Prerequisites for VEN Installation
Before installing VENs on the workloads in your environment, you must understand and meet the following prerequisites.
PATH Environment Variable for illumio-ven-ctl
For more information about using the VEN CTL, see the "illumio-ven-ctl General Syntax" topic in the VEN Administration Guide.
VEN OSs and Package Dependencies
Some packages, such as SecureConnect StrongSwan for enforcing IPsec, are included as part of the VEN package. For example, when the ipset kernel module is not installed, the VEN downloads and installs it on the workload.
Other packages are installed on the workload itself if they are not already present. When these required packages are not installed on the workload, the VEN downloads and installs them via package dependencies, such as RPM dependencies.
For the complete list of package dependencies by operating system, see the VEN OS Support and Package Dependencies page on the Illumio Support portal.
Minimum key length with RHEL8+ cryptographic policy set to FUTURE
If the cryptographic policy is set to FUTURE on RHEL8, RHEL9, and related operating systems, the RSA key length must be 3072 bits or greater. For more information, see this Knowledge Base article.
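A pre-install check for this requirement, added here as an example and not taken from Illumio's documentation or tooling: it reads the RSA key size from `openssl x509 -noout -text` output and applies the 3072-bit floor when the active policy is FUTURE. The function names, the sample text and the choice of a PEM certificate as the key to inspect are assumptions.

```shell
#!/bin/sh
# Added example. The FUTURE policy name and the 3072-bit floor come from the
# page; function names and the sample text are constructed.

# Read `openssl x509 -noout -text` output on stdin and print the RSA key size
# in bits. Prints nothing when the certificate key is not RSA.
rsa_bits() {
    awk '
        /Public Key Algorithm:/ { rsa = ($0 ~ /rsaEncryption/) }
        rsa && /Public-Key: \(/ { gsub(/[^0-9]/, ""); print; exit }
    '
}

# Usage: check_rsa_for_policy POLICY < cert-text
# Prints ok, too-short or not-rsa; returns 1 only for too-short.
check_rsa_for_policy() {
    bits=$(rsa_bits)
    [ -n "$bits" ] || { echo "not-rsa"; return 0; }
    case $1 in
        FUTURE|FUTURE:*) min=3072 ;;  # also matches FUTURE:<SUBPOLICY>
        *)               min=0 ;;     # the page states no floor for other policies
    esac
    if [ "$bits" -ge "$min" ]; then echo "ok"; else echo "too-short"; return 1; fi
}

# Constructed stand-in for the relevant lines of openssl's text output.
# Usage: sample_cert_text BITS ALGORITHM
sample_cert_text() {
    printf '    Signature Algorithm: sha256WithRSAEncryption\n'
    printf '        Subject Public Key Info:\n'
    printf '            Public Key Algorithm: %s\n' "$2"
    printf '                Public-Key: (%s bit)\n' "$1"
}

# Live use on a RHEL 8+ workload: pass the path of a PEM certificate.
if [ $# -gt 0 ]; then
    openssl x509 -in "$1" -noout -text |
        check_rsa_for_policy "$(update-crypto-policies --show)"
fi
```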
VEN-to-PCE Communication
Illumio Core uses Transport Layer Security (TLS) version 1.2 by default for VEN-to-PCE communications.
The PCE default minimum version is TLS 1.2.
For VEN versions 18.1 and later, all VENs use TLS 1.2.
For more information about the TLS requirements for VEN-to-PCE communication, see the "Negotiation of TLS Versions for Communications" topic or contact your Illumio Support representative.
Before installing a VEN, the workload must meet the following requirements for VEN-to-PCE communication:
The workload can validate its certificate's chain of trust back to the root Certificate Authority (CA) of the server certificate on the PCE.
The VEN can reach the PCE on the ports configured for the PCE in the PCE Runtime Environment File runtime_env.yml. For more information, see the "Port Ranges for Cluster Communication" and "Reference: PCE Runtime Parameters" topics or contact your Illumio Support representative.
To prevent time drift between the PCE and VENs, Network Time Protocol (NTP) must be installed and working on the PCE and the VENs.
Workload Disk Size Requirements
Illumio recommends that you reserve the following disk space on workloads for the VEN:
Minimum: 500MB
Recommended: 1.5GB to 2.0GB
Application logs are rotated from primary to backup when their size reaches 15 MB. Application log files are preserved at reboot because application logs are stored in files on a workload.
IP Address Support
In Illumio Core 20.2.0 and later releases, the VEN supports both IPv4 and IPv6 addresses, and the IP address version appears correctly in the PCE; for example, in the Workload section of the VEN summary page in the PCE web console.
You can configure how the PCE treats IPv6 traffic from workloads. For more information, see "Allow or Block IPv6 Traffic" in the PCE Administration Guide.
Obtain the VEN Packages
PCE-based VEN software bundle
If you are an Illumio On-premises customer (you are running the PCE in your corporate data center), download the VEN packages to your PCE by running illumio-pce-ctl from your PCE. For more information, see VEN Library Setup in the PCE.
Note
Illumio Cloud customers do not have shell access to the PCE; therefore, the Illumio Operations team downloads and sets up the PCE-based VEN software bundle for customers. They download all necessary VEN packages for customers.
CLI-based VEN software packages
All VEN software is available for download from the Illumio Support portal. A VEN package is downloadable from the Illumio Support portal for each version of the VEN. Illumio provides the package as a tar file that contains a version of the VEN for all supported operating systems.
To download the VEN package:
Go to the Illumio Support site (login required).
Under the VEN section > VEN version, select Software > Download.
In the VEN Packages row of the VEN table, click the filename for the VEN tarfile.
Download the file to a convenient location.
VEN Package CPU Architecture
For VEN installation using the VEN CTL, after you have downloaded and unpacked the software, determine which VEN is appropriate for your operating system and hardware architecture.
See the Supported Operating Systems for Illumio VEN table - CPU Architecture Identifier in the Filename column on the Illumio Support portal.
(Optional) Verify Package Signature
For additional security, verify the identity of the downloaded VEN packages against the Illumio public key.
Note
You can verify the signature of the VEN RPM packages for CentOS, Red Hat Enterprise Linux (RHEL), Ubuntu, and SUSE Linux Enterprise Server.
Signature verification is not supported for AIX, Debian, Solaris, and Windows VEN packages.
The Illumio public key is available from the Download VEN page of the Illumio Support portal (login required).
For information about using a public key to verify package signatures, see Checking a Package's Signature on the Red Hat Customer Portal.
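One way to script the check with `rpm --import` and `rpm -K`, added here as an example and not taken from Illumio's documentation: it separates a verified signature from a package that only passed its digest checks, which `rpm -K` also reports as OK. The function names, the key and package filenames and the sample output lines are constructed placeholders.

```shell
#!/bin/sh
# Added example; function names and sample lines are constructed.
# Import the key first (placeholder filename):
#   rpm --import ILLUMIO_PUBLIC_KEY_FILE

# Classify one line of `rpm -K` (rpm --checksig) output.
#   signed-ok : a signature is present and verified against an imported key
#   unsigned  : only digests were checked; nothing ties the file to the key
#   failed    : rpm reported NOT OK (bad signature, missing key, corruption)
# Returns 0 only for signed-ok.
classify_checksig() {
    result=${1#*: }                 # drop the "<file>: " prefix
    case $result in
        *"NOT OK"*)       echo failed;   return 1 ;;
        *signatures*OK)   echo signed-ok ;;   # format used by rpm on RHEL 8
        *rsa*OK|*dsa*OK|*pgp*OK|*gpg*OK)
                          echo signed-ok ;;   # older rpm lists the signature type
        *OK)              echo unsigned; return 1 ;;
        *)                echo failed;   return 1 ;;
    esac
}

# Usage: verify_rpm PACKAGE.rpm
verify_rpm() {
    classify_checksig "$(rpm -K "$1")"
}

# Constructed sample lines in rpm's output format, not from a real VEN package.
SAMPLE_SIGNED='PLACEHOLDER-ven.rpm: digests signatures OK'
SAMPLE_UNSIGNED='PLACEHOLDER-ven.rpm: digests OK'
SAMPLE_NOKEY='PLACEHOLDER-ven.rpm: digests SIGNATURES NOT OK'
SAMPLE_OLD_SIGNED='PLACEHOLDER-ven.rpm: rsa sha1 (md5) pgp md5 OK'

# Live use: pass the path of the downloaded package.
if [ $# -gt 0 ]; then verify_rpm "$1"; fi
```

Treat `unsigned` as a failure for this purpose: a matching digest shows the file is intact, not that it came from the key holder.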
Firewall Tampering Protection on Linux
To enable faster host firewall tampering protection (within approximately three seconds) for Linux firewalls, make sure that:
tracefs is mounted (newer Linux distributions)
debugfs is mounted (older Linux distributions that include tracefs in debugfs)
For information, see "VEN Firewall Tampering Detection" in the VEN Installation and Upgrade Guide.
Note
Faster host firewall tampering protection is enabled for Windows automatically.
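A check for the Linux tracefs/debugfs requirement above, added here as an example and not part of the VEN tooling: it reads a mounts table in the `/proc/mounts` format and reports which of the two filesystems is available. The function names and the sample mount tables are constructed.

```shell
#!/bin/sh
# Added example; function names and the sample mount tables are constructed.

# Usage: tamper_fs_status [MOUNTS_FILE]   (default /proc/mounts, "-" = stdin)
# Fields in /proc/mounts: device mountpoint fstype options dump pass.
# Prints "tracefs <mountpoint>", "debugfs <mountpoint>" or "missing";
# returns 1 when neither filesystem is mounted.
tamper_fs_status() {
    awk '
        $3 == "tracefs" && t == "" { t = $2 }
        $3 == "debugfs" && d == "" { d = $2 }
        END {
            if (t != "")      print "tracefs " t
            else if (d != "") print "debugfs " d
            else            { print "missing"; exit 1 }
        }
    ' "${1:-/proc/mounts}"
}

sample_newer() {   # constructed: tracefs mounted alongside debugfs
    printf 'sysfs /sys sysfs rw,nosuid,nodev,noexec 0 0\n'
    printf 'debugfs /sys/kernel/debug debugfs rw,relatime 0 0\n'
    printf 'tracefs /sys/kernel/tracing tracefs rw,relatime 0 0\n'
}
sample_older() {   # constructed: only debugfs is mounted
    printf 'sysfs /sys sysfs rw,nosuid,nodev,noexec 0 0\n'
    printf 'debugfs /sys/kernel/debug debugfs rw,relatime 0 0\n'
}
sample_none() {    # constructed: neither filesystem is mounted
    printf 'sysfs /sys sysfs rw,nosuid,nodev,noexec 0 0\n'
    printf 'proc /proc proc rw,nosuid,nodev,noexec 0 0\n'
}

# Live use on a workload: run with --live to check the running system.
if [ "${1:-}" = "--live" ]; then tamper_fs_status; fi
```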
VEN Compatibility Check
In addition to meeting the requirements in this topic and being aware of the limitations for installing VENs on workloads, you can use the VEN Compatibility Check feature to verify the functionality of the VEN on a workload. The compatibility information for the VEN is available only while the VEN is in Idle mode.
For information about this feature, see VEN Compatibility Check.
SecureConnect Setup on Workloads
For information about SecureConnect requirements for VENs, see SecureConnect in the Security Policy Guide.