Manage Security Settings
This section describes how to modify PCE settings that affect connectivity.
How to Manage Security Settings
You can manage security settings by accessing the page Settings > Security:
| Security for | Setting | Option | Description |
|---|---|---|---|
| VENs (versions 20.2.0 and higher) | IPv6 traffic | Allow IPv6 traffic | Allowed based on policy. |
| VENs (versions 20.2.0 and higher) | IPv6 traffic | Block IPv6 traffic | Blocked only in the Enforcement state. Always allowed on AIX and Solaris workloads. |
| VENs (versions lower than 20.2.0) | IPv6 traffic | Allow IPv6 traffic | All IPv6 traffic is allowed. |
| VENs (versions lower than 20.2.0) | IPv6 traffic | Block IPv6 traffic | Blocked only in the Enforcement state. Always allowed on AIX and Solaris workloads. |
| IKE Authentication | Authentication type | PSK | Use pre-shared keys for authentication. |
| IKE Authentication | Authentication type | Certificate | Use certificates for authentication. |
| Public cloud configuration | NAT Detection | Private Data Center or Public Cloud with 1:1 NAT (default) | For workloads in a known public cloud (such as AWS or Azure), the workload's public IP address as seen by the PCE is distributed along with the IP addresses of the workload's interfaces. Use this setting only if no shared SNAT IP addresses exist for egress traffic from the public cloud workloads. |
| Public cloud configuration | NAT Detection | Public Cloud with SNAT/NAT Gateway (recommended setting if using a NAT gateway in AWS or Azure, or the default outbound access in Azure) | The PCE ignores the workload's public IP address in policy computation. This setting is used in environments where workloads in a known public cloud (e.g., AWS or Azure) connect to other workloads or the PCE outside the VPC or cloud via an SNAT IP address or SNAT pool (e.g., a NAT Gateway in AWS), because the public IP seen by the PCE is not specific to any workload. The policy distributes only the IP addresses of the network interfaces on the workload (usually the private IP addresses). |
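To show why the SNAT/NAT Gateway setting is recommended when workloads share an egress address, here is an added Python model of which addresses each NAT Detection setting distributes in policy. It is example code, not PCE or VEN code; the workload names, addresses and the shortened setting labels are constructed for this illustration.

```python
from dataclasses import dataclass

# Shortened stand-ins for the two NAT Detection options in the table (assumed names).
ONE_TO_ONE_NAT = "Private Data Center or Public Cloud with 1:1 NAT"
SNAT_GATEWAY = "Public Cloud with SNAT/NAT Gateway"


@dataclass(frozen=True)
class Workload:
    name: str
    interface_ips: tuple[str, ...]  # addresses on the workload's own interfaces (usually private)
    public_ip_seen_by_pce: str      # source address the PCE observed for this workload


def distributed_ips(workload: Workload, nat_detection: str) -> set[str]:
    """Addresses the PCE would distribute for this workload (model of the table):
    1:1 NAT adds the public address the PCE saw; SNAT/NAT Gateway uses interface addresses only."""
    ips = set(workload.interface_ips)
    if nat_detection == ONE_TO_ONE_NAT:
        ips.add(workload.public_ip_seen_by_pce)
    elif nat_detection != SNAT_GATEWAY:
        raise ValueError(f"unknown NAT Detection setting: {nat_detection!r}")
    return ips


def shared_addresses(workloads, nat_detection: str) -> dict[str, set[str]]:
    """Addresses attributed to more than one workload under a setting. Such an address is not
    specific to a workload, so a rule allowing one workload also matches the others behind it."""
    owners: dict[str, set[str]] = {}
    for w in workloads:
        for ip in distributed_ips(w, nat_detection):
            owners.setdefault(ip, set()).add(w.name)
    return {ip: names for ip, names in owners.items() if len(names) > 1}


# Constructed sample: two workloads in one VPC egress through the same NAT gateway,
# so the PCE sees the same public address (RFC 5737 documentation range) for both.
BEHIND_NAT_GATEWAY = (
    Workload("web", ("10.0.1.5",), "203.0.113.10"),
    Workload("db", ("10.0.2.9",), "203.0.113.10"),
)

if __name__ == "__main__":
    for setting in (ONE_TO_ONE_NAT, SNAT_GATEWAY):
        overlap = shared_addresses(BEHIND_NAT_GATEWAY, setting)
        print(f"{setting}: {overlap or 'no address shared between workloads'}")
```

With the default 1:1 NAT setting both workloads are credited with 203.0.113.10, so policy written for one of them also covers traffic from the other; the SNAT/NAT Gateway setting removes that overlap.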
Enable IP Forwarding
(For Linux VENs only)
In PCE versions earlier than 21.5.10, IP forwarding is automatically enabled for hosts in a container cluster that Kubelink reports to the PCE or hosts explicitly set to use the Container Inherit Host Policy feature.
Starting in PCE version 21.5.10, you can enable IP forwarding on hosts without using any container segmentation features. To enable this feature, contact Illumio Support.
In the PCE web console, choose Security > IP Forwarding. If the feature is enabled, the IP Forwarding tab will appear.
Note: Enable this feature using the API call to the PCE so that it appears as an option in the Security menu.
In this tab, you can use labels and label groups to enable IP forwarding for the workloads that match the label combination. Use combinations of Role, Application, Environment, and Location labels and label groups in the same way you would to specify workloads for any other purpose; for example, in a Rule or any of the tabs under the Security Settings page.
On workloads with IP forwarding enabled, the host firewall is configured to allow all forwarded traffic, including traffic forwarded through the host, with no visibility into that forwarded traffic.