Connectivity Settings
This section describes how to modify PCE settings that affect connectivity.
Permission to edit these settings is dependent on your role. See About Roles, Scopes, and Granted Access for information.
Private Data Centers
The PCE uses connectivity settings to decide whether workloads are allowed to communicate with each other in private datacenters, private clouds, and shared network environments (private datacenter and public cloud).
By default, the Private Data Center connectivity setting is selected. It is intended for workloads hosted in private datacenters, where IP addresses are unique across the network (no duplicate IP addresses). When your network environment hosts workloads both in your own private datacenter and in a public cloud, and you want to change this setting, contact Illumio Support.
Offline Timers
You can configure Offline Timers in the PCE web console and choose appropriate settings for your workloads.
To configure Offline Timers, you must be the Global Organization Owner for your PCE or a member of the Global Administrator role. See About Roles, Scopes, and Granted Access for information.
Disabling the Offline Timers degrades your security posture: when a workload disconnects, the PCE no longer removes its IP addresses from the policy of the peer workloads that were allowed to communicate with it, so another host that later reuses those addresses inherits that access. You must then remove the disconnected workload from the PCE yourself to ensure that its IP addresses are removed from policy.
The PCE isolates a workload from the other workloads when the workload goes offline. The VEN sends a heartbeat message every 5 minutes and a goodbye message when it is gracefully shut down. The PCE marks a workload offline when either of these conditions occurs:
- The PCE hasn't received a heartbeat message from the VEN for 3600 seconds (1 hour).
- The PCE receives a goodbye message from the VEN.
You can change the default Offline Timer settings before putting your workloads in enforcement under the following conditions:
- The default setting might potentially disrupt your critical applications.
- Application availability is more important than security.
How you configure this setting is a tradeoff: a longer timer gives your applications a longer window to ride out an outage without policy churn, but it also lengthens the window during which a workload's former IP addresses remain in policy and could be reused by another host. Weigh the operational and security benefits and find a balance suitable for your applications.
Decommission and IP Cleanup Timer
Sets how long the PCE waits after a managed workload sends a goodbye message before marking it offline. By default, the High Security setting is Wait 15 minutes before IP Cleanup. This default setting has the following effect on the PCE:
- Listens for goodbye messages from the VEN.
NOTE: The default VEN goodbye timeout was increased from zero to 15 minutes. When required, you can reset it to 0.
- Waits 15 minutes and then cleans up those workloads' IP addresses from its active policy.
- Pushes an updated policy to the peer workloads that were previously allowed to communicate with the removed workloads.
Disconnect and Quarantine Timer
Sets how long the PCE waits without receiving a heartbeat before marking a managed workload offline.
By default, the High Security setting is Wait One Hour before Timeout. This default setting has the following effect on the PCE:
- Waits one hour for the disconnected workloads to heartbeat and then quarantines those that have not responded by the end of the hour.
- Removes the quarantined workloads' IP addresses from its active policy.
- Pushes an updated policy to the peer workloads that were previously allowed to communicate with the quarantined workloads.
Edit Offline Timers Settings
Edit the Offline Timers setting to change the values from the default settings.
- From the PCE web console menu, choose Settings > Offline Timers.
The Settings page for Offline Timers appears, which displays the current settings for the timers.
- Click Edit to change the settings from the default values.
- Disconnect and Quarantine Timer: Select a setting from the drop-down list to change the value from the High Security (Default) setting:
  - Never Timeout or Quarantine - Highest Availability
  This setting has the following effect on the PCE:
    - Never disconnects or quarantines workloads that fail to heartbeat.
    - Keeps all IP addresses in policy and never automatically removes unused IP addresses.
    - Requires you to remove those unused IP addresses manually.
  - Custom Timeout - Wait a Specified Time before Quarantine
  Enter a time period; the minimum wait time is 300 seconds.
  The PCE performs the following actions:
    - Waits for the specified time period for the disconnected workloads to heartbeat.
    - Quarantines those workloads that do not respond at the end of that time period.
    - Removes the quarantined workloads' IP addresses from its active policy.
    - Pushes an updated policy to the peer workloads that were previously allowed to communicate with the quarantined workloads.
- Decommission and IP Cleanup Timer: Select a setting from the drop-down list to change the value from the High Security (Default) setting:
  - Never clean up - Highest Availability
  This setting has the following effect on the PCE:
    - Ignores goodbye messages from workloads.
    - Keeps all IP addresses in policy and never automatically removes unused IP addresses.
    - Requires you to remove those unused IP addresses manually.
  - Custom Timeout - Wait a Specified Time before IP Cleanup
  Enter a time period; the minimum wait time is 0 seconds.
  The PCE performs the following actions:
    - Listens for goodbye messages from the VEN.
    - Waits for the specified time period, then cleans up those workloads' IP addresses from its active policy.
    - Pushes an updated policy to the peer workloads that were previously allowed to communicate with the removed workloads.
- Click Save.
A message appears displaying your current and new settings.
- Click OK to save the new settings.
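To make the tradeoff concrete, here is an added example (not Illumio's code, and not a description of how the PCE is implemented) that models the timer semantics described above: it replays a VEN's heartbeat and goodbye messages against a choice of timer settings and reports when the PCE would mark the workload offline and how long its IP addresses stay in peers' policy after the VEN's last message. Class and function names are assumptions; the defaults (one hour, 15 minutes) and the 300-second minimum are the values from this section.

```python
"""Model of the PCE Offline Timer semantics (added example, not Illumio's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEARTBEAT_INTERVAL = 300           # the VEN heartbeats every 5 minutes
MIN_DISCONNECT_TIMEOUT = 300       # smallest custom Disconnect and Quarantine value
DEFAULT_DISCONNECT_TIMEOUT = 3600  # High Security default: wait one hour without a heartbeat
DEFAULT_CLEANUP_DELAY = 900        # High Security default: wait 15 minutes after a goodbye

Event = Tuple[int, str]  # (seconds since pairing, "heartbeat" or "goodbye")


@dataclass(frozen=True)
class OfflineTimers:
    """None selects the 'Highest Availability' choice: never quarantine / never clean up."""
    disconnect_timeout: Optional[int] = DEFAULT_DISCONNECT_TIMEOUT
    cleanup_delay: Optional[int] = DEFAULT_CLEANUP_DELAY

    def __post_init__(self) -> None:
        if self.disconnect_timeout is not None and self.disconnect_timeout < MIN_DISCONNECT_TIMEOUT:
            raise ValueError(f"Disconnect timer must be at least {MIN_DISCONNECT_TIMEOUT} seconds")
        if self.cleanup_delay is not None and self.cleanup_delay < 0:
            raise ValueError("Decommission timer must be at least 0 seconds")


@dataclass(frozen=True)
class Outcome:
    offline_at: Optional[int]    # second the PCE marks the workload offline; None = not within horizon
    reason: Optional[str]        # "quarantine" (missed heartbeats) or "decommission" (goodbye)
    ip_in_peer_policy: bool      # whether peers still allow the workload's IP at the horizon
    stale_window: Optional[int]  # seconds from the VEN's last message until cleanup; None = unbounded


def _quarantine_time(heartbeats: List[int], timeout: Optional[int]) -> Optional[int]:
    """First instant at which the gap since the last heartbeat (pairing counts as t=0) exceeds timeout."""
    if timeout is None:
        return None
    prev = 0
    for t in heartbeats:
        if t - prev > timeout:
            break
        prev = t
    return prev + timeout


def simulate(events: List[Event], timers: OfflineTimers, horizon: int) -> Outcome:
    """Replay events and report the PCE's decision up to `horizon` seconds after pairing.

    Assumes a goodbye is the VEN's last message (a graceful shutdown sends no further heartbeats).
    """
    heartbeats = sorted(t for t, kind in events if kind == "heartbeat")
    goodbyes = sorted(t for t, kind in events if kind == "goodbye")

    candidates: List[Tuple[int, str]] = []
    q = _quarantine_time(heartbeats, timers.disconnect_timeout)
    if q is not None:
        candidates.append((q, "quarantine"))
    if goodbyes and timers.cleanup_delay is not None:
        candidates.append((goodbyes[0] + timers.cleanup_delay, "decommission"))

    candidates = [c for c in candidates if c[0] <= horizon]
    if not candidates:
        return Outcome(None, None, True, None)

    offline_at, reason = min(candidates)  # whichever timer fires first wins
    # Last message the PCE saw before it acted; the IP is stale from then until offline_at.
    last_contact = max([0] + [t for t in heartbeats + goodbyes if t <= offline_at])
    return Outcome(offline_at, reason, False, offline_at - last_contact)


PRESETS: Dict[str, OfflineTimers] = {
    "high_security_default": OfflineTimers(),
    "highest_availability": OfflineTimers(disconnect_timeout=None, cleanup_delay=None),
    "immediate_cleanup": OfflineTimers(cleanup_delay=0),
}


def compare(events: List[Event], horizon: int) -> Dict[str, Optional[int]]:
    """Stale-IP window for one scenario under each preset (None = the IP is never removed)."""
    return {name: simulate(events, t, horizon).stale_window for name, t in PRESETS.items()}


if __name__ == "__main__":
    # Constructed scenarios: a graceful shutdown at t=1000, a crash after two heartbeats,
    # and a healthy host that heartbeats on schedule for a full day.
    graceful = [(300, "heartbeat"), (600, "heartbeat"), (1000, "goodbye")]
    crash = [(300, "heartbeat"), (600, "heartbeat")]
    healthy = [(t, "heartbeat") for t in range(HEARTBEAT_INTERVAL, 86401, HEARTBEAT_INTERVAL)]
    for name, scenario in (("graceful", graceful), ("crash", crash), ("healthy", healthy)):
        print(name, simulate(scenario, OfflineTimers(), 86400), compare(scenario, 86400))
```

The crash scenario is the one the "Highest Availability" presets never resolve: with no goodbye and no quarantine timer, the dead host's addresses stay in every peer's policy until someone removes the workload by hand, which is exactly the situation the warning at the top of this section describes.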
Set the IP Version for Workloads
This section describes how to enforce a preference for IPv4 over IPv6 addresses.
Change Linux Workloads to Prefer IPv4
To ensure that your paired Linux VEN workloads prefer IPv4 over IPv6 addresses in your PCE organization, edit the /etc/gai.conf file on the VEN and add the following line:
precedence ::ffff:0:0/96 100
This change causes getaddrinfo library calls to return IPv4 addresses before IPv6 addresses.
This method works when your workloads have IPv4 addresses assigned. It does not help when your workloads have only IPv6 addresses (no IPv4 addresses on the hosts) or when the installed software is hard-coded to look up IPv6 addresses.
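An added example (not Illumio's code) that makes the gai.conf edit above idempotent and checkable: it rewrites an existing precedence entry for ::ffff:0:0/96 instead of appending a duplicate, uncomments a commented-out entry where the distribution ships one, and leaves every other line alone. Function names and the .bak backup convention are assumptions for this illustration.

```python
"""Idempotently apply the /etc/gai.conf change above (added example, not Illumio's code)."""
import re
from pathlib import Path
from typing import List, Optional, Tuple

PREFIX = "::ffff:0:0/96"   # IPv4-mapped IPv6 prefix; raising its precedence favours IPv4
WANTED_PRECEDENCE = 100
WANTED_LINE = f"precedence {PREFIX} {WANTED_PRECEDENCE}"
# Matches an active line or a commented-out one (some distributions ship the latter),
# capturing the comment marker, the prefix and the value.
_LINE_RE = re.compile(r"^\s*(#\s*)?precedence\s+(\S+)\s+(\d+)\s*$")


def _parse(line: str) -> Optional[Tuple[bool, str, int]]:
    """(is_active, prefix, value) for a precedence line, commented or not; None otherwise."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    return (m.group(1) is None, m.group(2), int(m.group(3)))


def current_precedence(text: str) -> Optional[int]:
    """Value from the last active (uncommented) precedence line for PREFIX, or None."""
    value = None
    for line in text.splitlines():
        p = _parse(line)
        if p and p[0] and p[1] == PREFIX:
            value = p[2]
    return value


def ensure_prefer_ipv4(text: str) -> str:
    """Return gai.conf text with exactly one active line setting PREFIX to WANTED_PRECEDENCE.

    An active line for PREFIX is rewritten in place (extra duplicates are dropped); failing
    that, the first commented-out line for PREFIX is uncommented; failing that, the line is
    appended. All other lines are left untouched.
    """
    lines: List[str] = text.splitlines()
    active, commented = [], []
    for i, line in enumerate(lines):
        p = _parse(line)
        if p and p[1] == PREFIX:
            (active if p[0] else commented).append(i)
    if active:
        lines[active[0]] = WANTED_LINE
        for i in reversed(active[1:]):
            del lines[i]
    elif commented:
        lines[commented[0]] = WANTED_LINE
    else:
        lines.append(WANTED_LINE)
    return "\n".join(lines) + "\n"


def apply_to_file(path: Path = Path("/etc/gai.conf")) -> bool:
    """Rewrite the file if needed (keeping a .bak copy of the original); True when it changed."""
    old = path.read_text() if path.exists() else ""
    new = ensure_prefer_ipv4(old)
    if new == old:
        return False
    if path.exists():
        path.with_suffix(path.suffix + ".bak").write_text(old)
    path.write_text(new)
    return True


if __name__ == "__main__":
    print("changed" if apply_to_file() else "already set", "->", current_precedence(Path("/etc/gai.conf").read_text()))
```

Run it as root on the VEN host. Because gai.conf(5) states that the presence of any precedence line disables the built-in precedence table, review any other precedence entries already in the file rather than assuming this one line is the only thing in effect.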
Change Windows Workloads to Prefer IPv4
When you choose to allow only IPv4 traffic for your PCE organization, the VENs on your workloads drop IPv6 traffic when they are in Enforced mode. This can lead to delays and communication failures in applications, because applications wait for their IPv6 connection attempts to time out before attempting to connect over IPv4.
The problem occurs because, by default, the Windows OS prefers IPv6 over IPv4 and attempts to connect over IPv6 before IPv4. As a workaround, you can change the order of connection attempts so that IPv4 is preferred over IPv6. With this change, applications connect over IPv4 first and succeed or fail as governed by the workload's firewall policies.
For information about changing the connection order to prefer IPv4 over IPv6, see the Microsoft KB article Guidance for configuring IPv6 in Windows for advanced users.
As explained in the KB article, run the following command and then reboot the Windows workload. The value 0x20 sets "prefer IPv4 over IPv6" in the prefix policy table without disabling IPv6, and it takes effect only after the reboot:
reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 0x20
To avoid rebooting the Windows workload, run the following commands instead, which raise the precedence of the IPv4-mapped prefix in the active prefix policy table:
netsh interface ipv6 delete prefixpolicy ::ffff:0:0/96
netsh interface ipv6 add prefixpolicy ::ffff:0:0/96 60 4
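An added example (not Illumio's or Microsoft's code) for verifying the result of either method above: the registry value records what the reg add command configured, which takes effect only after the reboot, while the prefix policy table shows what the stack is using right now. Both checks are written as pure functions over text so they can be exercised off the workload; the sample table is constructed in the layout of netsh interface ipv6 show prefixpolicies, and the function names are assumptions.

```python
"""Check whether a Windows workload prefers IPv4 (added example, not Illumio's code)."""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

IPV4_MAPPED = "::ffff:0:0/96"
IPV6_ANY = "::/0"
PREFER_IPV4_FLAG = 0x20  # DisabledComponents bit Microsoft documents as "prefer IPv4 over IPv6"

_ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")  # precedence  label  prefix


def parse_prefix_policies(netsh_output: str) -> Dict[str, Tuple[int, int]]:
    """Map prefix -> (precedence, label) from the netsh table; header and blank lines are skipped."""
    table: Dict[str, Tuple[int, int]] = {}
    for line in netsh_output.splitlines():
        m = _ROW_RE.match(line)
        if m:
            table[m.group(3)] = (int(m.group(1)), int(m.group(2)))
    return table


def prefix_policy_prefers_ipv4(table: Dict[str, Tuple[int, int]]) -> Optional[bool]:
    """True when the IPv4-mapped prefix outranks the IPv6 catch-all (RFC 6724 destination
    rule 6, "prefer higher precedence"); None when either entry is missing and nothing can
    be concluded from the table."""
    v4, v6 = table.get(IPV4_MAPPED), table.get(IPV6_ANY)
    if v4 is None or v6 is None:
        return None
    return v4[0] > v6[0]


def registry_prefers_ipv4(disabled_components: Optional[int]) -> bool:
    """True when the 0x20 bit is set, as by the reg add command above (None = value absent)."""
    return disabled_components is not None and bool(disabled_components & PREFER_IPV4_FLAG)


def _render(rows: List[Tuple[int, int, str]]) -> str:
    """Constructed netsh-style output for the given (precedence, label, prefix) rows."""
    header = ("Querying active state...\n\nPrecedence  Label  Prefix\n"
              "----------  -----  --------------------------------\n")
    return header + "".join(f"{p:>10}  {l:>5}  {prefix}\n" for p, l, prefix in rows)


# Constructed sample: the default Windows prefix policy table (IPv6 ::/0 at 40 beats IPv4 at 35).
DEFAULT_ROWS = [(50, 0, "::1/128"), (40, 1, "::/0"), (35, 4, "::ffff:0:0/96"), (30, 2, "2002::/16"),
                (5, 5, "2001::/32"), (3, 13, "fc00::/7"), (1, 11, "fec0::/10"), (1, 12, "3ffe::/16"),
                (1, 3, "::/96")]
SAMPLE_DEFAULT = _render(DEFAULT_ROWS)
# Constructed sample: the same table after the two netsh commands above (precedence 60, label 4).
SAMPLE_AFTER_NETSH = _render([(60 if pfx == IPV4_MAPPED else p, l, pfx) for p, l, pfx in DEFAULT_ROWS])


def live_check() -> Dict[str, Optional[bool]]:
    """Run on the Windows workload itself: read the live prefix table and the registry value."""
    out = subprocess.run(["netsh", "interface", "ipv6", "show", "prefixpolicies"],
                         capture_output=True, text=True, check=True).stdout
    try:
        import winreg  # Windows-only module
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                             r"SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters")
        value, _ = winreg.QueryValueEx(key, "DisabledComponents")
    except (ImportError, OSError):
        value = None  # value not present (or not on Windows)
    return {"active": prefix_policy_prefers_ipv4(parse_prefix_policies(out)),
            "configured": registry_prefers_ipv4(value)}


if __name__ == "__main__":
    print("default table prefers IPv4:", prefix_policy_prefers_ipv4(parse_prefix_policies(SAMPLE_DEFAULT)))
    print("after netsh prefers IPv4:", prefix_policy_prefers_ipv4(parse_prefix_policies(SAMPLE_AFTER_NETSH)))
```

A host where "configured" is true but "active" is false has had the registry value written and not yet been rebooted; a host where "active" is true and "configured" is false was fixed with the netsh commands only, so confirm that change survives a reboot before relying on it.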
Allow or Block IPv6 Traffic
When your network environment allows IPv6 traffic, you can configure the PCE to allow or block IPv6 traffic.
By default, all IPv6 traffic is allowed.
When you want Windows workloads to use IPv4 instead of IPv6, see Set the IP Version for Workloads.
To allow or block IPv6 traffic:
- From the PCE web console menu, choose Settings > Security.
- Click Edit > Change IPv6. By default, the All Allowed option is selected.
- To block all IPv6 traffic, select All Blocked.
IPv6 traffic is blocked only for workloads in the Enforced policy state. IPv6 traffic remains allowed for workloads in the Build policy states.
- Click Save.
- To implement these changes, click the Provision icon at the top right of the PCE web console, and select Pending Changes. The Provision page appears.
- Select the checkbox corresponding to the change, or the Change checkbox to select all changes, and click Provision > Confirm & Provision.
Enable IP Forwarding
(For Linux VENs only)
In PCE versions earlier than 21.5.10, IP forwarding is automatically enabled for hosts in a container cluster that is reported by Kubelink to the PCE or hosts explicitly set to use the Containers Inherit Host Policy feature.
Starting in PCE version 21.5.10, you can enable IP forwarding on hosts without using any container segmentation features. To enable this feature, contact Illumio Support.
- In the PCE web console, choose Security > IP Forwarding. The IP Forwarding tab appears only if the feature is enabled.
- In this tab, use labels and label groups to enable IP forwarding for the workloads that match the label combination. Use combinations of Role, Application, Environment, and Location labels and label groups in the same way that you would to specify workloads for any other purpose; for example, in a Rule or in any of the tabs under the Security Settings page.
Workloads with IP forwarding enabled configure the host firewall to allow all forwarded traffic, including traffic forwarded through the host, without visibility into those flows: the VEN neither enforces policy on nor reports forwarded traffic. Because this removes both enforcement and visibility for forwarded flows, scope the label combination as narrowly as possible, to only the hosts that must forward traffic.