Rulesets
You can use rulesets to write policies so the workloads in your application can communicate. A ruleset consists of rules and scopes:
Rules define which workloads are allowed to communicate.
Scopes define which workloads the rules are applied to.
Basic versus Scoped Rulesets
You have the option to create basic or scoped rulesets. Choose whether you want to include scopes when creating new rulesets.
When the PCE is configured to create scopeless rulesets, you create simple rules that do not apply to specific environments, locations, applications, or other categories you may have defined using flexible label types. Such rules are scopeless because they do not belong to a ruleset that uses scopes.
You might want to create basic rules when you are new to using Illumio Core and creating your first security policy rules, such as creating a simple rule to control SSH traffic for all your workloads. As you become more familiar with Illumio Core or you need to create more complicated rules, you can create scoped rules: intra-scope, extra-scope, and custom iptables rules.
Creating scoped rules allows you to create rulesets and rules that are defined for specific environments, locations, applications (typically larger environments), or other categories you define in flexible label types.
When the PCE is configured to create scopeless rulesets, you can still add a scope to a ruleset after saving the ruleset. Select a rule in the ruleset and click Add Scope.
Scopeless rulesets in PCE web console
The following details apply to scopeless rulesets in the PCE web console:
An option in the Policy Settings page determines whether new rulesets are created with or without scopes. However, the permission every Illumio Core user has to create rulesets is always based on the scopes they can access, even when the PCE is configured to create scopeless rulesets.
Disabling scopes in rulesets does not invalidate the Ruleset Manager or Ruleset Provisioner roles used for user authentication or Role-Based Access Control (RBAC). For more information about these roles, see "PCE Organization and Users" in the PCE Administration Guide.
When the PCE is configured to create scopeless rules, the Ruleset details page for a ruleset displays a single Rules tab where you add basic rules, including container hosts as Destination.
When you add a scope to a scopeless ruleset after creating the ruleset, the page refreshes and displays separate tabs for intra-scope and extra-scope rules. If any rules include container hosts as Destinations, those rules are moved to one of the scoped tabs. Adding custom iptables rules is not available for scopeless rulesets. To create custom iptables rules, you must add a scope to the ruleset.
When you remove all scopes from a ruleset, the PCE merges the intra-scope and extra-scope rules into a single Rules tab. However, any custom iptables rules created in the ruleset remain in their own tab.
Ruleset Scope
The scope of a ruleset determines which workloads receive the ruleset's rules and enables the rules in a ruleset to apply to workloads in a group (one scope).
When workloads share the same set of labels defined in a ruleset's scope, those workloads receive all the rules from the ruleset. When you add a second scope, all the workloads within both scopes receive the rules from the ruleset.
A single scope is defined by using labels that identify the workload:
Application: To which application (for example, ERP or HRM) do these workloads belong?
Environment: Which type of environment (for example, development, production, or testing) describes these workloads?
Location: Where are these workloads physically located (for example, rack server or AWS) or geographically (for example, US, EU, or CA)?
Flexible labels: If you have defined custom label types, you can use them to define a scope.
A scope (or collection of workloads that the rules are applied to) is defined as ERP | Prod | US, which means that the rules apply to any workload that meets the following three requirements:
Workloads in the ERP application
Workloads in the Prod (Production) environment
Workloads in the US location
That example is relatively simple, but combining rules and scopes can create complex security policies.
Single ruleset scopes
Using a single scope in a ruleset narrows the list of workloads that the rules apply to and allows workload cross-communication.
When you are defining rules, you have the option of using the “All” label in the scope. The “All” label applies to all instances of that label type (Application, Environment, Location, or a flexible label type you have defined). For example, creating a rule with a scope of “All | All | All” means that the rule applies to all workloads.
When you create a rule with a scope of “HRM | All | US,” this rule applies only to workloads using the HRM and US labels, regardless of Environment (“All”). For example, the following ruleset:
Multiple ruleset scopes
Using multiple scopes in a ruleset applies the rules to each scope in isolation and does not allow workload cross-communication.
Labels in scopes and rules
When the same label is used multiple times in a rule, it is expanded to multiple rules with one label for each rule.
The following examples further demonstrate how scopes work with rules.
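The following block is an added example, not Illumio's code: a small Python model of the scope semantics described above. It assumes three label types (Application, Environment, Location), treats "All" as a wildcard for a label type, evaluates each scope of a multi-scope ruleset in isolation so that no cross-scope pairs appear, and expands a rule that lists several labels of one type into one rule per label. The workload names and labels are constructed sample data.

```python
# Added example (not Illumio's code): how a ruleset scope selects workloads,
# why multiple scopes do not allow cross-communication, and how a rule that
# repeats a label type is expanded into several rules.
from itertools import product

ALL = "All"  # the "All" label matches every value of that label type
LABEL_TYPES = ("app", "env", "loc")

# Constructed sample workloads, labelled Application | Environment | Location.
WORKLOADS = {
    "erp-web-1":  {"app": "ERP", "env": "Prod", "loc": "US"},
    "erp-db-1":   {"app": "ERP", "env": "Prod", "loc": "US"},
    "erp-web-eu": {"app": "ERP", "env": "Prod", "loc": "EU"},
    "erp-dev-1":  {"app": "ERP", "env": "Dev",  "loc": "US"},
    "hrm-app-1":  {"app": "HRM", "env": "Prod", "loc": "US"},
    "hrm-test-1": {"app": "HRM", "env": "Test", "loc": "US"},
}

def in_scope(labels, scope):
    """A workload is in a scope when every label type matches or the scope says All."""
    return all(scope[t] == ALL or scope[t] == labels[t] for t in LABEL_TYPES)

def workloads_in_scope(scope, workloads=WORKLOADS):
    """Names of the workloads that receive the rules of a ruleset with this scope."""
    return sorted(name for name, labels in workloads.items() if in_scope(labels, scope))

def allowed_pairs(scopes, workloads=WORKLOADS):
    """Model of an intra-scope rule: every workload in a scope may talk to every
    other workload in the same scope.  Each scope is evaluated on its own, so a
    ruleset with several scopes never produces a pair that crosses scopes."""
    pairs = set()
    for scope in scopes:
        members = workloads_in_scope(scope, workloads)
        pairs.update((src, dst) for src in members for dst in members if src != dst)
    return pairs

def expand_rule(rule):
    """A rule whose fields list several labels of one type (e.g. Source env Prod
    and Dev) is expanded into one rule per combination, each with a single label."""
    fields = list(rule)
    return [dict(zip(fields, combo)) for combo in product(*(rule[f] for f in fields))]

if __name__ == "__main__":
    erp_prod_us = {"app": "ERP", "env": "Prod", "loc": "US"}
    hrm_all_us = {"app": "HRM", "env": ALL, "loc": "US"}
    print("ERP | Prod | US ->", workloads_in_scope(erp_prod_us))
    print("HRM | All | US  ->", workloads_in_scope(hrm_all_us))
    print("pairs with both scopes:", sorted(allowed_pairs([erp_prod_us, hrm_all_us])))
    print(expand_rule({"src_env": ["Prod", "Dev"], "dst_app": ["ERP"]}))
```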
Note
When the service in a rule is DNS, the Destination must be in IP Lists,
Manage Rulesets
In this section, you will learn how to enable or disable scopes for rulesets, view ruleset status, and create rulesets.
Create a Ruleset
You can create a ruleset to write rules that define the allowed communication between workloads in a single group or multiple groups.
When you write a rule for a Windows workload, you can add a Windows service name without specifying a port or protocol. The rule will allow communication for that service over any port and protocol.
Note
Illumio recommends creating no more than 500 rules per ruleset; beyond that, the PCE web console cannot display all of the rules.
If you want to create a ruleset with more than 500 rules, split the rules across multiple rulesets or use the REST API, which has no limit on the number of rules per ruleset.
The following task creates a single scope, which means the rules in the ruleset apply to a single group. To apply the rules to another group, add a second scope using that group's labels.
You can use a template or create a ruleset from scratch.
Create a Ruleset from Scratch
Choose Policies > Add.
In the Add Ruleset dialog, enter the name and description of the ruleset.
In Scope, select the labels for the ruleset: Application, Environment, Location, or any custom label types you have defined using Flexible Labels.
These labels define the scope of the ruleset, which is its range or boundary. The scope defines the workloads affected by this ruleset: all workloads that share the labels in the scope.
Note
The Scope field only appears when the PCE is configured to display it.
Add a Ruleset from a Template
Choose Policies > Add.
To create a ruleset from a template, you have the following choices:
Ransomware: This creates a set of deny rules for services and ports frequently used by ransomware to spread across the environment.
Inbound Admin Access: This creates a set of rules for inbound traffic using SSH and RDP services and ports (including Jump boxes).
Outbound Admin Access: This creates a set of rules for outbound traffic using SSH and RDP services and ports.
Block Internet Access: This creates a deny rule that restricts all outbound traffic to the internet.
Active Directory: This creates a set of rules for default services and ports for domain controllers in your environment.
ICMP: This creates rules for Internet Control Message Protocol (ICMP), which is used for network maintenance and troubleshooting.
Select one of the templates and click Next.
Add a Ruleset for Ransomware
When you select the Ransomware template, a list of the existing deny rules is displayed.
You can confirm the selection and save, or edit the Sources, Destinations, or Destination Services of any deny rule.
To edit the Source, click on the specific Source link, and the next page will show whether the source can be edited. For example, a default IP List cannot be edited or removed.
To edit a Destination, click on the specific Destination link.
Click Add to add new members to the label group.
Select as many new members from the dropdown list as you wish.
Click Ok.
The Label Groups page now includes the added new members.
Click Provision to get this addition provisioned.
You can use this same page to remove any existing label groups.
To edit the Destination Service, click on the specific link in that group.
On the Services page, click Edit.
Change the Description, Protection Severity, or Attributes.
RANSOMWARE PROTECTION: Choose one of the severity levels: None, Low, Medium, High, or Critical.
ATTRIBUTES: Use the Service Definitions option to add or remove ports and/or protocols.
Add a Ruleset for Inbound Admin Access
When you select the Inbound Admin Access template, a list of the existing rulesets and deny rules is displayed.
RULESET x
You can edit the name or scope for each ruleset on the rulesets page.
Scope displays whether the ruleset contains extra-scope or intra-scope rules.
Edit Sources, Destinations, and/or Destination Services for any existing extra- or intra-scope rules (when allowed).
DENY RULES
Names of the Deny rules are not editable.
Sources and Destinations of the Deny rules are not editable either.
The Destination Services page shows general information and attributes. To edit the service, click Edit.
GENERAL: You can edit both the name and the description.
RANSOMWARE PROTECTION: Choose one of the severity levels: None, Low, Medium, High, or Critical.
ATTRIBUTES: Use the option Service Definitions to add or remove ports and/or protocols.
Add a Ruleset for Outbound Admin Access
For the outbound admin access, there are only Deny rules.
DENY RULES
Names of the Deny rules are not editable.
Sources are editable, and you can add new members to the label groups using the dropdown list.
You can also remove any of the existing members of the label group.
Add a Ruleset that Blocks Internet Access
You can add a deny rule restricting all outbound traffic to the internet.
DENY RULES
Names of the Deny rules are not editable.
Sources (applications) can be edited by adding new label group members from the dropdown list.
Destinations (a list of IP addresses) can be edited by removing any of the existing IP addresses with the trash icon that appears after you double-click the address. To add an FQDN, type or paste the fully qualified domain name in the FQDN field.
Once the changes are in, click Confirm and Save.
Add a Ruleset for Active Directory
You can add a ruleset for default services and ports for domain controllers.
In the Rules for Active Directory page:
The Name of the ruleset is editable.
The scope of the ruleset is editable: add any existing label groups using the dropdown list.
Intra-scope rules in the ruleset:
Sources:
Sources denoted by (all): the rules are not editable.
Sources denoted by (any): the rules' Destinations and Destination Services are editable.
Once the changes are in, click Confirm and Save.
Add a Ruleset for ICMP
You can add a ruleset for ICMP (Internet Control Message Protocol).
RULESET x
The Name of the ruleset is editable.
The scope of the ruleset is editable in the following instances:
Rules denoted by (all): the rule is not editable.
Rules denoted by (any): the rule's Destination Services are editable.
Once the changes are in, click Confirm and Save.