Illumio Security Policy Guide 25.4

Stateful vs. Stateless Rules

By default, every rule you write in the PCE is stateful: the host firewall tracks each connection for the duration of the session, so return traffic for an allowed connection is permitted without a separate rule.

Stateless Rules

For workloads, you can mark a rule as stateless (in the rule object, “stateless”: true). The VEN then programs the host firewall to evaluate each packet that matches the rule on its own, without creating or tracking a connection entry for the session. Stateless rules are intended for data center core services such as DNS and NTP.

Caveats

In a stateless rule, you can add the following policy objects as destinations:

  • An individual workload

  • Labels (at most one label of each type, up to four in total)

  • Any IP list together with all workloads

If you attempt to add any other destination, the PCE returns an error.

These restrictions keep the number of stateless rules capped at 100, so that stateful and stateless rules can coexist on the host without degrading system or network performance. If you need more than 100 stateless rules in your Illumio policy, contact your Illumio Professional Services representative.
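The following Python pre-checks rule objects against the three destination shapes and the 100-rule cap described above, so that a rejected rule is caught before it reaches the PCE. It is an added example, not Illumio's own code or API client. The field names ("stateless", "providers", "consumers", "ingress_services", "workload", "label", "ip_list", and {"actors": "ams"} for "all workloads") follow the PCE REST rule schema as the author understands it and should be checked against your PCE's API reference; the inline label "key" is an assumption for this example, since the live API references labels by href that you would resolve first. The sample rule is constructed.

```python
"""Pre-check Illumio rule objects against the stateless-rule constraints on
this page before pushing them to the PCE.

Added example, not Illumio's own code or API. Field names ("stateless",
"providers", "consumers", "ingress_services", "workload", "label", "ip_list",
and {"actors": "ams"} for "all workloads") follow the PCE REST rule schema as
the author understands it; the inline label "key" is an assumption for this
example (the live API references labels by href, which you would resolve
first). The four-label-type limit and 100-rule cap come from the page.
"""
import json

MAX_LABEL_TYPES = 4         # one label of each type, up to four total
MAX_STATELESS_RULES = 100   # page: stateless rules are capped at 100 per policy


def classify_stateless_destinations(providers):
    """Return the allowed destination shape ('workload', 'labels' or
    'ip_list+all_workloads') or raise ValueError with the reason the PCE
    would reject the rule."""
    if not providers:
        raise ValueError("a stateless rule needs at least one destination")

    # Each provider entry is a one-key dict: {"workload": ...}, {"label": ...},
    # {"ip_list": ...} or {"actors": "ams"}.
    kinds = [next(iter(p)) for p in providers]

    # Shape 1: exactly one individual workload.
    if kinds == ["workload"]:
        return "workload"

    # Shape 2: labels only, at most one of each type, four at most.
    if all(k == "label" for k in kinds):
        types = [p["label"]["key"] for p in providers]
        if len(types) > MAX_LABEL_TYPES:
            raise ValueError(f"{len(types)} labels; at most {MAX_LABEL_TYPES} allowed")
        dup = sorted({t for t in types if types.count(t) > 1})
        if dup:
            raise ValueError(f"more than one label of type {dup}")
        return "labels"

    # Shape 3: one or more IP lists together with all workloads ("ams").
    if set(kinds) <= {"ip_list", "actors"}:
        actors = [p["actors"] for p in providers if "actors" in p]
        if "ip_list" in kinds and actors == ["ams"]:
            return "ip_list+all_workloads"
        raise ValueError("an IP list destination must be combined with all workloads")

    raise ValueError(f"destination mix {kinds} is not allowed in a stateless rule")


def rejection_reason(providers):
    """None if the destination set is valid for a stateless rule, else the reason."""
    try:
        classify_stateless_destinations(providers)
    except ValueError as exc:
        return str(exc)
    return None


def check_ruleset(rules):
    """Validate every stateless rule in a list of rule objects and enforce the
    100-rule cap. Returns a list of (index, problem) pairs; empty means OK.
    Stateful rules are not checked, since the page places no limit on them."""
    problems = []
    stateless = [(i, r) for i, r in enumerate(rules) if r.get("stateless")]
    for i, rule in stateless:
        reason = rejection_reason(rule.get("providers", []))
        if reason:
            problems.append((i, reason))
    if len(stateless) > MAX_STATELESS_RULES:
        problems.append((-1, f"{len(stateless)} stateless rules exceed the cap of {MAX_STATELESS_RULES}"))
    return problems


# Constructed sample: a stateless UDP/53 (DNS) rule in PCE rule-object shape,
# with labels shown inline (key/value) rather than by href.
SAMPLE_DNS_RULE = json.loads("""
{
  "enabled": true,
  "stateless": true,
  "ingress_services": [{"port": 53, "proto": 17}],
  "consumers": [{"actors": "ams"}],
  "providers": [
    {"label": {"key": "role", "value": "DNS"}},
    {"label": {"key": "env",  "value": "Prod"}}
  ]
}
""")

# Constructed sample the PCE would reject: two labels of the same type.
BAD_PROVIDERS = [
    {"label": {"key": "role", "value": "DNS"}},
    {"label": {"key": "role", "value": "NTP"}},
]

if __name__ == "__main__":
    print(classify_stateless_destinations(SAMPLE_DNS_RULE["providers"]))  # labels
    print(rejection_reason(BAD_PROVIDERS))
    print(check_ruleset([SAMPLE_DNS_RULE] * 101))
```

Run it against a draft ruleset exported from the PCE after resolving label hrefs to their key/value pairs; any non-empty result from check_ruleset is a rule the PCE would refuse or a policy that exceeds the stateless cap.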

Warning

Existing active connections allowed by a stateless rule (for example, an SSH session) are terminated when the workload receives new rules from the PCE, because no connection state survives the firewall reload; clients must reestablish those connections. For this reason, Illumio recommends reserving stateless rules for services that use high-frequency, short-lived connections, such as DNS and SNMP, and keeping long-lived sessions on stateful rules.