Deactivate and Unpair VENs
This topic discusses how to deactivate and unpair VENs by operating system.
Additionally, it explains the security implications for performing these tasks and makes recommendations on how to properly deactivate and unpair VENs.
See also VEN Unpairing Details for further information.
Deactivate Using VEN Command Line
To deactivate the VEN, use the illumio-ven-ctl command with the deactivate option. Deactivation breaks the PCE-to-workload connection but does not uninstall the VEN software (as unpair does).
After deactivation, the workload reverts to its pre-Illumio native firewall settings.
Linux/AIX/Solaris
# /opt/illumio_ven/illumio-ven-ctl deactivate
Windows
PS C:\Program Files\Illumio> .\illumio-ven-ctl.ps1 deactivate
Unpair Using VEN Command Line
The unpair command breaks the PCE-to-workload connection and uninstalls the VEN software. It also gives you control over the firewall state the workload is left in after unpairing, as described below.
Linux/AIX/Solaris
With illumio-ven-ctl unpair, specify the post-unpair state for the VEN:
# /opt/illumio_ven/illumio-ven-ctl unpair [recommended | saved | open]
On Linux, the unmanaged option is not available (it exists only on Windows).
Unpair Options on Linux/AIX/Solaris
- recommended: Uninstalls the VEN and temporarily allows only inbound SSH (TCP port 22) until the next reboot.
  IMPORTANT: Security implications: If the workload is running a production application, that application can break, because the workload no longer accepts any connections other than SSH on port 22.
- saved: Uninstalls the VEN and reverts the workload's iptables rules to the state they were in before the VEN was first installed. The unpair command displays how much time has passed since the VEN was installed.
  IMPORTANT: Security implications: Depending on how old that saved iptables configuration is, restoring it could impact the application; rules written before the VEN was installed may no longer match what the application needs or what your security policy allows.
- open: Uninstalls the VEN and leaves all ports on the workload open.
  IMPORTANT: Security implications: If iptables or Illumio is the only protection on the workload, the workload is reachable by anyone and becomes vulnerable to attack.
Windows
With illumio-ven-ctl.ps1 unpair, specify the post-unpair state for the VEN:
PS C:\Program Files\Illumio> .\illumio-ven-ctl.ps1 unpair [recommended | saved | open | unmanaged]
Unpair Options on Windows
- recommended: Uninstalls the VEN and temporarily allows only inbound RDP (TCP port 3389) and WinRM (TCP ports 5985 and 5986) until the next reboot.
  IMPORTANT: Security implications: If the workload is running a production application, that application can break, because the workload no longer accepts any connections other than RDP and WinRM.
- saved: Uninstalls the VEN and restores the Windows Firewall rules and configuration to the state they were in when the workload was paired, that is, before Illumio managed the firewall.
  IMPORTANT: Security implications: Depending on how old that saved WFP configuration is, restoring it could impact the application.
- open: Uninstalls the VEN and leaves all ports on the workload open.
  IMPORTANT: Security implications: If the Windows Firewall (WFP) or the PCE policy is the only protection on the workload, the workload is reachable by anyone and becomes vulnerable to attack.
- unmanaged: Uninstalls the VEN and applies the Windows Firewall policy that is currently configured on the workload, rather than the configuration saved at pairing time.
Unpair Using System Commands
You can use illumio-ven-ctl (Linux/AIX/Solaris) or illumio-ven-ctl.ps1 (Windows) to unpair the VEN.
As an alternative, you can remove the VEN package with the operating system's own uninstall command; however, this is not recommended, because it gives you no way to choose the post-unpair firewall state. Use it only as a fallback if unpairing with illumio-ven-ctl or illumio-ven-ctl.ps1 fails.
Linux
- RPM: rpm -e illumio-ven
- DPKG: dpkg -P illumio-ven
Windows
- Use the Control Panel to uninstall the VEN.
AIX
- installp -u illumio-ven
Solaris
- pkgrm illumio-ven