Ways to Enforce Policy

Illumio provides several ways to enforce policy on your managed workloads. For information about creating a managed workload, see Workload Setup Using PCE Web Console. For information about creating security policy by defining rulesets and rules, see Rulesets and Rules.

Enforcement States for Rules

The Illumio policy model follows an allowlist model whereby all communication between workloads is denied unless explicitly allowed by Illumio security policy. Users create rules to allow traffic between their workloads. For information about the allowlist model, see Understanding Rulesets and Rules.

Denying everything that is not explicitly allowed is the end state, but you rarely reach it in one step. As you work toward applying the allowlist model across your environment, you can take a more targeted approach: in addition to creating rules for your workloads, you control the enforcement state of each workload.

A workload's enforcement state operates alongside the rules that govern it. By choosing an enforcement mode, you can separate policy enforcement and visibility states per workload. Applying selective enforcement to a workload is based on one or more labels or label groups.

Using selective enforcement mode, you can protect a subset of your services and ports on your managed workloads. The other ports on the workload remain in visibility-only state and function as if the entire workload is in visibility-only mode. In addition to gradually expanding your policy enforcement envelope, selective enforcement is useful for temporarily enforcing policy on specific ports in case a vulnerability is detected and you need to take action quickly.

Another way to think of selective enforcement of security policy is as an intermediate enforcement state on the workload:

In this intermediate enforcement mode, label-based rules designate the workloads and the services/ports to be enforced, while all other services and ports remain in visibility-only mode. Policy enforcement is applied only on the provider side (ingress traffic) of the rules.

For more information about visibility modes, see Workload Enforcement States and Visibility Level in this guide and Set Group Enforcement in the Visualization Guide.

Limitations for Applying Selective Enforcement State

  • Selective enforcement state is directional. If you want to manage traffic between both ends of a connection, create both provider-centric and consumer-centric policy to apply to inbound and outbound connections.
  • Selective enforcement state only applies to managed workloads; it is not supported for NEN-controlled or other unmanaged workloads.
  • Virtual Services are enforced at the workload level. As a result, selective enforcement state does not affect a virtual service directly; it affects the workloads that make up the virtual service.

Workload Enforcement States

A workload's enforcement state (also called its policy mode) determines how rules affect the workload's network communication. Illumio Core includes four enforcement states for workloads. If a workload is unmanaged, the Enforcement column is not displayed on the workload list page.

Idle

The Idle state is used for installing and activating VENs on workloads without changing the workloads' firewalls. In the Idle state, the VEN does not take control of the workload's host firewall (iptables on Linux, Windows Firewall on Windows). Instead, it uses workload network analysis to report details about the workload to the PCE, such as its IP addresses, operating system, and traffic flows. This snapshot is taken every 10 minutes.

A pairing profile can be used to pair workloads in the idle state.

NOTE:

SecureConnect (IPsec encryption between workloads) is not supported on workloads in the Idle state. If you activate SecureConnect for a rule that applies to workloads in both Idle and non-Idle enforcement states, traffic between those workloads can be affected.

Visibility Only

In the Visibility Only state, the VEN inspects all open ports on a workload and reports the flow of traffic between it and other workloads to the PCE. In this state, the PCE displays the flow of traffic to and from the workload, providing insight into the datacenter and the applications running in it. No traffic is blocked in this state. This state is useful when firewall policies are not yet known. This state can be used for discovering the application traffic flows in the organization and then generating a security policy that governs required communication.

Selective Enforcement

Rules are enforced directionally for selected services when a workload is within the scope of an Enforcement Boundary.

Full Enforcement

Rules are enforced for all inbound and outbound services. Traffic that is not allowed by a rule is blocked.

Visibility Level

You can choose from three levels of visibility for workloads. The visibility level specifies how much traffic data the VEN collects from an enforced workload and reports to the PCE:

  • Off: The VEN does not collect any information about traffic connections. This option provides no Illumination detail and demands the least amount of system resources from a workload.

    This property is only available for workloads that are in the Full Enforcement state.

  • Blocked: The VEN collects details only for blocked connections (source IP, destination IP, protocol, source port, and destination port), including all packets that were dropped. This option provides less Illumination detail but demands fewer system resources from a workload than Blocked + Allowed.
  • Blocked + Allowed: The VEN collects the same connection details (source IP, destination IP, protocol, source port, and destination port) for both allowed and blocked connections. This option provides rich Illumination detail but requires more system resources from a workload.
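The four enforcement states and three visibility levels above combine to decide, for any one connection, whether the VEN drops it and whether it reports it to the PCE. The following is an added illustrative model written for this page; it is not Illumio code and not the PCE or VEN API. The class names, the (protocol, port) service shape, the sample flows, and the modeling rule that the visibility level applies only to enforced traffic are assumptions chosen to mirror the prose of the Workload Enforcement States and Visibility Level sections.

```python
"""Illustrative model of how a workload's enforcement state, its visibility
level and the allowlist rules combine to decide a flow.

Added example for this page; it is not Illumio code and not the PCE or VEN
API. All class names, the (protocol, port) service shape and the sample
flows are assumptions chosen to mirror the prose of the sections above.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Tuple


class Enforcement(Enum):
    IDLE = "idle"                        # VEN does not touch the host firewall
    VISIBILITY_ONLY = "visibility_only"  # report everything, block nothing
    SELECTIVE = "selective"              # enforce only selected services (ingress)
    FULL = "full"                        # enforce all inbound and outbound services


class Visibility(Enum):
    OFF = "off"                          # collect nothing; Full Enforcement only
    BLOCKED = "blocked"                  # collect dropped connections only
    BLOCKED_ALLOWED = "blocked_allowed"  # collect dropped and allowed connections


Service = Tuple[str, int]  # (protocol, destination port), e.g. ("tcp", 443)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    ingress: bool  # True when this workload is the provider (destination)


@dataclass(frozen=True)
class Workload:
    enforcement: Enforcement
    visibility: Visibility
    allowed: FrozenSet[Service]                          # services permitted by rules
    enforced_services: FrozenSet[Service] = frozenset()  # selective-enforcement scope

    def __post_init__(self) -> None:
        # The page states that Off is available only in Full Enforcement.
        if self.visibility is Visibility.OFF and self.enforcement is not Enforcement.FULL:
            raise ValueError("visibility level Off requires Full Enforcement")


def is_enforced(w: Workload, f: Flow) -> bool:
    """True if the firewall decides this flow rather than merely observing it."""
    if w.enforcement in (Enforcement.IDLE, Enforcement.VISIBILITY_ONLY):
        return False
    if w.enforcement is Enforcement.FULL:
        return True
    # Selective: only provider-side (ingress) traffic to the selected services;
    # every other port behaves as if the workload were in Visibility Only.
    return f.ingress and (f.proto, f.dst_port) in w.enforced_services


def evaluate(w: Workload, f: Flow) -> Tuple[str, bool]:
    """Return (verdict, reported): 'allow' or 'drop', and whether the VEN
    sends the connection details to the PCE."""
    if not is_enforced(w, f):
        # Unenforced flows are never blocked and are always reported so the
        # PCE can draw them (modeling assumption: the visibility level applies
        # only to enforced traffic).
        return "allow", True
    verdict = "allow" if (f.proto, f.dst_port) in w.allowed else "drop"
    if w.visibility is Visibility.OFF:
        reported = False
    elif w.visibility is Visibility.BLOCKED:
        reported = verdict == "drop"
    else:
        reported = True
    return verdict, reported


# Constructed sample traffic for a web workload at 10.0.2.10 (not captured data).
HTTPS_IN = Flow("10.0.1.5", "10.0.2.10", "tcp", 51000, 443, ingress=True)
SSH_IN = Flow("10.0.1.5", "10.0.2.10", "tcp", 51001, 22, ingress=True)
DB_OUT = Flow("10.0.2.10", "10.0.3.20", "tcp", 52000, 3306, ingress=False)
SAMPLE_FLOWS = (HTTPS_IN, SSH_IN, DB_OUT)

ALLOW_HTTPS = frozenset({("tcp", 443)})        # the only rule: inbound HTTPS
SELECTED = frozenset({("tcp", 22), ("tcp", 443)})  # services under selective enforcement


def make_workload(state: Enforcement, level: Visibility = Visibility.BLOCKED) -> Workload:
    return Workload(state, level, ALLOW_HTTPS, SELECTED)


if __name__ == "__main__":
    for state in Enforcement:
        w = make_workload(state)
        for f in SAMPLE_FLOWS:
            verdict, reported = evaluate(w, f)
            direction = "in " if f.ingress else "out"
            print(f"{state.value:16} {f.proto}/{f.dst_port:<5} {direction}  "
                  f"{verdict:5} reported={reported}")
```

Running the file prints one row per state and flow. The points to notice are that Selective Enforcement drops the unallowed inbound SSH connection while leaving the outbound database connection untouched (it is egress, so it behaves as visibility-only), that Full Enforcement drops that same outbound connection because no rule allows it, and that a visibility level of Off is rejected anywhere but Full Enforcement.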