System requirements


Microsegmentation is incompatible with the following.


The Enforcer hosts must be able to access the Prisma Cloud domains and subdomains and be configured to allow ingress and egress traffic.


Enforcer hosts must be able to access the and domains, as well as any subdomains. To pull down our container images, the enforcer hosts must be able to access If you have firewalls blocking this traffic, add *,, *, * to their allow lists.


Before you deploy the Enforcer, you must define policies on the Prisma Cloud Microsegmentation console to allow traffic from the host. If the agent is configured for Monitoring, the default allow policies do not disrupt the flow of traffic. If you are configuring the agent for Enforcement, the default is to reject all traffic to and from the host. Therefore, you need to create a network ruleset to allow the following traffic and avoid interruptions to core network services:
  • DNS - udp/53, udp/853
  • DHCPv4 - udp/67, udp/68
  • DHCPv6 - udp/546, udp/547 (required if you are using IPv6)
  • Multicast DNS/Link-Local Multicast Name Resolution - udp/5353, udp/5355 (required if you are using IPv6)
  • NTP - udp/123
  • SSH/RDP/Windows Remote Management - tcp/22, udp/22, udp/3389, udp/5986
The Enforcer by default allows traffic from the following ICMPv6 types/codes, and you do not need to create a ruleset to allow this traffic:
  • routerSolicitation : icmp6/133/0
  • routerAdvertisement : icmp6/134/0
  • neighborSolicitation : icmp6/135/0
  • neighborAdvertisement : icmp6/136/0
  • inverseNeighborSolicitation : icmp6/141/0
  • inverseNeighborAdvertisement : icmp6/142/0
  • multicastListenerDiscovery : icmp6/143/0
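A pre-flight check for the core-service list above, added here as an example and not part of Prisma Cloud or this page: it parses a constructed "proto/port" or "proto/lo-hi" rule list (this rule syntax is an assumption, not the console's policy format) and reports which required entries no rule covers, so the gaps are found before the agent is switched from Monitoring to Enforcement.

```python
"""Pre-flight coverage check for an Enforcement-mode allow ruleset (example code)."""
from __future__ import annotations

# Core services that must be allowed in Enforcement mode, as listed on this page.
REQUIRED_SERVICES = {
    "DNS": [("udp", 53), ("udp", 853)],
    "DHCPv4": [("udp", 67), ("udp", 68)],
    "DHCPv6": [("udp", 546), ("udp", 547)],
    "mDNS/LLMNR": [("udp", 5353), ("udp", 5355)],
    "NTP": [("udp", 123)],
    "SSH/RDP/WinRM": [("tcp", 22), ("udp", 22), ("udp", 3389), ("udp", 5986)],
}
# Entries the page marks as required only when IPv6 is in use.
IPV6_ONLY = {"DHCPv6", "mDNS/LLMNR"}


def parse_rule(rule: str) -> tuple[str, int, int]:
    """Parse an assumed rule string such as 'udp/53', 'udp/67-68' or 'tcp/any'."""
    proto, _, ports = rule.strip().lower().partition("/")
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol in rule {rule!r}")
    if ports == "any":
        return proto, 0, 65535
    lo, _, hi = ports.partition("-")
    low, high = int(lo), int(hi or lo)  # a single port is a one-element range
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range in rule {rule!r}")
    return proto, low, high


def missing_allows(rules: list[str], ipv6: bool) -> dict[str, list[str]]:
    """Return {service: ['udp/853', ...]} for required entries that no rule covers."""
    parsed = [parse_rule(r) for r in rules]
    missing: dict[str, list[str]] = {}
    for service, entries in REQUIRED_SERVICES.items():
        if service in IPV6_ONLY and not ipv6:
            continue
        gaps = [f"{p}/{port}" for p, port in entries
                if not any(p == rp and lo <= port <= hi for rp, lo, hi in parsed)]
        if gaps:
            missing[service] = gaps
    return missing


if __name__ == "__main__":
    # Constructed draft ruleset: a typical first attempt that forgets DNS-over-TLS and WinRM.
    draft = ["udp/53", "udp/67-68", "udp/123", "tcp/22", "udp/22", "udp/3389"]
    for service, gaps in missing_allows(draft, ipv6=False).items():
        print(f"{service}: not covered -> {', '.join(gaps)}")
```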

Certificate authority

The Microsegmentation Console uses a Digicert certificate authority. Ensure that the enforcer hosts trust the Digicert CA. In most environments, it should be trusted by default.

Windows hosts

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows 10


  • Kubernetes 1.16 or later, deployed on AKS, EKS, or GKE
  • OpenShift Container Platform 4.4-4.6
  • VMware Tanzu v1.8
Linux (Windows hosts not supported)
CNI plugin required (kubenet networking not supported)
Service mesh: Istio 1.8
The enforcer ignores Fargate and other serverless workloads at this time.

Linux hosts

We support the enforcer on the following distributions.
Amazon Linux
7.3-7.9, 8.0-8.3
9.0-9.9, 9.11-9.12, 10.1-10.8
Oracle Enterprise Linux
Red Hat Enterprise Linux
7.1-7.9, 8.0-8.3
16.04, 18.04, 20.04

Linux kernel

Kubernetes, OpenShift, and Linux host installations require the following.

Kernel capabilities

Kernel modules
