Illumio Core What's New and Release Notes 22.2

What's New and Changed in Release 22.2.0

Illumio Core 22.2.0 introduces the following new features and enhancements.

Installation Change

In the name of the Illumio Core PCE installation RPM file, c6 has changed to c7. This reflects the change in CentOS support to CentOS version 7, which was made in an earlier PCE version. In the PCE Installation and Upgrade Guide, this file is referred to as illumio_pce_rpm.

New Features in This Release

The following new features were added in Illumio Core 22.2.0.

Policy Exclusions

Illumio Core 22.2.0 delivers policy exclusions as a new feature. In particular, the PCE supports including policy exclusions in ruleset scopes and rules.

Using policy exclusions in your Illumio Core policy can greatly simplify the rule writing process. Specifically, using a policy exclusion in a ruleset scope or in rules allows you to replace the inclusion of a large number of required labels with the exclusion of a small number of unwanted labels. Security policy written with policy exclusions can be easier to read and definitely easier to maintain.

Using a policy exclusion gives you a way to state in your security policy that you want a ruleset or rule to apply to “all except X,” where X can be both labels and label groups. To state this another way, “all except X” means “All labeled workloads except X.”

Scopeless Rulesets

In this release, you have the option to create basic or scoped rulesets. You can choose whether you want to include scopes when creating new rulesets. The Scope field appears in the Add Ruleset dialog box only when the PCE is configured to display scopes in rulesets. When the PCE is configured to create scopeless rulesets, you create simple rules that do not apply to specific environments, locations, or applications. These rules are scopeless rules because they do not belong to a ruleset that uses scopes.

You might want to create these basic rules when you are new to using Illumio Core and you are creating your first security policy rules. For example, you might want to create a simple rule to control SSH traffic for all your workloads. As you become more familiar with Illumio Core or you need to create more complicated rules, you can choose to create scoped rules, namely intra-scope, extra-scope, and custom iptables rules. Creating scoped rules allows you to create rulesets and rules that are defined for specific environments, locations, and applications (typically larger environments).

When the PCE is configured to create scopeless rulesets, you can still add a scope to a ruleset after saving the ruleset. From the Ruleset Actions menu at the top right corner of the Ruleset page, select Add Scope.

Simplified Rule Writing

In this release, the dialog boxes in the PCE web console are split into a simple mode and an advanced mode.

In the simple mode, you can select labels and label groups for your rules. Your most recently used labels appear in this screen. As you type, the UI auto-completes the names to find labels in the PCE.

To access the Advanced Options for rules, select the Advanced Options checkbox:

rule-advanced-mode-1.png

A panel appears on the left providing the following policy objects that you can add to your rules:

rule-advanced-mode-2.png

In Advanced Options, you can also select the Use Workload Subnets and Container Host options for Consumers, and the Use Workload Subnets and Virtual Servers options for Providers.

Enhanced Filtering Support for Labels

It's not uncommon in customer environments to find an Application label and a Role label, for example, with the same name. To provide added usability, the PCE web console in this release includes icons before the label types.

In addition, you can be more explicit in what you want to specify by prefacing what you're typing with an “a,” “e,” “l,” or “r” and a colon before you start typing in names.

Enforcement Boundaries in the Illumination Map

The Illumination map now displays traffic blocked by Enforcement Boundaries.

In previous releases, you could detect that traffic was blocked in Illumination; however, the map did not distinguish between traffic that was blocked because of full enforcement or because an Enforcement Boundary was in place.

Single Pane of Glass and Scale

The Single Pane of Glass and Scale feature is a method of writing policy for endpoints so the PCE can scale its support of workloads from 5,000 (1,000 servers and 2,000 endpoints) to 25,000 workloads. In previous releases, Illumio Core supported up to 5,000 VENs for the Single Pane of Glass feature.

Traffic Flow Query Report

You can generate, schedule, and email reports based on saved and recent filters from Explorer. The report can be downloaded as a CSV file.

Configurable Time for Heartbeat Warning Events

You can change the 15-minute threshold for how long the VEN can go without a heartbeat before it goes into the Warning state.

VEN Firewall Script Logging

Before this release, logging scripts did not log much information, which resulted in unnecessary time spent debugging environmental issues. In this release, the Illumio scripts log all errors and other key information into platform.log. This will reduce the amount of time it takes Illumio to debug issues.

PCE Platform Enhancements

The following enhancements were added to existing features in Illumio Core 22.2.0.

Disable and Enable Enforcement Boundaries

In the Enforcement Boundaries list page and the Enforcement Boundary detail page, Enable and Disable buttons have been added. You can enable or disable one or more enforcement boundary rules by selecting them on these pages and clicking the button.