About This Release
This documentation portal describes the new features, enhancements, platform support, and new and modified REST APIs for the Illumio Core 21.2 release.
Product Versions
PCE Version: 21.2.7 (LTS)
VEN Version: 21.2.5 (LTS)
C-VEN Version: 21.2.1+H4 (LTS)
NEN Version: 2.1.0+H7
Kubelink Version: 2.0.2
FlowLink Version: 1.1.2+H2
PCE CLI Tool Version 1.4.1
Standard versus LTS Releases
21.2.4-PCE and 21.2.5-VEN are LTS releases. For information on Illumio software support for Standard and LTS releases, see Versions and Compatibility on the Illumio Support portal.
Release Types and Numbering
Illumio Core release numbering uses the following format: “a.b.c-d+e”
- “a.b”: Standard or LTS release number, for example “21.2”
- “.c”: Maintenance release number, for example “.1”
- “-d”: Optional descriptor for pre-release versions, for example “preview2”
- “+e”: Hot Fix release descriptor, for example “+H1”, “+H2”, “+H3”.
VEN Version Requirements
The following minimum VEN versions are applicable to the features and changes in this release.
General Advisory or Announcement | Minimum VEN Version |
---|---|
Debian 11 Support | 21.2.3 |
Changes to Teredo Tunnel Interfaces | 21.2.0 |
Change to Limited Ruleset Manager Role | Any supported version |
Higher Maximum Number of Database Results | Any supported version |
Enhanced Security for TLS | Any supported version |
VEN Package Format Changes | 21.2.1 |
Containerized VEN Base Image | 21.2.1 |
Object Limit: Max Security Principal Permissions | Any supported version |
EOL: PCE Virtual Appliance | Any supported version |
EOS: CentOS 6.x and RHEL 6.x | Any supported version |
EOS: Illumio Core REST API v1 | Any supported version |
EOS: Internet Explorer 11 | Any supported version |
EOS: External VEN Repo | Any supported version |
EOS: System Events for OVA | Any supported version |
EOS: Organization Events | Any supported version |
Deprecated: Runtime Environment File Parameter | Any supported version |
Deprecated: Network Function Control | Any supported version |
General Advisories
The information in this section provides general advisories about important aspects of this release. To ensure proper operation of the system after upgrade, you might need to take these advisories into account.
Supported Operating Systems
The 21.2.0 PCE and VEN are supported on operating systems detailed on the Illumio Support portal.
See PCE OS Support and Package Dependencies and VEN OS Support and Package Dependencies.
Supported Orchestration Platforms for Containerized VEN
In 21.2.0, the Containerized VEN supports the OpenShift 4.x platform. In the previous release, the OpenShift 4.x platform was in Preview.
See VEN OS Support and Package Dependencies for more information. Select the “Containerized VEN/Kubelink” option for the supported platforms.
VEN Package Format Changes
Starting with the 21.2.1 Illumio Core release, the Windows VEN installer switches from MSI to EXE package format. Customers using the PCE-based VEN deployment, such as the VEN Library, must take an extra step for the transition. Specifically, Illumio Core customers running older MSI-based Windows VENs must upgrade to 19.3.6+H1-VEN or 21.2.0+H2-VEN before upgrading their VENs to 21.2.1 or a later version. The 21.2.0+H2-VEN release contains the necessary VEN changes to handle the transition in the VEN packaging from MSI to EXE.
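The release-number format from Release Types and Numbering, applied to the MSI-to-EXE prerequisite above, as an added Python example (not Illumio code). The ordering of pre-release and hot fix builds, the handling of the -PCE/-VEN suffix, and the names parse_release and msi_to_exe_gate are assumptions; builds the page does not name are flagged rather than treated as ready.

```python
import re
from typing import NamedTuple, Optional

# a.b.c-d+e, optionally followed by the component suffix the page uses
# ("21.2.0+H2-VEN", "21.2.4-PCE"). The lookahead keeps a trailing -PCE/-VEN
# from being mistaken for the pre-release descriptor "-d".
_VERSION_RE = re.compile(
    r"^(?P<a>\d+)\.(?P<b>\d+)\.(?P<c>\d+)"
    r"(?:-(?P<d>(?!(?:PCE|VEN)$)[A-Za-z0-9]+))?"
    r"(?:\+H(?P<e>\d+))?"
    r"(?:-(?P<component>PCE|VEN))?$"
)

class Release(NamedTuple):
    major: int
    minor: int
    maintenance: int
    descriptor: Optional[str]   # e.g. "preview2"; None for a final build
    hotfix: int                 # 0 when there is no +H suffix
    component: Optional[str]    # "PCE", "VEN" or None

    def sort_key(self):
        # Assumption: a pre-release sorts below the final build of the same
        # a.b.c, and hot fixes sort above it in numeric order.
        return (self.major, self.minor, self.maintenance,
                0 if self.descriptor else 1, self.descriptor or "", self.hotfix)

def parse_release(text: str) -> Release:
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not an a.b.c-d+e release string: {text!r}")
    return Release(int(m["a"]), int(m["b"]), int(m["c"]),
                   m["d"], int(m["e"] or 0), m["component"])

# The two transition releases named in this advisory, and the first EXE release.
TRANSITION = {parse_release(v).sort_key() for v in ("19.3.6+H1-VEN", "21.2.0+H2-VEN")}
FIRST_EXE = parse_release("21.2.1-VEN").sort_key()

def msi_to_exe_gate(installed: str) -> str:
    """Classify an installed Windows VEN version before a move to 21.2.1 or later."""
    key = parse_release(installed).sort_key()
    if key >= FIRST_EXE:
        return "already-exe"
    if key in TRANSITION:
        return "ready"
    # Conservative: other builds are not named by the advisory, so flag them.
    return "needs-transition-release"
```

Run it over an exported workload inventory to list the Windows VENs that still need a transition release before the 21.2.1 upgrade is scheduled.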
Containerized VEN Base Image
Illumio detected a vulnerability in the Containerized VEN (C-VEN) image for 21.2.0. The Illumio C-VEN container image used a lightweight version of RHEL 7.8. In C-VEN 21.2.1, Illumio has resolved this issue by updating the C-VEN base OS image to RHEL 7.9. Illumio strongly encourages customers to upgrade to the new image in the C-VEN 21.2.1 release.
For more information, see the Illumio Containerized VEN Release Notes 21.2.1, Resolved Issues in 21.2.1.
Open Source Package Updates
Illumio updated several open source packages for the PCE in this release. See the “Change History” in Illumio Open Source Licensing Disclosures 21.2.0 and the “Change History” in Illumio Open Source Licensing Disclosures 21.2.1 for information.
Changes to Teredo Tunnel Interfaces
Teredo tunnel interfaces are no longer reported from Windows workloads. This change fixes an issue with the interface's IP addresses changing very frequently. The Teredo interface is used for IPv6 connectivity, and is disabled by default.
The behavior to report Teredo tunnel interfaces changed in the Core 21.2.0 release; however, Windows workloads continued to report them. This issue is resolved in Core 21.2.1; for more information see the Illumio Core Release Notes 21.2.1, Resolved Issues in 21.2.1, VEN Resolved Issues, Issue E-75043.
Change to Limited Ruleset Manager Role
Users with the Limited Ruleset Manager role can no longer create or modify extra-scope rules.
Higher Maximum Number of Database Results
This advisory is applicable to Illumio Core On Premises customers only.
The maximum number of results that can be retrieved from the PCE database has changed: it is now 200,000 for each PCE. In a Supercluster, a query run on the leader PCE can return 200,000 results for each PCE in the Supercluster, including the leader. For example, in a Supercluster with four regions, the maximum is 800,000. When logged in to a member PCE on a Supercluster, the limits are the same as for any stand-alone PCE. In every case, the maximum number of results that can be shown in the PCE web console is 100,000, as in earlier releases. If more than 100,000 results are retrieved, the full results are available as a downloaded CSV file, and the first 100,000 are available in the web console.
Enhanced Security for TLS: Changes to Configuration Settings
This advisory is applicable to Illumio Core On Premises customers only.
This release changes the PCE configuration to increase the security of TLS on the PCE. For more information about the reasons for these changes, see Enhanced Security for PCE TLS Configuration.
- This release includes a new PCE runtime parameter, insecure_tls_weak_ciphers_enabled. You use this parameter to control how the PCE accepts weak TLS ciphers, such as cipher block chaining (CBC) ciphers. By default, this runtime parameter is enabled on the PCE. However, you can choose to disable this parameter so that your PCE uses strong ciphers. See Reference: PCE Runtime Parameters in the PCE Installation and Upgrade Guide for more information.
- The default minimum TLS version is now 1.2. This is a new default setting for the existing flag min_tls_version. See TLS Versions for Communications.
New Object Limit: Maximum Permissions for Security Principal
This advisory is applicable to Illumio Core On Premises customers only.
The max_permissions_per_auth_security_principal setting is a new object limit. It controls how many permissions a given user can have. The default is 50. In previous releases, this was a runtime parameter.
Be Sure Prerequisites and Settings are Correct Before Installing
This advisory is applicable to Illumio Core On Premises customers only.
The PCE Installation and Upgrade documentation contains detailed information about required prerequisites and settings. Always follow these instructions precisely to be sure your PCE continues to function properly over time.
Important documentation changes have been made in this area for 21.2.0. See the PCE Installation and Upgrade Guide for information.
Before Upgrading to This Release
Before upgrade, review all changes from your current version to version 21.2.0.
To ensure readiness, Illumio strongly encourages you to review the prior release notes, from your currently installed version of Illumio Core to version 21.2.0. To view the release notes for versions prior to Core 19.3.x, go to the Documentation page on the Support portal (login required) and select the version from the drop-down menu.
For information about the upgrade path and tools, go to the Illumio Support portal and review the PCE Upgrade paths and the VEN Upgrade paths (login required).
Manage Data and Disk Capacity Carefully
This advisory is applicable to Illumio Core On Premises customers only.
Beginning with PCE 18.2, the amount of data collected and stored by the PCE has increased. Events, Explorer, and the internal syslog all generate more data to be stored in PCE databases and log files. If the amount of stored data is not managed carefully, disks can become overfull, or backup size can increase, making restores take longer.
To successfully manage these concerns, consider the following:
- Identify: Know your organization's policies, backup strategies, and monitoring strategies.
- Detect: Monitor ongoing disk usage.
- Respond: Know how to troubleshoot and fix issues related to data storage.
- Recover: Set up your PCE deployment to reduce disk usage.
For more information, see Manage Data and Disk Capacity in the PCE Administration Guide.
Supported Supercluster Configuration
This advisory is applicable to Illumio Core On Premises customers only.
Starting at Illumio Core 21.1.0, Supercluster support is limited to 3 PCEs with 25k VENs per PCE (4x2 configuration).
Announcements
End of Support Announcements, Deprecations, On-premises Upgrade Paths, Compatibility
End of Life
Virtual Appliance
This announcement is applicable to Illumio Core On Premises customers only.
The PCE Virtual Appliance will no longer be published, and you can no longer deploy a PCE using the Virtual Appliance.
End of Support
CentOS 6.x and RHEL 6.x
This announcement is applicable to Illumio Core On Premises customers only.
CentOS 6.x and Red Hat Enterprise Linux 6.x are not supported for PCE versions 21.2.0 and later. PCE versions 18.2 LTS and 19.3 LTS continue to support CentOS 6.x and RHEL 6.x until their published end-of-support dates, but upgrading to a newer version of the operating system is recommended. For PCE version 19.3, upgrade to CentOS 7 or RHEL 7. For PCE version 18.2, first upgrade to PCE 19.3, then upgrade to CentOS 7 or RHEL 7.
Illumio REST API v1
Version 1 of the Illumio REST API (API v1) is no longer supported, effective with the 21.1 and later releases. Illumio recommends that you upgrade to API v2.
Internet Explorer 11
Illumio Core 19.1 was the last release to support Internet Explorer 11. Internet Explorer 11 will no longer be supported in Illumio Core 19.2 and later releases. Illumio recommends Chrome, Edge, or Firefox for use with the PCE web console.
External VEN Repo
This announcement is applicable to Illumio Core On Premises customers only.
The external VEN repo is no longer supported for VEN versions 18.2 and later releases. Customers must migrate to using the new PCE-based VEN deployment or install VEN packages directly on workloads.
System Events for OVA
Events 2.0 system events are no longer supported. (For reference, see E-48119)
Organization Events
Since the 19.1.0 release, the older form of events, known as “audit or organization events,” is no longer supported or available.
Any versions of the former SIEM Integration Guide that are earlier than version 18.2.1 are valid only for their corresponding versions, not version 18.2.1 or later releases.
Customers should upgrade to the latest version of Illumio Adaptive Security and take advantage of the newly designed auditable events. See the Events Administration Guide for information.
Deprecation
Runtime Environment File Parameter
This announcement is applicable to Illumio Core On Premises customers only.
The runtime environment file parameter syslog_event_export_format is deprecated.
Network Function Control
The Network Function Control (NFC) was discontinued in the 19.3.0 release. It is now a part of the Network Enforcement Node (NEN). You can use the NEN module to interface with the F5 Server Load Balancer. For more information, see the NEN Installation and Usage Guide.