Workload Enforcement States
Policy state determines how the rules affect a workload's network communication.
In Illumio Segmentation for Data Centers, the workload list page includes four policy states for workloads. If a workload is unmanaged, the Policy State column is not displayed.
Note
The enforcement state shown in the PCE is the desired state, which is applied with the next policy update. If there is an issue applying the enforcement state, a Policy Sync error is shown for the workload.
Idle
You can use a pairing profile to pair workloads into the Idle state.
Note
SecureConnect (IPv6 compatibility) is not supported on workloads in the Idle state. Traffic between these workloads can be impacted when you activate SecureConnect for a rule that applies to workloads in both Idle and non-Idle policy states.
Visibility Only
In the Visibility Only state, the VEN inspects all open ports on a workload and reports traffic flow between it and other workloads to the PCE. The PCE displays the traffic flow to and from the workload, providing insight into the data center and its applications. No traffic is blocked in this state. This state is useful when firewall policies are not yet known: you can use it to discover the application traffic flows in the organization and then generate a security policy that governs required communication.
Selective Enforcement
Segmentation rules are enforced only for selected inbound services when a workload is within the scope of a Selective Enforcement Rule.
Full Enforcement
Segmentation rules are enforced for all inbound and outbound services. Traffic that is not allowed by a Segmentation rule is blocked.
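A simplified model of the three states whose traffic handling is described above, added here as an illustration and not Illumio code: it takes flows observed in Visibility Only and shows which of them would be blocked under each state. The rules, selected services, workload labels and flows are constructed; Idle is left out because this page does not describe how it treats traffic.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    direction: str  # "in" or "out", relative to the workload
    peer: str       # constructed label for the other end
    port: int
    proto: str = "tcp"

# Constructed allow rules for a hypothetical "db" workload.
ALLOW_RULES = {("in", "app", 5432, "tcp"), ("out", "backup", 443, "tcp")}
# Constructed: inbound services selected by a Selective Enforcement Rule.
SELECTED_INBOUND = {(22, "tcp"), (5432, "tcp")}
STATES = ("Visibility Only", "Selective Enforcement", "Full Enforcement")

def allowed_by_rule(flow):
    return (flow.direction, flow.peer, flow.port, flow.proto) in ALLOW_RULES

def decide(state, flow):
    """Return 'allow' or 'block' for one flow under the given policy state."""
    if state == "Visibility Only":
        return "allow"  # traffic is reported, never blocked
    if state == "Selective Enforcement":
        # Only the selected inbound services are subject to the rules.
        enforced = (flow.direction == "in"
                    and (flow.port, flow.proto) in SELECTED_INBOUND)
    elif state == "Full Enforcement":
        enforced = True  # all inbound and outbound services
    else:
        raise ValueError(f"state not modelled: {state}")
    if enforced and not allowed_by_rule(flow):
        return "block"
    return "allow"

def preview(flows):
    """Map each state to the flows it would block."""
    return {s: [f for f in flows if decide(s, f) == "block"] for s in STATES}

# Constructed flows, as might be observed in Visibility Only.
OBSERVED = [
    Flow("in", "app", 5432),
    Flow("in", "jump", 22),
    Flow("in", "web", 8080),
    Flow("out", "dns", 53, "udp"),
    Flow("out", "backup", 443),
]

if __name__ == "__main__":
    for state, blocked in preview(OBSERVED).items():
        print(f"{state}: {len(blocked)} blocked -> {blocked}")
```

Flows that appear in the Full Enforcement list but not in the Selective Enforcement list are the ones that need a rule before the workload is moved to Full Enforcement.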