
Illumio Security Policy Guide 25.4

Static Policies

A static policy lets admins stage updates for workloads based on labeled scopes. These workloads receive new firewall rules but do not apply them until manual approval is granted (via the UI or the API's Apply Policy action).

While adaptive security is ideal for safeguarding most workloads from threats, some scenarios require explicit control over when new or modified OS-level firewall rules are applied. By configuring workloads with static policies, you dictate when VENs implement new rules received from the PCE.

Consider static policies a security control setting rather than a policy type. They allow you to manage the precise application of new firewall rules to workloads, creating an audit trail of rule application by Illumio users.

Static Policy Details

Before configuring your workloads to use a static policy, review the prerequisites, limitations, and Illumio recommendations.

Prerequisites

Access requires a Global Organization Owner or Global Administrator role.

VENs on impacted workloads must run version 17.2 or later to support static policies.

Static Policy Limitations
  • Label groups must be provisioned before incorporation into the static policy.

  • Immediate security updates occur in specific scenarios: new workload pairing, VEN tampering detection, or offline VENs returning online.

  • Offline-then-online VENs may lead to out-of-sync rules compared to continuously online VENs.

    Recommendation:

    Hold security policy updates in the draft state until they are final, to prevent VENs from applying them immediately. For optimal performance, the PCE sends up to 5,000 firewall updates until completion.


Static Policy Recommendations

Implement static policies for specific cases under experienced user supervision. While the system typically updates security policies dynamically, configuring workloads with static policies alters this behavior, potentially causing inconsistencies.

Limit the use of static policies to what business needs require, so that operational efficiency is maintained.

Use Cases for Static Policies

While the PCE typically updates security policies dynamically, there are instances where you may need to regulate when OS-level firewall rules updates apply to workloads. Here are some examples:

  • Business-Critical Application Policies: Some organizations require explicit control over security updates for critical applications, setting specific dates and times for these updates to ensure oversight and compliance.

  • Maintenance Window Policies: IT teams often establish policies for applying security updates during maintenance windows to minimize application downtime and mitigate risks. This approach may involve staggered upgrades to maintain application availability.

  • Environment-Specific Security Policies: Central security teams may choose to use static policies for certain environments and adaptive policies for others. For instance, development environments might follow adaptive policies based on labels, while production environments necessitate static policies for stricter control.

See Caveats for guidance on choosing when to configure workloads with a static policy.

Static Policy Workflow Example
  • The security team for a retail application configures a static policy for the production database tier.

  • Automated scaling adds web servers during a demand spike.

  • PCE updates the security policy for web servers connecting to the database tier.

  • During the maintenance window, the team applies staged policy changes.

  • VENs receive and apply the latest OS-level firewall rules.

Applying a Static Policy

Default Setting: Adaptive security applied across all roles, applications, environments, and locations.

Customization: Add a static policy to control OS-level firewall rule updates for workloads.

Configuration: Designate workloads by setting the Policy Update Mode in Security Settings. Define roles, applications, environments, and locations for static policy application. Multiple scopes can be added without overlap. Label groups are not supported; use separate scopes for multiple labels of the same type.

See Static Policy Prerequisites, Limitations, and Recommendations before you complete this task.

Add a Static Policy
  1. From the PCE web console menu, choose Settings > Security > Static Policy.

  2. To define the scope, click Add.

    A dialog box appears, where you set the scope of the static policy.

  3. Select the labels (Role, Application, Environment, Location) that identify the workloads to place under the static policy.

  4. Click OK.

    The static policy is listed.

  5. Click Provision from the PCE web console toolbar.
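The scope rules described under Configuration and in the steps above can be modelled to check which workloads a static policy will cover, and which of them still need a manual Apply Policy step. This is an added example, not Illumio's code or API; it assumes (as a reading of the page, not a documented contract) that a scope is a set of label-type/value pairs where an unset type means "All", that a workload matches a scope when every label in the scope equals its own label of that type, and that matching any configured scope makes the workload static. The workload records and the `pending` flag are constructed sample data.

```python
"""Model of static-policy scope matching for Illumio-style labeled workloads.

Assumptions (not from the Illumio guide): a scope omits a label type to mean
"All"; a workload matches a scope when all of the scope's labels match; a
workload is static when it matches any scope.
"""

LABEL_TYPES = ("role", "app", "env", "loc")

# Constructed sample data mirroring the page's workflow example:
# only the Retail production database tier is placed under static policy.
STATIC_SCOPES = [{"app": "Retail", "env": "Production", "role": "Database"}]
WORKLOADS = {
    "db-01":  {"labels": {"role": "Database", "app": "Retail", "env": "Production", "loc": "DC1"}, "pending": True},
    "web-07": {"labels": {"role": "Web", "app": "Retail", "env": "Production", "loc": "DC1"}, "pending": True},
    "db-dev": {"labels": {"role": "Database", "app": "Retail", "env": "Development", "loc": "DC1"}, "pending": False},
}


def matches_scope(labels: dict, scope: dict) -> bool:
    """True when every label named in the scope equals the workload's label."""
    return all(labels.get(ltype) == value for ltype, value in scope.items())


def is_static(labels: dict, scopes: list) -> bool:
    """A workload is under static policy if it falls inside any scope."""
    return any(matches_scope(labels, scope) for scope in scopes)


def overlapping_scopes(scopes: list) -> list:
    """Return pairs of scopes that could both cover one workload.

    Two scopes overlap unless some label type is set to different values in
    both; the guide asks for scopes to be added without overlap.
    """
    pairs = []
    for i, a in enumerate(scopes):
        for b in scopes[i + 1:]:
            clash = any(t in a and t in b and a[t] != b[t] for t in LABEL_TYPES)
            if not clash:
                pairs.append((a, b))
    return pairs


def pending_manual_apply(workloads: dict, scopes: list) -> list:
    """Static workloads holding staged rules that still await Apply Policy."""
    return sorted(name for name, w in workloads.items()
                  if is_static(w["labels"], scopes) and w["pending"])


if __name__ == "__main__":
    print("awaiting manual apply:", pending_manual_apply(WORKLOADS, STATIC_SCOPES))
    print("overlapping scopes:", overlapping_scopes(STATIC_SCOPES))
```

The adaptive web servers from the workflow example stay out of the result, so only the database tier waits for the maintenance-window approval.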