Firewall Coexistence

To provide additional security, you can supplement Illumio's firewall with your organization's firewalls using Firewall Coexistence. You can set the Illumio firewall to either Exclusive mode or Coexistence mode via the PCE web console or the Illumio REST API. In both modes, the Illumio firewall is always separate from other firewalls.

Note

Using Firewall Coexistence requires careful consideration

Illumio cannot prevent any non-Illumio processes from programming the firewall, so interference from non-Illumio processes is always possible. The server VEN is able to detect many cases of such interference and will report them as firewall tampering. Although Illumio expects to have exclusive control over the firewall by default, it is possible to coexist with non-Illumio processes depending on exactly how the non-Illumio processes are programming the firewall.

Because the VEN has no way to know about the actions of non-Illumio processes, coexistence necessarily results in the loss of some visibility and clarity in traffic reporting. For example, server VENs are usually able to coexist with:

Many versions of stand-alone Docker and other simple containers
Manually programmed rules, depending on the precise details
Windows GPO, depending on precise details
Many anti-virus solutions

Server VENs aren't able to coexist with complex containers such as Kubernetes. For such cases, consider using the C-VEN.

Firewall Coexistence and Endpoint VENs

Endpoint VENs are in Firewall Coexistence by default. This cannot be changed.

Important

The Firewall Coexistence feature deprecates these features:

Windows FAS VEN coexistence
Linux VEN NAT ignore
Linux VEN container mode

Coexistence Mode by Operating System

Coexistence Mode is a key architectural feature of Illumio’s enforcement model, designed to support interoperability with native and third-party firewalls. By evaluating rule injection behavior and maintaining policy integrity, Illumio ensures consistent security outcomes across diverse platforms. This section provides an OS-specific breakdown of how Coexistence Mode is implemented and what visibility and control mechanisms are in place.

Windows Server VEN

Coexistence Mode	Windows Firewall ¹	3rd Party WFP Firewalls	Tampering Behavior	Visibility
Exclusive	Illumio disables Windows Advanced Firewall/Defender Policy.	Illumio coexists with all 3rd party non-Illumio WFP filters. WFP is fundamentally a coexisting firewall and Illumio coexists with all non-Microsoft Windows firewalls.	Standard ²	The VEN reports all traffic flows passing through the Illumio WFP filter. The reported policy decision is based solely on the Illumio policy.
Coexistence Primary & Coexistence Non-Primary	Illumio coexists with Windows Advanced Firewall/Defender Policy.	Illumio coexists with all 3rd party non-Illumio WFP filters. WFP is fundamentally a coexisting firewall and Illumio coexists with all firewalls.

Coexistence Mode

Windows Firewall ¹

3rd Party WFP Firewalls

Tampering Behavior

Visibility

Exclusive

Illumio disables Windows Advanced Firewall/Defender Policy.

Illumio coexists with all 3rd party non-Illumio WFP filters. WFP is fundamentally a coexisting firewall and Illumio coexists with all non-Microsoft Windows firewalls.

Standard ²

The VEN reports all traffic flows passing through the Illumio WFP filter. The reported policy decision is based solely on the Illumio policy.

Coexistence Primary

Coexistence Non-Primary

Illumio coexists with Windows Advanced Firewall/Defender Policy.

Illumio coexists with all 3rd party non-Illumio WFP filters. WFP is fundamentally a coexisting firewall and Illumio coexists with all firewalls.

Windows Endpoint VEN

Coexistence Mode	Windows Firewall ¹	3rd Party WFP Firewalls	Tampering Detection Behavior	Visibility
Coexistence Primary ³	Illumio coexists with Windows Advanced Firewall/Defender Policy.	Illumio coexists with all 3rd party non-Illumio WFP filters. WFP is fundamentally a coexisting firewall and Illumio coexists with all firewalls.	Standard ²	The VEN reports all traffic flows passing through the Illumio WFP filter. The reported policy decision is based solely on the Illumio policy.

Linux IPTables

Coexistence Mode	IPtables Rules	3rd Party IPtables Firewalls	Tampering Detection Behavior	Visibility
Exclusive	Illumio rules are inserted at the top of the filter table and only Illumio‑defined rules are executed. Rules appearing after the Illumio firewall are not reached because Illumio rules are designed to be final. Illumio doesn't alter existing services such as `firewalld`⁴ and nftables (not to be confused with the kernel module of the same name that implements the firewall itself).	Overwrites or ignores 3rd Party Firewall Rules	Standard ²	The VEN reports all traffic flows passing through the Illumio IPTables filter. The reported policy decision is based solely on the Illumio policy.
Coexistence Primary	Illumio rules are inserted at the top of the filter table and all Blocks are final. Any rules appearing after the Illumio firewall are evaluated or processed if the Illumio policy decision was to Allow. Illumio doesn't alter existing services such as `firewalld`⁴ and nftables (not to be confused with the kernel module of the same name that implements the firewall itself).	Coexists with 3rd party IPTables firewalls	Will tolerate only rules appearing after Illumio in the filter table.
Coexistence Non-Primary	Will tolerate rules appearing before or after Illumio in the filter table.	The VEN does not report traffic blocked from rules before Illumio because the Illumio IPTables filter never evaluates that traffic. The VEN reports all traffic flows passing through the Illumio IPTables filter.

