Deactivate and Unpair VENs
This topic describes how to deactivate and unpair VENs by operating system. Additionally, it explains the security implications for performing these tasks and makes recommendations on how to properly deactivate and unpair VENs.
See Effects of Unpairing VENs.
Deactivate Using the VEN Command Line
To deactivate the VEN, you must use the illumio-ven-ctl
command.
deactivate
breaks the PCE-to-workload connection but doesn't uninstall the VEN software (as unpair
would).
After deactivation, the workload reverts to its pre-Illumio native firewall settings.
Linux/AIX/Solaris
# /opt/illumio_ven/illumio-ven-ctl deactivate
Windows
<VEN Installation Directory>\illumio-ven-ctl.exe deactivate
Unpair Using the VEN Command Line
The unpair
command breaks the PCE-to-workload connection, and uninstalls the VEN software. The unpair
command gives you control over the post-unpair state, as described below.
Linux/AIX/Solaris
With illumio-ven-ctl unpair
, specify the post-unpair state for the VEN:
# /opt/illumio_ven/illumio-ven-ctl unpair [recommended | saved | open]
Note
On Linux, the unmanaged
option is not available.
Unpair Options on Linux/AIX/Solaris
recommended
: Uninstalls the VEN and temporarily allows only SSH/22 until reboot.Important
Security implications: When the workload is running a production application, it could break because this workload will no longer allow any connections to it other than SSH on port 22.
saved
: Uninstalls the VEN and reverts to pre-Illumio policy to the state before the VEN was first installed. Revert the state of the workload's iptables to the state before the VEN was installed. The dialog displays the amount of time that has passed since the VEN was installed.Important
Security implications: Depending on how old the iptables configuration is on the workload, VEN removal could impact the application.
open
: Uninstalls the VEN and leaves all ports on the workload open.Important
Security implications: When iptables or Illumio are the only security being used for the workload, the workload is open to anyone and becomes vulnerable to attack.
Windows
Issue illumio-ven-ctl.exe unpair
to specify the post-deactivation state for the VEN:
<VEN Installation Directory>\illumio-ven-ctl.exe unpair [recommended | saved | open | unmanaged]
Unpair Options for Windows VENs
Note
On Windows VENs, issuing the unpair
command without specifying an option simply uninstalls the VEN and removes the Illumio policy from the workload. (It has the same effect as specifying the saved
command).
recommended
: Temporarily allows only RDP/3389 and WinRM/5985,5986 until reboot.Important
Security implications: If the workload is running a production application, the application could break because the workload no longer allows any connections to it.
saved
: Uninstalls the VEN and removes the Illumio policy from the workload. It has the same effect as not specifying any option.Important
Security implications: Depending on how old the WFP configuration was on the workload, VEN removal could impact the application.
open
: Uninstalls the VEN and leaves all ports on the workload open.Important
Security implications: When WFP or the PCE are the only security being used for the workload, the workload is open to anyone and becomes vulnerable to attack.
unmanaged
: Use this option when removing a Windows VEN that has never been paired to a PCE; it will leave the firewall configuration unchanged.
Unpair Using System Commands
You can issue illumio-ven-ctl
(Linux/AIX/Solaris) or illumio-ven-ctl.exe
(Windows) to unpair the VEN.
Important
While it is possible to use the system uninstall
command to unpair the VEN, however it is not recommended. You should use that command only if you're unable to unpair with illumio-ven-ctl
or illumio-ven-ctl.exe
.
Linux
RPM:
rpm -e illumio-ven
DPKG:
dpkg -P illumio-ven
Windows
Use the Control Panel to uninstall the VEN.
AIX
installp -u illumio-ven
Solaris
pkgrm illumio-ven