System requirements

Your system must meet the following requirements before you deploy the Enforcer.
  • Connectivity:
    Your Enforcer hosts need access to the Prisma Cloud domains and subdomains. Configure your hosts to allow ingress and egress traffic.
  • Domain access:
    Your Enforcer hosts need access to the following domains and their subdomains:
    If you have firewalls blocking this traffic, add the following values to their allow lists:
  • Certificate authority:
    Ensure that your Enforcer hosts trust the Digicert certificate authority.

Policies

Before you deploy the Enforcer, you must allow traffic from the host to reach the Prisma Cloud Microsegmentation console. By default, the Enforcer allows traffic from the following ICMPv6 types and codes.
Type | Code
If you configure the Enforcer to monitor traffic, the default allow policies do not disrupt the flow of traffic. If you configure the Enforcer to enforce traffic rules, it rejects all traffic to and from the host by default. Create a network ruleset that allows the following traffic to avoid interruptions to core network services:

Supported Linux Distributions

You can deploy the Enforcer on the following supported distributions.

Distribution               | Versions
---------------------------|----------------------------------
Amazon Linux               | 2
CentOS                     | 7.3–7.9, 8.0–8.3
Debian                     | 9.0–9.9, 9.11–9.12, 10.1–10.8
Oracle Enterprise Linux    | 7.3–7.9
Red Hat Enterprise Linux   | 7.1–7.9, 8.0–8.3
Ubuntu                     | 16.04, 18.04, 20.04
SUSE                       | 12.3, 12.5, 15.2, 15.3

Linux kernel requirements

When you deploy the Enforcer on Kubernetes, OpenShift, or Linux hosts, the Linux kernel must meet the following requirements.
Enable the following kernel capabilities.
Install the following kernel modules.
Your Linux distribution should have the following required packages.
On Debian 10, the gnupg package is required.
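The supported-distribution table and the Debian 10 gnupg note above can be turned into a host preflight check. The script below is an added example, not Prisma Cloud's own tooling; it assumes the `ID` values used by /etc/os-release (amzn, centos, debian, ol, rhel, ubuntu, sles) and that Debian and CentOS report their point release only in /etc/debian_version and /etc/centos-release.

```shell
#!/bin/sh
# Preflight check: is this host's distribution/version inside the support table above,
# and, on Debian 10, is gnupg installed? Ranges are compared as numeric major.minor.
# in_range VER LOW HIGH: returns 0 when LOW <= VER <= HIGH
in_range() {
  awk -v v="$1" -v lo="$2" -v hi="$3" 'BEGIN {
    split(v, a, "."); split(lo, b, "."); split(hi, c, ".")
    vn = a[1] * 1000 + a[2]; ln = b[1] * 1000 + b[2]; hn = c[1] * 1000 + c[2]
    exit !(vn >= ln && vn <= hn) }'
}

# supported_distro ID VERSION: ID as in /etc/os-release (amzn, centos, debian, ol,
# rhel, ubuntu, sles); returns 0 when the pair appears in the table
supported_distro() {
  case "$1" in
    amzn)   [ "$2" = "2" ] ;;
    centos) in_range "$2" 7.3 7.9 || in_range "$2" 8.0 8.3 ;;
    debian) in_range "$2" 9.0 9.9 || in_range "$2" 9.11 9.12 || in_range "$2" 10.1 10.8 ;;
    ol)     in_range "$2" 7.3 7.9 ;;
    rhel)   in_range "$2" 7.1 7.9 || in_range "$2" 8.0 8.3 ;;
    ubuntu) case "$2" in 16.04|18.04|20.04) return 0 ;; *) return 1 ;; esac ;;
    sles)   case "$2" in 12.3|12.5|15.2|15.3) return 0 ;; *) return 1 ;; esac ;;
    *)      return 1 ;;
  esac
}

# host_version: prints "ID major.minor". Assumption: Debian and CentOS expose only the
# major version in os-release, so the point release comes from their release files.
host_version() {
  . /etc/os-release
  ver=$VERSION_ID
  case "$ID" in
    debian) if [ -r /etc/debian_version ]; then ver=$(cat /etc/debian_version); fi ;;
    centos) if [ -r /etc/centos-release ]; then
              ver=$(sed -n 's/.*release \([0-9]*\.[0-9]*\).*/\1/p' /etc/centos-release)
            fi ;;
  esac
  echo "$ID $ver"
}

# check_host: report support status for the live host, plus the Debian 10 gnupg rule
check_host() {
  set -- $(host_version)
  if supported_distro "$1" "$2"; then echo "supported: $1 $2"; else echo "unsupported: $1 $2"; fi
  if [ "$1" = debian ] && [ "${2%%.*}" = 10 ]; then
    dpkg -s gnupg >/dev/null 2>&1 && echo "gnupg: installed" || echo "gnupg: missing (required on Debian 10)"
  fi
}
if [ -r /etc/os-release ]; then check_host; fi
```

Note that the table excludes some point releases (Debian 9.10, for instance), so a major-version-only check would wrongly pass them; that is why the point release is read from the distribution's own release file.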

Supported Windows Hosts

You can deploy the Enforcer on hosts running the following supported Windows versions.
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows 10

Cluster requirements

To deploy the Enforcer, your cluster must meet the following requirements.
  • Cluster nodes:
    The Enforcer requires that your nodes run a supported Linux distribution.
  • Networking:
    The Enforcer requires a CNI plugin. The Enforcer doesn't support kubenet networking.
  • Service mesh:
    The Enforcer requires Istio 1.8 or later.
To deploy the Enforcer on GKE, you must have Kubernetes Engine Admin permissions. The Enforcer ignores Fargate and other serverless workloads in your cluster.

Supported Orchestrators

The Enforcer supports the following orchestrators.
  • Google Kubernetes Engine (GKE)
  • Amazon Elastic Kubernetes Service (EKS)
  • Azure Kubernetes Service (AKS)
  • OpenShift Container Platform (OCP)
  • Tanzu (TKGI)

  • Supported release: 1.8
  • Kubernetes 1.16 or later
  • Customer-managed: on-prem or cloud
  • Provider-managed platform: AKS, EKS, and GKE

Compatibility

Microsegmentation doesn’t support the following features.
The following networking features overlap with the Enforcer capabilities. Do not use them together with the Enforcer.
  • Palo Alto Networks Cortex XDR agent:
    The XDR agent hasn't been tested with the Enforcer. Remove the Cortex XDR agent prior to installing the Enforcer.