VEN Activate Command Reference
The following topic describes the commands for activating the VENs either during or after installation, and the ways that you can configure the VEN during activation.
About the Command Options
You use the activate options in these ways:
- When pairing a VEN with a pairing script and activating the VEN during installation: pair.sh (Linux) or pair.ps1 (Windows)
- When activating a VEN (all supported operating systems) after VEN installation by using the illumio-ven-ctl control script
If you are activating against a PCE whose pairing profile is configured to block changes to the policy state (the illumio-ven-ctl --mode option) or to label assignment (the illumio-ven-ctl --env, --loc, --role, and --app options), do not pass those options on the command line. Activation fails if you specify an option that the pairing profile blocks.
When you use the VEN CTL or a pairing script to install a Windows VEN on a workload, you cannot include colons in the values for the options. Including a colon in a command value causes VEN activation to fail. For example, the following values for the -role, -app, and -env options cause VEN activation to fail:
-role "R: UNKNOWN" -app "A:UNKNOWN" -env "E: UNKNOWN"
Activation fails because Windows treats the colon as a special character and cannot interpret the value, even when you enclose the value in quotation marks.
Description of the activate Command Options
The options and arguments are the same for Windows and Unix (Linux, Solaris, and AIX), except that options with two dashes on Unix are written with a single dash on Windows (for example, --loc on Linux is -loc on Windows).
The following options are optional unless noted in the description.
Option | Arguments | Description
---|---|---
activation-code (short form -a) | <activation_code> | REQUIRED: Passes the activation code of the VEN to the pairing script. The code is auto-generated by the pairing profile. In the PCE web console, you can specify whether an activation code is for one-time use or unlimited use; be sure you have generated the correct type for your needs. Do not use a single one-time use activation code for more than one workload.
management-server (short form -m) | <PCE_FQDN:port> or <IPaddress:port> | REQUIRED: Sets the domain name or IP address and port of the host from which the VEN retrieves its master configuration information.
name (short form -n) | <server_friendly_name> | Sets a friendly name that is used for this workload when it appears in the PCE web console.
env | <environment_label> | Assigns an Environment label for this workload.
loc | <location_label> | Assigns a Location label for this workload.
role | <role_label> | Assigns a Role label for this workload.
app | <application_label> | Assigns an Application label for this workload.
proxy_server | <proxy-string> | [Linux, Solaris, AIX only] Specify this option only when configuring a proxy server for a Linux, Solaris, or AIX workload. Windows automatically detects a proxy server, so you do not need this option when installing a VEN on a Windows workload. For information about configuring a proxy server, see VEN Proxy Support.
log-traffic | true \| false | Enables or disables traffic logging. If not specified, logging is set to true by default. Interacts with the visibility-level option; see Allowable Combinations of log-traffic and visibility-level below.
mode | illuminated \| enforced \| idle | Sets the policy state for the workload. For an explanation of the various states, see "Workload Policy States" in the VEN Administration Guide. Retained for backward compatibility; in Illumio Core 20.2.0 and later, use enforcement_mode instead, and never specify both options on the same command line.
enforcement_mode | full \| visibility_only \| selective \| idle | Sets the enforcement state for the workload. Added in Illumio Core 20.2.0 together with the Selective Enforcement feature; see VEN Modes in Illumio Core 20.2.0 and later below. Do not combine with the mode option.
visibility-level | flow_summary \| flow_drops \| flow_off | Defines the extent of the data the VEN collects and reports to the PCE from a workload in the Full enforcement or Visibility policy states, so you can control resource demands on workloads. The higher levels of detail are useful for visualizing traffic flows in greater detail in the Illumination map inside the PCE web console. Interacts with the log-traffic option; see Allowable Combinations of log-traffic and visibility-level below. The arguments are described in the next table.
visibility-level Arguments
Argument | Valid in Policy States | Notes
---|---|---
flow_summary | All policy states | Default. The VEN collects traffic connection details for both allowed and blocked connections: source and destination IP address, port, and protocol. This argument creates traffic links in the Illumination map and is typically used initially after installing the VEN to determine the full scope of potential policy impact on the workload.
flow_drops | Full (Enforced) policy state only | The VEN collects connection details only for blocked traffic: source and destination IP address, port, and protocol. This argument produces less detail for Illumination but demands fewer workload system resources than flow_summary.
flow_off | All policy states | The VEN does not collect any details about traffic connections. This argument produces no details for the Illumination map but requires the fewest workload resources. Useful when you are satisfied with the policy rules and do not need additional detail.
Allowable Combinations of log-traffic and visibility-level
The following rules apply when you use the log-traffic and visibility-level options together with the activate command:
- The visibility-level argument takes precedence over the log-traffic argument.
- visibility-level flow_off together with --log-traffic true is an invalid combination.
- visibility-level flow_drops is invalid in the Illuminated policy state.
VEN Modes in Illumio Core 20.2.0 and later
In Illumio Core 20.2.0, Illumio introduced a new feature called Selective Enforcement. For an explanation of how this feature changed policy functionality in the release, see Selective Enforcement in What's New in This Release, 20.2.0.
This change to the VEN modes affects the VEN in Illumio Core 20.2.0 and later releases.
In particular, the feature changed the workload policy states. To further understand how the policy state changed between releases, see these topics:
- Workload Policy State in the Security Policy Guide, 19.3.x releases
- Workload Enforcement States in the Security Policy Guide, 21.2.0 release
The changes to policy states in 20.2.0 affected the VEN mode option that you specify with the activate command in the ways listed below.
Do not use both the mode and enforcement_mode options together on the command line, because you could specify contradictory states. Specify one or the other. To select the new Selective Enforcement state, enter the enforcement_mode selective option and argument.
- Adds a new option for the activate command: enforcement_mode full|visibility_only|selective|idle
- Retains the mode option from the previous release for backward compatibility.
- The arguments for the mode option map to those for the enforcement_mode option in this way:
  - illuminated maps to visibility_only
  - enforced maps to full
  - idle is the same in both options
  - The enforcement_mode option adds the selective argument. Use the selective argument to set the VEN to the Selective Enforcement state. For information about using Selective Enforcement in policy, see Enforcement Modes for Rules in the Security Policy Guide.
- The visibility-level option and its arguments are unchanged in Illumio Core 20.2.0 and later releases; however, the Selective Enforcement feature separated the workload visibility state from the enforcement state. In particular, the PCE web console has separate drop-down menus (Enforcement and Visibility) on the Workloads page for these two settings. The arguments for the visibility-level option map to the new visibility states in 20.2.0 and later releases in this way:
  - flow_off maps to Off
  - flow_drops maps to Blocked
  - flow_summary maps to Blocked + Allowed
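The following shell script is an added example and is not part of the Illumio documentation or of the VEN's own tooling. It acts as a pre-flight check for the rules on this page: it translates a legacy mode value into its enforcement_mode equivalent, rejects the option combinations this page says cause activation to fail (a colon in a label value on Windows, flow_off with log-traffic true, flow_drops in the Illuminated state, an unknown mode), and then emits the activate command line with double-dash options for Linux or single-dash options for Windows. The option names, the dash convention, the colon rule and the mode and visibility rules are taken from this page; the `illumio-ven-ctl activate` invocation form, the activation code, the PCE host and the label values are made-up assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Illumio's code: build an activate command line and refuse
# the option combinations this page says make VEN activation fail.
# Assumed: the "illumio-ven-ctl activate" form, the activation code, the PCE
# host:port and the labels below are all made up for illustration.

# Map a legacy mode argument (pre-20.2.0) to its enforcement_mode equivalent.
map_mode() {
  case "$1" in
    illuminated) echo visibility_only ;;
    enforced)    echo full ;;
    idle)        echo idle ;;
    *)           return 1 ;;
  esac
}

# Usage: ven_activate_cmd OS MODE VISIBILITY LOG_TRAFFIC ROLE APP ENV LOC
#   OS           linux | windows   (selects --option or -option style)
#   MODE         legacy mode (illuminated|enforced|idle) or
#                enforcement_mode value (full|visibility_only|selective|idle)
#   VISIBILITY   flow_summary | flow_drops | flow_off
#   LOG_TRAFFIC  true | false
# Prints the command line and returns 0, or prints the reason to stderr and returns 1.
ven_activate_cmd() {
  os=$1; mode=$2; vis=$3; logtraffic=$4
  role_l=$5; app_l=$6; env_l=$7; loc_l=$8
  code="1234567890abcdef"          # made-up activation code
  server="pce.example.com:8443"    # made-up PCE FQDN:port

  # Windows: single-dash options, and a colon in any label value breaks activation.
  if [ "$os" = windows ]; then
    d='-'
    for v in "$role_l" "$app_l" "$env_l" "$loc_l"; do
      case "$v" in
        *:*) echo "windows: colon in label value '$v' makes activation fail" >&2; return 1 ;;
      esac
    done
  else
    d='--'
  fi

  # Never pass mode and enforcement_mode together: map legacy values instead.
  case "$mode" in
    illuminated|enforced|idle)       enf=$(map_mode "$mode") ;;
    full|visibility_only|selective)  enf=$mode ;;
    *) echo "unknown mode/enforcement_mode '$mode'" >&2; return 1 ;;
  esac
  case "$vis" in
    flow_summary|flow_drops|flow_off) ;;
    *) echo "unknown visibility-level '$vis'" >&2; return 1 ;;
  esac
  case "$logtraffic" in
    true|false) ;;
    *) echo "log-traffic must be true or false" >&2; return 1 ;;
  esac

  # Allowable combinations: flow_off cannot be paired with log-traffic true,
  # and flow_drops is invalid in the Illuminated (visibility_only) state.
  if [ "$vis" = flow_off ] && [ "$logtraffic" = true ]; then
    echo "visibility-level flow_off with log-traffic true is invalid" >&2; return 1
  fi
  if [ "$vis" = flow_drops ] && [ "$enf" = visibility_only ]; then
    echo "visibility-level flow_drops is invalid in the Illuminated (visibility_only) state" >&2; return 1
  fi

  printf 'illumio-ven-ctl activate %sactivation-code %s %smanagement-server %s' "$d" "$code" "$d" "$server"
  printf ' %senforcement_mode %s %svisibility-level %s %slog-traffic %s' "$d" "$enf" "$d" "$vis" "$d" "$logtraffic"
  printf ' %srole "%s" %sapp "%s" %senv "%s" %sloc "%s"\n' "$d" "$role_l" "$d" "$app_l" "$d" "$env_l" "$d" "$loc_l"
}

# Example runs (made-up labels): the first prints a Linux command line,
# the second is rejected because of the colon in a Windows label value.
ven_activate_cmd linux enforced flow_summary true web app1 prod dc1
ven_activate_cmd windows enforced flow_summary true "R: UNKNOWN" app1 prod dc1 || echo "rejected as expected"
```

The script only builds and checks the command line; it does not run the VEN CTL. Run it on the workload before activation (or from a provisioning pipeline) so that a rejected label or an illegal mode/visibility pairing is caught before a one-time activation code is consumed by a failed attempt.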