
Getting Started with Illumio Insights

Quarantined Resources

When you quarantine a resource, Illumio blocks the resource's traffic according to the quarantine policy, except for traffic to and from resources that have been granted controlled access.

Important

For the Quarantine button to appear on the Resource Insights page, you must have a trial or paid Segmentation license.

Use the Quarantine dashboard to view the status of all the resources that have been quarantined.

  • Quarantined: The quarantine was successful.

  • Quarantine In Progress: The quarantine is still in progress and you must wait for it to complete.

  • Quarantine Failed: The quarantine failed. See Illumio events to understand the cause.

Note

Quarantine is available only on Cloud resources.

Use the Quarantine tab to restore a quarantined resource after you have sanitized it. Once restored, Illumio removes the quarantine label from the resource.

Use the Controlled Access tab to view, add, and remove controlled access resources, which are allowed to talk to a quarantined resource. When you add a machine, a dialog filter lets you quickly pick the one you want. Adding a machine means that it has permissions to talk to all quarantined resources.

Quarantine dashboard known limitations

  • If you have an allow rule for incoming traffic on a quarantined machine, the traffic will still go through even from machines that are not labeled as controlled access. This limitation does not apply to outgoing traffic rules. Quarantining a resource creates an override deny rule for outbound traffic that takes precedence over any Illumio allow rule. However, if an allow rule for outbound traffic has a higher priority than Illumio’s segmentation outbound override deny rule, the traffic will be permitted as specified in the higher-priority allow rule.

  • Quarantining a resource or removing a resource from quarantine may not work due to the following issues:

    • If there are conflicting Illumio policies authored in Illumio Segmentation for the Cloud, or conflicting policies authored on the customer side.

      For more information, see the policy documentation on the Illumio technical documentation portal, which is available from the Illumio support page. In the documentation portal, click the Illumio Segmentation for the Cloud tile. From there, click any of the subsequent tiles and browse to Policy > Organization Policy versus Application Policy.

    • If Illumio Segmentation for the Cloud is unable to write the rules on the security control due to permission issues or quotas, it may not be able to quarantine the resource.

    • The resource must be attached to a security control (enforcement point) that Illumio Cloud supports in order to quarantine that resource.

Illumio Segmentation for the Cloud limitations that may affect quarantining

  • If an Azure subnet-level NSG is applied to the workload, quarantining the workload will also affect other workloads in the subnet, potentially causing a customer outage.

  • Quarantine is not supported on AWS and GCP due to restrictions in AWS Security Groups and GCP Firewall rules.

  • Illumio does not enforce quarantine policy if it lacks write permissions. For example, if you selected read-only permissions when onboarding the account that contains the security control associated with the workload/resource to be quarantined, the quarantine cannot be programmed.

  • Illumio may not enforce various security controls depending on the enforcement preferences selected in policy settings. For example, if you want to quarantine a VM on Azure associated with a NIC NSG, a subnet NSG, and a firewall, Illumio may program only the NIC NSG, depending on the enforcement preference selected.

  • Illumio may not be able to program a security control if the security control is locked. (Some cloud providers, like Azure, let customers lock a security control.)

  • If you have an existing Azure allow rule with a lower rule number (higher priority), Illumio's quarantine rules will not override it.

  • If Illumio already has Azure allow rules for the quarantined workload, “Controlled Access” becomes ineffective because workloads outside the Controlled Access group can still reach it. This is an example of an allow rule conflict.

  • If you hit the rule quota for an enforcement point that has resources attached to it, then Quarantine will not work.

  • Quarantine will not work for read-only accounts. For shared resources (AWS), if the owner account has not been onboarded, Illumio won't be able to program the quarantine policy.
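The allow-rule conflicts described in both lists above (the known limitation on incoming allow rules and the Azure limitation on lower-numbered allow rules) come from the same first-match evaluation: on an Azure NSG the rule with the lowest priority number that matches a flow wins, so an allow rule that sorts ahead of the quarantine deny rule lets traffic through no matter what the quarantine policy says. The following audit script is an added example, not Illumio's code and not the product's own rule-programming logic. It models NSG first-match semantics over a constructed rule set and lists the allow rules that would shadow a quarantine deny rule. The rule names, addresses, the "Quarantine-" and "ControlledAccess-" naming, and the priority 1000 used for the quarantine rules are assumptions for illustration only; the field names mirror Azure NSG rule properties.

```python
"""Audit check: which allow rules outrank a quarantine deny rule on an NSG?

Added example, not Illumio's code. Models Azure NSG first-match semantics
(lowest priority number wins; evaluation stops at the first match).
All rule data below is constructed for illustration; the quarantine
priority (1000) and rule names are assumptions, not product values.
"""
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int            # custom NSG rules use 100..4096; lower wins
    direction: str           # "Inbound" or "Outbound"
    access: str              # "Allow" or "Deny"
    protocol: str = ANY      # "Tcp", "Udp" or "*"
    source: str = ANY        # CIDR or "*"
    destination: str = ANY   # CIDR or "*"
    dest_port: str = ANY     # "443", "1000-2000" or "*"


def _addr_overlaps(a: str, b: str) -> bool:
    if ANY in (a, b):
        return True
    return ip_network(a, strict=False).overlaps(ip_network(b, strict=False))


def _port_overlaps(a: str, b: str) -> bool:
    if ANY in (a, b):
        return True

    def span(p: str):
        lo, _, hi = p.partition("-")
        return int(lo), int(hi or lo)

    a_lo, a_hi = span(a)
    b_lo, b_hi = span(b)
    return a_lo <= b_hi and b_lo <= a_hi


def _proto_overlaps(a: str, b: str) -> bool:
    return ANY in (a, b) or a.lower() == b.lower()


def rules_overlap(r1: Rule, r2: Rule) -> bool:
    """True if some flow could match both rules (same direction, overlapping scope)."""
    return (r1.direction == r2.direction
            and _proto_overlaps(r1.protocol, r2.protocol)
            and _addr_overlaps(r1.source, r2.source)
            and _addr_overlaps(r1.destination, r2.destination)
            and _port_overlaps(r1.dest_port, r2.dest_port))


def evaluate(rules, direction, protocol, src, dst, port):
    """First-match evaluation: (name, access) of the winning rule for one flow.
    Azure's built-in default rules (priority 65000+) are omitted; an
    unmatched flow is reported as denied for brevity."""
    flow = Rule("flow", 0, direction, "", protocol, src, dst, str(port))
    for r in sorted(rules, key=lambda r: r.priority):
        if rules_overlap(r, flow):
            return r.name, r.access
    return "DefaultDeny", "Deny"


def shadowing_allows(rules, quarantine_rule, intended=frozenset()):
    """Allow rules that sort ahead of the quarantine deny rule and overlap it.
    Rules named in `intended` (e.g. controlled-access allows) are skipped."""
    return [r.name for r in sorted(rules, key=lambda r: r.priority)
            if r.access == "Allow"
            and r.priority < quarantine_rule.priority
            and r.name not in intended
            and rules_overlap(r, quarantine_rule)]


# Constructed NSG: a quarantined workload, one controlled-access peer,
# and three pre-existing customer allow rules.
WORKLOAD = "10.0.1.4/32"
QUARANTINE_IN = Rule("Quarantine-DenyIn", 1000, "Inbound", "Deny", destination=WORKLOAD)
QUARANTINE_OUT = Rule("Quarantine-DenyOut", 1000, "Outbound", "Deny", source=WORKLOAD)
CONTROLLED_IN = Rule("ControlledAccess-In", 900, "Inbound", "Allow",
                     source="10.0.9.10/32", destination=WORKLOAD)
CUSTOMER = [
    Rule("AllowWebInbound", 200, "Inbound", "Allow", "Tcp", ANY, WORKLOAD, "443"),
    Rule("AllowSshOutbound", 300, "Outbound", "Allow", "Tcp", WORKLOAD, "10.0.0.0/8", "22"),
    Rule("AllowMonitoringInbound", 2000, "Inbound", "Allow", "Tcp", "10.0.5.0/24", WORKLOAD, "9100"),
]
NSG = CUSTOMER + [CONTROLLED_IN, QUARANTINE_IN, QUARANTINE_OUT]

if __name__ == "__main__":
    print("Inbound allows shadowing quarantine:",
          shadowing_allows(NSG, QUARANTINE_IN, {CONTROLLED_IN.name}))
    print("Outbound allows shadowing quarantine:",
          shadowing_allows(NSG, QUARANTINE_OUT))
    print("Internet -> workload:443 ->", evaluate(NSG, "Inbound", "Tcp", "203.0.113.7", WORKLOAD, 443))
    print("workload -> 10.0.2.9:80  ->", evaluate(NSG, "Outbound", "Tcp", WORKLOAD, "10.0.2.9", 80))
```

Run against your real rule set, the two `shadowing_allows` results are the rules to review before relying on quarantine: the inbound list is exactly the case where machines outside Controlled Access can still reach the workload, and the outbound list is the case where a higher-priority customer allow rule beats the outbound override deny. The rule at priority 2000 is correctly overridden and does not appear, which is the behaviour quarantine is meant to provide.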