Rule Writing
This section explains how to write various rules.
Permitted Rule Writing Combinations
The following table lists the valid combinations of Source, Service, and Destination in a rule.

If Source is | And Service is | Destination can be
---|---|---
Workload, All workloads, label, label group | Any service | Workload, IP list (including Any: 0.0.0.0/0 and ::/0), label, label group, user groups, All workloads
IP list | Any service | Workload, label, label group, user groups, All workloads
Uses virtual services | Not applicable (the service is derived from the virtual service) | Workload, label, label group, IP lists, All workloads, uses virtual services, uses virtual services and workloads
Uses virtual services and workloads | Any service | Workload, label, label group, IP lists, All workloads, uses virtual services, uses virtual services and workloads
Workload, All workloads, label, or label group | Any service | User groups plus one or more of the following: workload, All workloads, label, label group
Stateless Rules
By default, every rule you write in the PCE is stateful: the host's firewall tracks each connection for the duration of the session, so reply packets are matched to the request that was permitted.
For workloads, you can instead request stateless packet filtering for a rule by setting "stateless": true on the rule. The VEN then instructs the host's firewall not to keep connection state for traffic matched by that rule; each packet is evaluated on its own. Stateless rules are intended for data center core services that generate many short exchanges, such as DNS and NTP.
Caveats
In a stateless rule, only the following policy objects are permitted as Destinations:
An individual workload
A label (one of each label type, up to four in total)
Any IP list, plus All workloads
If you attempt to add any other Destination (for example, a label group, a virtual service, or a user group), the PCE returns an error.
Also be aware of the following when you enable stateless rules:
Linux traffic matched by a stateless rule is not logged in the PCE
Windows traffic matched by a stateless rule is logged in the PCE if connections are established
Traffic is also allowed in the opposite direction, because no connection state is kept and the firewall therefore cannot tell a reply from a new connection
Illumio Core limits the number of stateless rules to 100 so that stateful and stateless rules can coexist on the host without degrading system or network performance. If your policy needs more than 100 stateless rules, contact your Illumio Professional Services representative.
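The following is an added example, not Illumio's own code or tooling. It shows what a stateless rule body looks like when submitted to the PCE REST API and checks a draft rule against the Destination restrictions and the 100-rule limit described above, before the PCE rejects it. The field names (providers, consumers, ingress_services, stateless, and "actors": "ams" for All workloads) follow the public PCE REST API as understood by the author of this example and should be confirmed against your PCE version; every href, the label catalog, and the sample rules are constructed data.

```python
"""Build a stateless PCE rule and check it against the documented restrictions.

Added example, not Illumio's own code. Field names follow the public PCE REST
API as understood by this example's author (an assumption); all hrefs, the
label catalog and the sample rules are constructed data.
"""
from typing import Dict, List

MAX_STATELESS_RULES = 100  # limit stated in the documentation
UDP = 17                   # IP protocol number used in ingress_services

# Constructed label catalog: href -> label type. On a real PCE this would be
# read from GET /api/v2/orgs/<org_id>/labels (the "key" field of each label).
LABEL_TYPES: Dict[str, str] = {
    "/orgs/1/labels/101": "role",
    "/orgs/1/labels/102": "app",
    "/orgs/1/labels/103": "env",
    "/orgs/1/labels/104": "loc",
    "/orgs/1/labels/105": "role",  # second role label, used below to trip the check
}

ALL_WORKLOADS = {"actors": "ams"}
DNS_SERVERS = {"ip_list": {"href": "/orgs/1/sec_policy/draft/ip_lists/7"}}  # constructed href


def stateless_rule(destinations: List[dict], sources: List[dict],
                   port: int, proto: int) -> dict:
    """Return a rule body with stateless packet filtering turned on."""
    return {
        "enabled": True,
        "stateless": True,          # the setting this section describes
        "providers": destinations,  # API "providers" are Destinations in the UI
        "consumers": sources,       # API "consumers" are Sources in the UI
        "ingress_services": [{"port": port, "proto": proto}],
        "resolve_labels_as": {"providers": ["workloads"], "consumers": ["workloads"]},
    }


def check_stateless_destinations(rule: dict) -> List[str]:
    """Return the Destination problems the PCE would reject in a stateless rule.

    Permitted: one individual workload; labels, one per type and at most four;
    any IP list and All workloads. Label groups, virtual services and user
    groups are not permitted in a stateless rule.
    """
    if not rule.get("stateless"):
        return []  # stateful rules are not subject to these restrictions
    problems: List[str] = []
    workloads = 0
    seen: Dict[str, str] = {}  # label type -> href already used
    for actor in rule["providers"]:
        if "workload" in actor:
            workloads += 1
        elif "label" in actor:
            href = actor["label"]["href"]
            ltype = LABEL_TYPES.get(href)
            if ltype is None:
                problems.append(f"unknown label {href}")
            elif ltype in seen:
                problems.append(f"two {ltype} labels: {seen[ltype]} and {href}")
            else:
                seen[ltype] = href
        elif "ip_list" in actor or actor.get("actors") == "ams":
            continue  # any IP list, and All workloads, are permitted
        else:
            problems.append(f"not permitted as a stateless Destination: {sorted(actor)}")
    if workloads > 1:
        problems.append(f"{workloads} workloads listed; only one individual workload is permitted")
    if len(seen) > 4:
        problems.append(f"{len(seen)} labels listed; at most four are permitted")
    return problems


def stateless_rules_remaining(rules: List[dict]) -> int:
    """How many more stateless rules the 100-rule limit allows (negative if over)."""
    return MAX_STATELESS_RULES - sum(1 for r in rules if r.get("stateless"))


# Valid: all workloads may query the DNS servers over UDP/53 without state tracking.
DNS_RULE = stateless_rule([DNS_SERVERS], [ALL_WORKLOADS], port=53, proto=UDP)

# Invalid: two role labels and a label group as Destinations (constructed).
BAD_RULE = stateless_rule(
    [{"label": {"href": "/orgs/1/labels/101"}},
     {"label": {"href": "/orgs/1/labels/105"}},
     {"label_group": {"href": "/orgs/1/sec_policy/draft/label_groups/3"}}],
    [ALL_WORKLOADS], port=123, proto=UDP)

if __name__ == "__main__":
    print("DNS rule problems:", check_stateless_destinations(DNS_RULE))
    print("bad rule problems:", check_stateless_destinations(BAD_RULE))
    print("stateless rules left:", stateless_rules_remaining([DNS_RULE, BAD_RULE]))
```

Run the checker over a ruleset export before provisioning: it flags the Destination kinds the PCE would refuse and tells you how close the policy is to the 100-stateless-rule limit, which is easier to see here than one rule at a time in the UI.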
Warning
Existing connections that a stateless rule allows (for example, an SSH session) are terminated when the workload receives new rules from the PCE, and clients must re-establish them. For this reason, Illumio recommends stateless rules only for services that use high-frequency, short-lived connections, such as DNS and SNMP.