Illumio Core 21.5 Administration Guide

Firewall Coexistence

To provide additional security, you can supplement Illumio's firewall with your organization's firewalls using Firewall Coexistence. The Illumio firewall can be set to either Exclusive mode or Coexistence mode via the PCE web console or the Illumio REST API. In both modes, the Illumio firewall is always separate from other firewalls.

Important

The Firewall Coexistence feature deprecates the following features:

  • Windows FAS VEN coexistence

  • Linux VEN NAT ignore

  • Linux VEN container mode

Firewall Tampering Protection
  • When coexistence is turned on in primary or secondary mode

    The VEN only monitors its own firewall rules against tampering. When the VEN detects tampering of Illumio firewall rules, an alert is raised, and the VEN reconfigures its firewall rules to their pre-tampered state in order to protect the workload. You can program non-Illumio rules in any table without generating any tampering alerts.

  • When coexistence is turned on in primary mode

    When you choose Illumio to be the primary firewall, the VEN also monitors that the Illumio rules in the main tables “stay on the top”. When the VEN detects that an Illumio rule is not on top, an alert is raised, and the VEN moves the Illumio rule back to the top.

Firewall Coexistence Modes

Exclusive Mode

The default mode is Exclusive, in which Illumio is the only firewall. In this mode, no non-Illumio firewall is traversed. This behavior applies to all tables in iptables, such as filter, NAT, Raw, or Mangle.

Coexistence Mode

With a set of labels and policy states, you can enable Firewall Coexistence for a set of workloads. You can configure coexistence in two ways:

  • A configuration in which Illumio is the primary firewall.

  • A configuration in which Illumio is not the primary firewall.

Note

The Coexistence mode applies to all tables of the Linux firewall. Therefore, when you have your own NAT rules and use the “ignore nat” option on the VEN with the Coexistence mode, you do not see any change in behavior.

Prerequisites and Recommendations

This release of the Firewall Coexistence feature requires that you upgrade the VEN to 18.3.1 or later. The older versions of Illumio Firewall Coexistence are deprecated.

Windows VEN version 18.3.x ignores the older limited_wfas_coexistence and full_wfas_coexistence VEN settings for coexistence located in the VEN runtime_env.yml file. Linux VEN version 18.3.x ignores settings in /etc/default/illumio-agent for NAT table coexistence (container mode).

The following upgrade sequence is required. You must upgrade the VEN last and only after configuring firewall coexistence in the PCE:

Recommended Firewall Setting

For better security, Illumio strongly recommends setting the Illumio firewall as the primary firewall.

When you select Illumio to be the primary firewall, the VEN ensures that the Illumio rules in the main tables “stay on the top”. When Illumio is not the primary firewall, the VEN does not enforce that the Illumio rules are on top. This behavior applies to all tables in iptables, such as filter, NAT, Raw, or Mangle.

When the Illumio firewall is set as primary, non-Illumio firewalls are traversed only when the Illumio firewall rules allow the traversal, in which case, packets are passed to non-Illumio firewalls.

Important

When the Illumio firewall is not set as primary, packets passed by non-Illumio firewalls are seen by the Illumio firewall; however, packets accepted by the non-Illumio firewall are not seen by the Illumio firewall.

Example

When the Illumio firewall is not set as primary, and the non-Illumio firewall logs and accepts all traffic on port 22, the Illumio firewall does not see the traffic on port 22.

When packets are allowed by the Illumio firewall, they are passed to other firewalls. Illumio's firewall does not monitor packets dropped by other firewalls. Packets dropped by the Illumio firewall are not passed to non-Illumio firewalls.
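The visibility rules described under Firewall Tampering Protection and Recommended Firewall Setting come down to the order in which the Illumio chain and the other chains are traversed. The following Python model is an added example, not Illumio or VEN code: it simulates a main chain that jumps to an Illumio chain and a non-Illumio chain in either order, with constructed chain names, rules, ports and a default policy (all assumptions), and reproduces the port 22 example above.

```python
# Added example (not Illumio's code): a minimal model of iptables chain
# traversal showing why the position of the Illumio chain decides which
# packets the Illumio firewall sees. Chains, rules and ports are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    # Verdicts: ACCEPT/DROP end traversal of the main chain; RETURN leaves
    # this chain and continues with the next one; LOG is non-terminating.
    verdict: str
    dport: Optional[int] = None  # None matches any destination port


@dataclass
class Chain:
    name: str
    rules: list
    seen: set = field(default_factory=set)  # ports this chain inspected

    def traverse(self, dport: int) -> Optional[str]:
        self.seen.add(dport)
        for r in self.rules:
            if r.dport in (None, dport):
                if r.verdict in ("ACCEPT", "DROP"):
                    return r.verdict       # terminating verdict
                if r.verdict == "RETURN":
                    return None            # hand over to the next chain
                # LOG: keep evaluating this chain
        return None


def run_input_chain(order, dport, policy="ACCEPT"):
    """Main chain jumps to each chain in 'order'; first ACCEPT/DROP wins.
    The chain default policy (assumed ACCEPT here) applies if none does."""
    for chain in order:
        verdict = chain.traverse(dport)
        if verdict is not None:
            return verdict
    return policy


def simulate(illumio_primary: bool):
    # Constructed Illumio chain: allowed traffic (443) is handed on to the
    # other chains with RETURN, everything else is dropped.
    illumio = Chain("illumio", [Rule("RETURN", 443), Rule("DROP")])
    # Constructed non-Illumio chain: log and accept port 22, as on the page.
    other = Chain("other", [Rule("LOG", 22), Rule("ACCEPT", 22)])
    order = [illumio, other] if illumio_primary else [other, illumio]
    verdicts = {p: run_input_chain(order, p) for p in (22, 443, 8080)}
    return verdicts, illumio.seen, other.seen
```

With Illumio primary, port 22 is dropped and the other chain never sees it; with Illumio not primary, the other chain accepts port 22 and the Illumio chain never sees it.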

Set Firewall Coexistence

You can set firewall coexistence using either interface:

  • PCE web console

  • Illumio REST API

To view firewall coexistence settings in the PCE web console:

From the PCE web console menu, choose Settings > Security > Firewall Coexistence. The PCE web console displays the following settings:

  • Firewall Coexistence Mode: Exclusive

  • System Default: Exclusive applies to all roles, applications, environments, and labels

To change firewall coexistence settings via the PCE web console:

  1. From the PCE web console menu, choose Settings > Security > Firewall Coexistence.

    The web console displays the default settings.

  2. Click Edit.

    The editing page appears, which displays important guidance at the top of the page. For example, it displays a typical set of labels that conform to the guidance.

  3. Change the Role, Application, Environment, or Location labels according to the guidance at the top of the page.

  4. Set the policy state.

    In this example, the policy state is All.

  5. From the Illumio Core is Primary Firewall list, select Yes.

  6. Click OK.

    The PCE applies the firewall coexistence settings to all provisioned workloads that match the policy labels you have specified. The PCE web console displays the firewall coexistence setting in the Workloads page.