Coexistence Mode

IPtables Rules

3rd Party IPtables Firewalls

Tampering Detection Behavior

Visibility

Exclusive

Illumio rules are inserted at the top of the filter table and only Illumio‑defined rules are executed. Rules appearing after the Illumio firewall are not reached because Illumio rules are designed to be final.

Illumio doesn't alter existing services such as firewalld⁴ and nftables (not to be confused with the kernel module of the same name that implements the firewall itself).

Overwrites or ignores 3rd Party Firewall Rules

Standard ²

The VEN reports all traffic flows passing through the Illumio IPTables filter. The reported policy decision is based solely on the Illumio policy.

Coexistence Primary

Illumio rules are inserted at the top of the filter table and all Blocks are final. Any rules appearing after the Illumio firewall are evaluated or processed if the Illumio policy decision was to Allow.

Illumio doesn't alter existing services such as firewalld⁴ and nftables (not to be confused with the kernel module of the same name that implements the firewall itself).

Coexists with 3rd party IPTables firewalls

Will tolerate only rules appearing after Illumio in the filter table.

Coexistence Non-Primary

Will tolerate rules appearing before or after Illumio in the filter table.

The VEN does not report traffic blocked from rules before Illumio because the Illumio IPTables filter never evaluates that traffic. The VEN reports all traffic flows passing through the Illumio IPTables filter.

Linux nftables

Coexistence Mode	nftables Rules	3rd Party nftables Firewalls	Tampering Detection Behavior	Visibility
Exclusive	Illumio doesn't alter existing services such as `firewalld`⁴ and nftables (not to be confused with the `nf_tables` kernel, which is different). However, Illumio will delete all non-Illumio filters. Illumio rules are inserted into Illumio-specific filters. In Exclusive mode it's assumed there are no non-illumio filters (they were deleted). Therefore, all policy decisions are final.	Illumio will delete all non-Illumio filters. Note: if SE Linux prevents Illumio from deleting other filters, a policy sync error is triggered. Note: If the user fails to disable `firewalld` and `firewalld` adds filters, then Illumio treats this as tampering.	Illumio doesn't tolerate any rule changes within any nftable spaces.	The VEN reports all traffic flows passing through the Illumio nftables space. The reported policy decision is based solely on the Illumio policy.
Coexistence Primary & Coexistence Non-Primary	Illumio doesn't alter existing services such as `firewalld`⁴ and nftables (not to be confused with the kernel module by the same name that implements the firewall itself). Illumio does not delete any non illumio filters. Illumio rules are inserted into Illumio-specific filters. Non-Illumio filters operating at higher priority may pre-empt Illumio filters. Illumio filters may block traffic based on the programmed rules. Non-Illumio filters operating at lower priority are evaluated only if Illumio filters do not block.	Illumio coexists with all 3rd party non-Illumio nftable spaces. NFT is fundamentally a coexisting firewall, and Illumio coexists with all non-Illumio firewalls.	Illumio doesn't tolerate any rule changes within Illumio nftable spaces.	The VEN does not report traffic blocked from rules with a higher priority than Illumio because nftable never evaluates that traffic. The VEN reports all traffic flows passing through the Illumio nftable space.

Coexistence Mode

nftables Rules

3rd Party nftables Firewalls

Tampering Detection Behavior

Visibility

Exclusive

Illumio doesn't alter existing services such as firewalld⁴ and nftables (not to be confused with the nf_tables kernel, which is different).

However, Illumio will delete all non-Illumio filters.

Illumio rules are inserted into Illumio-specific filters. In Exclusive mode it's assumed there are no non-illumio filters (they were deleted). Therefore, all policy decisions are final.

Illumio will delete all non-Illumio filters.

Note: if SE Linux prevents Illumio from deleting other filters, a policy sync error is triggered.

Note: If the user fails to disable firewalld and firewalld adds filters, then Illumio treats this as tampering.

Illumio doesn't tolerate any rule changes within any nftable spaces.

The VEN reports all traffic flows passing through the Illumio nftables space. The reported policy decision is based solely on the Illumio policy.

Coexistence Primary

Coexistence Non-Primary

Illumio doesn't alter existing services such as firewalld⁴ and nftables (not to be confused with the kernel module by the same name that implements the firewall itself).

