Illumio Core 22.2 Administration Guide

Useful VEN and OS Commands

This topic provides a short description of the VEN command-line tools that you commonly use for various operations, and some useful native OS commands. Syntax for the VEN-provided commands is detailed throughout this guide, and in the help of the commands themselves.

Additionally, this topic lists the availability of the VEN commands across operating systems.

Verify VEN Version Number

You can verify the version of the VEN software in several different ways:

  • View the VEN version in the PCE web console.

  • Run the following command on the workload:

    # /opt/illumio_ven/illumio-ven-ctl version

  • Run the following command on a Windows workload:

    PS C:\Users\Administrator> & 'C:\Program Files\Illumio\illumio-ven-ctl.ps1'

  • Examine the columns in Add or remove programs or Task Manager.

  • Examine the Properties > Details tab of venAgentMgr.exe or venPlatformHandler.exe.

  • Use the Illumio Core REST API. With the REST API, the agent-version key and value are returned in the payload of every response.

Commonly Used VEN Commands

Note

The VEN's runtime_env.yml file is a private configuration file. Illumio advises that you not modify this file directly. To customize the VEN, use environment variables on Linux/Unix hosts or MSI variables on Windows hosts. For more information, see the topics "Linux: Install and Upgrade with CLI and VEN CTL" or "Windows: Install and Upgrade with CLI and VEN CTL" in the VEN Installation and Upgrade Guide.

| Platform | Command | Description |
| --- | --- | --- |
| Linux & macOS | /opt/illumio_ven/illumio-ven-ctl | VEN Linux shell control script to control VEN settings and functions |
| Linux & macOS | /opt/illumio_ven/illumio-ven-ctl status | Returns VEN status. |
| Linux & macOS | ps | Native OS command to list all system processes |
| Linux & macOS | chkconfig | Native OS command to update and query runlevel information for system services |
| Windows | C:\Program Files\Illumio\illumio-ven-ctl.exe | VEN CLI to control VEN settings and functions |
| Windows | C:\Program Files\Illumio\illumio-ven-ctl.ps1 status (VEN releases 23.5 and earlier) | Returns VEN and server status. |
| Windows | C:\Program Files\Illumio\illumio-ven-ctl.exe status (VEN releases 24.2.10 and later) | Returns VEN and server status. |
| Windows | Get-Service | Native OS PowerShell command to display system services |
| Windows | tasklist /svc | Native OS command to display system services |
| Windows | wf.msc | Native OS command to manage the Windows firewall |
| AIX/Solaris | /opt/illumio_ven/illumio-ven-ctl | VEN AIX/Solaris shell control script to control VEN settings and functions |
| AIX/Solaris | /opt/illumio_ven/illumio-ven-ctl status | Returns VEN status. |
| AIX/Solaris | ps | Native OS command to list all system processes |
| AIX | lssrc | Native OS command to list OS subsystem status |
| Solaris | svcs | Native OS command to list OS service status |

Sample output of illumio-ven-ctl status on Linux & macOS:

    Checking Runtime Environment..........
    Status for illumio-control:
    - Environment Illumio VEN Environment is setup
     - venAgentMgr venAgentMgr is running
     - IPSec IPSec feature not enabled
     - venPlatformHandler venPlatformHandler is running
     - venVtapServer venVtapServer is running
     - venAgentMonitor venAgentMonitor is running
    Agent state: idle
    #

Sample output of illumio-ven-ctl status on Windows:

    Service venAgentMonitorSvc:    Running
    Service venAgentMgrSvc:        Running
    Service venPlatformHandlerSvc: Running
    Service venVtapServerSvc:      Running
    Service venAgentMonitorSvc:    Enabled
    Service venAgentMgrSvc:        Enabled
    Service venPlatformHandlerSvc: Enabled
    Service venVtapServerSvc:      Enabled

    Agent State: enforced
    Agent Type: server

Sample output of illumio-ven-ctl status on AIX/Solaris:

    Checking Runtime Environment..........
    Status for illumio-control:
    - Environment Illumio VEN Environment is setup
     - venAgentMgr venAgentMgr is running
     - IPSec IPSec feature not enabled
     - venPlatformHandler venPlatformHandler is running
     - venVtapServer venVtapServer is running
     - venAgentMonitor venAgentMonitor is running
    Agent state: idle
    #

illumio-ven-ctl Command Options by OS

Note

Options and subcommands are not yet provided for every command listed below. However, this table may be updated periodically.

The following tables detail the illumio-ven-ctl usage constraints and command support by operating system.

Table 1. Usage

/opt/illumio_ven/illumio-ven-ctl <command> [command-options] <command-args>

/opt/illumio_ven/illumio-ven-ctl <command> [command-options] <subcommand> [subcommand-options]

Warning

illumio-ven-ctl is the only supported way to manage the VEN.

Do not attempt to use any of the following directly:

  • Linux systemd systemctl commands

  • Solaris SMF svcs and svcadm commands

  • Legacy init.d start/stop scripts

  • Windows Service Control Manager

While using the mechanisms above will not break the VEN, they are designed to work only when invoked automatically by the OS at boot or shutdown time.



Table 2. Commands by Operating System

| Command | Description | Windows | AIX | CentOS | Debian | RHEL & macOS | Solaris | SUSE | Ubuntu |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| activate | Activate VEN | Y | Y | Y | Y | Y | Y | Y | Y |
| check-env | Check VEN runtime_env.yml settings | Y | Y | Y | Y | Y | Y | Y | Y |
| conncheck | Query VEN policy | Y | Y | Y | Y | Y | Y | Y | Y |
| connectivity-test [-v] [-j] [--test-all-ips] | Test connectivity with PCE | Y | Y | Y | Y | Y | Y | Y | Y |
| deactivate [--maintenance-token <token>] [--notify-pce <true \| false>] | Deactivate VEN without uninstalling | Y | Y | Y | Y | Y | Y | Y | Y |
| gen-supportreport [-y] [-f <file>] [-b] | Generate VEN support reports | Y | Y | Y | Y | Y | Y | Y | Y |
| prepare | Prepare VEN image | Y | Y | Y | Y | Y | Y | Y | Y |
| restart [--maintenance-token <token>] | Restart VEN services | Y | Y | Y | Y | Y | Y | Y | Y |
| set-proxy <server:port>, reset-proxy, show-proxy | Manage VEN proxy settings | Y | Y | Y | Y | Y for RHEL; No for macOS | Y | Y | Y |
| start | Start VEN services | Y | Y | Y | Y | Y | Y | Y | Y |
| status [-v] [-x \| --stdexit], status connectivity, status health, status policy | Report VEN status | Y | Y | Y | Y | Y | Y | Y | Y |
| stop [--maintenance-token <token>] | Stop VEN services | Y | Y | Y | Y | Y | Y | Y | Y |
| suspend [--maintenance-token <token>] [-y] | Suspend VEN (enter emergency state) | Y | Y | Y | Y | Y | Y | Y | Y |
| unpair [--maintenance-token <token>] <saved \| open \| recommended> [noreport] | Unpair VEN | Y | Y | Y | Y | Y | Y | Y | Y |
| unsuspend [--maintenance-token <token>] [-y] | Unsuspend VEN (exit emergency state) | Y | Y | Y | Y | Y | Y | Y | Y |
| version | Display VEN version | Y | Y | Y | Y | Y | Y | Y | Y |

Note (gen-supportreport): This command does not upload VEN Support Reports to the PCE. Be sure to move VEN Support Reports off the workload as needed.

Note (set-proxy): For the set-proxy command, server:port must be specified using one of the following:

  • IP address of the proxy (for example, 10.10.10.10:8080)

  • FQDN of the proxy (for example, proxy.example.com:8080)

  • HTTP or HTTPS schema (for example, https://proxy.example.com:8080)

Important (suspend): The suspend command stops the VEN and removes all Illumio rules from the OS firewall, thereby exposing the workload. This is a step further than merely marking the VEN as suspended on the PCE console.

unpair subcommands: <saved | open | recommended>

unpair subcommand arguments: [noreport]



Notes:

--maintenance-token <token>

Specify the maintenance <token> that will authorize the subcommand. This option is not needed if a maintenance token was not generated by the PCE.

--notify-pce

Specify whether (true) or not (false) to notify the PCE that the VEN has been deactivated. By default the PCE is always notified.

-b

Block and do not exit until this command completes. By default this command exits after work is queued in background.

-f <file>

The original support report is always saved as /opt/illumio_ven_data/reports/illumio-agent-report.tgz. Save another copy as the specified <file> (can include an absolute path).

-j

Enable JSON output.

--stdexit

Use the following exit codes: 0 = all VEN processes running; 1 = error or partially running; 3 = no VEN process running.

--test-all-ips

Instead of using default OS name resolution to test a single PCE IP address, explicitly resolve and test all IP addresses returned for the PCE FQDN.

-v

Enable verbose output.

-x

Synonym for --stdexit

-y

Assume yes for all yes/no prompts, don't prompt for confirmation. By default, this command prompts for confirmation.

saved

Subcommand used with unpair. Corresponds to PCE UI "Remove Illumio policy." Restores the firewall as it was when the VEN was installed. This is dangerous if the VEN was installed long ago, since the old firewall is probably stale and incorrect.

open

Subcommand used with unpair. Corresponds to PCE UI "Open all ports." Do not block any traffic after uninstalling. User is expected to create a new firewall (current firewall won't survive reboot).

recommended

Subcommand used with unpair. Corresponds to PCE UI "Close all ports except remote management." User is expected to create a new firewall (current firewall won't survive reboot). Remote management includes SSH, RDP, and WinRM.

noreport

Subcommand argument used with unpair. Do not generate a support report before uninstalling.
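
The --stdexit exit codes and the "Agent state" line described above can drive a monitoring check. The following is an added example, not part of the Illumio guide: the function name ven_health, the OK/WARNING/CRITICAL mapping, and the assumption that status --stdexit prints the same lines as the sample output in this topic are illustrative choices.

```shell
#!/bin/sh
# Added example: classify VEN health from `illumio-ven-ctl status --stdexit`.
# VEN_CTL can be overridden (for example, to test against a stub).
VEN_CTL="${VEN_CTL:-/opt/illumio_ven/illumio-ven-ctl}"

# ven_health prints "<SEVERITY> <reason>" and returns
# 0 = OK, 1 = WARNING, 2 = CRITICAL (a convention chosen for this example).
ven_health() {
    # Capture the exit code without tripping `set -e` in the caller.
    rc=0
    out=$("$VEN_CTL" status --stdexit 2>&1) || rc=$?

    # "Agent state: idle" (Linux/Unix) or "Agent State: enforced" (Windows).
    state=$(printf '%s\n' "$out" |
        sed -n 's/^[Aa]gent [Ss]tate:[[:space:]]*//p' | head -n 1)

    # Assumption: a stopped component keeps the " - ven<Name> ..." line
    # prefix shown in the guide but without the words "is running".
    down=$(printf '%s\n' "$out" |
        awk '/^ *- ven/ && !/is running/ { printf "%s%s", sep, $2; sep = "," }')

    # Exit codes documented for --stdexit: 0, 1 and 3.
    case "$rc" in
        0) ;;
        1) echo "CRITICAL error or partially running; not running: ${down:-unknown}"
           return 2 ;;
        3) echo "CRITICAL no VEN process running"
           return 2 ;;
        *) echo "CRITICAL unexpected exit code $rc from $VEN_CTL"
           return 2 ;;
    esac

    # Assumption (local policy): any agent state other than "enforced"
    # is flagged for review.
    case "$state" in
        enforced) echo "OK all VEN processes running, agent state enforced"
                  return 0 ;;
        "")       echo "WARNING all VEN processes running, agent state not reported"
                  return 1 ;;
        *)        echo "WARNING all VEN processes running, agent state '$state'"
                  return 1 ;;
    esac
}
```

Call ven_health from a scheduled job or monitoring agent and alert on a non-zero return; an exit code outside 0, 1 and 3 (for example, when the control script is missing) is reported as CRITICAL.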