System requirements

Compatibility

Microsegmentation is incompatible with the following.

Connectivity

The Enforcer hosts must be able to access the Prisma Cloud domains and subdomians and be configured to allow ingress and egress traffic.

Domains

Enforcer hosts must be able to access the aporeto.com and prismacloud.io domains, as well as any subdomains. To pull down our container images, the enforcer hosts must be able to access gcr.io. If you have firewalls blocking this traffic, add *.aporeto.com, gcr.io, *.prismacloud.io, *.network.prismacloud.io to their allow lists.

Policies

Before you deploy the Enforcer, you must define policies on the Prisma Cloud Microsegmentation console to allow traffic from the host. If the agent is configured for Monitoring, the default allow policies do not disrupt the flow of traffic. If you are configuring the agent for Enforcement, the default is to reject all traffic to and from the host. Therefore, you need to create a network ruleset to allow the following traffic and avoid interruptions to core network services:
  • DNS- udp 53, udp/853
  • DHCPv4- udp/67, udp/68
  • DHCPv6- udp/546, udp/547 (required if you are using IPv6)
  • Multicast DNS/Link-Local Multicast Name Resolution - udp/5353,udp/5355 (required if you are using IPv6)
  • NTP- udp/123
  • SSH/RDP/Windows Remote Management- tcp/22 ,udp/22, udp/3389, udp/5986
The Enforcer by default allows traffic from the following ICMPv6 types/codes, and you do not need to create a ruleset to allow this traffic:
  • routerSolicitation : icmp6 /133/0
  • routerAdvertisement : icmp6/134/0
  • neighborSolicitation : icmp6/135/0
  • neighborAdvertisement : icmp6/136/0
  • inverseNeighborSolicitation : icmp6/141/0
  • inverseNeighborAdvertisement : icmp6/142/0
  • multicastListenerDiscovery : icmp6/143/0

Certificate authority

The Microsegmentation Console uses a Digicert certificate authority. Ensure that the enforcer hosts trust the Digicert CA. In most environments, it should be trusted by default.

Windows hosts

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows 10

Clusters

Feature
Requirement
Orchestrator
  • Kubernetes 1.16 or later—​deployed on AKS, EKS, or GKE
  • OpenShift Container Platform 4.4-4.6
  • VMWare Tanzu v1.8
Nodes
Linux (Windows hosts not supported)
Networking
CNI plugin required (kubenet networking not supported)
Service mesh
Istio 1.8
The enforcer ignores Fargate and other serverless workloads at this time.

Linux hosts

We support the enforcer on the following distributions.
Distribution
Versions
Amazon Linux
2
CentOS
7.3—​7.9, 8.0—​8.3
Debian
9.0—​9.9, 9.11—​9.12, 10.1—​10.8
Oracle Enterprise Linux
7.2—​7.9
Red Hat Enterprise Linux
7.1—​7.9, 8.0—​8.3
Ubuntu
16.04, 18.04, 20.04

Linux kernel

Kubernetes, OpenShift, and Linux host installations require the following.

Kernel capabilities

Kernel modules

Recommended For You