Illumio does not delete any non illumio filters.

Illumio rules are inserted into Illumio-specific filters. Non-Illumio filters operating at higher priority may pre-empt Illumio filters. Illumio filters may block traffic based on the programmed rules. Non-Illumio filters operating at lower priority are evaluated only if Illumio filters do not block.

Illumio coexists with all 3rd party non-Illumio nftable spaces. NFT is fundamentally a coexisting firewall, and Illumio coexists with all non-Illumio firewalls.

Illumio doesn't tolerate any rule changes within Illumio nftable spaces.

The VEN does not report traffic blocked from rules with a higher priority than Illumio because nftable never evaluates that traffic. The VEN reports all traffic flows passing through the Illumio nftable space.

Typical Firewall State on New Linux Installation

OS version	Firewall Stack	Firewall Service Name	Typical State of Firewall on New OS Installation
CentOS 5 – 6	IP Tables	n/a	n/a
CentOS 7	IP Tables	`firewalld`	Disabled; no default rules; allows all traffic by default
CentOS 8 – 10	NetFilter Tables (aka NFT)	`firewalld`	Enabled; active with default rules in “public” zone; restricts inbound traffic to essentially just SSH and DHCP by default
RedHat	see CentOS	`firewalld` (+ nftables)	See CentOS
SUSE 11 – 14	IP Tables	SuSEfirewall2	Enabled; active with default rules in “external” zone; restricts inbound traffic to essentially just SSH and DHCP by default.
SUSE 15 < SP3	IP Tables	`firewalld`	Enabled; active with default rules in “public” zone; restricts inbound traffic to essentially just SSH and DHCP by default.
SUSE 15 >= SP3	NetFilter Tables (aka NFT)	`firewalld`

The following table details the typical state of the firewall on new installations of select Linux distributions.

Solaris/AIX

Coexistence Mode	Behavior
Coexistence is enabled by default and can't be disabled.	Illumio coexists with all 3rd party Packet Filter firewalls. ⁵

macOS

Coexistence Mode	Behavior
Coexistence is enabled by default and can't be disabled.	Illumio coexists with all 3rd party Packet Filter firewalls.

Notes

¹ For example, Group Policy, not the Windows Filtering Platform (WFP).

²Separate from rule execution, Illumio’s tamper‑detection logic may inspect external rule injections to ensure they do not conflict with the Illumio policy. Non‑disruptive injections that pose no risk to the enforced policy are tolerated, while disruptive injections are not.

³ On Endpoint VENs, Coexistence mode is enabled by default and can't be disabled.

⁴ Services such as firewalld are often configured out-of-the-box to block most inbound ports by default. To avoid confusion around potentially conflicting rules, Illumio recommends (but doesn't require) that services like firewalld be disabled.

⁵ Don't disable these services in Solaris:

Packet Filter (PF)
- Service: Managed by the SMF service svc:/network/firewall
- Configuration: Rules are configured in the /etc/firewall/pf.conf file.
IP Filter (IPF)
- Service: Managed by the SMF service svc:/network/ipfilter
- Configuration: Rules are configured in the /etc/ipf/ipf.conf file

Firewall Tampering Protection

The purpose of Illumio Firewall Tampering Protection is to automatically detect and remediate, where possible, changes to firewall rules that would interfere with Illumio policy.

Note

For firewall types that are fundamentally coexisting, such as WFP and NFT, it's not feasible to detect or remediate tampering that occurs outside of Illumio "table spaces."

Standard tampering detection behavior means that Illumio reviews external rule injections for policy impact. Illumio permits such injections only if it determines that no conflict with Illumio's defined policy is possible. Non-disruptive injections are tolerated.
Non-standard tampering detection behaviors are detailed in the Coexistence Mode by Operating System tables above.

Configure Firewall Coexistence

Note

You can configure firewall coexistence from either the PCE web console or the Illumio REST API.

Define a scope to specify the workloads you want Firewall Coexistence to apply to. The scope comprises the labels that identify your target workloads.

From the PCE web console menu, go to Settings > Security > Firewall Coexistence.
Click Edit.
Click Add.
From Scope, select the labels that identify the workloads you want Firewall Coexistence to apply to.
From Enforcement, select All, Enforced, or Illuminated (Visibility).
In the Illumio is Primary Firewall, select either Yes or No.
When finished, click Add.

Illumio Core 24.5 Administration Guide

Firewall Coexistence

Note

Important

Coexistence Mode by Operating System

Windows Server VEN

Windows Endpoint VEN

Linux IPTables

Linux nftables

Typical Firewall State on New Linux Installation

Solaris/AIX

macOS

Notes

Firewall Tampering Protection

Note

Configure Firewall Coexistence

Note

Search results