Connectivity Settings
This section describes how to modify PCE settings that affect connectivity.
Note
Permission to edit these settings depends on your role.
Private Data Centers
The PCE uses connectivity settings to decide whether workloads are allowed to communicate with each other in private datacenters, private clouds, and shared network environments (private datacenter and public cloud).
By default, the connectivity setting is Private Data Center. It is intended for workloads hosted in private datacenters where no two workloads share an IP address. If your environment hosts workloads both in your own private datacenter and in a public cloud, and you want to change this setting, contact Illumio Support.
Offline Timers
You can configure Offline Timers in Settings > Offline Timers and choose appropriate settings for your workloads.
Note
To configure Offline Timers, you must be the Global Organization Owner for your PCE or a member of the Global Administrator role.
Warning
Disabling the Offline Timer setting degrades your security posture: the PCE will not remove the IP addresses of disconnected workloads from the policy of the peer workloads that were allowed to communicate with them, so a host that later acquires one of those addresses inherits that access. To ensure that a disconnected workload's IP addresses are removed from policy, you must remove the workload from the PCE.
The PCE isolates a workload from the other workloads when the workload goes offline. The VEN sends a heartbeat message to the PCE every 5 minutes and a goodbye message when it is gracefully shut down. The PCE marks a workload offline when either of these conditions occurs:
The PCE has not received a heartbeat message from the VEN for the configured period of time (default or custom).
The PCE receives a goodbye message from the VEN.
Under the following conditions, you can change the default Offline Timer settings before putting your workloads in enforcement:
The default setting might potentially disrupt your critical applications.
Application availability is more important than security.
Note
How you configure this setting is a tradeoff: a longer timer gives a temporarily unreachable workload a longer window in which it keeps its policy and causes no policy churn for its peers, but it also lengthens the window in which the workload's IP addresses remain in policy and could be reused by another host. Weigh the operational and security benefits and choose a balance suitable for your applications.
Decommission and IP Cleanup Timer
Sets how much time must elapse before a managed workload is marked "offline" after it sends a goodbye message. By default, the High Security setting is:
Server VENs: 15 minutes
Endpoint VENs: 24 hours
Wait 1 hour/1 day - High Security (Default)
The PCE performs the following actions:
Listens for goodbye messages from the VEN.
As soon as the timer elapses after a goodbye message, removes those workloads' IP addresses from its active policy.
Pushes an updated policy to the peer workloads that were previously allowed to communicate with the removed workloads.
Never remove IP addresses - Highest Availability
This setting has the following effect on the PCE:
Ignores goodbye messages from workloads.
Keeps all IP addresses in policy and never automatically removes unused IP addresses.
Requires you to remove unused IP addresses yourself, by removing the disconnected workloads from the PCE.
Custom Timeout
Enter a time period (minimum: 0 seconds).
The PCE performs the following actions:
Listens for Goodbye messages from the VEN.
Waits the specified time period, then removes those workloads' IP addresses from its active policy.
Pushes an updated policy to the peer workloads that were previously allowed to communicate with the removed workloads.
Disconnect and Quarantine Timer
Sets how much time must elapse before a managed workload is marked "offline" after the PCE has received no heartbeat from the VEN. By default, the High Security setting is:
Server VENs: 60 minutes
Endpoint VENs: 24 hours
Wait 1 hour/1 day - High Security (Default)
The PCE performs the following actions:
Waits for the configured time to receive a heartbeat from the disconnected workloads and then quarantines workloads that do not respond within that time period.
Removes the quarantined workloads' IP addresses from its active policy.
Pushes an updated policy to the peer workloads that were previously allowed to communicate with the quarantined workloads.
Never remove IP addresses - Highest Availability
This setting has the following effect on the PCE:
Never disconnects or quarantines workloads that fail to heartbeat.
Keeps all IP addresses in policy and never automatically removes unused IP addresses.
Requires you to remove unused IP addresses yourself, by removing the disconnected workloads from the PCE.
Custom Timeout
Enter a time period (minimum: 300 seconds).
The PCE performs the following actions:
Waits for the specified time period for the VEN to heartbeat.
Quarantines those workloads that do not respond within that time period.
Removes the quarantined workloads' IP addresses from its active policy.
Pushes an updated policy to the peer workloads that were previously allowed to communicate with the quarantined workloads.
Disconnect and Quarantine Warning
Sets how much time must elapse before the PCE emits a warning event to indicate that the VEN missed heartbeats. The server VEN will appear in a warning state on the VEN pages.
The default settings are:
Server VENs: Wait one-quarter of the Disconnect and Quarantine Timer.
Endpoint VENs: Disabled.
Wait one-quarter of the Disconnect and Quarantine Timer - (Default) (applies to Server VENs only)
The PCE performs the following actions:
Waits one-quarter of the Disconnect and Quarantine Timer for the server VEN to heartbeat, then emits a warning event indicating that the server VEN has missed heartbeats. The server VEN appears in a warning state on the VEN pages.
If the Disconnect and Quarantine Timer is set to Never remove IP addresses - Highest Availability, there is no timer to take a quarter of, and the PCE emits the warning event 15 minutes after the last VEN heartbeat.
If you set a custom Disconnect and Quarantine Timer of 20 minutes or less, one-quarter of it is no longer than the 5-minute heartbeat interval, so the PCE emits the warning event when 5 minutes have passed since the last heartbeat without a new one. The VEN appears in a warning state on the VEN pages.
Custom Timeout (applies to Server and Endpoint VENs)
Enter a time period greater than 5 minutes (300 seconds) and less than the value specified for the Disconnect and Quarantine Timer.
The PCE performs the following actions:
Waits the specified time period for the VEN to heartbeat, then emits a warning event.
VENs that have not heartbeated within that period appear in a warning state on the VEN pages.
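The rules above are easier to reason about as code. The following is an added example, not Illumio's implementation: it models the heartbeat, warning, quarantine and decommission behaviour exactly as the page states it (5-minute heartbeat, one-quarter warning rule with its 15-minute and 5-minute special cases, 300-second custom minimum), so you can evaluate a candidate timer setting and see how long a silent workload's addresses stay in peers' policy before applying it. The `Timers` class, its field names and the state names are this example's own.

```python
"""Model of the PCE Offline Timer semantics described on this page.

Added example, not Illumio code. `Timers`, its field names and the
state strings are assumptions made for this model.
"""
from dataclasses import dataclass
from typing import Optional, Union

HEARTBEAT_INTERVAL = 5 * 60   # the VEN heartbeats every 5 minutes
MIN_DISCONNECT = 300          # custom Disconnect and Quarantine minimum (seconds)
NEVER = None                  # "Never remove IP addresses - Highest Availability"
DEFAULT_WARNING = "quarter"   # warn after one-quarter of the disconnect timer


@dataclass(frozen=True)
class Timers:
    disconnect_quarantine: Optional[int]               # seconds, or NEVER
    decommission_cleanup: Optional[int]                # seconds, or NEVER
    warning: Union[int, str, None] = DEFAULT_WARNING   # seconds, "quarter", or None (disabled)

    def __post_init__(self) -> None:
        d = self.disconnect_quarantine
        if d is not NEVER and d < MIN_DISCONNECT:
            raise ValueError("Disconnect and Quarantine custom timeout must be >= 300 s")
        if self.decommission_cleanup is not NEVER and self.decommission_cleanup < 0:
            raise ValueError("Decommission and IP Cleanup custom timeout must be >= 0 s")
        w = self.warning
        if isinstance(w, int) and (w <= 300 or (d is not NEVER and w >= d)):
            raise ValueError("custom warning must be > 300 s and < the disconnect timer")


# Defaults as stated on the page.
SERVER_DEFAULTS = Timers(60 * 60, 15 * 60, DEFAULT_WARNING)
ENDPOINT_DEFAULTS = Timers(24 * 3600, 24 * 3600, None)


def warning_delay(t: Timers) -> Optional[int]:
    """Seconds of missed heartbeats before the PCE emits a warning event (None = disabled)."""
    if t.warning is None:
        return None
    if isinstance(t.warning, int):
        return t.warning
    if t.disconnect_quarantine is NEVER:
        return 15 * 60                  # no timer to quarter: warn 15 min after last heartbeat
    if t.disconnect_quarantine <= 20 * 60:
        return HEARTBEAT_INTERVAL       # a quarter would be <= one heartbeat interval
    return t.disconnect_quarantine // 4


def ven_state(t: Timers, now: int, last_heartbeat: int,
              goodbye_at: Optional[int] = None) -> str:
    """State the PCE assigns at `now` (epoch seconds): online, warning, quarantined, offline."""
    if goodbye_at is not None:
        if t.decommission_cleanup is NEVER:
            return "online"             # goodbye ignored; addresses stay in policy
        if now - goodbye_at >= t.decommission_cleanup:
            return "offline"            # addresses cleaned up, peers receive new policy
        return "online"
    silence = now - last_heartbeat
    if t.disconnect_quarantine is not NEVER and silence >= t.disconnect_quarantine:
        return "quarantined"            # addresses removed from active policy
    w = warning_delay(t)
    if w is not None and silence >= w:
        return "warning"
    return "online"


def ip_reuse_window(t: Timers) -> Optional[int]:
    """Longest time a silent workload's addresses remain in peers' policy (None = forever)."""
    return t.disconnect_quarantine


if __name__ == "__main__":
    for name, t in (("server", SERVER_DEFAULTS), ("endpoint", ENDPOINT_DEFAULTS)):
        print(name, "warning after", warning_delay(t), "s; IP reuse window", ip_reuse_window(t), "s")
    now = 100_000
    for silence in (600, 900, 3600):
        print(f"server silent {silence}s ->", ven_state(SERVER_DEFAULTS, now, now - silence))
```

Running it with the endpoint defaults shows the availability side of the tradeoff: a laptop that is off the network for 23 hours keeps its addresses in every peer's policy for that whole time.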
Set the IP Version for Workloads
This section describes how to enforce a preference for IPv4 over IPv6 addresses.
Change Linux Workloads to Prefer IPv4
To ensure that your paired Linux VEN workloads prefer IPv4 over IPv6 addresses in your PCE organization, edit the /etc/gai.conf file on the VEN by adding the following line:
precedence ::ffff:0:0/96 100
This raises the precedence of IPv4-mapped addresses, so getaddrinfo() library calls return IPv4 addresses before IPv6 addresses.
This method works when your workloads have IPv4 addresses. It does not help when a workload has only IPv6 addresses (no IPv4 address on the host) or when the installed software is hard-coded to use IPv6, because in those cases there is no IPv4 address for the resolver to prefer.
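An added example, not part of Illumio's documentation or tooling: a small Python script that applies the gai.conf change idempotently (it will not append a second rule on a re-run, and it replaces an active rule that uses a different value) and then reports the address families in the order getaddrinfo() returns them for a host, which is the check to run after the edit. `ensure_prefer_ipv4`, `update_gai_conf` and `address_order` are names chosen for this example; writing /etc/gai.conf requires root.

```python
"""Apply the IPv4-preference rule to gai.conf and verify the resolver order.

Added example, not Illumio or glibc code. Function names are this example's.
"""
import re
import socket
import sys
from typing import List

PREFER_IPV4 = "precedence ::ffff:0:0/96 100"
# An active (uncommented) precedence rule for the IPv4-mapped prefix, any value.
_RULE = re.compile(r"^\s*precedence\s+::ffff:0:0/96\s+(\d+)\s*$")


def ensure_prefer_ipv4(conf_text: str) -> str:
    """Return conf_text with exactly one active IPv4-preference rule.

    Commented-out lines (the shipped file comments out its defaults) are left
    alone; an active rule with another value is rewritten; duplicates are
    dropped; the rule is appended if no active rule exists.
    """
    out: List[str] = []
    done = False
    for line in conf_text.splitlines():
        if _RULE.match(line):
            if not done:
                out.append(PREFER_IPV4)
                done = True
            continue
        out.append(line)
    if not done:
        out.append(PREFER_IPV4)
    return "\n".join(out) + "\n"


def update_gai_conf(path: str = "/etc/gai.conf") -> bool:
    """Rewrite the file in place; True if it changed. Creates it if absent."""
    try:
        with open(path, encoding="utf-8") as f:
            before = f.read()
    except FileNotFoundError:
        before = ""
    after = ensure_prefer_ipv4(before)
    if after == before:
        return False
    with open(path, "w", encoding="utf-8") as f:
        f.write(after)
    return True


def address_order(host: str) -> List[str]:
    """Distinct address families in the order getaddrinfo() returns them.

    After the change you expect ['AF_INET', 'AF_INET6'] for a dual-stack host;
    an IPv6-only host still returns ['AF_INET6'], which is the caveat above.
    """
    seen: List[str] = []
    for family, *_ in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP):
        if family.name not in seen:
            seen.append(family.name)
    return seen


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    if "--apply" in sys.argv:
        print("gai.conf changed:", update_gai_conf())
    print(host, "->", address_order(host))
```

Run it once without `--apply` to record the current order, then with `--apply` (as root) and again without, so you have before-and-after evidence for the workload. A process that has already started keeps whatever order it resolved with, so long-running services may need a restart to pick up the change.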
Change Windows Workloads to Prefer IPv4
When you choose to allow only IPv4 traffic for your PCE organization, the VENs on your workloads drop IPv6 traffic when they are in Enforced mode. This decision can lead to delays and communication failures in applications because applications will wait for IPv6 connection attempts to time out before attempting to connect over IPv4.
The problem occurs because, by default, the Windows OS prefers IPv6 over IPv4 and will attempt to connect over IPv6 before IPv4. As a workaround, you can change the order of connection attempts so that IPv4 is preferred over IPv6. With this change, applications will connect over IPv4 first and succeed or fail as governed by the workload's firewall policies.
For information about changing the connection order to prefer IPv4 over IPv6, see the Microsoft KB article Guidance for configuring IPv6 in Windows for advanced users.
As explained in the KB article, run the following command and reboot the Windows workload:
reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 0x20
To avoid rebooting the Windows workload, run the following commands:
netsh interface ipv6 delete prefixpolicy ::ffff:0:0/96
netsh interface ipv6 add prefixpolicy ::ffff:0:0/96 60 4
Manage Security Settings
You can manage security settings by accessing the page Settings > Security:
Security for | Setting | Option | Description
---|---|---|---
VENs (versions 20.2.0 and higher) | IPv6 traffic | Allow IPv6 traffic | Allowed based on policy
VENs (versions 20.2.0 and higher) | IPv6 traffic | Block IPv6 traffic | Blocked only in the Enforcement state. Always allowed on AIX and Solaris workloads
VENs (versions lower than 20.2.0) | IPv6 traffic | Allow IPv6 traffic | All IPv6 traffic allowed
VENs (versions lower than 20.2.0) | IPv6 traffic | Block IPv6 traffic | Blocked only in the Enforcement state. Always allowed on AIX and Solaris workloads
IKE Authentication | Authentication type | PSK | Use pre-shared keys for authentication
IKE Authentication | Authentication type | Certificate | Use certificates for authentication
Public cloud configuration | NAT Detection | Private Data Center or Public Cloud with 1:1 NAT (default) | For workloads in a known public cloud (such as AWS or Azure), the public IP address of the workload as seen by the PCE is distributed in policy along with the IP addresses of the workload's interfaces. Use this setting only if no public cloud workloads share an SNAT IP address for egress traffic; a shared address would be attributed to every workload behind it.
Public cloud configuration | NAT Detection | Public Cloud with SNAT/NAT Gateway (recommended if you use a NAT gateway in AWS or Azure, or the default outbound access in Azure) | The PCE ignores the public IP address of the workload in policy computation. Use this setting where workloads in a known public cloud (e.g. AWS or Azure) reach other workloads or the PCE outside the VPC or cloud through an SNAT IP address or SNAT pool (e.g. a NAT Gateway in AWS), because the public IP seen by the PCE is not specific to any workload. Only the IP addresses of the network interfaces on the workload (usually the private IP addresses) are distributed in policy.
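The NAT Detection choice is worth checking against your inventory before you rely on the default. The following is an added example, not Illumio code: it models the two modes as the table describes them (the 1:1 NAT mode adds the public IP the PCE observed to the addresses distributed for the workload; the SNAT/NAT Gateway mode distributes only the interface addresses) and flags any public IP that more than one workload presents, since that is exactly the case in which the 1:1 NAT mode attributes one shared address to several workloads. The `Workload` record, the sample inventory and the function names are constructed for this example and are not the PCE API's representation of a workload.

```python
"""Pre-check for the NAT Detection setting described in the table above.

Added example, not Illumio code. The Workload record, function names and
the sample inventory are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from itertools import combinations
from typing import Dict, List, Set, Tuple

NAT_1_TO_1 = "Private Data Center or Public Cloud with 1:1 NAT"
SNAT_GATEWAY = "Public Cloud with SNAT/NAT Gateway"


@dataclass(frozen=True)
class Workload:
    name: str
    interface_ips: Tuple[str, ...]   # addresses configured on the workload's NICs
    observed_public_ip: str          # source address the PCE saw the VEN connect from


def policy_ips(w: Workload, mode: str) -> Set[str]:
    """Addresses the PCE would distribute to peers for this workload under `mode`."""
    ips = {str(ip_address(a)) for a in w.interface_ips}
    if mode == NAT_1_TO_1:
        ips.add(str(ip_address(w.observed_public_ip)))   # public IP is attributed to the workload
    elif mode != SNAT_GATEWAY:
        raise ValueError(f"unknown NAT Detection mode: {mode}")
    return ips


def shared_public_ips(inventory: List[Workload]) -> Dict[str, List[str]]:
    """Public addresses presented by more than one workload, i.e. a shared SNAT IP."""
    owners: Dict[str, List[str]] = {}
    for w in inventory:
        owners.setdefault(str(ip_address(w.observed_public_ip)), []).append(w.name)
    return {ip: names for ip, names in owners.items() if len(names) > 1}


def recommended_mode(inventory: List[Workload]) -> str:
    """1:1 NAT is only safe when every observed public IP belongs to exactly one workload."""
    return SNAT_GATEWAY if shared_public_ips(inventory) else NAT_1_TO_1


def overlapping_pairs(inventory: List[Workload], mode: str) -> List[Tuple[str, str, Set[str]]]:
    """Workload pairs whose distributed address sets overlap.

    A rule written for one workload in such a pair also admits traffic that
    arrives from the shared address, whichever workload behind the NAT sent it.
    """
    out: List[Tuple[str, str, Set[str]]] = []
    for a, b in combinations(inventory, 2):
        common = policy_ips(a, mode) & policy_ips(b, mode)
        if common:
            out.append((a.name, b.name, common))
    return out


# Constructed sample inventory using RFC 5737 documentation addresses.
SAMPLE = [
    Workload("web1", ("10.0.1.10",), "203.0.113.7"),   # both web nodes egress
    Workload("web2", ("10.0.1.11",), "203.0.113.7"),   # through one NAT gateway
    Workload("db1", ("10.0.2.5",), "198.51.100.9"),    # dedicated 1:1 public IP
]

if __name__ == "__main__":
    print("shared public IPs:", shared_public_ips(SAMPLE))
    print("recommended NAT Detection mode:", recommended_mode(SAMPLE))
    for a, b, ips in overlapping_pairs(SAMPLE, NAT_1_TO_1):
        print(f"under 1:1 NAT, {a} and {b} would both carry {sorted(ips)} in policy")
```

Feed it the interface addresses and the public address the PCE reports for each VEN; a non-empty `shared_public_ips` result is the signal to switch to the SNAT/NAT Gateway setting.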
Enable IP Forwarding
Note
For Linux VENs only
In PCE versions earlier than 21.5.10, IP forwarding is automatically enabled for hosts in a container cluster that is reported by Kubelink to the PCE or hosts explicitly set to use the Container Inherit Host Policy feature.
Starting in PCE version 21.5.10, you can enable IP forwarding on hosts without using any container segmentation features. To enable this feature, contact Illumio Support.
In the PCE web console, choose Settings > Security > IP Forwarding.
The IP Forwarding tab appears only if the feature is enabled.
Note
The feature must be enabled on the PCE through the PCE API before the IP Forwarding tab appears as an option in the Security menu.
In this tab, you can use labels and label groups to enable IP forwarding for the workloads that match the label combination.
Use combinations of Role, Application, Environment, and Location labels and label groups in the same way that you would to specify workloads for any other purpose. For example, in a Rule or any of the tabs under the Security Settings page.
Workloads with IP forwarding enabled configure the host firewall to allow all forwarded traffic, including traffic that merely transits the host on its way elsewhere, without applying policy to it or providing visibility into it. Scope the label combination narrowly: every workload that matches it becomes a path through which traffic can cross the host unsegmented.