What's New and Changed in Release 24.2.30-VEN
This release provides support for the following:
Enhanced VEN resiliency
As part of Illumio's ongoing efforts to improve the operational resiliency of the VEN, beginning with this release VENs roll back to the previous known-good policy if a policy update breaks VEN-to-PCE connectivity.
Drop pre-existing open connections not covered by Illumio policy
Warning
Installing VEN release 24.2.30 or later on AIX workloads can result in blocking traffic in your environment that you currently allow. Please read carefully.
Beginning with VEN release 24.2.30, AIX VENs are now at parity with Windows and Linux VENs with regard to how they handle pre-existing open connections not covered by Illumio policy. Consider the following example use case:
An application in your tenant holds open a pre-existing connection to a database server (for example) and the connection is not covered by an Allow rule in your Illumio policy.
You transition the VEN to Full Enforcement (a strict Allow-list mode).
Analysis:
Windows and Linux VENs have always dropped such pre-existing connections when transitioned to Full Enforcement because there is no Allow rule allowing them in this scenario.
Prior to VEN release 24.2.30, AIX VENs left such pre-existing connections open in this scenario (despite no rule allowing it) until the application closed the connection and later tried to make a new connection. At that point, the VEN blocked the connection (because there is no rule allowing it).
Result: With VEN release 24.2.30 and later, AIX VENs drop such pre-existing connections, in parity with Windows and Linux VENs, provided that IPFilter 5.3.0.5004 or later is installed on the workload.
Illumio IPFilter Update
IPFilter version 5.3.0.5004 removes a mutex, present in 5.3.0.5003, that made the CPU a bottleneck for IP filtering: many CPU cores contended for the same lock whenever they accessed the counter variables concurrently. In IPFilter version 5.3.0.5004, counter variables are incremented and decremented with atomic operations, such as fetch_and_add.
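As an added illustration (not Illumio's or IPFilter's code), the following C program contrasts the two counter-update strategies described above: a single mutex guarding the counters versus lock-free atomic fetch-and-add, with C11 atomic_fetch_add standing in for the AIX fetch_and_add routine. Thread counts and increment totals are constructed sample values.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

/* Constructed sample: "packet counters" bumped from many CPU cores at once. */
typedef struct {
    long per_thread;        /* increments each worker performs            */
    pthread_mutex_t *lock;  /* set for the mutex variant, NULL otherwise  */
    long *plain;            /* mutex-protected counter                    */
    atomic_long *atomic;    /* lock-free counter                          */
} worker_args;

static void *worker(void *p) {
    worker_args *a = p;
    for (long i = 0; i < a->per_thread; i++) {
        if (a->lock) {
            /* 5.3.0.5003 style: every core serialises on one global lock. */
            pthread_mutex_lock(a->lock);
            (*a->plain)++;
            pthread_mutex_unlock(a->lock);
        } else {
            /* 5.3.0.5004 style: one atomic read-modify-write, no lock held. */
            atomic_fetch_add(a->atomic, 1);
        }
    }
    return NULL;
}

/* Spawn nthreads workers (capped at 64) and return the final counter value. */
static long run(int nthreads, long per_thread, int use_mutex) {
    pthread_t tids[64];
    pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
    long plain = 0;
    atomic_long counter = 0;
    worker_args a = { per_thread, use_mutex ? &lock : NULL, &plain, &counter };
    if (nthreads > 64) nthreads = 64;
    for (int t = 0; t < nthreads; t++)
        pthread_create(&tids[t], NULL, worker, &a);
    for (int t = 0; t < nthreads; t++)
        pthread_join(tids[t], NULL);
    return use_mutex ? plain : atomic_load(&counter);
}

long count_with_mutex(int nthreads, long per_thread)  { return run(nthreads, per_thread, 1); }
long count_with_atomic(int nthreads, long per_thread) { return run(nthreads, per_thread, 0); }

int main(void) {
    printf("mutex : %ld\n", count_with_mutex(8, 100000));   /* both print 800000 */
    printf("atomic: %ld\n", count_with_atomic(8, 100000));
    return 0;
}
```

Both variants yield the exact total; the difference is that the atomic variant never parks other cores behind a lock, which is the contention the release note describes.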