1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Microsegmentation Administrator's Guide
    5. Configure
    6. Configure an Enforcer Profile

    Configure an Enforcer Profile

    Before you configure an Enforcer profile, review the Enforcer concepts to learn how the Enforcer works.
    Enforcer profiles are a set of configurations that help you control the settings of your Enforcers.
    When you create a new namespace, a profile is automatically created on that namespace. If your environment requires a custom Enforcer profile that must be shared across all applications, define it at your cloud-account namespace level, remove the default Enforcer profile from the children namespace and enable inheritance as a method to ensure that all applications share the same profile.

    Review your Enforcer Profiles

    1. Go to your namespace in the the Prisma Cloud Console and select
      Agent/Enforcer Profiles
      .
    2. Click the arrow to the right, to expand the Enforcer profile configuration.

    Edit an Enforcer Profile

    1. Go to your namespace in the the Prisma Cloud Console and select
      Agent/Enforcer Profiles
      .
    2. Edit the Enforcer Profile configuration.
      Use the pencil icon on the right to edit, and see the Enforcer Profile Settings for details on the options available.

    Create an Enforcer Profile

    1. Go to your namespace in the the Prisma Cloud Console and select
      Agent/Enforcer Profiles
      .
    2. Click the + icon to start configuring the Enforcer profile.
    3. Follow the steps onscreen to add a new Enforcer profile.

    Enforcer Profile Settings

    You can control the following settings of your Enforcers using a profile.
    • Ignored Processing Units (PUs)
       A group of enforcers can exclude a specific PUs from being monitored and enforced by a group of Enforcers. Use specific tags in this setting to exclude the PUs. For example you can use the $name= or $image= tags.
    • Networking
       These settings help Enforcers determine where an identity is expected to be sent or received. You can also these settings to exclude networks and interfaces from microsegmentation.
      • Managed TCP Networks
         This setting defines the CIDRs that your enforcers police for TCP related traffic and where the identity packets are expected. By default, the following networks are automatically created.
      • Managed UDP Networks
         This setting defines the CIDRs that your enforcers police for UDP related traffic and where the identity packets are expected. By default, enforcers don’t add identity to UDP packets.
      • Excluded Networks
         This setting defines the CIDRs that your enforcers ignored completely. Your enforcers don’t generate any flow reporting, expect no identity, and apply no rulesets to these CIDRs. By default, no network is excluded from an Enforcer profile.
      • Excluded Interfaces
         This setting defines the interfaces you want your enforcers to exclude from a host with multiple interfaces. Use this setting to apply microsegmentation to one or specific groups of interfaces by excluding the non-wanted interfaces. By default, all interfaces are monitored.
    • Syslog
       This setting enables or disables the syslog forwarding feature for your enforcers. You can change the configuration of syslog forwarding.
    • Flow Reporting Interval:
       This setting defines how often flow updates are updated. Your enforcers report every new flow immediately. By default, flow updates like hit counters are updated every 30 minutes.
    This setting should not be changed, unless explicitly instructed by Prisma Cloud support.
    • Tags:
       This setting assigns tags to an Enforcer profile for easy identification. This optional setting is useful when you may have multiple enforcer profiles.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo