What's New in the Releases
This section discusses the new features in NEN 2.4.0 as well as the earlier NEN 2.x releases.
NEN 2.4.10 New Features
Support for discovering pool groups on AVI SLBs
Beginning with this release, NENs can discover virtual servers on AVI Server Load Balancers (SLBs) that are configured with pool groups instead of server pools. Prior to this release, NENs could discover only virtual servers with server pools and ignored pool groups.
Configurable polling interval for discovering new virtual servers
Beginning in release NEN 2.4.10, you can configure how frequently the NEN polls Server Load Balancers (SLBs) to discover new virtual servers (VS). You do this by adding a field to the runtime_env.yml file. In previous releases the timeout value was fixed at 5 minutes, which was too long for some use cases. The SLB discovery timeout is customer-configurable as follows:
Default = 5 minutes. You don't have to modify the runtime environment file if you want to keep the default setting.
Minimum = 2 minutes
Maximum = none
The NEN reads the timeout value at startup and polls SLBs accordingly. If you add this field and/or update the timeout value in the field, you must restart the NEN for the change to take effect.
Procedure
You can modify the runtime environment file on an already-running NEN or when installing a NEN. For details, see the "To modify the template runtime environment file" section.
Locate the NEN runtime environment file in the following directory:
/etc/illumio-nen/runtime_env.yml
If it's not already present, add the following line to the file:
slb_discovery_timeout_minutes
Then add a colon ( : ), a space, and a value of 2 or higher at the end of the line. For example, to configure the SLB discovery timeout to 3 minutes, you'd enter:
slb_discovery_timeout_minutes: 3
Restart the NEN for the new setting to take effect.
If you've updated the timeout value on an already-running NEN, you're done at this point. If you've configured the timeout value as part of a new NEN installation, continue to NEXT STEPS below.
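The procedure above as an added shell example, not Illumio's own tooling: the function adds or updates slb_discovery_timeout_minutes in runtime_env.yml, rejects values below the documented minimum of 2, and keeps a .bak copy for rollback. The function name and the optional path argument are assumptions for illustration; restarting the NEN afterwards is still a separate step.

```shell
#!/bin/sh
# Add or update slb_discovery_timeout_minutes in a NEN runtime_env.yml.
# Hypothetical helper (not part of illumio-nen-ctl). Usage:
#   set_slb_discovery_timeout <minutes> [path]
# The path defaults to the NEN's runtime environment file from the procedure.
set_slb_discovery_timeout() {
    minutes="$1"
    file="${2:-/etc/illumio-nen/runtime_env.yml}"
    key="slb_discovery_timeout_minutes"

    # The NEN accepts 2 or higher; refuse anything else before touching the file.
    case "$minutes" in
        ''|*[!0-9]*) echo "value must be an integer >= 2" >&2; return 1 ;;
    esac
    if [ "$minutes" -lt 2 ]; then
        echo "value must be >= 2 (minimum documented for the NEN)" >&2
        return 1
    fi

    if grep -q "^${key}:" "$file" 2>/dev/null; then
        # Key already present: replace its value in place, keeping a backup.
        sed -i.bak "s/^${key}:.*/${key}: ${minutes}/" "$file"
    else
        # Key absent: append it as "key: value" on its own line.
        printf '%s: %s\n' "$key" "$minutes" >> "$file"
    fi

    # Show the effective line so the operator can confirm it before restarting the NEN.
    grep "^${key}:" "$file"
}
```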
NEXT STEPS
Activate the NEN with a pairing key from the PCE. See the "Obtain Pairing Key and Activate the NEN" section.
To enable the NEN to integrate with a load balancer, see the "Enable Load Balancer Support" section.
(Optional) To configure the NEN as an HA pair, perform the steps in Configure HA Support for the NEN.
NEN 2.4.0 New Features
Support for moving SLBs to a different NEN host (single and super cluster)
Support for moving a NEN from one PCE to another PCE
Support for using LTPs instead of iRules on the F5 BIG-LTM
You can use Local Traffic Policies (LTP) on the F5 BIG-IP-LTM. This support is provided in addition to existing support for using iRules.
Important
If you use this functionality, only use LTP rules. Don't use both LTP and iRules together.
From the PCE Web Console, go to Infrastructure > Server Load Balancers.
Select a NEN host. The Device Type field appears.
In Device Type, select F5 Big-IP LTM (LTP).
Support for maintaining PCE-managed virtual servers when associated SLB virtual servers are disabled
Note
This applies to IPv4 only. IPv6 is not currently supported.
Beginning with this release, the PCE continues to maintain and display PCE-managed virtual servers even when their associated Server Load Balancer (SLB) virtual servers are disabled. This ensures that the PCE doesn't drop or invalidate policy rules for a managed virtual server if the associated SLB virtual server is temporarily disabled. It also ensures virtual servers that were temporarily disabled receive policy updates when they come back online. Previously, when an SLB virtual server was disabled, the associated PCE-managed virtual server showed up as "deletion pending" even after the SLB virtual server was re-enabled.
Support for Red Hat Enterprise Linux (RHEL) 8
This release includes support for running standalone NENs on RHEL 8.
Support for IBM iSeries
Beginning with this release, it's now possible to generate IBM iSeries firewall policies for the Precisely integration using the PCE's capability to generate switch ACLs. For details, see Generate and Download ACLs.
Support for Enabling/Disabling Debug Mode Logging
You can now turn debug mode logging on or off. When enabled, debug mode logging provides detail for the network_enforcement_service. The following command shows the current debug mode node status or turns debug logging mode on or off dynamically:
sudo -u ilo-nen /opt/illumio-nen/illumio-nen-ctl debug-mode status/on/off [--all-nodes]
Faster Checks for Policy Tampering for Managed F5 Virtual Servers
Beginning with this release, the NEN sends fewer API calls to the F5 Advanced Firewall Manager SLB to check for policy tampering on Virtual Servers, resulting in faster checking for policy tampering.
Faster Policy Programming for Managed F5 Virtual Servers
Beginning with this release, the NEN sends fewer API calls to the F5 AFM SLB to program policy for managed F5 Virtual Servers, resulting in faster policy programming.
NEN 2.3.10 New Features
NEN discovery of Virtual Servers with Protocol/Ports ANY/ANY
NENs can now discover Virtual Servers (VS) with protocol type ANY and ports ANY. This functionality was added to support configuring Layer 3 Forwarding VIP where the VIP acts as a gateway for servers. In order for outbound traffic from servers to work, these VIPs must be configured to handle protocol type ANY. Prior to this update, VS discovery was limited to SNAT-enabled VSs, VSs that are members of a server pool, or VSs operating on protocol TCP/UDP. To enable discovery of Virtual Servers (VS) with protocol type ANY and ports ANY, disable virtual server filtering with this command:
sudo -u ilo-nen /opt/illumio-nen/illumio-nen-ctl slb-enable --virtual-server-filtering disabled
Support for IBM iSeries Integration (AS/400)
In this release, the NEN supports PCE integration with IBM iSeries (AS/400) computers running Precisely Assure Security. Although the IBM iSeries is not a switch, you will use the PCE switch integration user interface to perform the integration. For more information, see IBM i Series Integration (AS/400).
Support for Enabling/Disabling Debug Mode Logging
You can now turn debug mode logging on or off. When enabled, debug mode logging provides detail for the network_enforcement_service. The following command shows the current debug mode node status or turns debug logging mode on or off dynamically:
sudo -u ilo-nen /opt/illumio-nen/illumio-nen-ctl debug-mode status/on/off [--all-nodes]
Full support for NEN on Supercluster
NEN 2.3.10 supports environments with large numbers of widely distributed SLBs and Virtual Servers. Whereas NEN 2.1.0 supported installing the NEN only on the 2 database nodes of the Supercluster leader (but not on a standalone system or on non-Supercluster leader nodes), NEN 2.3.10 allows deployment of multiple NENs per Supercluster region. Policy is written centrally, similar to VEN deployments.
Scale
200 SLBs across all regions
32k VIPs, 32k Virtual Servers across all regions
6k VIPs, 6k Virtual Servers per NEN cluster, for 2 HA pairs per Supercluster region
Restrictions
Support only for the standalone NEN (not installed on PCE data nodes).
No support for moving NENs from one region to another.
No support for moving SLBs from one NEN to another.
NEN 2.3.0 New Features
Important
NEN 2.3.0 was a Limited Availability (LA) release. However, these features are also available in NEN 2.3.10.
The NEN 2.3.0 release includes the following features and enhancements.
Reduced Load on F5 Authentication
To reduce the load on the F5 login authentication mechanism, beginning with this release NENs now use F5 token authentication for F5 API calls. Prior to this change, the NEN used basic authentication, which requires the F5 to use the login authentication mechanism to validate every API call. In contrast, token authentication creates a 20 minute window during which the NEN can reuse the token repeatedly for API calls until the token expires. When the token expires, the NEN requests a new token.
Faster Checks for Policy Tampering for Managed F5 Virtual Servers
Beginning with this release, the NEN sends fewer API calls to the F5 Advanced Firewall Manager SLB to check for policy tampering on Virtual Servers, resulting in faster checking for policy tampering.
Faster Policy Programming for Managed F5 Virtual Servers
Beginning with this release, the NEN sends fewer API calls to the F5 AFM SLB to program policy for managed F5 Virtual Servers, resulting in faster policy programming.
NEN 2.2.0 New Features
Important
NEN 2.2.0 was a Limited Availability (LA) release. However, these features are also available in NEN 2.3.10.
The NEN 2.2.0 release includes the following features and enhancements.
Standalone NEN configuration with HA support
The NEN 2.2.0 standalone NEN configuration provides a High Availability (HA) architecture with separate standalone Primary and Secondary nodes sharing the work queue. Either node, if it has capacity, can tackle work in the queue. Both nodes can program any SLB as long as the NEN is up and communicating with the SLB.
Unique duties of each role include:
Primary node: Communicates with the PCE; receives configuration information from the PCE and reconciles it with information in its database; determines the work that is placed in the shared work queue.
Secondary node: If the Primary node can't communicate with the PCE for whatever reason, the Secondary node temporarily assumes the role of Primary until communication between the PCE and the original Primary node is re-established.
NEN critical events automatically reported to the PCE console
The NEN automatically reports status about the following events through the PCE console (Troubleshooting > Events).
High CPU usage
High memory usage
Critical disk space utilization
The PCE logs an event if it hasn't received a heartbeat from the NEN in the preceding 15 minutes
NEN health status reporting available through NEN CLI
You can generate a NEN health status report through a CLI. A NEN health report displays onscreen only.
illumio-nen-ctl health
NEN support report available through the NEN CLI
To help Illumio Support troubleshoot your implementation, you can generate a NEN support report. A NEN support report is a unique file that includes a health report as well as NEN logs.
illumio-nen-ctl support-report
NEN host selector available when adding an SLB
When adding or editing an SLB from the PCE console (Infrastructure > Load Balancers) the new NEN hostname option allows you to select which NEN you want to manage policy programming for this particular SLB.
Support for UDP virtual servers
NEN 2.2.0 supports managing policy programming on Virtual Servers that utilize the UDP transport protocol.
NEN 2.1.0 New Features
The NEN 2.1.0 release includes the following features and enhancements.
Policy on Both Members of SLB cluster
The policy can be applied to both the configured members of an SLB cluster:
You can create and update rules on both members of an AFM/LTM cluster, with up to two load balancers.
Both members must be in sync before informing the PCE that the policy has been applied.
If only one SLB is available, the operation will fail. You can retry applying the policy only after both are in sync.
If one member fails to program the rules, you should not retry.
Remove Filtering of F5 VIPs
You can view all types of Virtual Services configured on F5 load balancers by running a specific command during the NEN installation. To disable the built-in filter (enabled by default) running on the NEN on the leader PCE cluster, run the following command:
illumio-nen-ctl slb-enable --virtual-server-filtering disabled
Manage NEN on Supercluster Leader
For Supercluster deployment, you can install the NEN only on the 2 database nodes of the Supercluster leader. You cannot install on a standalone system or on non-Supercluster leader nodes.
Scale
The NEN 2.1.0 release supports up to 500 VIPs and up to 15 SLBs.
NEN 2.0.0 New Feature
The NEN 2.0.0 release includes support for AVI Vantage load balancers.