
Security Policy Guide 25.2.10

Services

When workloads are paired with the PCE, the VEN discovers all running processes and services on a workload and makes those services available for use when writing rules. You can see those discovered services when you view the Processes tab on the Workload's details page.

However, you can also create your own services to specify the service type, as well as the ports and protocols the services use to communicate.

Note

Service SID types can be unrestricted; for example, sc.exe qsidtype myservice shows the SID type of the service myservice. You can write rules that reference services with unrestricted service IDs (SIDs). When a service has a restricted SID type, write the rule without that service: including a service with a restricted SID type causes its traffic to be dropped and might cause traffic to be reported inconsistently between the Reported view and the Draft view.

Service Types

When you create a service, you can choose one of two general types:

  • All OS: Port-Based: This type of service can be used for writing rules for any workloads and is defined by specifying a port and protocol, a port range, or in some cases, only the protocol. For example: 80 TCP, 1000-2000 TCP, 500 UDP. For GRE or IPIP, you only need to specify the protocol.

  • Windows: Process/Service-Based: This type of service can be used for writing rules for Windows Workloads only, and is defined by specifying one of the following combinations or scenarios:

    • Port and/or Protocol, Windows Process, and Windows Service

      443 TCP c:\windows\myprocess.exe myservice

    • Port and/or Protocol and Windows Process

      443 TCP c:\windows\myprocess.exe

    • Port and/or Protocol and Windows Service

      443 TCP myservice

    • Windows Port and/or Protocol

      514 UDP

    • Windows Process

      c:\windows\myprocess.exe

    • Windows Service

      myservice

Windows Process-based Rules
Rules to Allow System Created Processes

You can create rules to allow all system-initiated processes in Windows. This approach allows all traffic related to drivers and other operating system modules. To do so, create a service of type Windows: Process/Service-Based with the word "system" (case-insensitive) in the Port/Protocol text input field. Once you create this service, you can use it in rules.

To create a service that allows all system-initiated processes:

  1. From the PCE web console menu, choose Policy Objects > Services.

  2. Click Add.

  3. Enter a name and description for the service you are adding.

  4. ATTRIBUTES:

    Operating System

    To add a service definition, from the Operating System drop-down, select All Operating Systems: Port-Based, Windows Inbound: Process/Service-Based, or Windows Outbound: Process/Service-Based.

    If you select All Operating Systems: Port-Based, you can indicate only a port, a protocol, or both, separating the port and protocol with a space. For example: 512 TCP.

    If you select Windows Process/Service-Based, from the Port and/or Protocol drop-down, specify a port/protocol, a process or service, or a port/protocol together with a process or service, separating the port and protocol with a space. For example: port 512 TCP, process C:\windows\myprocess.exe, and Windows service myprocess.

    Service Definitions

    To remove a service definition, from the Operating System drop-down, select either All Operating Systems: Port-Based or Windows: Process/Service-Based:

    Click the check box next to the Port and/or Protocol. You may select a single or multiple entries.

    Click Remove.

Service Using Windows Environmental Variables

A Windows environment variable can be used to specify the full path of a process. To do so, create a service of type Windows: Process/Service-Based with the environment variable in the Port/Protocol text input field.

Note

Currently, only the Windows system variable is supported in the process path, for example %systemroot%\myprocess.exe.

Rules can also be created to allow all system-initiated processes in Windows, which allows all traffic related to drivers and other operating system modules. To do so, place the word system (case-insensitive) in the Port/Protocol text input field.

To create a service that uses Windows environmental variables:

  1. From the PCE web console menu, choose Policy Objects > Services.

  2. Click Add.

  3. In the Name field, enter system (case-insensitive).

  4. From the Operating System drop-down list, select Windows: Process/Service-based.

  5. In Ports & Protocols, specify the entry; when it contains both a port and a protocol, separate them with a space. For example, a process path that uses the Windows system variable:

    %systemroot%\myprocess.exe

  6. Click Save.

IGMP Services

You can add Internet Group Management Protocol (IGMP) as a service for use in rules to write granular inbound or outbound policy for IGMP, which is typically used for multicast. No range is required for IGMP.

You can export IGMP traffic in JSON, CEF, or LEEF format.

You can also create and update services that use the IGMP protocol through the Illumio Core REST API.

See "Services" in the REST API Developer Guide for information about using the REST API to create services.

Caveats
  • When an IGMP service is used in a rule, all IGMP types are allowed; granular control and specific multicast addresses are not supported.

  • IGMP is not supported in the Illumination map.

ICMP Services

ICMP can be added as a service and used in rules to write granular inbound or outbound policy for ICMP. ICMP is usually used for traceroute and path MTU discovery.

You can export ICMP traffic in JSON, CEF, or LEEF format.

Note

When these services are blocked, they do not appear in the Blocked Traffic list and the connection is dropped silently.

ICMP types/codes (such as 0 ICMP or 3/2 ICMP) are supported. The ICMP range is from 0 to 255.

The following table describes the correct format for each type of supported ICMP rule:

  Example: ICMP (on its own line)
  Format: Protocol name only
  Meaning in rule: Allow all ICMP traffic.

  Example: 3 ICMP
  Format: Type = 3; Protocol name = ICMP
  Meaning in rule: All ICMP traffic of type 3 (Destination Unreachable) is allowed regardless of the code used in the rule.

  Example: 3/6 ICMP
  Format: Type = 3; Code = 6; Protocol name = ICMP
  Meaning in rule: Only type 3 and code 6 ICMP traffic is allowed.

  Example: 3 ICMP, 6 ICMP
  Format: Type 3 of ICMP, Type 6 of ICMP
  Meaning in rule: Only type 3 and type 6 ICMP traffic is allowed regardless of the code used in the rule.

Tip

Use the comma-separated format to add as many types as you need.
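The Port and/or Protocol entry formats described under Service Types and in the ICMP table above (port or port range with TCP/UDP, ICMP type or type/code in the 0-255 range, protocol-only entries such as GRE or IGMP, and the Windows process and service name forms) can be checked before they are pasted into the PCE. The parser below is an added example, not Illumio code or the PCE's own validator; the 0-65535 port bounds and the rule that a process token contains a backslash or starts with % are assumptions.

```python
import re

# Protocol names the guide uses in the Port and/or Protocol field.
PORT_PROTOCOLS = {"TCP", "UDP"}           # take a port or a port range
TYPE_PROTOCOLS = {"ICMP", "ICMPV6"}       # take a type, or type/code
BARE_PROTOCOLS = {"GRE", "IPIP", "IGMP"}  # protocol name only, no range
PROTOCOLS = PORT_PROTOCOLS | TYPE_PROTOCOLS | BARE_PROTOCOLS


def parse_entry(text, windows=False):
    """Parse one entry such as '1000-2000 TCP', '3/6 ICMP' or
    '443 TCP c:\\windows\\myprocess.exe myservice'; ValueError if malformed."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty entry")
    entry = {"proto": None, "port": None, "to_port": None, "icmp_type": None,
             "icmp_code": None, "process": None, "service": None}
    proto_idx = next((i for i, t in enumerate(tokens) if t.upper() in PROTOCOLS), None)
    spec, rest = ([], tokens) if proto_idx is None else (tokens[:proto_idx], tokens[proto_idx + 1:])
    if proto_idx is not None:
        proto = entry["proto"] = tokens[proto_idx].upper()
        if len(spec) > 1 or (spec and proto in BARE_PROTOCOLS):
            raise ValueError(f"unexpected port/type spec before {proto}: {spec}")
        if spec and proto in PORT_PROTOCOLS:        # 80, or 1000-2000
            m = re.fullmatch(r"(\d+)(?:-(\d+))?", spec[0])
            lo, hi = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else (-1, -1)
            if not 0 <= lo <= hi <= 65535:          # assumed port bounds, not from the guide
                raise ValueError(f"bad port or range for {proto}: {spec[0]}")
            entry["port"], entry["to_port"] = lo, hi
        elif spec:                                  # ICMP: 3, or 3/6; type and code are 0-255
            m = re.fullmatch(r"(\d+)(?:/(\d+))?", spec[0])
            vals = [int(v) for v in m.groups() if v] if m else [256]
            if any(not 0 <= v <= 255 for v in vals):
                raise ValueError(f"ICMP type/code outside 0-255: {spec[0]}")
            entry["icmp_type"], entry["icmp_code"] = vals[0], (vals[1] if len(vals) > 1 else None)
    if rest and not windows:
        raise ValueError(f"process/service names need a Windows service type: {rest}")
    for tok in rest:                                # Windows process and/or service name
        if re.fullmatch(r"[\d/-]+", tok):
            raise ValueError(f"port or type given without a protocol: {tok}")
        if "\\" in tok or tok.startswith("%") or tok.lower() == "system":
            entry["process"] = tok                  # path, %systemroot% path, or 'system'
        else:
            entry["service"] = tok
    return entry


def parse_field(text, windows=False):
    """Parse a comma-separated field such as '3 ICMP, 6 ICMP' into a list of entries."""
    return [parse_entry(part, windows) for part in text.split(",") if part.strip()]
```

With windows=True the parser accepts the Windows: Process/Service-Based forms; with the default windows=False a bare process or service name is rejected, mirroring the All OS: Port-Based restriction.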

ICMP traffic is displayed in Explorer, similar to TCP/UDP traffic. From the 19.1.0 release on, you can see ICMP traffic flows in Illumination and the App Groups Map. You can choose to conceal them by using the filter in Illumination.

You can also create and update services that use the ICMP protocol through the Illumio Core REST API. See "Services" in the REST API Developer Guide for information about using the REST API to create services.

Caveats

  • ICMP is not supported for virtual services.

  • When an ICMP service is used in a rule, all ICMP types are allowed; however, granular control and specific multicast addresses are not supported.

  • When you enable IPv6 on Windows VENs, IPv6 system rules are not propagated to those VENs. You need to write security rules to ensure robust IPv6 functionality. The ICMPv6 types that are required in those rules are as follows:

    Router Solicitation Message: ICMPv6 type 133
    Router Advertisement Message: ICMPv6 type 134
    Neighbor Solicitation Message: ICMPv6 type 135
    Neighbor Advertisement Message: ICMPv6 type 136

View or Edit a Service

To view or edit an existing service:

  1. Click the name of the desired service. You can filter the list by various attributes. See Filter the Services List for details.

  2. Go to Policy Objects > Services to view information about the service, including its general data, attributes, and, if appropriate, the external data for the service and ransomware protection details.

  3. Double-click the service to view the Service page, and then click Edit to enter edit mode.

  • GENERAL: Change the Name or Description of the service.

  • RANSOMWARE PROTECTION:

    Select severity: None, Low, Medium, High, or Critical

    OS Exposure: Select one or more OSes

    Port Type: Admin or Legacy

  • ATTRIBUTES:

    Operating Systems: All Operating Systems: port-based

    Service Destinations: Add or Remove port and/or protocol

Filter the Services List

The property filter at the top allows you to filter the Services list by entering a service name, description, port, protocol, and provision status (draft or active).

Create a Service

When you create a rule, you can select a service to indicate the allowed communication between workloads and other entities.

When you create a service, that service becomes available to use in a rule.

For a list of the types of services you can create, see Service Types.

To create a service from the Services page:

  1. From the PCE web console menu, choose Policy Objects > Services.

  2. On the Services page, click Add.

  3. Enter a name for the service and, optionally, a description.

  4. Under Attributes, choose whether you want to create a port-based or Windows service-based service.

  5. In the Port and/or Protocol section, click Add and enter the ports, using a space to separate them from the protocol. To enter a range, separate the port numbers by a hyphen. You can also copy and paste lists of services from another source here.

  6. When the service uses any UDP ports, enter them as well.

  7. Click Save.