]' 172.16.0.0/12 sephiroth-worker override
set_value 'networkRestrictions.authorizedTLDs[0]' .highwind sephiroth-worker override
    Please adapt subnets according to your infrastructure.

    Advanced settings

    You can leverage the cheval tool to get more details about the settings you can change ex: cheval inspect mongodb-shard.
    Please not that those are advanced settings. Be sure that you know what you are doing.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo