About VEN Administration on Workloads

This topic explains the VEN states and characteristics you need to understand when administering the VEN on workloads.

VEN Software Management from PCE

The ability to manage VEN software and install the VEN by using the PCE has been enhanced in this release in the following ways:

  • You can upgrade all VENs or just a subset of VENs from the PCE.
  • You can upgrade VENs by using filters, such as labels, OS, VEN health, IP address, and current VEN version.
  • When upgrading, the PCE informs you of the version the VENs will be upgraded to.
  • You can monitor and troubleshoot VEN upgrade issues.
  • You can report on VEN versions and their compatibility.

VEN Proxy Support on Linux, AIX, and Solaris

VEN proxy support includes Linux, AIX, Solaris, and Windows devices.

For information, see VEN Proxy Support in the VEN Installation and Upgrade Guide.

Support on IBM Z With RHEL 7 and RHEL 8

IBM Z® is a family of modern z/Architecture hardware that runs z/OS, Linux, z/TPF, z/VM and IBM Z systems software.

Illumio supports installing and operating the VEN on IBM Z systems running Red Hat Enterprise Linux 7 (RHEL 7) and RHEL 8. Additionally, Illumio supports the VEN running on IBM Z systems using both KVM and z/VM as hypervisors.

Support on SLES 11 SP2

The VEN can be installed on systems running SLES 11 SP2 when the following packages are installed:

From the SLES 11 SP2 Latest Updates:

  • libipset2-6.12-0.7.7.1
  • ipset-6.12-0.7.7.1
  • libmnl0-1.0.3-0.5.4
  • kernel-default-3.0.101-0.7.17.1
  • kernel-default-base-3.0.101-0.7.17.1

From the SLES 11 SP4 DVD:

  • libxtables9-1.4.16.3-1.37
  • libiptc0-1.4.16.3-1.37
  • iptables-1.4.16.3-1.37
  • libnfnetlink0-1.0.0+git1-9.5.56

Debian 11 Support

Starting from Release 21.2.3, Illumio supports installing and operating the VEN on the Debian 11 operating system.

Workload Policy States

After activation, the VEN can be in one of the following policy states. The VEN policy state determines how the rules received from the PCE affect the network communication of a workload.

Change the policy state of the VEN by modifying settings in the PCE or by making calls to the REST API.

VEN Enforcement Characteristics

Policy enforcement is managed through both enforcement states and visibility states to specify how much data the VEN collects from a workload.

The following table summarizes the key enforcement characteristics of the VEN:

Workload Enforcement State | VEN Mode    | VEN Visibility Level     | Log Traffic
Idle                       | Idle        | Limited                  | Limited
Visibility Only            | Illuminated | Off                      | VEN does not log traffic connection information
Visibility Only            | Illuminated | Blocked                  | VEN logs connection information for blocked and potentially blocked traffic only
Visibility Only            | Illuminated | Blocked+Allowed          | VEN logs connection information for allowed, blocked, and potentially blocked traffic
Visibility Only            | Illuminated | Enhanced Data Collection | VEN logs byte counts in addition to connection details for allowed, blocked, and potentially blocked traffic
Selective                  | Selective   | Off                      | VEN does not log traffic connection information
Selective                  | Selective   | Blocked                  | VEN logs connection information for blocked and potentially blocked traffic only
Selective                  | Selective   | Blocked+Allowed          | VEN logs connection information for allowed, blocked, and potentially blocked traffic
Selective                  | Selective   | Enhanced Data Collection | VEN logs byte counts in addition to connection details for allowed, blocked, and potentially blocked traffic
Full                       | Enforced    | Off                      | VEN does not log traffic connection information
Full                       | Enforced    | Blocked                  | VEN logs connection information for blocked and potentially blocked traffic only
Full                       | Enforced    | Blocked+Allowed          | VEN logs connection information for allowed, blocked, and potentially blocked traffic
Full                       | Enforced    | Enhanced Data Collection | VEN logs byte counts in addition to connection details for allowed, blocked, and potentially blocked traffic

For more information, see Ways to Enforce Policy in the Security Policy Guide.

VEN Policy Sync

To help you administer and troubleshoot the VEN, it reports many Policy Sync states. Here are the Policy Sync states and their definitions:

  • Active (Syncing): Policy is currently being applied to the workload.
  • Active: The most recent policy provisioning was successful, no unwanted changes to the workload's firewall have been reported, none of the configured SecureConnect connections are in an erroneous state, and all VEN processes are running correctly.
    • For more information on SecureConnect, see the Security Policy Guide.

  • Staged: The PCE has successfully sent policy to the VEN, and it is staged and scheduled to be applied at a later time. This state only appears when you have configured the Policy Update Mode for the workload to use Static Policy. See Static Policy and Staged Policy, and Types of Illumio Policy in the Security Policy Guide, for information.
  • Error: One of the following errors has been reported by the VEN: 
    • The most recent policy provisioning has failed.
    • Unwanted changes to the workload's firewall have been reported.
    • At least one VEN process is not running correctly.
    • There is a SecureConnect or Machine Authentication policy, but leaf certificates are not set up properly.
  • Warning: At least one SecureConnect connection is in an erroneous state, and either the most recent policy provisioning was successful or no unwanted changes to the workload's firewall have been reported.
  • Suspended: Used by admins to debug. Rules programmed into the platform firewall (including custom iptables rules) are removed completely. No Illumio-related processes are running on the workload.
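To make the precedence between these states concrete, here is an added example (not Illumio's code) that derives the Policy Sync state from the conditions a VEN reports. The field names and the ordering of the checks (Suspended first, then Syncing, then any Error condition, then Warning, Staged, Active) are assumptions drawn from the definitions above.

```python
from dataclasses import dataclass

# Constructed model of what a VEN reports to the PCE (assumed field names,
# not Illumio's schema); the precedence between states is also an assumption.
@dataclass
class VenReport:
    suspended: bool = False                  # admin put the VEN in suspend mode
    policy_applying: bool = False            # policy is being applied right now
    staged_static_policy: bool = False       # Static Policy mode, policy staged
    last_provisioning_ok: bool = True
    firewall_tampered: bool = False          # unwanted firewall changes reported
    processes_ok: bool = True
    secureconnect_error: bool = False        # a SecureConnect connection is erroneous
    has_secureconnect_or_ma_policy: bool = False
    leaf_certs_ok: bool = True               # only matters when such a policy exists


def policy_sync_state(r: VenReport) -> str:
    """Map reported conditions to the Policy Sync state, most severe first."""
    if r.suspended:
        return "Suspended"
    if r.policy_applying:
        return "Active (Syncing)"
    error = (
        not r.last_provisioning_ok
        or r.firewall_tampered
        or not r.processes_ok
        or (r.has_secureconnect_or_ma_policy and not r.leaf_certs_ok)
    )
    if error:
        return "Error"
    if r.secureconnect_error:
        return "Warning"           # SecureConnect issue without any Error condition
    if r.staged_static_policy:
        return "Staged"
    return "Active"


def workloads_needing_attention(reports: dict) -> dict:
    """Return {workload_name: state} for workloads in Error or Warning."""
    return {name: policy_sync_state(r) for name, r in reports.items()
            if policy_sync_state(r) in ("Error", "Warning")}
```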

VEN Health Status on Workloads

The VEN health status on the workload's details page displays information related to the current state of VEN connectivity, the most recently provisioned policy changes to that workload, and any errors reported by the VEN.

These errors include any unwanted changes to the workload's firewall settings, any SecureConnect functionality issues, or any VEN process health errors.

To view a workload's VEN health status, view the VEN section on the Summary tab for the workload's details page.

VEN Process Health

The health status of the VEN can be monitored from the PCE web console. If for any reason one or more Illumio processes on the workload are not running, the VEN reports the error to the PCE. The PCE marks the workload as in an error state and adds a notification on the Workloads page. It also logs an audit event that includes the Illumio processes which were not running on the workload.

Workload Clone Alerts

Workloads can be filtered according to whether a cloned node has been detected. On Windows and Linux, when the PCE detects a cloned node, it notifies the VEN through a heartbeat. The VEN verifies that a clone exists, prevents it from being activated, and deletes it.

In the Illumio REST API, detection is done by using the clone_detected state. In the PCE web console UI, search the workloads list by filtering on "clone detected". If there are workloads in the clone_detected state, a red banner (similar to the one for workloads in suspension) is displayed at the top of the workload list page.

Stopped VEN Status

The stopped status has the following effect on the PCE web console UI:

  • On the Workload list page, the "Connectivity" column is replaced with "Status."
  • On the Workload details pages, "VEN Connectivity" is changed to "VEN status."
  • You can filter the Workload list page by the new VEN stopped status.

Aggressive Tampering Protection for nftables

Firewall changes that are not explicitly configured by the VEN are logged as tampering attempts. This feature extends Release 19.3 nftables support with the inclusion of aggressive tampering protection.

VEN File Settings Option

In 21.2.1, the VEN IPFilter state table supports a new option for AIX workloads to support traffic from NFS servers:

VEN File Setting: IPFILTER_TCPCLOSED=<value>

ipfilter Setting: fr_tcpclosed=<value>

For more information about this option, see VEN Activate Command Reference in the VEN Installation and Upgrade Guide.

Windows VEN Proxy Fallback Enhancement

Starting from Illumio Core 21.2.1 and 21.2.2, the VEN automatically detects a web proxy. However, it always attempts to connect directly to the PCE first. In this release, Illumio enhanced the heuristic in the VEN for falling back to the configured web proxy. After an attempt to connect directly to the PCE fails because of an HTTPS-intercepting proxy, the VEN falls back to using the configured web proxy.

Label-based Security Setting for IP Forwarding

Illumio has enabled IP forwarding to hosts running Linux. A container networking solution routes the traffic to the VMs. To configure IP forwarding, use the new IP Forwarding tab in the PCE web console. In this tab, you can use labels and label groups to enable IP forwarding for the workloads that match the label combination.

To enable this feature, contact Illumio Support. For details about how to set up IP forwarding for workloads, see Connectivity Settings in the PCE Administration Guide.

Uninterrupted Traffic Between the VEN and the PCE

The VEN implementation provides an extra layer of self-protection that prevents any erroneous policy from being applied to the VEN. The VEN employs a defensive approach that reviews policies before applying them. In case the VEN detects that the new policy may disrupt communications between the VEN and the PCE, the VEN automatically isolates that policy and logs an error in the event log. The VEN then continues to communicate with the PCE using the existing functional policy.
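The fail-safe behaviour described above, as an added example that is not Illumio's code: a simplified first-match firewall model and an applier that refuses any candidate policy under which the VEN's flows to the PCE would no longer be allowed, isolating the rejected policy and keeping the existing one. The rule format, the PCE_FLOW address and port, and the class and function names are all assumptions.

```python
import logging
from dataclasses import dataclass
from typing import List, Optional

# Constructed, simplified firewall model (not Illumio's policy format):
# ordered rules, first match wins, implicit deny when nothing matches.
@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    direction: str           # "in" or "out"
    proto: str               # "tcp", "udp" or "any"
    dst: str                 # destination IP or "any"
    dport: Optional[int]     # None matches any port


@dataclass(frozen=True)
class Flow:
    direction: str
    proto: str
    dst: str
    dport: int


# Assumed placeholder for the VEN's management connection to the PCE.
PCE_FLOW = Flow("out", "tcp", "203.0.113.10", 8443)


def evaluate(policy: List[Rule], flow: Flow) -> str:
    for r in policy:
        if (r.direction == flow.direction and r.proto in ("any", flow.proto)
                and r.dst in ("any", flow.dst) and r.dport in (None, flow.dport)):
            return r.action
    return "deny"


class SelfProtectingApplier:
    """Keeps the current working policy and refuses any candidate that
    would stop the VEN reaching the PCE; rejected policies are isolated."""

    def __init__(self, pce_flows: List[Flow], initial_policy: List[Rule]):
        self.pce_flows = pce_flows        # flows the VEN needs toward the PCE
        self.active = list(initial_policy)
        self.isolated: List[List[Rule]] = []

    def apply(self, candidate: List[Rule]) -> bool:
        blocked = [f for f in self.pce_flows if evaluate(candidate, f) != "allow"]
        if blocked:
            # Isolate the policy, log the error, keep the known-good policy active.
            logging.error("policy rejected; it would block VEN->PCE flows: %s", blocked)
            self.isolated.append(list(candidate))
            return False
        self.active = list(candidate)
        return True
```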

IPv6 Support and Features for the VEN

In Illumio Core 20.2.0 and later releases, the VEN supports both IPv4 and IPv6 addresses, and the IP address version appears correctly in the PCE; for example, in the Workload section of the VEN summary page in the PCE web console.

You can configure how the PCE treats IPv6 traffic from workloads. For more information, see Allow or Block IPv6 Traffic in the PCE Administration Guide.

The VEN supports IPv6 in the following ways.

IPv6 is Enabled by Default on Datacenter VENs

Release 20.2.0 and later support configuring inbound or outbound IPv6 traffic by organization (ORG). In previous releases, you could only block all or allow all IPv6 traffic by organization.

The default settings are as follows:

  • If the previous ORG-wide IPv6 policy is to block all IPv6 traffic, then this setting is preserved.
  • If the previous ORG-wide IPv6 policy is to allow all IPv6 traffic, then this setting is not preserved.

IPv6 Support for Linux and Windows VENs

Beginning with Release 20.1, the Linux and Windows VENs support IPv6 rules.

VEN Compatibility Report for IPv6 Support

Illumio supports IPv6 for workloads. This includes providing a warning in the Compatibility Report. The Compatibility Report is used to detect possible issues before moving the VEN out of the idle state. See VEN Compatibility Check in the VEN Installation and Upgrade Guide. In this release, Illumio updated the options in the Compatibility Report to increase its usability.

The following command and command options are supported:

  • On Linux and SunOS, this command option is available regardless of whether IPv6 is enabled:

    • ipv6_forwarding_enabled

      • At least 1 iptables forwarding rule is detected in the IPv6 forwarding chain. VEN removes existing iptables rules in the non-Idle policy state.
  • On Windows, we do not support all IPv6 transition tunnels that are part of the IPv6 transition technology (RFC 4213). The following options are available:

    • teredo_tunneling_enabled

      • Teredo tunneling allows for IPv6 connectivity.
      • Teredo is an IPv6 transition tunnel.
      • We do not report on Teredo adapters.
    • IPv6 enabled

      • Continues to be supported.
      • Detects potential transition technology usage on Windows.

VEN Features by Initial Release

The following tables list key Illumio Core features by their introductory release.

VEN Features in Release Pre-19.3.0

Feature                                       | Initial Release
Firewall coexistence                          | Pre-19.3.0
illumio-ven-ctl start/stop/activate/unpair    | Pre-19.3.0
illumio-ven-ctl unpair open|saved|recommended | Pre-19.3.0
illumio-ven-ctl suspend                       | Pre-19.3.0
IPSec (SecureConnect)                         | Pre-19.3.0
Kerberos PKI-based Pairing on Solaris/AIX     | Pre-19.3.0
PCE Repo Upgrade                              | Pre-19.3.0
Process-based Policies                        | Pre-19.3.0
Solaris Zone Support                          | Pre-19.3.0
Support report                                | Pre-19.3.0

VEN Features in Release 19.3.x

Feature                                                         | Initial Release
Compatibility Report for IPv6 Support                           | 19.3
Custom iptable Rules                                            | 19.3
Easy installation of VEN on container hosts                     | 19.3
Ignored Interfaces on Windows VENs                              | 19.3
Management of Conntrack Table Size                              | 19.3
Modes: idle, illuminated, enforced                              | 19.3
nftables for RHEL 8                                             | 19.3
Solaris 11.4 Support                                            | 19.3
Support Reports New Options                                     | 19.3
Faster Supercluster Full Restore                                | 19.3.0
FQDN policy on Domain controller/DNS server                     | 19.3.0
State Table Sizes on AIX and Solaris                            | 19.3.0
illumio-ven-ctl deactivate                                      | 19.3.0
CRI-O Support                                                   | 19.3.1
Loadbalancer TCP port 8302 and TCP+UDP port 8302 Enhancements   | 19.3.1
Docker/ContainerD/CRIO                                          | 19.3.1
SLES on Power Series hardware                                   | 19.3.2
Oracle Exadata Support                                          | 19.3.4
Oracle ZDLRA Support                                            | 19.3.4
FQDN-Based Rules Enhancements                                   | 19.3.5
LDAP Authentication                                             | 19.3.5
Aggressive Tampering Protection for nftables                    | 19.3.6
Illumio Core REST API                                           | 19.3.6
Debian 11 Support                                               | 19.3.7
IBM Z Support                                                   | 19.3.7

VEN Features in Release 20.x

Feature                                        | Initial Release
Agent Monitor                                  | 20.1.0
REJECT Rules                                   | 20.1.0
Workloads and VENs Separation                  | 20.1.0
Flow Duration Attributes                       | 20.2.0
IPv6 for Linux and Windows VENs                | 20.2.0
IPv6 for VEN                                   | 20.2.0
IPv6 is Enabled by Default on Datacenter VENs  | 20.2.0
Software Management from PCE                   | 20.2.0
Stopped Status                                 | 20.2.0
Tamper Detection                               | 20.2.0
Clone Detection                                | 20.2.0 (Edge 20.1, Core 20.2)
Selective Enforcement                          | 20.2.0-PCE

VEN Features in Release 21.x

Feature                                              | Initial Release
Reports feature (previewed in Core 21.2.0)           | 21.2.0
Enforcement Boundaries                               | 21.2.0
Linux Pairing Script Activation for Proxy Servers    | 21.2.0
Network-Specific Policy                              | 21.2.0
Uninterrupted Traffic between the VEN and the PCE    | 21.2.0
Network_deny List                                    | 21.2.0-PCE
Adaptive User Segmentation                           | 21.2.0-VEN
Explorer Allows Label Search of All Types            | 21.2.1
Open Source Package Updates for 21.2.1               | 21.2.1
RHEL 8 support for PCE                               | 21.2.1
Supercluster 8-Region Support in 21.2.1              | 21.2.1
Syslog Forwarding Change                             | 21.2.1
Threshold Configuration Settings                     | 21.2.1
File Settings Option                                 | 21.2.1
VEN Package Format Changes                           | 21.2.1
Proxy Fallback Enhancement on Windows                | 21.2.4
Robustness and Reliability                           | 21.5.0
Run as a Different User with AUS on Windows          | 21.5.0
IBM Z with RHEL 7 and RHEL 8                         | 21.5.11
Label-based Security Setting for IP Forwarding       | 21.5.11

VEN Features in Release 21.x-C (Container)

Feature                        | Initial Release
Containerized VEN              | 21.2.0-C VEN
Containerized VEN Base Image   | 21.2.1-C-VEN

VEN Features in Release 22.x

Feature                                                  | Initial Release
Advanced Diags (strace/tcpdump)                          | 22.5.0
Configurable Time for Heartbeat Warning Events           | 22.2.0
Disable and Enable Enforcement Boundaries                | 22.2.0
Essential Rule Coverage in Illumination and Explorer     | 22.2.0
Firewall Script Logging                                  | 22.2.0
Traffic Flow Query Report                                | 22.2.0
Wireless Connections and VPNs                            | 22.2.0

Major VEN Features by Supported OS

The following table lists key VEN features by supported platform.

Feature                               | Windows                | Windows Edge           | Linux     | C-VEN                  | CentOS8  | AIX      | Solaris     | MacOS (Endpoint)
Firewall                              | WFP                    | ?WFP                   | IPtables  | IPtables               | NFTables | IPFilter | IPFilter/PF | PF
Firewall coexistence                  | ✓                      | ✓                      | ✓         | ✓                      | ✓        | -        | -           | ✓
Container support                     | -                      | -                      | ✓         | ✓                      | ✓        | -        | -           | -
IPv6                                  | ✓                      | ✓                      | ✓         | ✓                      | ✓        | -        | ✓           | ✓
PCE repo upgrade                      | ✓                      | ✓                      | ✓         | -                      | ✓        | -        | -           | ✓
Aggressive Tampering Detection        | ✓                      | ✓                      | ✓         | -                      | -        | -        | -           | -
Process-based policies                | ✓                      | ✓                      | -         | -                      | -        | -        | -           | -
Extended process path/args (vtap)     | ✓                      | ✓                      | ✓         | ✓                      | ✓        | ✓        | ✓           | ✓
Flow-byte counting                    | ✓                      | ✓                      | ✓         | -                      | -        | -        | -           | -
Kerberos                              | ✓                      | ✓                      | ✓         | ✓                      | ✓        | ✓        | ✓           | ✓
FIPS                                  | ✓                      | ✓                      | ✓         | ✓                      | ✓        | ✓        | ✓           | -
FQDN Policies                         | ✓                      | ✓                      | ✓         | ✓                      | ✓        | -        | -           | -
FQDN Traffic reporting                | ✓                      | ✓                      | ✓         | ✓                      | ✓        | -        | -           | -
IPSec (SecureConnect)                 | ✓                      | ✓                      | ✓         | ✓                      | ✓        | -        | -           | -
Installer                             | MSI; EXE (from 21.2.1) | MSI; EXE (from 21.2.1) | pkg       | apk; rpm (from 19.3.2) | pkg      | bff      | pkg         | dmg
Pairing script (oneliner from PCE UI) | ✓                      | ✓                      | ✓         | ✓                      | ✓        | -        | -           | ✓
Process-based policies                | ✓                      |                        | ✓ o e-bpf | -                      | -        | -        | -           | o (P1) networkextension