Services

When workloads are paired with the PCE, the VEN discovers all running services on a workload and makes those services available for use when writing rules. You can see those discovered services when you view the Services tab on the Workload's details page.

However, you can also create your own services to specify the service type, as well as the ports and protocols the services use to communicate.

NOTE:

Service SIDs can be unrestricted or restricted; for example, sc.exe qsidtype "WebSAT Plant" shows the SID type of that service. You can write rules with unrestricted service IDs (SIDs). When a service has a restricted SID, write the rule without the SID. Including the SID might cause a disconnect between the Reported view and the Draft view, because the Draft view assumes that the SID works.

Service Types

When you create a service, you can choose one of two general types: 

  • All OS: Port Based: This type of service can be used for writing rules for any workloads and is defined by specifying a port and protocol, a port range, or in some cases, only the protocol. For example: 80 TCP, 500 UDP, 1000-2000 TCP. For GRE or IPIP, you only need to specify the protocol.
  • Windows: Process/Service-Based: This type of service can be used by Windows workloads only and is defined by specifying ports and protocols, processes, or a Windows service name. For example: 

    • Windows services/process: Add quotation marks and the full path for processes: "Schedule" or "c:\windows\myprocess.exe"

    • Port/protocol and process/service: 540 TCP "c:\windows\myprocess.exe" or 80 TCP "c:\windows\myprocess.exe" "myservice"

    • Port or port/protocol: 80 TCP, 500 UDP, 1000-2000 TCP, GRE, IPIP, ICMP, 89/2 ICMP, 133 ICMP, ICMP6, 89/2 ICMP6, 133 ICMP, or IGMP

Windows Process-based Rules

Rules to Allow System Created Processes

Rules can be created to allow all system-initiated processes in Windows. This approach allows all traffic related to drivers and other operating system modules. You can create a service of type Windows (process or service-based) with the word "system" (case-insensitive) in the Port/Protocol text input field. Once you create this service, you can use it in rules.

To create a service that allows all system-initiated processes:

  1. From the PCE web console menu, choose Policy Objects > Services.
  2. Click Add.
  3. Enter a name and description for the service you are adding.
  4. From the Operating System drop-down list, choose Windows: Process/Service-Based.
  5. In the Ports, Protocols, Processes and Services field, specify a port/protocol, a process or service, or a port/protocol with a process or service, separating the port and protocol with a space.
  6. Click Save.

Service Using Windows Environmental Variables

Rules can be created to allow processes whose full path is specified using Windows environmental variables. To do this, create a service of type Windows (process or service-based) with the environmental variable in the process path in the Port/Protocol text input field. After you create this service, you can use it in rules.

To create a service that uses Windows environmental variables:

  1. From the PCE web console menu, choose Policy Objects > Services.
  2. Click Add.
  3. In the Name field, enter system (case-insensitive).
  4. From the Operating System drop-down list, select Windows: Process/Service-based.
  5. In the Ports & Protocols field, specify the port/protocol, separating the port and protocol with a space. Enter %systemroot% in quotes, followed by the name of the process. For example:

    540 TCP "%systemroot%\myprocess.exe"

  6. Click Save.

NOTE:

Currently, only the Windows system variable is supported in the process path.
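The entry syntax described in Service Types and in the two Windows procedures above is easy to get wrong when lists are pasted from another source. The following parser is an added example, not Illumio code: it accepts the forms the page lists (a port or port range with TCP/UDP, a bare GRE/IPIP/IGMP protocol, an ICMP or ICMP6 type or type/code, a quoted Windows process path or service name, and the bare word "system") and rejects anything else. The ServiceEntry field names, the rule that a quoted value containing a backslash or ending in .exe is a process path rather than a service name, and the validation_error helper are this example's own assumptions.

```python
"""Parse and validate service entries in the syntax documented above.

Added example; not part of Illumio Core. Field names of ServiceEntry and the
process-versus-service heuristic for quoted values are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

PORT_PROTOCOLS = {"TCP", "UDP"}            # need a port or port range
ICMP_PROTOCOLS = {"ICMP", "ICMP6"}         # optional "type" or "type/code"
BARE_PROTOCOLS = {"GRE", "IPIP", "IGMP"}   # protocol name only, no port

_QUOTED = re.compile(r'"([^"]*)"')
_PORT_SPEC = re.compile(r"^(\d+)(?:-(\d+))?$")
_ICMP_SPEC = re.compile(r"^(\d+)(?:/(\d+))?$")


@dataclass
class ServiceEntry:
    protocol: Optional[str] = None    # TCP, UDP, ICMP, ICMP6, GRE, IPIP or IGMP
    port: Optional[int] = None        # single port, or first port of a range
    to_port: Optional[int] = None     # last port of a range
    icmp_type: Optional[int] = None   # ICMP/ICMP6 type, 0-255
    icmp_code: Optional[int] = None   # ICMP/ICMP6 code, 0-255
    process: Optional[str] = None     # Windows process path, or "system"
    service: Optional[str] = None     # Windows service name


def _int_in_range(text: str, lo: int, hi: int, what: str) -> int:
    value = int(text)
    if not lo <= value <= hi:
        raise ValueError(f"{what} {value} is outside {lo}-{hi}")
    return value


def parse_service_entry(entry: str, windows: bool = False) -> ServiceEntry:
    """Parse one line of a service definition.

    windows=True enables the Windows process/service-based forms."""
    # Normalise the curly quotes that word processors insert into pasted lists.
    entry = entry.replace("\u201c", '"').replace("\u201d", '"')
    result = ServiceEntry()

    # Quoted values are Windows process paths or service names (assumption:
    # a backslash or .exe suffix marks a path, anything else a service name).
    for value in _QUOTED.findall(entry):
        if "\\" in value or value.lower().endswith(".exe"):
            if result.process is not None:
                raise ValueError("more than one process path")
            result.process = value
        else:
            if result.service is not None:
                raise ValueError("more than one service name")
            result.service = value
    words = _QUOTED.sub(" ", entry).split()

    # The bare word "system" stands for all system-initiated processes.
    if len(words) == 1 and words[0].lower() == "system":
        result.process = "system"
        words = []

    if (result.process or result.service) and not windows:
        raise ValueError("process/service names are only valid for Windows services")

    if words:
        protocol = words[-1].upper()
        spec = words[:-1]
        if len(spec) > 1:
            raise ValueError(f"unexpected tokens before protocol: {spec}")
        result.protocol = protocol
        if protocol in PORT_PROTOCOLS:
            m = _PORT_SPEC.match(spec[0]) if spec else None
            if not m:
                raise ValueError(f"{protocol} needs a port or port range")
            result.port = _int_in_range(m.group(1), 0, 65535, "port")
            if m.group(2):
                result.to_port = _int_in_range(m.group(2), 0, 65535, "port")
                if result.to_port < result.port:
                    raise ValueError("port range end is below its start")
        elif protocol in ICMP_PROTOCOLS:
            if spec:
                m = _ICMP_SPEC.match(spec[0])
                if not m:
                    raise ValueError(f"bad {protocol} type/code: {spec[0]}")
                result.icmp_type = _int_in_range(m.group(1), 0, 255, "ICMP type")
                if m.group(2):
                    result.icmp_code = _int_in_range(m.group(2), 0, 255, "ICMP code")
        elif protocol in BARE_PROTOCOLS:
            if spec:
                raise ValueError(f"{protocol} takes no port")
        else:
            raise ValueError(f"unknown protocol: {words[-1]}")
    elif result.process is None and result.service is None:
        raise ValueError("empty service entry")
    return result


def validation_error(entry: str, windows: bool = False) -> Optional[str]:
    """Return None when the entry is valid, else the reason it was rejected."""
    try:
        parse_service_entry(entry, windows)
    except ValueError as exc:
        return str(exc)
    return None
```

Run each pasted line through validation_error before saving a service; an All OS: Port Based service is parsed with windows=False, so a stray process path or the word "system" is reported instead of silently producing a service that matches nothing.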

IGMP Services

IGMP can be added as a service and used in rules to write granular inbound or outbound policy for IGMP, which is typically used for multicast. No range is required for IGMP.

You can export IGMP traffic in JSON, CEF, or LEEF format.

You can also create and update services that use the IGMP protocol by using the Illumio Core REST API. See Services in the REST API Developer Guide for information about using the REST API to create services.

Caveats

  • When IGMP service is used in a rule, all IGMP types are allowed; however, granular control and specific multicast addresses are not supported.
  • IGMP is not supported in the Illumination map.

ICMP Services

ICMP can be added as a service and used in rules to write granular inbound or outbound policy for ICMP. ICMP is usually used for traceroute and path MTU discovery.

You can export ICMP traffic in JSON, CEF, or LEEF format.

NOTE:

When these services are blocked, they do not appear in the Blocked Traffic list and the connection is dropped silently.

ICMP types and codes (such as 0 ICMP or 3/2 ICMP) are supported. Valid type and code values range from 0 to 255.

The following table describes the correct format for each type of supported ICMP rule:

Example                  Format                          Meaning in Rule
ICMP (on its own line)   Protocol name only              Allow all ICMP traffic
3 ICMP                   Protocol name and type          All ICMP traffic of type 3 (Destination Unreachable) is allowed, regardless of its code
3/6 ICMP                 Protocol name, type, and code   Only ICMP traffic of type 3 and code 6 is allowed

ICMP traffic is displayed in Explorer, similar to TCP/UDP traffic. From the 19.1.0 release on, you can see ICMP traffic flows in Illumination and the App Groups Map. You can hide them by using the filter in Illumination.

You can also create and update services that use the ICMP protocol using the Illumio Core REST API. See Services in the REST API Developer Guide for information about using the REST API to create services.

Caveats

  • ICMP is not supported for virtual services.
  • When an ICMP service is used in a rule, all ICMP types are allowed; however, granular control and specific multicast addresses are not supported.
  • When you enable IPv6 on Windows VENs, IPv6 system rules are not propagated to those VENs. You need to write security rules to ensure robust IPv6 functionality. The ICMPv6 types that are required in those rules are as follows:

    ICMPv6 Message                  ICMPv6 Type
    Router Solicitation Message     133
    Router Advertisement Message    134
    Neighbor Solicitation Message   135
    Neighbor Advertisement Message  136
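The ICMP format table above and the Windows IPv6 caveat both come down to how an entry's type and code are matched against a flow. The following is an added example, not Illumio code, that applies the table's semantics ("ICMP" matches everything, "3 ICMP" matches type 3 with any code, "3/6 ICMP" matches only type 3 code 6) to a set of constructed sample flows, and checks an ICMP6 rule set for the four neighbor-discovery types the caveat says Windows IPv6 rules must allow. The (type, code) tuple representation, the sample flows and the function names are this example's own.

```python
"""Match ICMP/ICMPv6 flows against service entries (added example, not Illumio code).

An entry is a (type, code) pair in which None means "any", so the table rows
map to (None, None) for "ICMP", (3, None) for "3 ICMP" and (3, 6) for
"3/6 ICMP". The sample flows are constructed for this demonstration.
"""
from typing import Dict, Iterable, List, Optional, Tuple

Entry = Tuple[Optional[int], Optional[int]]   # (icmp_type, icmp_code)

# ICMPv6 types from the caveat above that Windows IPv6 rules must allow.
ICMPV6_ND_TYPES: Dict[int, str] = {
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
}

# Constructed sample flows: (type, code, description).
SAMPLE_FLOWS: List[Tuple[int, int, str]] = [
    (3, 6, "destination network unknown"),
    (3, 1, "host unreachable"),
    (8, 0, "echo request"),
    (11, 0, "time exceeded"),
]


def entry_matches(entry: Entry, icmp_type: int, icmp_code: int) -> bool:
    """Apply the table's semantics to one entry."""
    rule_type, rule_code = entry
    if rule_type is None:                 # "ICMP": every type and code
        return True
    if rule_type != icmp_type:            # the type is always an exact match
        return False
    return rule_code is None or rule_code == icmp_code   # "3 ICMP" vs "3/6 ICMP"


def flow_allowed(entries: Iterable[Entry], icmp_type: int, icmp_code: int) -> bool:
    """A flow is allowed when any entry of the service matches it."""
    return any(entry_matches(e, icmp_type, icmp_code) for e in entries)


def audit_flows(entries: Iterable[Entry], flows) -> List[Tuple[str, bool]]:
    """Return (description, allowed) for each flow.

    Blocked ICMP is dropped silently and never reaches the Blocked Traffic
    list, so a local audit like this is where a denied flow becomes visible."""
    entries = list(entries)
    return [(description, flow_allowed(entries, icmp_type, icmp_code))
            for icmp_type, icmp_code, description in flows]


def missing_nd_types(icmp6_entries: Iterable[Entry]) -> List[int]:
    """ICMPv6 neighbor-discovery types that no ICMP6 entry covers (code 0)."""
    entries = list(icmp6_entries)
    return [t for t in ICMPV6_ND_TYPES if not flow_allowed(entries, t, 0)]


if __name__ == "__main__":
    for description, allowed in audit_flows([(3, None)], SAMPLE_FLOWS):
        print(f"{'ALLOW' if allowed else 'DROP ':5} {description}")
    print("missing ICMPv6 ND types:", missing_nd_types([(133, None), (134, 0)]))
```

With only "3 ICMP" in the service, the two type-3 flows are allowed and the echo request and time-exceeded flows are dropped; the ICMP6 check reports types 135 and 136 as missing when only 133 and 134 are written, which is the gap that breaks neighbor discovery on a Windows VEN with IPv6 enabled.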

Upgrading from Illumio Core Version 17.1

If the ICMP Echo option was allowed in your PCE prior to upgrade, the PCE automatically adds and provisions a rule during the upgrade to allow ICMP Echo on all workloads. During the upgrade, the PCE checks the current organization settings and takes the following actions:

  1. Creates a new service named “ICMP.”
  2. Creates a new rule in the default ruleset to allow outbound ICMP for all workloads.
  3. When the ICMP Echo setting was enabled, creates a new service named “ICMP ECHO” to allow echo requests and a new rule to allow all “ICMP ECHO” on all workloads.
  4. Adds the rules to the active version of the policy.

Filter the Services List

You can filter the Services list using the property filter at the top of the list. You can filter the list by service name, description, port, protocol, and provision status (draft or active).

Services in a Rule

When you create a rule, you can select a service to indicate the allowed communication between workloads and other entities.

Create a Service

When you create a service, that service becomes available to use in a rule.

For a list of the types of services you can create, see Service Types.

To create a service from the Services page:

  1. From the PCE web console menu, choose Policy Objects > Services.
  2. Click Add.
  3. Enter a name for the service and, optionally, a description.
  4. Under Attributes, choose whether you want to create a port-based or Windows service-based service.
  5. In the Ports & Protocols section, enter the ports, using a space to separate them from the protocol. If you want to enter a range, separate the port numbers by a hyphen. You can also copy and paste lists of services here from another source.
  6. When the service uses any UDP ports, enter them as well.
  7. Click Save.

To create a service from the Ruleset page:

To make rule writing easier, you can create a new service in a ruleset as you are writing rules.

NOTE:

The service is not associated with the ruleset.

  1. Create an extra-scope or an intra-scope rule. (See Rule Writing.)
  2. In the Select Service field, choose Create Service at the end of the list.