What's New and Changed in Release 21.5
Illumio Core 21.5.0 introduces the following new features and enhancements.
New Features in This Release
The following new features were added in Illumio Core 21.5.
Core Services Detector
Core services (such as DNS, Domain Controller, NTP, and LDAP) are essential to your computing environment and run on one or multiple workloads. The Core Services Detector feature helps you identify these core services and suggests an appropriate label for them. The Illumio PCE can detect 51 core services. Identifying and labeling these workloads is important because they are centrally connected, and other applications depend on them.
Application owners sometimes don’t know enough about the core services or how to identify them. In addition, different teams could be managing core services, and application owners must coordinate with these teams to secure their applications. When you use the Core Services Detector to label and write policies for core services, you can save time on application policies and progress to policy enforcement faster.
Core Services Identification, Review, and Labeling
Core Services Detector uses a three-step process to identify core services:
Detect : Run the detection tool in the backend to recommend potential core services (workloads running core services). Follow the steps described in Detect Core Services.
Review : Review recommendations provided by Detection Tool and accept or reject them following the steps described in Review the Detected Core Services.
Label : Label accepted recommendations as described in Label the Detected Core Services.
Detection Methods
There are three ways to detect a core service, of which the first two are used only for Active Directory.
Port Matching: Rule-based model based on connections to specific ports
Port-based ML: Machine learning model based on connections to specific ports
Process-based ML: Machine learning model based on processes running on the server
These methods are NOT configurable, and all three algorithms run all the time.
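The following is an added illustration of the idea behind the rule-based port-matching method; it is not Illumio's detection code, which is internal to the PCE and not configurable. It takes observed inbound flows, counts how many distinct consumers connect to each port of a workload, and recommends a core-service label when the served ports match a signature. The port numbers are the IANA and Microsoft defaults for these services; the signatures, the minimum-consumer threshold, and the sample traffic are assumptions constructed for this example.

```python
"""Rule-based port-matching classifier for core services (added example,
not Illumio's algorithm). Recommends a label from the set of well-known
ports a workload actually serves to several distinct consumers."""
from dataclasses import dataclass

# Well-known ports (IANA / Microsoft defaults). Signatures and min_ports
# thresholds are assumptions chosen for this example.
SERVICE_SIGNATURES = {
    "DNS": {"ports": {53}, "min_ports": 1},
    "NTP": {"ports": {123}, "min_ports": 1},
    "LDAP": {"ports": {389, 636}, "min_ports": 1},
    # A Domain Controller serves Kerberos (88/464), LDAP (389/636),
    # Global Catalog (3268/3269), SMB (445) and RPC endpoint mapper (135).
    # Require several of them so a standalone LDAP server is not mislabelled.
    "Domain Controller": {
        "ports": {88, 464, 389, 636, 3268, 3269, 445, 135},
        "min_ports": 4,
    },
}


@dataclass(frozen=True)
class Flow:
    dst_workload: str
    dst_port: int
    proto: str          # "tcp" or "udp"
    src_workload: str


def recommend(flows, min_distinct_consumers=3):
    """Return {workload: [service, ...]} for workloads whose served-port
    profile matches a signature. A port counts as "served" only if at least
    min_distinct_consumers different sources connected to it, so a single
    scanner or misconfigured client does not produce a recommendation."""
    consumers = {}                      # (workload, port) -> set of sources
    for f in flows:
        consumers.setdefault((f.dst_workload, f.dst_port), set()).add(f.src_workload)

    served_ports = {}                   # workload -> set of ports it serves
    for (wl, port), srcs in consumers.items():
        if len(srcs) >= min_distinct_consumers:
            served_ports.setdefault(wl, set()).add(port)

    recs = {}
    for wl, ports in served_ports.items():
        matched = [name for name, sig in SERVICE_SIGNATURES.items()
                   if len(ports & sig["ports"]) >= sig["min_ports"]]
        # Prefer the more specific match: a DC also matches the LDAP signature.
        if "Domain Controller" in matched and "LDAP" in matched:
            matched.remove("LDAP")
        if matched:
            recs[wl] = sorted(matched)
    return recs


def sample_flows():
    """Constructed sample traffic (not real data) covering the interesting
    cases: a DC, a resolver, a standalone LDAP server exactly at the
    threshold, an ordinary app, and a one-off probe that must be ignored."""
    flows = []

    def inbound(dst, port, proto, n_sources):
        for i in range(n_sources):
            flows.append(Flow(dst, port, proto, f"client{i}"))

    for port in (88, 389, 445, 135, 3268):
        inbound("dc01", port, "tcp", 6)
    inbound("ns01", 53, "udp", 20)
    inbound("ldap01", 389, "tcp", 3)
    inbound("app01", 8443, "tcp", 2)
    flows.append(Flow("app01", 53, "udp", "scanner"))  # single probe, ignored
    return flows


def example():
    return recommend(sample_flows())


if __name__ == "__main__":
    for wl, services in example().items():
        print(f"{wl}: recommend label(s) {services}")
```

The recommendations are exactly the Detect step's output; the Review step is where a person accepts or rejects each one before any label is applied, which is why the classifier deliberately errs toward fewer, more confident matches (the consumer threshold and the multi-port Domain Controller rule).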
PCE Support Report Bundles
In previous releases, PCE support reports could be generated using a CLI command. In 21.5, the PCE web console has a new Support Bundles page where you can generate PCE support reports.
Choose Troubleshooting > PCE Support Bundles from the main dropdown menu.
Click Generate.
The support bundle generation dialog box appears.
(Optional) Click Log Collection and specify the time range.
Click Generate again in the dialog box.
The dialog disappears. The PCE Support Bundles tab displays the report generation status for each node. When the reports for all nodes are complete, an aggregate support bundle is made available for download.
Click Download.
Up to five previously generated PCE support bundles remain available for download in a list on the PCE Support Bundles tab.
Node Hardware Requirements Alert
In the PCE Health page of the PCE web console, a message is now displayed indicating whether the hardware provisioned for each node meets the requirements.
If a node is found to have sufficient resources to meet specifications, the message "Node Specs Meet requirements" appears with a green check mark. If the node does not have sufficient resources to meet the required specifications, the alert "Node Specs Do not meet requirements" appears with a yellow triangle.
The hardware requirements vary depending on the type of PCE cluster (single-node, 2x2 multi-node, 4x2 multi-node). The hardware requirements check needs to know the cluster type so it can use the right set of hardware requirements.
Warning
Because the hardware requirements check needs to know the cluster type, it is now required that you set the cluster_type runtime parameter for every node. This parameter was previously optional.
Surface All Hidden Rules (Essential Rule Services)
The PCE web console main menu includes a new tab in the Security section for hidden rules. The menu choice opens a page displaying a list of essential services used by the PCE.
PCE Platform Changes
New Cluster Type
A new value for the runtime parameter cluster_type has been added: 4node_v0_small. Use this cluster type for a 2x2 cluster that has smaller hardware requirements than the previously available 2x2 cluster type, 4node_v0.
Choose to Include Hostname or FQDN in Syslog
In syslog messages, the hostname is included by default. You can choose to use the FQDN instead of the hostname if this would help your organization to more easily distinguish messages from different hosts. To do so, set the following new flag in runtime_env.yml:
internal_syslog_fqdn_enabled: true
NTP Check
After you finish installing the PCE, you can use the following command to check that the PCE environment is set up correctly. This command now also verifies that the NTP client is installed, running, and synchronized to a time source.
# sudo -u ilo-pce illumio-pce-env check
Enhanced F5 Key Security
All F5 load balancer passwords stored in the PCE database are now encrypted at rest. These passwords are used by the NEN when it needs to program a load balancer.
Customizable NEN Encryption Key
The Network Enforcement Node uses an encryption key to encrypt and store certain customer secrets, such as switch passwords. This key is now customizable. In previous releases, a default encryption key was automatically generated. If your organization has more stringent cryptographic requirements, you can elect to provide your own 256-bit encryption key, or randomly generate one, for all the nodes in the cluster. This key must match on all nodes.
Application Metrics
The PCE now records additional application metrics data about the PCE. These enhanced application metrics increase our ability to troubleshoot PCE issues and resolve them faster. Illumio Support will guide you on how to obtain and send the application metrics when needed.
Two processes run on the PCE to collect application metrics:
telegraf, an open-source metrics collection agent, runs on all core and data nodes.
InfluxDB, an open-source time series database, runs on all data nodes.
Supercluster 8-Region Support
A Supercluster can now have a maximum of 8 PCEs.
Enhancements in Core 21.5.0
Postgres 13.x
The version of Postgres used by the PCE is now Postgres 13.x. Because the upgrade to 21.5.0 migrates the database to Postgres 13.x, it is very important to take a backup of your PCE before upgrading; do not skip this backup step.
Improved Parallel Coordinates Format in Explorer
In Explorer, search results using the Parallel Coordinates format are improved as follows:
A new axis called Consumer Process was added.
For clarity, the Process axis was renamed Provider Process.
Feature Name Update
In previous releases, this feature was referred to as “Segmentation Rulesets.”
VEN Robustness and Reliability
In this release, Illumio has enhanced the VEN functionality so that it is more reliable and recovers from errors more effectively. These enhancements are internal to the VEN functionality.
Support for Windows Run As as a Different User with AUS
When using the Adaptive User Segmentation (AUS) feature, the VEN now recognizes when a user is running as a different user. When a user logs in, the VEN checks whether the user belongs to the group represented by the group ID, and if so, it updates policy.
VEN Support for Debian 11
In this release, you can install the VEN on workloads running Debian 11.
Documentation Changes
Updated Supercluster Migration Steps
The documented steps to migrate a Supercluster have been updated with additional useful information.
Pre-configuring the IP addresses is required only on the PCE that is to be migrated.
The need to update the runtime_env.yml file on data nodes has been added, where previously only core nodes were listed. When updating runtime_env.yml with additional IP addresses, if more than one PCE is being migrated, follow the steps for one PCE at a time. In addition, run the restart operation first on the PCE that was migrated. After that PCE is up and all services are running, restart the other PCEs.