
Security Policy Guide 23.5

Segmentation Templates

Applications can be a complex set of services and processes that have different components that communicate with other applications. For example, you might find an application in your Illumination map that has many processes communicating through several ports to connect to and receive connections from Active Directory. Some of these processes, such as Netlogon, can utilize 10,000 or more dynamic ports as they communicate with Active Directory. The ports that are used at any given time can be unpredictable. Creating a security policy for these types of applications is a complex and time-consuming endeavor.

Overview of Segmentation Templates

To deliver Segmentation Templates, Illumio leveraged its knowledge of enterprise applications, such as Active Directory, Exchange, and SharePoint, because it understands the services and various processes these applications utilize.

Illumio Segmentation Templates offer prepackaged, tested security policies encompassing all the rules for common enterprise applications. They can be deployed in minutes, reducing the time it takes to protect key computing assets. They simplify defining and implementing security policies, reducing errors and preventing security gaps in widely used, business-critical applications.

Each Segmentation Template serves two purposes. Illumio customers can view an example of configuring the necessary security policies to protect a specific application. Secondly, customers can utilize the Segmentation Template to quickly secure the application within their organization.

When you install a Segmentation Template, the PCE web console automatically adds the necessary policy objects, such as services, rulesets, and labels, to enable the communication required for that application.

Catalog Retrieved from Support Portal

When you go to the Segmentation Templates page, the PCE web console automatically retrieves the latest Segmentation Templates catalog from the Illumio Support portal and displays it in the web console.

Note

You can access the Segmentation Templates directly only through the Support Portal.

  1. Access the Support portal using your Illumio Support portal username and password. (Illumio Cloud customers are automatically logged into the Illumio Support portal.)

    Click TOOLS > Illumio Segmentation Templates.

  2. To view the contents of a Segmentation Template, click its name or icon.

    The Segmentation Template details page describes the template and lists all the policy objects that belong to the template. Policy objects appear as hyperlinks when another template has already installed them. (Templates can share policy objects.)

Features of Segmentation Templates

Segmentation Templates share the following key features.

Template Contents

Each Segmentation Template adds an associated group of unique, non-overlapping, predefined services, and can contain any of the following policy objects:

  • Labels

  • Label groups

  • IP lists

  • Rulesets

Some templates contain all the necessary rulesets, services, and labels to secure a specific application, while others contain only port-based service definitions.

Dynamic Processes and Ports

Using segmentation templates is especially useful in Microsoft environments, which must accommodate a range of dynamically used ports for remote procedure calls (RPC). Other Microsoft applications (such as Active Directory) require opening dynamic port ranges. Rather than opening only the ports in use, network-based solutions leave an entire range of ports open, effectively leaving the security environment vulnerable.

The Illumio PCE is service and process-aware. Because of this, installing Segmentation Templates can protect against dynamic processes (such as Netlogon) and apply the correct policy to open only the active ports at a given time.

Segmentation Templates are designed to utilize the specific processes and paths used by the server, rather than relying on dynamic ports, and apply the exact set of fine-grained rules required for protection.

Sharing Policy Objects

Multiple Segmentation Templates can share services, labels, label groups, and IP lists. However, a ruleset is never shared between templates.

Identifying Policy Objects Added by Templates

You can identify all objects added to the PCE that are part of Segmentation Templates. In the External Data Set field of the object’s details page, the PCE identifies these policy objects by labeling them using the following convention:

IST – type_of_object

(Where IST stands for Illumio Segmentation Template)

Additionally, the PCE provides full names to increase readability. For example, “IST - [AD] - Client to Domain Controller” appears as “IST - Active Directory Client to Domain Controller.”

Segmentation Template Prerequisites and Limitations

The following prerequisites and limitations apply to Segmentation Templates.

Internet Connectivity

Internet connectivity is not required to use the Segmentation Templates. For example, you may connect to the PCE web console from a device lacking internet connectivity.

Illumio stores segmentation templates on the Illumio Support portal. When the device from which you are connecting to the PCE web console does not have internet connectivity, you can connect to the Illumio Support portal over the internet using another device and download the Segmentation Templates locally, then upload them to the PCE web console from that device.

When you choose Troubleshoot > Segmentation Templates from the PCE web console, you are prompted to log into the Illumio Support portal to download the templates. When you do not have internet connectivity from your device and have already downloaded the templates to another device, you can skip this step.

Upgrade Policy Object Installed by Segmentation Templates

The PCE recognizes when Segmentation Templates install policy objects from the values in the External Data Reference field. Therefore, if you installed a Segmentation Template before 17.2 or you modified the contents of this field for an object, the PCE cannot recognize that a template installed the object, and you cannot update it while updating the template.

Unique Names for Labels, Label Groups, and IP Lists

In the PCE web console, policy object names must be unique. For example, when you have an existing label, label group, or IP list with the same name as a label, label group, or IP list in a template, the template installation stops and prompts you to rename the policy object in your organization.

Note

In Segmentation Templates, policy objects are named using the following convention: IST – type_of_object

Delete Labels Associated with Segmentation Templates

When you have provisioned a ruleset or label group associated with a template, the labels associated with the template cannot be removed until the rulesets and label groups are removed and the removal is provisioned.

About Editing Segmentation Templates

Installing a Segmentation Template adds a predefined set of services and enables the addition of labels, label groups, IP lists, and rule sets.

Editing a policy object associated with a Segmentation Template is no different from editing any other policy object in the PCE web console. Also, the display and designation of a Segmentation Template do not change in the PCE web console after you edit the policy objects associated with it.

However, before editing the policy objects installed by a Segmentation Template, be aware of the following caveats.

Edit the Names or IDs of Policy Objects

The PCE assigns each policy object associated with a template an ID number, which the PCE web console displays in the Description and External Data Reference fields of the object details or Summary pages.

The PCE tracks all objects associated with Segmentation Templates by their names. In Segmentation Templates, these policy objects are named using the following convention:

IST – type_of_object

Changing the policy object name does not affect the PCE validation that it is installed; however, using the Illumio API to edit the External Data Reference field does.

Note

Illumio strongly recommends you do not change the IDs in the External Data Reference fields.

Delete Policy Objects or Edit Their Attributes

Deleting policy objects associated with templates or editing their attributes is subject to the following caveats:

  • When you remove a policy object associated with a template after the template is installed, the PCE will re-add the object when the template is updated.

    For example, you remove the common LDAP service, which is associated with a Segmentation Template. When Illumio releases an update for the template, installing that update will re-add the common LDAP ports to the PCE.

  • When you edit the attributes of policy objects associated with a template (for example, the ports or protocols of a service or the scope or rules of a ruleset), the PCE web console prompts you to specify whether to preserve or overwrite your changes when you update the template to the next version.
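As an added example (not Illumio's code and not the Illumio API), the following Python script audits a constructed policy-object export for the "IST – type_of_object" convention and the ID-plus-"edited" marker described in the sections above, flagging objects whose External Data Reference no longer lets the PCE recognize them as template-installed. The field names `external_data_set` and `external_data_reference` and the export shape are assumptions for this example.

```python
import json
import re

# Constructed sample export (not real PCE output); field names and value
# formats are assumptions modelled on the conventions the guide describes.
SAMPLE_EXPORT = json.dumps([
    {"name": "IST - Active Directory Client to Domain Controller",
     "external_data_set": "IST - ruleset", "external_data_reference": "1042"},
    {"name": "IST - LDAP", "external_data_set": "IST - service",
     "external_data_reference": "2007 edited"},
    {"name": "IST - Domain Controllers", "external_data_set": "IST - label",
     "external_data_reference": "custom-ref"},
    {"name": "Payroll Web", "external_data_set": None,
     "external_data_reference": None},
])

# Accept either the en-dash or the hyphen form of the "IST - ..." prefix.
IST_PREFIX = re.compile(r"^IST\s*[-\u2013]")
# Reference is an ID number, optionally followed by the word "edited".
REF_PATTERN = re.compile(r"^(\d+)(?: (edited))?$")

def classify(obj):
    """Return 'template', 'template-edited', 'untracked' or 'not-template'."""
    data_set = (obj.get("external_data_set") or "").strip()
    ref = (obj.get("external_data_reference") or "").strip()
    name = obj.get("name", "")
    if not IST_PREFIX.match(data_set):
        # IST-style name without a template data set: tracking was lost
        return "untracked" if IST_PREFIX.match(name) else "not-template"
    m = REF_PATTERN.match(ref)
    if m is None:
        # Data set says template, but the reference was modified, so the
        # PCE can no longer update this object with the template
        return "untracked"
    return "template-edited" if m.group(2) else "template"

def audit(export_json):
    """Group object names by their template-tracking status."""
    report = {}
    for obj in json.loads(export_json):
        report.setdefault(classify(obj), []).append(obj["name"])
    return report

if __name__ == "__main__":
    for status, names in audit(SAMPLE_EXPORT).items():
        print(f"{status}: {', '.join(names)}")
```

Objects reported as "untracked" are the ones to review before a template update, since the PCE will neither update nor overwrite them.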

Install a Segmentation Template

  1. Retrieve the Segmentation Template Catalog.

    When a template has not been installed, an Install button appears on the page.

  2. Click Install.

    The End User License Agreement (EULA) appears.

  3. Accept the EULA and click Continue.

    Before the PCE installs the template, it checks that the policy objects required by the template don’t conflict with any existing policy objects in your organization. The time it takes to process the check depends on the number of policy objects in your organization. When the PCE detects any conflicts during the check, it cancels the installation and does not install any policy objects. You are prompted to rename the conflicting objects.

    When the check is successful, the PCE adds the included policy objects to Draft mode, allowing you to review and edit them before provisioning.

    As the policy objects are added, links to the objects appear in the template details page.

    Note

    Global policy objects—such as All Services and Any (0.0.0.0/0 and ::/0)—don’t include links in the Segmentation Template details page to the objects.

Upload a Segmentation Template

When you download a Segmentation Template from the Illumio Support portal, you save the template locally as a JSON file.

  1. Log in to the Illumio Support portal with your Illumio Support username and password.

  2. Click Tools > Illumio Segmentation Templates.

  3. On the "Illumio Segmentation Templates" page, click the DOWNLOAD button.

  4. Accept the EULA license agreement and click Continue.

  5. Name the template and define where to download it on your system.

    Click Save.

Update a Segmentation Template

Updating a Segmentation Template to a later version allows you to edit or add services, rule sets, labels, label groups, or IP lists. However, updating a template does not remove policy objects added by a previous version.

Note

Later versions of templates are fully backwards-compatible with previous versions.

  1. Retrieve the Segmentation Template Catalog.

    When a new version of a Segmentation Template is available for a template that you have installed, the template displays an "Update" button.

  2. Click Update.

    If you edited the policy objects of the Segmentation Template after installing it, a dialog box appears prompting you to specify how to install the new version. For example, suppose you added a new port and protocol to a service that the template created. You can revert the service to the Illumio list of ports and protocols or keep your changes.

  3. If necessary, choose how to handle template changes:

    • Overwrite: The PCE replaces the policy objects that you edited with the version in the new template and removes the word “edited” after the ID number in the External Data Reference field.

    • Preserve Changes: Your changes to the policy objects added by the template are kept.

Note

If you have edited multiple policy objects associated with a template, you must choose whether to overwrite or preserve all your changes. You cannot overwrite some and preserve some.

The PCE updates the version numbers of all policy objects associated with the template, even when the new template changes only a subset of the objects.

Note

Segmentation Templates can share policy objects; therefore, a policy object can have a later version than its associated template, because another template updated the object. For example, you can have version 1 of a template installed, and it includes version 2 of some policy objects.

Uninstall a Segmentation Template

  1. Retrieve the Segmentation Template Catalog.

    After you install a Segmentation template, an Uninstall button appears on the page.

  2. Click Uninstall.

    When you uninstall a Segmentation Template, the PCE removes all the policy objects that are associated with that template, except when an object is in use. Policy objects that are shared with other installed templates are not removed. Policy objects that have been added to other policy objects are not removed either; for example, a service associated with the template that you added to one of your own rulesets stays in place.