Connectivity Settings
This section describes how to modify PCE settings that affect connectivity.
Note
Permission to edit these settings depends on your role.
Private Data Centers
The PCE uses connectivity settings to decide whether workloads can communicate with each other in private datacenters, private clouds, and shared network environments (private datacenter and public cloud).
By default, the Private Data Center connectivity setting is set and intended for workloads hosted in private data centers that do not have duplicate IP addresses in the network. When your network environment hosts workloads in your private data center and in a public cloud, and you want to change this setting, contact Illumio Support.
Offline Timers
You can configure Offline Timers in Settings > Offline Timers and choose appropriate settings for your workloads.
Note
To configure Offline Timers, you must be the Global Organization Owner for your PCE or a member of the Global Administrator role.
Warning
Disabling the Offline Timer setting degrades your security posture because the PCE will not remove the IP addresses of disconnected workloads from the policy of the workloads that were allowed to communicate with them. You must remove the disconnected workloads from the PCE to ensure that their IP addresses are removed from the policy.
The PCE isolates a workload from the other workloads when the workload goes offline. The VEN sends a heartbeat message to the PCE every 5 minutes and a goodbye message when it is gracefully shut down. The PCE marks a workload offline when these conditions occur:
The PCE hasn't received a heartbeat message from the VEN for the configured period (whether default or custom).
The PCE receives a goodbye message from the VEN.
Under the following conditions, you can change the default Offline Timer settings before putting your workloads in enforcement:
The default setting might potentially disrupt your critical applications.
Application availability is more important than security.
Note
How you configure this setting is a tradeoff between benefiting from an increased zero-churn outage time window and increasing the window of time during which IP addresses could be reused. You should weigh the operational and security benefits and find a balance suitable for your applications.
Decommission and IP Cleanup Timer
Sets how much time must elapse before a managed workload is marked "offline" after it sends a goodbye message. By default, the High Security setting is:
Server VENs: 15 minutes
Endpoint VENs: 24 hours
Wait 1 hour/1 day - High Security (Default)
The PCE performs the following actions:
Listens for Goodbye messages from the VEN.
Pushes an updated policy to the peer workloads previously allowed to communicate with the removed workloads.
Immediately cleans up those workloads' IP addresses from its active policy.
Never remove IP addresses - Highest Availability
This setting has the following effect on the PCE:
Ignores Goodbye messages from workloads.
Keeps all IP addresses in policy and never automatically removes unused IP addresses.
Requires the removal of those unused IP addresses.
Custom Timeout
Enter a time period (minimum: 0 seconds).
The PCE performs the following actions:
Listens for Goodbye messages from the VEN.
Waits for the specified period before the cleanup of those workloads' IP addresses from its active policy.
Pushes an updated policy to the peer workloads previously allowed to communicate with the removed workloads.
Disconnect and Quarantine Timer
Sets how much time must elapse before a managed workload is marked "offline" after the PCE has received no heartbeat from the VEN. By default, the High Security setting is:
Server VENs: 60 minutes
Endpoint VENs: 24 hours
Wait 1 hour/1 day - High Security (Default)
The PCE performs the following actions:
Waits for the configured time to receive a heartbeat from the disconnected workloads and then quarantines workloads that do not respond within that period.
Removes the quarantined workloads' IP addresses from its active policy.
Pushes an updated policy to the peer workloads previously allowed to communicate with the quarantined workloads.
Never remove IP addresses - Highest Availability
This setting has the following effect on the PCE:
Never disconnects or quarantines workloads that fail to heartbeat.
Keeps all IP addresses in policy and never automatically removes unused IP addresses.
Requires the removal of those unused IP addresses.
Custom Timeout
Enter a time period (minimum: 300 seconds).
The PCE performs the following actions:
Waits for the specified time period for the VEN to heartbeat.
Quarantines those workloads that do not respond within that time period.
Removes the quarantined workloads' IP addresses from its active policy.
Pushes an updated policy to the peer workloads previously allowed to communicate with the quarantined workloads.
Disconnect and Quarantine Warning
Sets how much time must elapse before the PCE emits a warning event to indicate that the VEN missed heartbeats. The server VEN appears with a warning on the VEN pages.
The default settings are:
Server VENs: Wait one-quarter of the Disconnect and Quarantine Timer.
Endpoint VENs: Disabled.
Wait one-quarter of the Disconnect and Quarantine Timer - (Default) (applies to Server VENs only)
The PCE performs the following actions:
Waits one-quarter of the Disconnect and Quarantine Timer setting for the server VEN to heartbeat before emitting a warning event indicating that it has missed heartbeats. The server VEN appears with a warning on the VEN pages.
If the Disconnect and Quarantine Timer is set to Never remove IP addresses - Highest Availability, the PCE emits a warning event 15 minutes after receiving the previous VEN heartbeat.
If you set a custom time of 20 minutes or less for the Disconnect and Quarantine Timer and the PCE receives no heartbeat from the VEN for at least 5 minutes after receiving the previous heartbeat, the PCE emits a warning event to indicate the missed heartbeat. The endpoint VEN appears with a warning on the VEN pages.
Custom Timeout (applies to Server and Endpoint VENs)
Enter a period greater than 5 minutes (300 seconds) and less than the value specified for the Disconnect and Quarantine Timer.
The PCE waits for the specified time period for the VEN to heartbeat.
VENs appear with a warning on the VEN pages.
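The following is an added example, not Illumio code: a small Python model of the Offline Timer decision rules described above (goodbye handling, missed-heartbeat quarantine, and the warning threshold), useful for reasoning about how long a decommissioned or silent workload's IP addresses stay in policy under a given setting. It assumes the 5-minute heartbeat interval quoted on the page, reads the "20 minutes or less" rule as "warn no sooner than one missed heartbeat", and assumes that with a "Never" decommission setting a goodbye is simply ignored and only heartbeats are tracked.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

HEARTBEAT_INTERVAL = 300          # the VEN heartbeats every 5 minutes
WARN_AFTER_WHEN_NEVER = 15 * 60   # warning 15 min after the last heartbeat if the timer is "Never"


@dataclass
class OfflineTimers:
    """All values in seconds. None means 'Never remove IP addresses' for the two
    timers and 'warning disabled' for the warning threshold."""
    decommission: Optional[int]   # Decommission and IP Cleanup Timer (after a goodbye)
    disconnect: Optional[int]     # Disconnect and Quarantine Timer (after missed heartbeats)
    warning: Optional[int]        # Disconnect and Quarantine Warning threshold

    def validate(self) -> None:
        """Apply the Custom Timeout bounds quoted on the page."""
        if self.decommission is not None and self.decommission < 0:
            raise ValueError("decommission timer must be >= 0 s")
        if self.disconnect is not None and self.disconnect < HEARTBEAT_INTERVAL:
            raise ValueError("disconnect timer must be >= 300 s")
        if self.warning is not None and self.disconnect is not None and not (
                HEARTBEAT_INTERVAL < self.warning < self.disconnect):
            raise ValueError("warning must be > 300 s and < the disconnect timer")


def default_warning(disconnect: Optional[int]) -> int:
    """Server VEN default: one quarter of the disconnect timer, never sooner than
    one heartbeat interval (assumed reading of the 20-minute rule), and 15 min
    after the last heartbeat when the disconnect timer is 'Never'."""
    if disconnect is None:
        return WARN_AFTER_WHEN_NEVER
    return max(disconnect // 4, HEARTBEAT_INTERVAL)


def evaluate(t: OfflineTimers, now: int, last_heartbeat: int,
             goodbye_at: Optional[int] = None) -> Tuple[str, bool]:
    """Return (workload state, whether its IPs are removed from the active policy
    and an updated policy is pushed to the peers that could reach it)."""
    if goodbye_at is not None and t.decommission is not None:
        if now - goodbye_at >= t.decommission:
            return "offline", True
    # A 'Never' decommission timer ignores goodbyes, so only heartbeats count (assumption).
    silent = now - last_heartbeat
    if t.disconnect is not None and silent >= t.disconnect:
        return "quarantined", True
    if t.warning is not None and silent >= t.warning:
        return "warning", False
    return "online", False


# Defaults quoted on the page: server 15 min / 60 min, endpoint 24 h / 24 h, no endpoint warning.
DEFAULT_SERVER = OfflineTimers(15 * 60, 60 * 60, default_warning(60 * 60))
DEFAULT_ENDPOINT = OfflineTimers(24 * 3600, 24 * 3600, None)
```

Feeding `evaluate` a candidate custom setting and a few elapsed times shows directly how wide the IP-reuse window is before the PCE pulls a silent workload's addresses out of peer policy.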
Set the IP Version for Workloads
This section describes how to enforce a preference for IPv4 over IPv6 addresses.
Change Linux Workloads to Prefer IPv4
To ensure that your paired Linux VEN workloads prefer IPv4 over IPv6 addresses in your PCE organization, edit the /etc/gai.conf file on the VEN by adding the following line:
precedence ::ffff:0:0/96 100
This change will cause getaddrinfo system calls to return the IPv4 addresses before IPv6 addresses.
This method works when you assign IPv4 addresses to your workloads. However, it doesn't work when your workloads only have IPv6 addresses (meaning no IPv4 addresses for the hosts) or the software installed is hard-coded to look for IPv6 addresses.
Change Windows Workloads to Prefer IPv4
When you allow only IPv4 traffic for your PCE organization, the VENs on your workloads drop IPv6 traffic when they are in Enforced mode. This decision can lead to delays and communication failures in applications because applications will wait for IPv6 connection attempts to time out before attempting to connect over IPv4.
The problem occurs because, by default, the Windows OS prefers IPv6 over IPv4 and will attempt to connect over IPv6 before IPv4. As a workaround, you can change the order of connection attempts so that IPv4 is preferred over IPv6. With this change, applications will connect over IPv4 first and succeed or fail as governed by the workload's firewall policies.
For information about changing the connection order to prefer IPv4 over IPv6, see the Microsoft KB article Guidance for configuring IPv6 in Windows for advanced users.
As explained in the KB article, run the following command and reboot the Windows workload:
reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 0x20
To avoid rebooting the Windows workload, run the following commands:
netsh interface ipv6 delete prefixpolicy ::ffff:0:0/96
netsh interface ipv6 add prefixpolicy ::ffff:0:0/96 60 4