1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Microsegmentation Administrator's Guide
    5. Configure
    6. Setting a default enforcer version

    Setting a default enforcer version

    About setting a default enforcer version on a namespace

    When determining which version of the enforcer to install or upgrade to, Microsegmentation uses the following order of precedence.
    2. Default enforcer version on the namespace
    3. Latest available enforcer version
    By default, Microsegmentation installs or upgrades to the latest available enforcer version. A default enforcer version set on the namespace overrides this. The default enforcer version of a namespace can be further overridden by passing a different enforcer version to apoctl.
    Setting a default enforcer version on a namespaces helps to ensure that all of the enforcers in the namespace are of the same version. While enforcers of different versions interoperate without issue, each update of the enforcer contains fixes at a minimum and potentially new features, as well. Keeping all of the enforcers at a specific version can help to ensure more predictability in behavior.
    For example, if you have a Kubernetes or OpenShift cluster with node autoscaling enabled, you might end up with mixed enforcer versions. New nodes added automatically as part of the autoscaling feature would be the latest enforcer version, while existing nodes could have enforcers at a previous version.

    Setting a default enforcer version on a namespace

    To complete the following procedure, you’ll need apoctl and jq.
    1. Obtain the URL of your Microsegmentation TUF repository and set it in a TUF_URL environment variable.
      TUF_URL=$(curl -sSL $MICROSEG_API/_meta/config | jq -r .tuf)
    2. Retrieve the semantic version numbers of the enforcers available in your TUF repository.
      curl -sSL $TUF_URL/targets.json | jq -r '.signed.targets | to_entries[] | select(.key|startswith("enforcerd/stable")) | .value.custom.version '
    3. After identifying the desired semantic version number of the enforcer, set it in an ENF_VER environment variable. Omit the prefatory v and just use the version number, as shown in the following example.
      export ENF_VER=1.1427.2
    4. Set a NAMESPACE environment variable containing the Microsegmentation namespace you wish to modify.
      export NAMESPACE=/803920923337065472/aws-dev-826088932159/k8s-cluster-01
    5. Retrieve the current default enforcer version set on the namespace.
       apoctl api get namespace $NAMESPACE -c defaultEnforcerVersion
      You can only modify a namespace from its parent.
    6. Set the default enforcer version on the namespace.
      apoctl api update namespace $NAMESPACE -k defaultEnforcerVersion $ENF_VER
    7. Confirm that the operation succeeded.
      apoctl api get namespace $NAMESPACE -c defaultEnforcerVersion

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo