Services

When workloads are paired with the PCE, the VEN discovers all running processes and services on a workload and makes those services available for use when writing rules. You can see those discovered services when you view the Processes tab on the Workload's details page.

However, you can also create your own services, specifying the service type as well as the ports and protocols the service uses to communicate.

NOTE:

A Windows service's SID type can be checked with sc.exe qsidtype myservice. You can write rules that name services whose service SID type is unrestricted. When a service has a restricted SID type, write the rule without the service name (for example, by port/protocol or process path only). Naming a service with a restricted SID type in a rule causes its traffic to be dropped and can cause the traffic to be reported inconsistently between the Reported view and the Draft view.

Service Types

When you create a service, you can choose one of two general types:

  • All Operating Systems: Port-Based: This type of service can be used for writing rules for any workload and is defined by a port and protocol, a port range and protocol, or, for some protocols, the protocol alone. For example: 80 TCP, 1000-2000 TCP, 500 UDP. For GRE or IPIP, you only need to specify the protocol.
  • Windows: Process/Service-Based: This type of service can be used for writing rules for Windows workloads only and is defined by one of the following combinations. The Windows process path and the Windows service name must be surrounded by quotation marks:

    • Port and/or Protocol, Windows Process, and Windows Service

      443 TCP c:\windows\myprocess.exe myservice

    • Port and/or Protocol and Windows Process

      443 TCP c:\windows\myprocess.exe

    • Port and/or Protocol and Windows Service

      443 TCP myservice

    • Windows Port and/or Protocol

      514 UDP

    • Windows Process

      c:\windows\myprocess.exe

    • Windows Service

      myservice

Windows Process-based Rules

Rules to Allow System-Created Processes

Rules can be created to allow all system-initiated processes in Windows. This allows all traffic related to drivers and other operating system modules. To do this, create a service of type Windows: Process/Service-Based with the word “system” (case-insensitive) in the Port and/or Protocol text input field. Once you create this service, you can use it in rules.

To create a service that allows all system-initiated processes:

  1. From the PCE web console menu, choose Policy Objects > Services.

  2. Click Add.
  3. Enter a name and definition for the service you are adding.
    • To add a service definition, from the Operating System drop-down, select either All Operating Systems: Port-Based or Windows: Process/Service-Based:
      • If you select All Operating Systems: Port-Based, you can only specify a port and protocol, a port range and protocol, or, for some protocols, the protocol alone, separating the port and protocol with a space. For example: 512 TCP.
      • If you select Windows: Process/Service-Based, in the Port and/or Protocol field specify a port/protocol, a process or service, a port/protocol with a process or service, or the word system, separating the elements with spaces. For example: 512 TCP, C:\windows\myprocess.exe, or myservice.
    • To remove a service definition:
      1. Select the check box next to the Port and/or Protocol entry. You can select one or more entries.
      2. Click Remove.
  4. Click Save.

Service Using Windows Environment Variables

A Windows environment variable can be used in place of the literal drive and directory when you specify the full process path. To do this, create a service of type Windows: Process/Service-Based and enter the path, containing the environment variable, in the Port and/or Protocol text input field.

NOTE:

Currently, only the Windows system variable is supported in the process path. For example: %systemroot%\myprocess.exe

To create a service that uses a Windows environment variable:

  1. From the PCE web console menu, choose Policy Objects > Services.
  2. Click Add.
  3. In the Name field, enter a name for the service.
  4. From the Operating System drop-down list, select Windows: Process/Service-Based.
  5. In Port and/or Protocol, enter the process path using the environment variable. If the definition also includes a port and protocol, separate the port, protocol, and path with spaces. For example:

    %systemroot%\myprocess.exe

  6. Click Save.

IGMP Services

IGMP can be added as a service and used in rules to write granular inbound or outbound policy for IGMP, which is typically used for multicast. No range is required for IGMP.

You can export IGMP traffic in JSON, CEF, or LEEF format.

You can also create and update services that use the IGMP protocol by using the Illumio Core REST API. See Services in the REST API Developer Guide for information about using the REST API to create services.

Caveats

  • When an IGMP service is used in a rule, all IGMP types are allowed; granular control and specific multicast addresses are not supported.
  • IGMP is not supported in the Illumination map.

ICMP Services

ICMP can be added as a service and used in rules to write granular inbound or outbound policy for ICMP. ICMP is usually used for traceroute and path MTU discovery.

You can export ICMP traffic in JSON, CEF, or LEEF format.

NOTE:

When these services are blocked, they do not appear in the Blocked Traffic list and the connection is dropped silently.

ICMP types and codes (such as 0 ICMP or 3/2 ICMP) are supported. Both the type and the code range from 0 to 255.

The following table describes the correct format for each type of supported ICMP rule:

  Example    Format                          Meaning in Rule
  ICMP       Protocol name only              Allow all ICMP traffic
  3 ICMP     Protocol name and type          Allow all type 3 (Destination Unreachable) ICMP traffic, regardless of code
  3/6 ICMP   Protocol name, type, and code   Allow only type 3, code 6 ICMP traffic

ICMP traffic is displayed in Explorer, similar to TCP/UDP traffic. From the 19.1.0 release on, you can see ICMP traffic flows in Illumination and the App Groups Map. You can choose to conceal them by using the filter in Illumination.

You can also create and update services that use the ICMP protocol using the Illumio Core REST API. See Services in the REST API Developer Guide for information about using the REST API to create services.
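As an added example (not Illumio's own code), the following Python helper converts service definitions written in the textual forms shown under Service Types, IGMP Services and ICMP Services (for example "1000-2000 TCP", "IGMP", "3/6 ICMP", or 443 TCP with a process path and service name) into a request body for the REST API, validates them before anything is sent, and can create and provision the resulting service. The endpoint paths, the field names (service_ports, windows_services, proto, port, to_port, icmp_type, icmp_code, process_name, service_name), the API-key basic-auth scheme and the change_subset provisioning body are my reading of the Illumio Core REST API and must be checked against the REST API Developer Guide for your PCE version; the rule that a token containing a path separator is a process path and anything else is a service name is also an assumption of this example. The sample definitions in the block are constructed from the forms on this page; running it as a script only prints JSON and contacts no PCE.

```python
"""Build Illumio Core REST API service bodies from the PCE console's textual
service definitions. Added example; field names, paths and auth scheme are
assumptions to verify against the REST API Developer Guide."""
import json
import re
import urllib.request
from base64 import b64encode

# IANA protocol numbers for the protocols the page's service types mention.
PROTO_NUMBERS = {"TCP": 6, "UDP": 17, "ICMP": 1, "ICMPV6": 58, "IGMP": 2, "GRE": 47, "IPIP": 4}
PORTLESS = {"ICMP", "ICMPV6", "IGMP", "GRE", "IPIP"}   # protocol-only entries need no port
_TOKEN = re.compile(r'"[^"]*"|\S+')                   # keep quoted paths with spaces whole


def _proto(name):
    num = PROTO_NUMBERS.get(name.upper())
    if num is None:
        raise ValueError(f"unsupported protocol: {name}")
    return num


def parse_port_entry(text):
    """All Operating Systems: Port-Based entry -> one service_ports element.
    Accepts '80 TCP', '1000-2000 TCP', '500 UDP', 'GRE', 'IGMP', 'ICMP', '3 ICMP', '3/6 ICMP'."""
    tokens = text.split()
    if len(tokens) == 1:
        if tokens[0].upper() not in PORTLESS:
            raise ValueError(f"{tokens[0]} needs a port")
        return {"proto": _proto(tokens[0])}
    if len(tokens) != 2:
        raise ValueError(f"expected '<port|range|type[/code]> <protocol>': {text!r}")
    value, name = tokens[0], tokens[1].upper()
    entry = {"proto": _proto(name)}
    if name in ("ICMP", "ICMPV6"):              # type[/code], each 0-255 as the page states
        m = re.fullmatch(r"(\d+)(?:/(\d+))?", value)
        if not m or any(int(g) > 255 for g in m.groups() if g is not None):
            raise ValueError(f"ICMP type/code must be 0-255: {value}")
        entry["icmp_type"] = int(m.group(1))
        if m.group(2) is not None:
            entry["icmp_code"] = int(m.group(2))
        return entry
    if name not in ("TCP", "UDP"):
        raise ValueError(f"{name} takes no port")
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", value)   # single port or hyphenated range
    if not m:
        raise ValueError(f"bad port or range: {value}")
    low, high = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port range: {value}")
    entry["port"] = low
    if high != low:
        entry["to_port"] = high
    return entry


def parse_windows_entry(text):
    """Windows: Process/Service-Based entry -> one windows_services element.
    Accepts the page's combinations: optional '<port> <TCP|UDP>' followed by an optional
    process path (quoted or not) and/or service name, e.g. '443 TCP "c:\\windows\\x.exe" mysvc'."""
    tokens = [t.strip('"') for t in _TOKEN.findall(text)]
    entry = {}
    if len(tokens) >= 2 and tokens[1].upper() in ("TCP", "UDP") and re.fullmatch(r"\d+(-\d+)?", tokens[0]):
        entry.update(parse_port_entry(" ".join(tokens[:2])))
        tokens = tokens[2:]
    for tok in tokens:  # assumption: a path separator marks a process path, anything else is a service name
        key = "process_name" if ("\\" in tok or "/" in tok) else "service_name"
        if key in entry:
            raise ValueError(f"more than one {key} in {text!r}")
        entry[key] = tok
    if not entry:
        raise ValueError("empty service definition")
    return entry


def validate(parser, text):
    """True when a definition parses; pre-check pasted lists before calling the PCE."""
    try:
        parser(text)
        return True
    except ValueError:
        return False


def build_service(name, definitions, windows=False, description=""):
    """Assemble the body for POST /api/v2/orgs/{org_id}/sec_policy/draft/services (assumed shape)."""
    key = "windows_services" if windows else "service_ports"
    parse = parse_windows_entry if windows else parse_port_entry
    return {"name": name, "description": description, key: [parse(d) for d in definitions]}


def pce_post(pce_url, org_id, api_user, api_secret, path, body):
    """POST to the PCE using the API-key user and secret as HTTP basic auth; return decoded JSON."""
    auth = b64encode(f"{api_user}:{api_secret}".encode()).decode()
    req = urllib.request.Request(
        f"{pce_url}/api/v2/orgs/{org_id}/{path}", data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": f"Basic {auth}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def create_and_provision(pce_url, org_id, api_user, api_secret, body):
    """Create the draft service, then provision only that object (assumed change_subset body)."""
    svc = pce_post(pce_url, org_id, api_user, api_secret, "sec_policy/draft/services", body)
    pce_post(pce_url, org_id, api_user, api_secret, "sec_policy",
             {"update_description": f"add service {body['name']}",
              "change_subset": {"services": [{"href": svc["href"]}]}})
    return svc["href"]


if __name__ == "__main__":
    # Constructed definitions taken from the forms on this page; nothing is sent to a PCE here.
    print(json.dumps(build_service("icmp-dest-unreach-frag", ["3/6 ICMP", "IGMP", "1000-2000 TCP"]), indent=2))
    print(json.dumps(build_service("myservice-https",
                                   ['443 TCP "c:\\windows\\myprocess.exe" myservice', "514 UDP"],
                                   windows=True), indent=2))
```

To push a service to a real PCE, call create_and_provision with the PCE URL, organization ID and an API key user and secret; the helper provisions only the new service rather than every pending draft object, which keeps an automation run from activating someone else's unreviewed changes.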

Caveats

  • ICMP is not supported for virtual services.
  • When a protocol-only ICMP service (ICMP with no type or code) is used in a rule, all ICMP types are allowed; specific multicast addresses are not supported.
  • When you enable IPv6 on Windows VENs, IPv6 system rules are not propagated to those VENs. You need to write security rules to ensure robust IPv6 functionality. The ICMPv6 types that are required in those rules are as follows:

    ICMPv6 Message                  ICMPv6 Type
    Router Solicitation Message     133
    Router Advertisement Message    134
    Neighbor Solicitation Message   135
    Neighbor Advertisement Message  136

Upgrading from Illumio Core Version 17.1

If the ICMP Echo option was allowed in your PCE prior to upgrade, the PCE automatically adds and provisions a rule during the upgrade to allow ICMP Echo on all workloads. During the upgrade, the PCE checks the current organization settings and takes the following actions:

  1. Creates a new service named “ICMP.”
  2. Creates a new rule in the default segmentation ruleset to allow outbound ICMP for all workloads.
  3. When the ICMP Echo setting was enabled, creates a new service named “ICMP ECHO” to allow echo requests and a new rule to allow all “ICMP ECHO” on all workloads.
  4. Adds the rules to the active version of the policy.

Filter the Services List

You can filter the Services list using the property filter at the top of the list. You can filter the list by service name, description, port, protocol, or provision status (draft or active).

Services in a Rule

When you create a rule, you can select a service to indicate the allowed communication between workloads and other entities.

Create a Service

When you create a service, that service becomes available to use in a rule.

For a list of the types of services you can create, see Service Types.

To create a service from the Services page:

  1. From the PCE web console menu, choose Policy Objects > Services.
  2. Click Add.
  3. Enter a name for the service and, optionally, a description.
  4. Under Attributes, choose whether you want to create a port-based or Windows service-based service.
  5. In the Port and/or Protocol section, click Add and enter the ports, using a space to separate them from the protocol. If you want to enter a range, separate the port numbers by a hyphen. You can also copy and paste lists of services here from another source.
  6. When the service uses any UDP ports, enter them as well.
  7. Click Save.

To create a service from the Ruleset page:

To make rule writing easier, you can create a new service in a segmentation ruleset as you are writing rules.

NOTE:

The service is not associated with the segmentation ruleset.

  1. Create an extra-scope or an intra-scope rule. (See Rule Writing.)
  2. In the Select Service field, choose Create Service at the end of the list.