Microsegmentation is incompatible with the following.
The Enforcer hosts must be able to access the Prisma Cloud domains and subdomians and be configured to allow ingress and egress traffic.
Enforcer hosts must be able to access the aporeto.com and prismacloud.io domains, as well as any subdomains. To pull down our container images, the enforcer hosts must be able to access gcr.io. If you have firewalls blocking this traffic, add *.aporeto.com, gcr.io, *.prismacloud.io, *.network.prismacloud.io to their allow lists.
Before you deploy the Enforcer, you must define policies on the Prisma Cloud Microsegmentation console to allow traffic from the host. If the agent is configured for Monitoring, the default allow policies do not disrupt the flow of traffic. If you are configuring the agent for Enforcement, the default is to reject all traffic to and from the host. Therefore, you need to create a network ruleset to allow the following traffic and avoid interruptions to core network services:
- DNS- udp 53, udp/853
- DHCPv4- udp/67, udp/68
- DHCPv6- udp/546, udp/547 (required if you are using IPv6)
- Multicast DNS/Link-Local Multicast Name Resolution - udp/5353,udp/5355 (required if you are using IPv6)
- NTP- udp/123
- SSH/RDP/Windows Remote Management- tcp/22 ,udp/22, udp/3389, udp/5986
The Enforcer by default allows traffic from the following ICMPv6 types/codes, and you do not need to create a ruleset to allow this traffic:
- routerSolicitation : icmp6 /133/0
- routerAdvertisement : icmp6/134/0
- neighborSolicitation : icmp6/135/0
- neighborAdvertisement : icmp6/136/0
- inverseNeighborSolicitation : icmp6/141/0
- inverseNeighborAdvertisement : icmp6/142/0
- multicastListenerDiscovery : icmp6/143/0
The Microsegmentation Console uses a Digicert certificate authority. Ensure that the enforcer hosts trust the Digicert CA. In most environments, it should be trusted by default.
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows 10
The enforcer ignores Fargate and other serverless workloads at this time.
We support the enforcer on the following distributions.
9.0—9.9, 9.11—9.12, 10.1—10.8
Oracle Enterprise Linux
Red Hat Enterprise Linux
16.04, 18.04, 20.04
Kubernetes, OpenShift, and Linux host installations require the following.
Recommended For You
Recommended videos not found.