
Security Policy Guide 25.2.10

About Provisioning

Provisioning is the process of applying security policy changes from the Policy Compute Engine (PCE) to the Virtual Enforcement Nodes (VENs) on managed workloads. These changes define the enforcement behavior for workloads using iptables and nftables (Linux) or WFP (Windows), allowing Illumio to maintain a consistent and scalable segmentation policy.

When you provision updates, the PCE recalculates any changes made to policies, IP lists, services, label groups, and security settings and then transmits those changes to all VENs installed on your workloads.

When your PCE has changes that need to be provisioned, the orange badge on the Provision button indicates the number of changes that require provisioning.

Provisioning applies changes such as:

  • New or modified policy rules

  • Label and label group updates

  • Virtual service and service definitions

  • Policy scope or global settings changes

  • Static policy assignments

How Provisioning Works Internally

Provisioning works in stages that follow one another:

  1. Database commit: the PCE first records and commits the changes to the following objects:

    Policy rules (Allow, Deny, Override Deny, Custom iptables)

    Labels and Label Groups

    Virtual Services and Services

    Policy scopes and global settings

  2. Policy Calculation: where the PCE matches policy objects and rules against workloads using label-based scopes.

    Virtual Services and Services are resolved to port and traffic definitions.

    Workload-specific rule sets are generated based on which rules match their labels.

  3. IP Resolution and Rule Compilation: labels are mapped to IP addresses and interfaces.

    Final iptables (Linux) or WFP (Windows) rules are compiled per workload.

  4. Distribution to VENs: VENs receive policy update notifications.

    Affected VENs securely retrieve and enforce their updated rules.
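The following is an added illustrative model of stages 2 through 4, not Illumio's own code: label-based rule scopes are matched against workloads, matching rules are compiled into per-workload inbound allow rules with the consumers' labels resolved to IPs, and only workloads whose compiled rule set changed are flagged as needing a new policy. All workload names, labels, IPs and rules are constructed sample data.

```python
"""Constructed model of label-scope matching, IP resolution and
affected-workload detection (added example, not Illumio's implementation)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Label = Tuple[str, str]  # (key, value), e.g. ("role", "web")

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: FrozenSet[Label]

@dataclass(frozen=True)
class Rule:
    consumers: FrozenSet[Label]  # scope of workloads allowed to initiate
    providers: FrozenSet[Label]  # scope of workloads that accept the traffic
    port: int
    proto: str = "tcp"

def matches(scope: FrozenSet[Label], wl: Workload) -> bool:
    """A scope matches a workload only if every scope label is on it."""
    return scope <= wl.labels

def compile_inbound(rules: List[Rule], workloads: List[Workload]) -> Dict[str, List[str]]:
    """Stages 2 and 3: for each provider workload, emit one rule per consumer IP.
    The strings stand in for the iptables/WFP rules a VEN would install."""
    out: Dict[str, List[str]] = {wl.name: [] for wl in workloads}
    for r in rules:
        consumer_ips = sorted(wl.ip for wl in workloads if matches(r.consumers, wl))
        for p in (wl for wl in workloads if matches(r.providers, wl)):
            out[p.name].extend(f"allow {r.proto}/{r.port} from {ip}" for ip in consumer_ips)
    return {name: sorted(set(v)) for name, v in out.items()}

def affected(old: Dict[str, List[str]], new: Dict[str, List[str]]) -> List[str]:
    """Stage 4: only workloads whose compiled rule set changed need an update."""
    return sorted(name for name in new if old.get(name) != new[name])

# Constructed sample inventory and a single prod web -> prod db rule.
WORKLOADS = [
    Workload("web1", "10.0.1.10", frozenset({("role", "web"), ("env", "prod")})),
    Workload("web2", "10.0.1.11", frozenset({("role", "web"), ("env", "prod")})),
    Workload("db1", "10.0.2.10", frozenset({("role", "db"), ("env", "prod")})),
    Workload("db-dev", "10.0.9.10", frozenset({("role", "db"), ("env", "dev")})),
]
RULES = [Rule(frozenset({("role", "web"), ("env", "prod")}),
              frozenset({("role", "db"), ("env", "prod")}), 5432)]

if __name__ == "__main__":
    before = compile_inbound([], WORKLOADS)
    after = compile_inbound(RULES, WORKLOADS)
    print(after["db1"], affected(before, after))
```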

Full Provisioning

Full provisioning applies all pending policy changes to every impacted workload.

  • It is used to roll out standard policies and for large-scope updates that involve multiple rules or labels.

  • With full provisioning, all impacted workloads receive updated rules.

Selective Provisioning (Quick Provision)

This type of provisioning applies changes to a single object (e.g., a specific rule, label, or service).

  • It is used for urgent updates (e.g., emergency deny rules) and controlled test deployments.

  • To quick-provision an object, click the Quick Provision button in that object's view.

Provisioning in Static Policy Mode

Static Policy allows provisioning to stage rules on workloads without enforcing them until they are explicitly applied. This enables testing and controlled rollout in sensitive environments.

  • Provisioned rules are staged but not enforced, and the Workloads display "Staged" status.

  • Administrators must manually click Apply Policy to enforce rules.

  • Use Static Policy mode when testing policy on production workloads without immediate enforcement, or when your workflow requires manual approval before enforcement.

Versioning, Restore, and Revert

Illumio tracks every provision as a version, allowing administrators to audit, restore, or revert policy states.

Versioning Features

Each provision is saved as a version in the Changes > History tab and includes a timestamp, user ID, and a summary of the changes.

  • Policies can be restored either partially (selectively importing components like policies, labels, or services) or completely (replacing all current policy objects with the selected version).

  • Partial restore allows you to cherry-pick changes without overwriting unrelated policies.

  • Complete restore is useful when returning to a known good baseline or recovering from major errors.

Restore vs Revert Action

The Restore action loads an older version into the working configuration without provisioning it, while Revert Immediately rolls back to a version and provisions it in one step.

Revert is used to undo a recent error, and Restore is used to return to a stable baseline.

Policy Versions

Each time you provision changes to policy items (such as policies, services, IP lists, label groups, and security settings), the entire set of changes you provisioned receives a version number. You can view the history of your policies and view their differences.

You can select a previous version to see information about that specific version. By default, the PCE retains only the last 1,000 versions of the policy and automatically removes older versions to improve performance. When a new change is provisioned, the oldest version of the policy is removed.

  1. Go to the page Drafts & Versions > Versions.

    The Policy Versions page displays the history of the most recent provisions in your organization.

  2. To view details about the changes, click one of the items. You can see the changes that have been provisioned for the selected item in this version.

Restore Policy

With the policy restore feature, you can revert to an older version of the policy when the newly provisioned policy does not work as expected.

Note

To use this feature, you must be a Global Administrator or Global Organization Owner.

The older policy version is copied to the current working draft version. You can immediately provision it to replace the non-working version.

You cannot restore to a previous version while there are pending changes. A restore attempted in that state would produce references to non-versioned objects, such as labels and workloads, that have since been deleted; the restore fails and an error message is displayed.

To revert to an older policy version:

  1. Go to the page Draft & Versions > Versions.

  2. On the Policy Versions page, click Restore for the policy version you want to revert to.
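The version history and restore rules described above (every provision becomes a numbered version, only the newest versions are retained, a restore copies an older version into the working draft, and a restore is refused while changes are pending or when the version references non-versioned objects that have since been deleted), as an added illustrative model that is not Illumio's implementation. The class, its default of 1,000 retained versions, and the sample label ids are constructed for this example.

```python
"""Constructed model of policy versioning and restore (added example)."""
from dataclasses import dataclass
from typing import List, Set

@dataclass
class Version:
    number: int
    user: str
    summary: str
    rules: List[dict]  # each rule references label ids, which are not versioned

class PolicyStore:
    def __init__(self, max_versions: int = 1000):
        self.max_versions = max_versions
        self.labels: Set[str] = set()   # non-versioned objects (e.g. labels)
        self.draft: List[dict] = []     # working configuration
        self.pending = False            # True when draft differs from last provision
        self.versions: List[Version] = []
        self._next = 1

    def edit(self, rules: List[dict]) -> None:
        self.draft = list(rules)
        self.pending = True

    def provision(self, user: str, summary: str) -> int:
        """Commit the draft as a new version; drop the oldest beyond the cap."""
        v = Version(self._next, user, summary, list(self.draft))
        self._next += 1
        self.versions.append(v)
        if len(self.versions) > self.max_versions:
            self.versions.pop(0)
        self.pending = False
        return v.number

    def restore(self, number: int) -> None:
        """Copy an older version into the draft; it still has to be provisioned."""
        if self.pending:
            raise RuntimeError("cannot restore while changes are pending")
        v = next((x for x in self.versions if x.number == number), None)
        if v is None:
            raise KeyError(f"version {number} is no longer retained")
        # Labels are not versioned: a version referencing deleted ones cannot load.
        missing = {lbl for r in v.rules for lbl in r["labels"]} - self.labels
        if missing:
            raise RuntimeError(f"version {number} references deleted labels: {sorted(missing)}")
        self.draft = list(v.rules)
        self.pending = True
```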