Policy and Workloads
Clone re-activation triggers an error in the policy sync (E-86005)
For endpoints in Core, clone re-activation could result in an error in the policy sync.
This issue is now resolved. Cloned VENs already in an error state should be unpaired and reaired.
NEN IP sets are de-duplicated (E-84837) Previously, the NEN might have received IP sets in the policy from the PCE containing duplicate IPs.
This has been optimized at the PCE. In all cases, the NEN will program the correct policy on the managed device.
Can't edit an unmanaged Kerberos workload after it's been activated and deactivated (E-84570)
If the VEN reported multiple of the same process running (e.g. svchost.exe), the workload could not be edited after it was deactivated. This issue is resolved.
AUS rules could fail to allow outbound traffic to virtual services (E-83508)
When an AUS rule included a virtual service in the provider field or a label in the provider field applied to the virtual service, the rule could fail to allow outbound traffic to that virtual service when it should be allowed. This issue is resolved. In this release, rules with virtual services in the provider field correctly allow traffic for AUS users.
Mislabeled link appeared in error on Enforcement Boundaries page (E-83149) If you logged in to Illumio Core as a Supercluster member, navigated to Rules and Rulesets > Enforcement Boundaries and there were no enforcement boundary rules to display, the Add an new Pairing Profile link appeared in error. There were two problems with this:
The link was mislabeled. The label should have specified creating an enforcement boundary.
Users logged in as Supercluster members should not have seen a link in this case.
PCE Listen Only mode did not yet apply to NENs (E-80376)
Listen Only mode allows you to temporarily stop the PCE from sending policy updates to your VENs. Policy updates resume only after you disable "Listen Only" mode. This behavior wasn't available for NEN/F5 policy updates, which meant that there's a chance that an F5 SLB could receive a stale policy when the PCE was in Listen Only mode. This issue is resolved.
Rule search incorrectly calculated label groups in Scopes (E-72318)
When a rule had label groups in the scope, multiple scopes were created and traffic wasn't allowed between scopes unless specified with extra-scope rules. For example, Workload 1 and Workload 2 couldn't talk to each other based on the policy because they were in different scopes. However, rule search for Workload 1 to Workload 2 allowed access by this rule. This issue is resolved.
The
updated_attimestamp was not changed when a workload label was edited (E-68720)When workload labels are updated through the API or the PCE web console, the
updated_attimestamp in the workload API response was not updated.This issue is resolved and the
updated_atfield is now updated with the correct timestamp information.