Illumio Security Policy Guide 25.4

Segmentation Templates

Illumio's Segmentation Templates are pretested security policies for complex applications such as Active Directory. They simplify creating and implementing security policy, reduce the chance of error, and strengthen protection for critical assets. Because the templates encode Illumio's knowledge of how enterprise applications communicate, policy can be written and deployed quickly. When you install a template, the PCE web console creates the key policy objects the application needs in order to communicate.

Catalog Retrieved from Support Portal

When you go to the Segmentation Templates page, the PCE web console automatically retrieves the latest Segmentation Templates catalog from the Illumio Support portal and displays it in the web console.

Note

Segmentation Templates are accessed directly through the Illumio Support Portal.

  1. Log in to the Support portal with your Illumio Support portal username and password. (Illumio Cloud customers are logged into the Illumio Support portal automatically.)

    Click TOOLS > Illumio Segmentation Templates.

  2. To view the contents of a Segmentation Template, click its name or icon.

    The Segmentation Template details page describes the template and lists all the policy objects that belong to the template. Policy objects appear as hyperlinks when another template has already installed them. (Templates can share policy objects.)

Features of Segmentation Templates

Segmentation Templates share the following key features.

Template Contents

Each Segmentation Template adds its own set of predefined services (unique and non-overlapping with those of other templates), and can contain any of the following policy objects:

  • Labels

  • Label groups

  • IP lists

  • Rulesets

Some templates contain all the necessary rulesets, services, and labels to secure a specific application, while others contain only port-based service definitions.

Dynamic Processes and Ports in Microsoft Environments

Segmentation Templates are especially valuable in Microsoft environments, where dynamically allocated ports are used for Remote Procedure Calls (RPC): the client first contacts the RPC endpoint mapper and is then directed to a port chosen at runtime from the dynamic range, so Microsoft applications such as Active Directory cannot be described by a short, fixed port list. A port-only rule therefore has to open the whole dynamic range. The Illumio PCE is service- and process-aware, so it can instead tie a rule to the specific server process and path (for example the process that hosts Netlogon) and keep the rule precise while still allowing the dynamically assigned port.

Sharing Policy Objects

Services, labels, label groups, and IP lists can be used by multiple Segmentation Templates. A ruleset, however, belongs to exactly one template and is never shared.

Identifying Policy Objects Added by Templates

You can recognize every object that a Segmentation Template has added to the PCE: on the object's details page, the External Data Set field uses the format:

IST – type_of_object

(IST stands for Illumio Segmentation Template). For readability, the PCE also displays expanded names. For instance, "IST - [AD] - Client to Domain Controller" is displayed as "IST - Active Directory Client to Domain Controller."

Segmentation Template Prerequisites and Limitations

The following prerequisites and limitations apply to Segmentation Templates.

Internet Connectivity

The PCE web console does not need internet access to use Segmentation Templates. If the PCE is offline, download the templates from the Illumio Support portal on an internet-connected device and upload them to the PCE locally.

Upgrading Policy Objects Installed by Segmentation Templates

The PCE recognizes policy objects that were installed by a Segmentation Template by the value in their External Data Reference field.

Unique Names for Labels, Label Groups, and IP Lists

Policy object names in the PCE web console must be unique. If a template would create an object whose name already exists, the template installation process prompts you to change the object's name.
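The two checks a practitioner wants before and after installing a template are: which objects in the PCE are template-managed (and whether any have lost the External Data Reference the PCE uses to recognize them on upgrade), and whether a template's object names would collide with objects that already exist. The following script is an added example, not Illumio's code or part of this guide. It works on JSON of the shape the PCE API returns for labels, services, IP lists and rulesets, using only the fields named on this page (External Data Set, External Data Reference, name or label value); the hrefs, reference IDs, the "IST - <type>" data-set strings and the manifest format are all assumptions constructed for the example.

```python
"""Identify template-installed policy objects and pre-check for name collisions.

Added example; not Illumio's code. Object shapes follow the PCE API as assumed
here; hrefs, reference IDs and sample objects are constructed.
"""

TEMPLATE_PREFIX = "IST"  # Illumio Segmentation Template marker in External Data Set

# Constructed sample of objects already present in a PCE, keyed by object type.
EXISTING = {
    "labels": [
        {"href": "/orgs/1/labels/10", "key": "role", "value": "Domain Controller",
         "external_data_set": "IST - label", "external_data_reference": "ist-ad-label-001"},
        {"href": "/orgs/1/labels/11", "key": "role", "value": "Web",
         "external_data_set": None, "external_data_reference": None},
    ],
    "services": [
        {"href": "/orgs/1/sec_policy/draft/services/20", "name": "IST - LDAP",
         "external_data_set": "IST - service", "external_data_reference": "ist-svc-ldap"},
        # Reference blanked (e.g. through the API): the PCE can no longer tie it to the template.
        {"href": "/orgs/1/sec_policy/draft/services/21", "name": "IST - Kerberos",
         "external_data_set": "IST - service", "external_data_reference": None},
        {"href": "/orgs/1/sec_policy/draft/services/22", "name": "HTTPS",
         "external_data_set": None, "external_data_reference": None},
    ],
    "ip_lists": [
        # Hand-made IP list that happens to use a name the template also uses.
        {"href": "/orgs/1/sec_policy/draft/ip_lists/5", "name": "Domain Controllers",
         "external_data_set": None, "external_data_reference": None},
    ],
}

# Constructed manifest of what a template would install (names plus reference IDs).
TEMPLATE_MANIFEST = {
    "labels": [{"key": "role", "value": "Domain Controller",
                "external_data_reference": "ist-ad-label-001"}],
    "services": [{"name": "IST - LDAP", "external_data_reference": "ist-svc-ldap"},
                 {"name": "IST - Kerberos", "external_data_reference": "ist-svc-krb"}],
    "ip_lists": [{"name": "Domain Controllers", "external_data_reference": "ist-ipl-dc"}],
}


def display_name(obj):
    """Labels are unique per key and value; every other object type has a name."""
    if "value" in obj:
        return f'{obj["key"]}:{obj["value"]}'
    return obj["name"]


def is_template_object(obj):
    """An object is template-managed when its External Data Set starts with IST."""
    return (obj.get("external_data_set") or "").startswith(TEMPLATE_PREFIX)


def template_inventory(existing):
    """Names of template-installed objects, grouped by object type."""
    return {kind: [display_name(o) for o in objs if is_template_object(o)]
            for kind, objs in existing.items()}


def unrecognized_on_upgrade(existing):
    """Template objects whose External Data Reference is missing. The PCE matches
    installed objects by that field, so a template update would not recognize these."""
    return [(kind, display_name(o)) for kind, objs in existing.items()
            for o in objs if is_template_object(o) and not o.get("external_data_reference")]


def name_collisions(existing, manifest):
    """Manifest objects whose name is already taken by a different object of the same
    type. Same name and same reference means the same object, shared by another template."""
    hits = []
    for kind, wanted in manifest.items():
        by_name = {display_name(o): o for o in existing.get(kind, [])}
        for w in wanted:
            current = by_name.get(display_name(w))
            if current and current.get("external_data_reference") != w["external_data_reference"]:
                hits.append((kind, display_name(w)))
    return hits


if __name__ == "__main__":
    print("template objects:", template_inventory(EXISTING))
    print("not recognized on upgrade:", unrecognized_on_upgrade(EXISTING))
    print("name collisions:", name_collisions(EXISTING, TEMPLATE_MANIFEST))
```

Run against real data, `EXISTING` would be filled from the PCE's label, service, IP list and ruleset endpoints and `TEMPLATE_MANIFEST` from the template's details page; the collision list is what the installer would prompt you to rename, and the "not recognized" list is where a later template update will create duplicates instead of updating in place.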

Note

In Segmentation Templates, policy objects are named using the following convention: IST – type_of_object

Delete Labels Associated with Segmentation Templates

Labels associated with a Segmentation Template cannot be deleted until the rulesets and label groups that reference them have been removed first.
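Working out that order by hand is error-prone, because a ruleset can reference the label directly (in its scope or in a rule's providers or consumers) or indirectly through a label group that contains it. The following function is an added example, not Illumio's code: given a label href, it lists the rulesets and label groups that block its deletion, in the order the page requires (rulesets, then label groups, then the label). The object shapes follow the PCE API as assumed here: rulesets carry `scopes` (a list of scope lists) and `rules` with `providers` and `consumers`, each actor entry being a dict keyed by its type (`label`, `label_group`, `ip_list`, `workload` or `actors`); label groups carry a `labels` list of hrefs. All hrefs and names are constructed.

```python
"""Work out what must be removed before a template-installed label can be deleted.

Added example; not Illumio's code. Object shapes follow the PCE API as assumed
here; hrefs and names are made up.
"""

LABEL_DC = "/orgs/1/labels/10"   # assumed href of the template's Domain Controller label
LABEL_WEB = "/orgs/1/labels/11"
LG_CLIENTS = "/orgs/1/sec_policy/draft/label_groups/40"
LG_DCS = "/orgs/1/sec_policy/draft/label_groups/41"

# Constructed sample data.
LABEL_GROUPS = [
    {"href": LG_CLIENTS, "name": "IST - Active Directory Clients",
     "labels": [{"href": "/orgs/1/labels/12"}]},
    {"href": LG_DCS, "name": "IST - Domain Controllers",
     "labels": [{"href": LABEL_DC}]},
]

RULE_SETS = [
    {"href": "/orgs/1/sec_policy/draft/rule_sets/30",
     "name": "IST - Active Directory Client to Domain Controller",
     "scopes": [[{"label": {"href": LABEL_DC}}]],
     "rules": [{"providers": [{"label": {"href": LABEL_DC}}],
                "consumers": [{"label_group": {"href": LG_CLIENTS}}]}]},
    {"href": "/orgs/1/sec_policy/draft/rule_sets/31",
     "name": "Monitoring to Domain Controllers",
     "scopes": [[{"actors": "ams"}]],   # all managed workloads: no label to match
     "rules": [{"providers": [{"label_group": {"href": LG_DCS}}],
                "consumers": [{"ip_list": {"href": "/orgs/1/sec_policy/draft/ip_lists/5"}}]}]},
    {"href": "/orgs/1/sec_policy/draft/rule_sets/32",
     "name": "Web",
     "scopes": [[{"label": {"href": LABEL_WEB}}]],
     "rules": []},
]


def _actor_refs(rule_set):
    """Yield (kind, href) for every label or label_group actor in a ruleset,
    looking at scopes as well as each rule's providers and consumers."""
    entries = [e for scope in rule_set.get("scopes", []) for e in scope]
    for rule in rule_set.get("rules", []):
        entries += rule.get("providers", []) + rule.get("consumers", [])
    for entry in entries:
        for kind in ("label", "label_group"):
            if kind in entry:
                yield kind, entry[kind]["href"]


def groups_containing(label_href, label_groups):
    """Label groups that include the label."""
    return [g["href"] for g in label_groups
            if any(l["href"] == label_href for l in g.get("labels", []))]


def rule_sets_referencing(label_href, group_hrefs, rule_sets):
    """Rulesets that use the label directly or through one of the given groups."""
    hits = []
    for rs in rule_sets:
        refs = set(_actor_refs(rs))
        if ("label", label_href) in refs or any(("label_group", g) in refs for g in group_hrefs):
            hits.append(rs["href"])
    return hits


def deletion_plan(label_href, rule_sets, label_groups):
    """Ordered steps: rulesets first, then label groups, then the label itself.
    Rulesets that reach the label only through a label group are included,
    because the group cannot go while a ruleset still references it."""
    groups = groups_containing(label_href, label_groups)
    blockers = rule_sets_referencing(label_href, groups, rule_sets)
    plan = [("rule_set", h) for h in blockers]
    plan += [("label_group", h) for h in groups]
    plan.append(("label", label_href))
    return plan


if __name__ == "__main__":
    for step in deletion_plan(LABEL_DC, RULE_SETS, LABEL_GROUPS):
        print(*step)
```

For the sample data, deleting the Domain Controller label requires removing ruleset 30 (direct reference), ruleset 31 (reference through the Domain Controllers label group), then the label group, and only then the label. Removing those objects rather than just editing them matters here because, as the next sections explain, objects a template installed come back when the template is updated.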

Editing Segmentation Templates

When you install a Segmentation Template, it brings in a fixed set of services and can also add labels, label groups, IP lists, and rulesets.

Editing a policy object that belongs to a Segmentation Template differs from editing other objects in the PCE web console: the template's appearance and identification in the web console stay the same even after you modify its associated policy objects.

Before altering policy objects linked to a Segmentation Template, consider the following:

Editing Policy Object Names or IDs

The PCE assigns an ID to each policy object that belongs to a template. The ID appears in the Description and External Data Reference fields on the object's details or Summary page.

Policy objects tied to Segmentation Templates are identified by their names, structured like:

IST – type_of_object

Renaming a policy object does not affect the PCE's ability to verify that the object was installed by the template, but editing its External Data Reference field (which is possible through the Illumio API) does break that verification.

Note

Illumio strongly recommends not changing the IDs in the External Data Reference fields.

Deleting or Editing Policy Objects

Deleting policy objects linked to templates or modifying their attributes comes with the following considerations:

  • If you remove a policy object associated with a template after installation, the object will be re-added when the template is updated.

    For instance, if you delete the common LDAP service from a Segmentation Template, an update to the template will re-add the LDAP ports.

  • If you edit the attributes of a policy object that belongs to a template, the PCE web console asks you, when you update the template to its next version, whether to keep or overwrite the changes you made.