Stateful vs. Stateless Rules
By default, all rules you write in the PCE are stateful, which means that the host's firewall keeps track of a connection for the entire duration of the session.
Stateless Rules
For workloads, you can specify stateless packet filtering for a rule ("stateless": true). This means that the VEN instructs the host's firewall not to track connection state for the sessions that rule matches. You can create this type of stateless rule for data center core services, such as DNS and NTP.
Caveats
In a stateless rule, you can add the following policy objects as destinations:
An individual workload
A label (one each of a specific type, up to four total)
Any IP list plus all workloads
If you attempt to add any other destinations, you receive an error.
The limit ensures that the number of stateless rules is capped at 100, allowing both stateful and stateless rules to coexist on the host in a way that optimizes system and network performance. If you require more than 100 stateless rules in your Illumio policy, please get in touch with your Illumio Professional Services Representative for further information.
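The destination caveat and the 100-rule cap above can be checked before a policy is pushed. The following is an added example, not Illumio's code or the PCE API's exact payload: the rule shape ("destinations", "workload", "label", "ip_list", "all_workloads", "service") is an assumed, simplified schema, with only "stateless" taken from this page.

```python
# Added example (not Illumio's code): checks the destination shapes this page
# permits for a stateless rule, plus the 100-stateless-rule cap. The rule
# schema used here is an assumed simplification, not the real PCE API payload.
from typing import Dict, List

MAX_STATELESS_RULES = 100  # cap stated on the page


def destinations_ok(rule: Dict) -> bool:
    """Return True if the rule's destinations are allowed for its mode."""
    if not rule.get("stateless", False):
        return True  # stateful rules carry no destination restriction here
    dests = rule.get("destinations", [])
    if not dests:
        return False
    kinds = {next(iter(d)) for d in dests}  # object type of each destination
    # Case 1: a single individual workload
    if kinds == {"workload"}:
        return len(dests) == 1
    # Case 2: labels only, one per label type (key), at most four in total
    if kinds == {"label"}:
        keys = [d["label"]["key"] for d in dests]
        return len(keys) <= 4 and len(set(keys)) == len(keys)
    # Case 3: one or more IP lists plus "all workloads"
    if kinds == {"ip_list", "all_workloads"}:
        return sum(1 for d in dests if "all_workloads" in d) == 1
    return False  # any other combination is rejected, as the page describes


def validate_ruleset(rules: List[Dict]) -> List[str]:
    """Return a list of problems; an empty list means the ruleset is acceptable."""
    problems = []
    stateless_count = sum(1 for r in rules if r.get("stateless"))
    if stateless_count > MAX_STATELESS_RULES:
        problems.append(f"{stateless_count} stateless rules exceed the cap of {MAX_STATELESS_RULES}")
    for i, r in enumerate(rules):
        if not destinations_ok(r):
            problems.append(f"rule {i}: destinations not permitted for a stateless rule")
    return problems


# Constructed sample: stateless DNS to a "role: dns" label, stateless NTP to an
# IP list plus all workloads, and a third rule mixing a label with an IP list,
# which the validator rejects.
SAMPLE_RULES = [
    {"stateless": True, "service": "udp/53",
     "destinations": [{"label": {"key": "role", "value": "dns"}}]},
    {"stateless": True, "service": "udp/123",
     "destinations": [{"ip_list": "ntp-servers"}, {"all_workloads": True}]},
    {"stateless": True, "service": "tcp/22",
     "destinations": [{"label": {"key": "role", "value": "web"}}, {"ip_list": "corp"}]},
]
```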
Warning
Existing active connections on workloads allowed by a stateless rule (for example, an SSH session) are terminated when workloads receive new rules from the PCE, and clients must re-establish them. For this reason, Illumio recommends using stateless rules for services that use high-frequency, short-lived connections, such as DNS and SNMP.