Workloads and VENs
The Workloads navigation menu includes Workloads, Container Workloads, and VENs. You can see all your workloads, container workloads, and VENs on separate tabs. You can view their configuration, perform workload-specific or VEN-specific actions, and find the related VENs and workloads.
An idle workload does not program a firewall; therefore the Rules page of an idle workload does not show its rules.
The VENs are listed on a separate page from workloads. The VEN-related actions are not available under the Workloads tab.
Manage Workloads and VENs
Note
Users with the Workload Manager role can manage workloads and VENs.
You can select VENs to unpair, refresh, and generate support reports. Container workloads (if any) are displayed under the Container Workloads tab.
Click the Unpair button to unpair a VEN.
On the Unpair VEN page, select the appropriate radio button to define the Final Firewall Status:
Firewall Status | Description |
---|---|
Remove Illumio Policy | This is the default option. Linux: removes Illumio policy and retains the coexistent firewall rules. AIX/Solaris: removes Illumio policy and reverts firewall rules to the pre-pairing state. Windows: removes firewall WFP filters and activates Windows firewall. |
Open all ports | All operating systems: leaves all ports open. |
Close all ports except remote management | Linux/AIX/Solaris: temporarily allows only SSH/22 until the system is rebooted. Windows: allows only RDP/3389 and WinRM/5985, 5986. |
Proceed with unpairing as follows:
Pairing Method | Policy Mode | Unpair Action |
---|---|---|
Pairing Key | Visibility only/Enforced | |
Pairing Key | Idle | |
PKI Certificate or Kerberos | Visibility only/Enforced | |
PKI Certificate or Kerberos | Idle | |
Delete a workload from the PCE
You cannot directly delete workloads from the PCE, as the workload represents an entity that the PCE does not control. You can unpair the VEN on that workload from the VENs tab on the Servers & Endpoints/Workloads menu, which will remove the workload from the workloads table.
Enhanced Data Collection
The Enhanced Data Collection optional feature on the PCE is fully available starting in the 22.5.10 release, after being a preview feature in the 20.2.0 release. When enabled, the PCE reports the amount of data transferred into and out of workloads and applications in a data center. The number of bytes sent by and the number of bytes received by the provider of an application are reported separately. You can see these values in the traffic flow summaries streamed out of the PCE. You can enable this capability on a per-workload basis on the Workload page. You can also enable it in the pairing profile so that workloads are paired directly into this mode.
To enable Enhanced Data Collection you need a License file. For information about obtaining the license, please contact Illumio Customer Support.
Once licensed, enable Enhanced Data Collection for a workload with the Visibility button.
On the Workloads and VENs > Workloads page, select Visibility > Enhanced Data Collection.
You can also enable Enhanced Data Collection as a Visibility option in the Pairing Profile page by selecting the radio button "Enhanced Data Collection".
After the VEN's visibility level is set to Enhanced Data Collection, it starts reporting the number of bytes transferred over the connections. The PCE collects this data, adds relevant information, such as labels, and sends the traffic flow summaries out of the PCE.
The direction reported in the flow summary is from the viewpoint of the provider of the flow.
Destination Total Bytes Out (dst_tbo): Number of bytes transferred out of the provider (Connection Responder)
Destination Total Bytes In (dst_tbi): Number of bytes transferred into the provider (Connection Responder)
The number of bytes includes:
L3 and L4 header sizes of each packet (IP Header and TCP Header)
Sizes of multiple headers that may be included in communication (when SecureConnect is enabled)
Retransmitted packets.
All bytes carried in the packets of a connection are included in the measurement. This matches how firewalls, span-port measurement tools, and other network traffic measurement products count traffic.
Term | Description |
---|---|
dst_tbi | Destination Total Bytes In. Total bytes received so far by the destination over the flows included in this flow summary, as of the latest sampled interval. This is the same as the bytes sent by the source. Present in 'A', 'C', and 'T' flow summaries. source = client = connection initiator; destination = server = connection responder. |
dst_tbo | Destination Total Bytes Out. Total bytes sent so far by the destination over the flows included in this flow summary, as of the latest sampled interval. This is the same as the bytes received by the source. Present in 'A', 'C', and 'T' flow summaries. source = client = connection initiator; destination = server = connection responder. |
dst_dbi | Destination Delta Bytes In. Number of bytes received by the destination in the latest sampled interval, over the flows included in this flow summary. This is the same as the bytes sent by the source. Present in 'A', 'C', and 'T' flow summaries. source = client = connection initiator; destination = server = connection responder. |
dst_dbo | Destination Delta Bytes Out. Number of bytes sent by the destination in the latest sampled interval, over the flows included in this flow summary. This is the same as the bytes received by the source. Present in 'A', 'C', and 'T' flow summaries. source = client = connection initiator; destination = server = connection responder. |
interval_sec | Time Interval in Seconds. Duration of the latest sampled interval over which the above metrics are valid. |
Connection State | Description |
---|---|
A | Active: The connection is still active at the time the record was posted. Typically observed with long-lived flows on source and destination side of communication. |
T | Timed Out: Flow does not exist any more. It has timed out. Typically observed on destination side of communication. |
C | Closed: Flow does not exist any more. It has been closed. Typically observed on source side of communication. |
S | Snapshot: Connection was active at the time VEN sampled the flow. Typically observed when the VEN is in Idle state. |
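The following added example (not part of the Illumio documentation or product code) shows how a consumer of the streamed flow summaries can use the counters and connection states described in the two tables above: it derives per-interval throughput from the delta counters, re-expresses the provider-centric totals from the client's side, and checks that consecutive records of one flow keep the running totals and deltas consistent. The field names and state letters are the documented ones; the newline-delimited JSON envelope and the src_ip/dst_ip/dst_port/state keys are assumptions made for this example, and the records are constructed.

```python
import json

# Constructed sample records, one JSON object per line. The field names
# (dst_tbi, dst_tbo, dst_dbi, dst_dbo, interval_sec) and the state letters
# follow the tables above; the JSON envelope itself is an assumption.
SAMPLE = """\
{"src_ip":"10.0.1.5","dst_ip":"10.0.2.9","dst_port":443,"state":"A","dst_tbi":120000,"dst_tbo":900000,"dst_dbi":20000,"dst_dbo":300000,"interval_sec":60}
{"src_ip":"10.0.1.5","dst_ip":"10.0.2.9","dst_port":443,"state":"A","dst_tbi":150000,"dst_tbo":1500000,"dst_dbi":30000,"dst_dbo":600000,"interval_sec":60}
{"src_ip":"10.0.1.5","dst_ip":"10.0.2.9","dst_port":443,"state":"C","dst_tbi":151000,"dst_tbo":1505000,"dst_dbi":1000,"dst_dbo":5000,"interval_sec":10}
{"src_ip":"10.0.3.7","dst_ip":"10.0.2.9","dst_port":443,"state":"S"}
"""

COUNTED_STATES = {"A", "C", "T"}  # byte counters are present only in these

def parse_summaries(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flow_key(rec):
    """Flow identity: client (source) -> provider (destination):port."""
    return (rec["src_ip"], rec["dst_ip"], rec["dst_port"])

def provider_rates(rec):
    """(bytes/s into provider, bytes/s out of provider) for the latest
    sampled interval, or None for records (e.g. S snapshots) without counters."""
    if rec.get("state") not in COUNTED_STATES:
        return None
    return (rec["dst_dbi"] / rec["interval_sec"], rec["dst_dbo"] / rec["interval_sec"])

def client_view(rec):
    """Same counters from the client's side: it sent dst_tbi, received dst_tbo."""
    return {"client_sent": rec["dst_tbi"], "client_received": rec["dst_tbo"]}

def check_deltas(records):
    """Between consecutive records of one flow, the growth of the running totals
    must equal the later record's deltas. Returns the keys of flows that fail."""
    last, bad = {}, []
    for rec in records:
        if rec.get("state") not in COUNTED_STATES:
            continue
        key = flow_key(rec)
        prev = last.get(key)
        if prev and (rec["dst_tbi"] - prev["dst_tbi"], rec["dst_tbo"] - prev["dst_tbo"]) \
                != (rec["dst_dbi"], rec["dst_dbo"]):
            bad.append(key)
        last[key] = rec
    return bad
```

A mismatch reported by check_deltas means a record was lost or duplicated between the PCE and the consumer, so the delta counters should not be summed blindly for that flow.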
Container Workloads
The Container Workloads page lists the containers that exist on the PCE.
The page contains this information:
Column | Description |
---|---|
Summary | General: information about the container's name, namespace/project, policy state, and so on. Labels: information such as Role, Application, Environment, and Location. Attributes: information about Interfaces and Workloads. |
Containers | Information about a specific container. |
Rules | Information about rules. |