Tags and identity


Each object in Microsegmentation has a set of key-value pairs that describe its attributes. We call these tags. Tags allow you to identify users and workloads to determine whether they should be allowed to access resources and communicate.
Microsegmentation populates the values of tags from various sources, such as hosts, cloud providers, and the Microsegmentation Console. You can also add tags manually using the Network Security section of the Prisma Cloud web interface, from the command line with apoctl, or through a Microsegmentation Console API call.

Tag syntax

The following diagram shows an example Microsegmentation tag.
Each Microsegmentation tag has, at a minimum, a key and a value separated by an equals sign. The key portion of the tag may also include the following symbols:
  • It may begin with either a @ or a $ character. The @ symbol identifies the tag as metadata, populated by the Microsegmentation Console when the object is created. The $ symbol identifies a tag derived from attributes of the object. Tags without either symbol are created manually by users.
  • For more complex keys consisting of several parts, a colon is used as a delimiter.

Tag expressions

You can link tags together with AND or OR operators to form tag expressions.
For example, you can create an expression like:
(size=big and color=blue) or (size=small and color=red) or (type=admin)
Microsegmentation represents this information in a two-dimensional array, where:
  • The first dimension is ORs
  • The second dimension is ANDs
The above expression is then represented by:
[ ["size=big", "color=blue"], ["size=small", "color=red"], ["type=admin"], ]
The web interface provides graphical controls to help you build these expressions easily.
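The following Python script is an added example (not Microsegmentation's own code) that ties the two preceding sections together: it parses tags of the form `key=value`, classifies them by their `@`, `$` or bare prefix, and evaluates the two-dimensional OR-of-ANDs array above against an object's tag set. The allowed key characters in the regular expression, the workload names and all tag values are assumptions of this example, not values from the product.

```python
import re
from typing import Dict, Iterable, List, Tuple

# A tag is key=value. The key may start with "@" (console metadata) or "$"
# (object attribute); multi-part keys use ":" as the delimiter.
# The set of characters allowed in a key is an assumption of this example.
TAG_RE = re.compile(r"^([@$]?[A-Za-z0-9_.\-]+(?::[A-Za-z0-9_.\-]+)*)=(.+)$")


def parse_tag(tag: str) -> Tuple[str, str]:
    """Split a 'key=value' tag into (key, value), rejecting malformed input."""
    match = TAG_RE.match(tag)
    if match is None:
        raise ValueError(f"malformed tag: {tag!r}")
    return match.group(1), match.group(2)


def tag_origin(tag: str) -> str:
    """Classify a tag by its key prefix: console metadata, object attribute or user-defined."""
    key, _ = parse_tag(tag)
    if key.startswith("@"):
        return "metadata"
    if key.startswith("$"):
        return "attribute"
    return "user"


def matches(expression: List[List[str]], tags: Iterable[str]) -> bool:
    """Evaluate a tag expression (outer list = OR, inner lists = AND) against an object's tags."""
    # Validate every tag first so a typo surfaces as an error rather than a silent non-match.
    tag_set = set()
    for tag in tags:
        parse_tag(tag)
        tag_set.add(tag)
    return any(all(tag in tag_set for tag in clause) for clause in expression)


def select_workloads(expression: List[List[str]], workloads: Dict[str, List[str]]) -> List[str]:
    """Return the names of all workloads whose tags satisfy the expression."""
    return sorted(name for name, tags in workloads.items() if matches(expression, tags))


# The expression from the text, in the two-dimensional form Microsegmentation uses.
EXPRESSION = [["size=big", "color=blue"], ["size=small", "color=red"], ["type=admin"]]

# Constructed sample workloads: names, keys and values are illustrative only.
WORKLOADS: Dict[str, List[str]] = {
    "web-1": ["@org:team=payments", "$identity=processingunit", "size=big", "color=blue"],
    "db-1": ["@org:team=payments", "$identity=processingunit", "size=big", "color=red"],
    "ops-box": ["@org:team=ops", "type=admin"],
}

if __name__ == "__main__":
    for name, tags in WORKLOADS.items():
        verdict = "matches" if matches(EXPRESSION, tags) else "does not match"
        print(f"{name}: {verdict}; origins={ {t: tag_origin(t) for t in tags} }")
    print("selected:", select_workloads(EXPRESSION, WORKLOADS))
```

Note that `db-1` carries `size=big` and `color=red`, which satisfies neither AND clause, so it is excluded even though each of its tags appears somewhere in the expression; the inner lists are conjunctions, not loose keyword matches.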

Best practices

We recommend resisting the temptation to add a large number of tags. Too many tags can cause confusion.
For example, if you deploy a three-tier application, you may only need:
In turn, you can create a network ruleset that will allow:

Tag Prefixes

Tags with a given key are only sent on the wire if they are listed as tag prefixes at the namespace level. A namespace inherits from its parent, so by default several tags are sent. If you need to add more tags, add the tag key name preceded by a "=" at the namespace level. We recommend doing so at your top namespace.