About VEN Administration on Workloads

This topic explains the VEN states and characteristics you need to understand when administering the VEN on workloads.

Workload Policy States

After activation, the VEN is in one of the policy states summarized in the table below. The policy state determines how the rules received from the PCE affect the workload's network communication.

Change the policy state of the VEN by modifying settings in the PCE or by making calls to the REST API.

VEN Enforcement Characteristics

Policy enforcement is controlled by the workload's enforcement state; a separate visibility level specifies how much traffic data the VEN collects from the workload.

The following table summarizes the key enforcement characteristics of the VEN. The four visibility levels, and what the VEN logs at each, are the same for the Visibility Only, Selective, and Full enforcement states.

Workload Enforcement State | VEN Mode    | VEN Visibility Level     | Log Traffic
Idle                       | Idle        | Limited                  | Limited
Visibility Only            | Illuminated | Off                      | VEN does not log traffic connection information
                           |             | Blocked                  | VEN logs connection information for blocked and potentially blocked traffic only
                           |             | Blocked+Allowed          | VEN logs connection information for allowed, blocked, and potentially blocked traffic
                           |             | Enhanced Data Collection | VEN logs byte counts in addition to connection details for allowed, blocked, and potentially blocked traffic
Selective                  | Selective   | Off                      | VEN does not log traffic connection information
                           |             | Blocked                  | VEN logs connection information for blocked and potentially blocked traffic only
                           |             | Blocked+Allowed          | VEN logs connection information for allowed, blocked, and potentially blocked traffic
                           |             | Enhanced Data Collection | VEN logs byte counts in addition to connection details for allowed, blocked, and potentially blocked traffic
Full                       | Enforced    | Off                      | VEN does not log traffic connection information
                           |             | Blocked                  | VEN logs connection information for blocked and potentially blocked traffic only
                           |             | Blocked+Allowed          | VEN logs connection information for allowed, blocked, and potentially blocked traffic
                           |             | Enhanced Data Collection | VEN logs byte counts in addition to connection details for allowed, blocked, and potentially blocked traffic

For more information, see Ways to Enforce Policy in the Security Policy Guide.

VEN Policy Sync

To help you administer and troubleshoot the VEN, it reports a Policy Sync state. The states and their definitions are:

  • Active (Syncing): Policy is currently being applied to the workload.
  • Active: The most recent policy provisioning succeeded, no unwanted changes to the workload's firewall have been reported, none of the configured SecureConnect connections is in an error state, and all VEN processes are running correctly.
    • For more information on SecureConnect, see the Security Policy Guide.
  • Staged: The PCE has successfully sent policy to the VEN, where it is staged and scheduled to be applied later. This state appears only when the workload's Policy Update Mode is set to Static Policy. For information, see Static Policy and Staged Policy, and Types of Illumio Policy, in the Security Policy Guide.
  • Error: The VEN has reported one of the following errors:
    • The most recent policy provisioning failed.
    • Unwanted changes to the workload's firewall have been reported.
    • At least one VEN process is not running correctly.
    • A SecureConnect or Machine Authentication policy exists, but the leaf certificates are not set up properly.
  • Warning: At least one SecureConnect connection is in an error state, and either the most recent policy provisioning was successful or no unwanted changes to the workload's firewall have been reported.
  • Suspended: Used by administrators for debugging. All rules the VEN programmed into the platform firewall (including custom iptables rules) are removed, and no Illumio processes run on the workload.

VEN Health Status on Workloads

The VEN health status on the workload's details page displays information related to the current state of VEN connectivity, the most recently provisioned policy changes to that workload, and any errors reported by the VEN.

These errors include any unwanted changes to the workload's firewall settings, any SecureConnect functionality issues, or any VEN process health errors.

To view a workload's VEN health status, view the VEN section on the Summary tab for the workload's details page.

VEN Process Health

The health status of the VEN can be monitored from the PCE web console. If for any reason one or more Illumio processes on the workload are not running, the VEN reports the error to the PCE.

The PCE marks the workload as in an error state and adds a notification on the Workloads page. It also logs an audit event that includes the Illumio processes which were not running on the workload.

Workload Clone Alerts

Workloads can be filtered according to whether a cloned node has been detected. On Windows, Linux, and Mac OS systems, when the PCE detects a cloned node, it notifies the VEN through a heartbeat. The VEN verifies that a clone exists, prevents it from being activated, and deletes it.

In the Illumio REST API, cloned workloads are identified by the clone_detected state. In the PCE web console, filter the workloads list on "clone detected." If any workloads are in the clone_detected state, a red banner (similar to the one shown for suspended workloads) is displayed at the top of the workload list page.

VEN Software Management from PCE

The ability to manage VEN software and install the VEN by using the PCE has been enhanced in this release in the following ways:

  • You can upgrade all VENs or just a subset of VENs from the PCE.
  • You can upgrade VENs by using filters, such as for labels, OSs, VEN health, IP address, current VEN version.
  • When upgrading, the PCE informs you of the version the VENs will be upgraded to.
  • You can monitor and troubleshoot VEN upgrade issues.
  • You can report on VEN versions and their compatibility.

VEN Flow Duration Attributes

The 20.2.0 VEN sends two new attributes in its syslog and fluentd output. The attributes are appended to each flow record and describe the flow duration:

ddms - delta flow duration in milliseconds. The duration of the aggregate within the current sampling interval. This field lets you calculate the bandwidth between two applications in a given sampling interval: dbo (delta bytes out) / ddms, or dbi (delta bytes in) / ddms.

tdms - total flow duration in milliseconds. The duration of the aggregate across all sampling intervals. This field lets you calculate the average bandwidth of a connection between two applications: tbo (total bytes out) / tdms, or tbi (total bytes in) / tdms. It also lets you calculate the average volume of data per connection between two applications: tbo / count (the number of flows in the aggregate), or tbi / count.
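The calculations above, carried through in code as an added example (not Illumio's own tooling). Only the field names dbo, dbi, tbo, tbi, count, ddms and tdms come from the text; the one-JSON-object-per-line record layout and the sample values are constructed for this illustration. The second sample record has a zero-length delta interval, which the helper reports as None rather than dividing by zero.

```python
"""Bandwidth and per-flow volume from VEN flow records carrying ddms/tdms.

Added example; not Illumio's code. Field names come from the text; the
record layout and sample values are constructed.
"""
import json

# Constructed sample records. The second one has ddms == 0 (no traffic in
# the current sampling interval), the edge case the helpers must handle.
SAMPLE_FLOW_LINES = [
    '{"src_ip":"10.0.1.10","dst_ip":"10.0.2.20","dst_port":443,'
    '"dbo":1048576,"dbi":20480,"tbo":52428800,"tbi":1024000,"count":50,'
    '"ddms":2000,"tdms":60000}',
    '{"src_ip":"10.0.1.11","dst_ip":"10.0.2.20","dst_port":443,'
    '"dbo":0,"dbi":0,"tbo":4096,"tbi":512,"count":2,"ddms":0,"tdms":10}',
]


def bytes_per_second(byte_count, duration_ms):
    """Bytes over a millisecond duration, as bytes/s; None if duration is 0."""
    if duration_ms <= 0:
        return None
    return byte_count * 1000.0 / duration_ms


def flow_metrics(record):
    """Apply the formulas from the text to one aggregate flow record."""
    count = record["count"]
    return {
        "key": "{}->{}:{}".format(record["src_ip"], record["dst_ip"],
                                  record["dst_port"]),
        # Bandwidth within the current sampling interval (dbo/ddms, dbi/ddms).
        "delta_out_bps": bytes_per_second(record["dbo"], record["ddms"]),
        "delta_in_bps": bytes_per_second(record["dbi"], record["ddms"]),
        # Average bandwidth over the life of the aggregate (tbo/tdms, tbi/tdms).
        "avg_out_bps": bytes_per_second(record["tbo"], record["tdms"]),
        "avg_in_bps": bytes_per_second(record["tbi"], record["tdms"]),
        # Average volume per connection (tbo/count, tbi/count).
        "avg_out_bytes_per_flow": record["tbo"] / count if count else None,
        "avg_in_bytes_per_flow": record["tbi"] / count if count else None,
    }


def parse_flow_lines(lines):
    """Parse newline-delimited JSON flow records into metric dictionaries."""
    return [flow_metrics(json.loads(line)) for line in lines if line.strip()]


if __name__ == "__main__":
    for m in parse_flow_lines(SAMPLE_FLOW_LINES):
        print(m)
```

Values are bytes per second; multiply by 8 for bits per second. A None in the delta columns means the aggregate carried no traffic in that sampling interval, not that the rate was zero.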

Stopped VEN Status

The addition of the stopped status has the following effect on the PCE web console UI:

  • On the Workload list page, the "Connectivity" column is replaced with "Status."
  • On the Workload details pages, "VEN Connectivity" is changed to "VEN status."
  • You can filter the Workload list page by the new VEN stopped status.

Aggressive Tampering Protection for nftables

Firewall changes that are not explicitly configured by the VEN are logged as tampering attempts. This feature extends Release 19.3 nftables support with the inclusion of aggressive tampering protection.

VEN Proxy Support on Linux, AIX, and Solaris

This release extends VEN proxy support to include Linux, AIX, and Solaris devices, in addition to Windows.

For more information, see VEN Proxy Support in VEN Installation and Upgrade Guide.

Uninterrupted Traffic Between the VEN and the PCE

IMPORTANT:

This feature requires the Illumio Core VEN version 21.2.0 or later.

The current VEN implementation in Release 21.2.0 provides an extra layer of self-protection that prevents any erroneous policy from being applied to the VEN. The VEN employs a defensive approach that reviews policies before applying them. In case the VEN detects that the new policy may disrupt communications between the VEN and the PCE, the VEN automatically isolates that policy and logs an error in the event log. The VEN then continues to communicate with the PCE using the existing functional policy.

Prior to Release 21.2.0, if an erroneous policy was inadvertently propagated from the PCE to the VENs, it caused a permanent disruption in communications. All VENs and all workloads were impacted and would remain in an undesirable state until the correct policies were reapplied. Manual intervention was required to reload the correct policy to resume communications between the VEN and the PCE. This is no longer required.
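A minimal illustration of the fail-safe behaviour described above, added here as an example; it is not Illumio's implementation and says nothing about how the VEN actually models rules. The rule format, the first-match evaluation with default deny, the PCE address and the management ports (8443 and 8444) are all assumptions for this illustration. The point it shows is the ordering: the candidate policy is evaluated against the VEN's own management flows before it replaces the running policy, and a candidate that would cut off the PCE is rejected and logged while the existing policy stays in place.

```python
"""Pre-apply check that rejects a policy which would block VEN-to-PCE traffic.

Added example; not Illumio's implementation. Rule model, PCE endpoint and
ports are assumptions.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    direction: str     # "out" or "in"
    dst: str           # destination address or "any"
    port: int          # destination port, 0 means any
    proto: str = "tcp"


@dataclass(frozen=True)
class Flow:
    direction: str
    dst: str
    port: int
    proto: str = "tcp"


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if (r.direction == flow.direction and r.proto == flow.proto
                and r.dst in ("any", flow.dst) and r.port in (0, flow.port)):
            return r.action
    return "deny"


# Assumed PCE endpoint: the VEN reaches the PCE outbound over HTTPS.
PCE_ADDR = "198.51.100.10"
PCE_FLOWS = [Flow("out", PCE_ADDR, 8443), Flow("out", PCE_ADDR, 8444)]


def preserves_pce_connectivity(rules: List[Rule]) -> bool:
    """True only if every management flow is still allowed under `rules`."""
    return all(evaluate(rules, f) == "allow" for f in PCE_FLOWS)


class VenPolicyStore:
    """Holds the running policy and applies candidates only if they pass."""

    def __init__(self, current: List[Rule]):
        self.current = list(current)
        self.events: List[str] = []

    def apply(self, candidate: List[Rule]) -> bool:
        if preserves_pce_connectivity(candidate):
            self.current = list(candidate)
            self.events.append("policy applied")
            return True
        # Isolate the bad policy: log an error and keep the working one.
        self.events.append(
            "error: candidate policy would block VEN-to-PCE traffic; "
            "existing policy retained")
        return False


# Constructed policies. GOOD keeps the management flows open; BAD starts
# with a blanket outbound deny that would orphan the VEN.
GOOD_POLICY = [
    Rule("allow", "out", PCE_ADDR, 8443),
    Rule("allow", "out", PCE_ADDR, 8444),
    Rule("allow", "in", "any", 22),
    Rule("deny", "out", "any", 0),
]
BAD_POLICY = [
    Rule("deny", "out", "any", 0),
    Rule("allow", "out", PCE_ADDR, 8443),
]


if __name__ == "__main__":
    store = VenPolicyStore(GOOD_POLICY)
    print(store.apply(BAD_POLICY), store.events[-1])
```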

VEN File Settings Option

In 21.2.1, the VEN IPFilter state table supports a new option for AIX workloads to support traffic from NFS servers:

VEN File Setting: IPFILTER_TCPCLOSED=<value>

ipfilter Setting: fr_tcpclosed=<value>

For more information about this option, see VEN Activate Command Reference in the VEN Installation and Upgrade Guide.

Debian 11 Support

Starting from Release 21.2.3, Illumio supports installing and operating the VEN on the Debian 11 operating system.

Windows VEN Proxy Fallback Enhancement

In Illumio Core 21.2.1 and 21.2.2, the VEN automatically detects a web proxy but always attempts to connect directly to the PCE first. In this release, Illumio enhanced the VEN's heuristic for falling back to the configured web proxy: when a direct connection attempt to the PCE fails because an HTTPS-intercepting proxy is in the path, the VEN falls back to the configured web proxy.

IPv6 Support and Features for the VEN

In Illumio Core 20.2.0 and later releases, the VEN supports both IPv4 and IPv6 addresses, and the IP address version appears correctly in the PCE; for example, in the Workload section of the VEN summary page in the PCE web console.

You can configure how the PCE treats IPv6 traffic from workloads. For more information, see Allow or Block IPv6 Traffic in the PCE Administration Guide.

The VEN supports IPv6 in the following ways.

IPv6 is Enabled by Default on Datacenter VENs

Release 20.2.0 and later support configuring inbound and outbound IPv6 traffic separately by organization (ORG). In previous releases, you could only block all or allow all IPv6 traffic for the organization.

The default settings are as follows:

  • If the previous ORG-wide IPv6 policy is to block all IPv6 traffic, then this setting is preserved.
  • If the previous ORG-wide IPv6 policy is to allow all IPv6 traffic, then this setting is not preserved.

IPv6 Support for Linux and Windows VENs

Beginning with Release 20.1, the Linux and Windows VENs support IPv6 rules.

VEN Compatibility Report for IPv6 Support

Illumio supports IPv6 for workloads, including a warning in the Compatibility Report. The Compatibility Report is used to detect possible issues before moving a VEN out of the Idle state. See VEN Compatibility Check in the VEN Installation and Upgrade Guide. In this release, Illumio updated the options in the Compatibility Report to improve its usability.

The following command and command options are supported:

  • On Linux and SunOS, this check is reported regardless of whether IPv6 is enabled:

    • ipv6_forwarding_enabled

      • Reported when at least one iptables forwarding rule is present in the IPv6 forwarding chain. Because the VEN removes existing iptables rules once the workload leaves the Idle policy state, such rules will be lost.
  • On Windows, not all of the IPv6 transition tunnels defined by the IPv6 transition technology (RFC 4213) are supported. The following options are available:

    • teredo_tunneling_enabled

      • Teredo tunneling allows IPv6 connectivity over an IPv4 network.
      • Teredo is an IPv6 transition tunnel.
      • Teredo adapters are not reported on.
    • IPv6 enabled

      • Continues to be supported.
      • Detects potential transition technology usage on Windows.
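A pre-check an administrator can run on a Linux workload before moving it out of Idle, mirroring the ipv6_forwarding_enabled item above. This is an added example, not Illumio's compatibility-check code: it parses the rule-listing format of `ip6tables -S FORWARD` (the `-P` policy line followed by `-A FORWARD ...` rule lines), counts the rules, and warns that they will be removed when the VEN takes over the firewall. The sample listing is constructed; `collect_live_forward_chain()` only runs if ip6tables is present on the host.

```python
"""Detect IPv6 FORWARD-chain rules that the VEN will remove on leaving Idle.

Added example; not Illumio's compatibility-check implementation. Parses
`ip6tables -S FORWARD` output. Sample listing below is constructed.
"""
import shutil
import subprocess
from typing import List, Optional

# Constructed sample of `ip6tables -S FORWARD` on a host doing IPv6 forwarding.
SAMPLE_FORWARD_CHAIN = """\
-P FORWARD ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"""


def forwarding_rules(listing: str) -> List[str]:
    """Return the `-A FORWARD` rule lines; the `-P` policy line is not a rule."""
    return [line.strip() for line in listing.splitlines()
            if line.strip().startswith("-A FORWARD")]


def ipv6_forwarding_enabled(listing: str) -> bool:
    """True when the IPv6 FORWARD chain carries at least one rule."""
    return len(forwarding_rules(listing)) > 0


def compatibility_finding(listing: str) -> Optional[str]:
    """Human-readable warning in the spirit of the Compatibility Report item."""
    rules = forwarding_rules(listing)
    if not rules:
        return None
    return ("ipv6_forwarding_enabled: {} rule(s) in the IPv6 FORWARD chain; "
            "the VEN removes existing iptables rules when the workload leaves "
            "Idle, so these will be lost:\n  ".format(len(rules))
            + "\n  ".join(rules))


def collect_live_forward_chain() -> Optional[str]:
    """Read the real chain if ip6tables exists; None otherwise (offline use)."""
    if shutil.which("ip6tables") is None:
        return None
    try:
        return subprocess.run(["ip6tables", "-S", "FORWARD"], check=True,
                              capture_output=True, text=True).stdout
    except (subprocess.CalledProcessError, PermissionError):
        return None


if __name__ == "__main__":
    listing = collect_live_forward_chain() or SAMPLE_FORWARD_CHAIN
    print(compatibility_finding(listing) or "no IPv6 forwarding rules found")
```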