About VEN Administration on Workloads

The following topic explains the VEN states and characteristics you need to understand when administering the VEN on workloads.

Workload Policy States

After activation, the VEN can be in one of the following policy states. The VEN policy state determines how the rules received from the PCE affect the network communication of a workload.

Change the policy state of the VEN by modifying settings in the PCE.

VEN Enforcement Characteristics

Policy enforcement is governed by both an enforcement state and a visibility state; the visibility state specifies how much traffic data the VEN collects from a workload.

The following table summarizes the key enforcement characteristics of the VEN:

| Workload Enforcement State | VEN Mode | VEN Visibility Level | Log Traffic |
|---|---|---|---|
| Idle | Idle | Limited | Limited |
| Visibility | Selective or full enforcement | Full enforcement: Off, Blocked, Blocked and Allowed | For Blocked, and Blocked and Allowed |
| Selective | Selective or full enforcement | Full enforcement: Off, Blocked, Blocked and Allowed | For Blocked, and Blocked and Allowed |
| Full | Selective or full enforcement | Full enforcement: Off, Blocked, Blocked and Allowed | For Blocked, and Blocked and Allowed |

For more information, see Ways to Enforce Policy in the Security Policy Guide.

VEN Policy Sync Full Enforcement

To help you administer and troubleshoot the VEN, it reports many Policy Sync states. Here are the Policy Sync states and their definitions:

  • Active (Syncing): Policy is currently being applied to the workload.
  • Active: The most recent policy provisioning was successful, no unwanted changes to the workload's firewall have been reported, none of the configured SecureConnect connections are in an erroneous state, and all VEN processes are running correctly.
  • Staged: The PCE has successfully sent policy to the VEN, and it is staged and scheduled to be applied at a later time. This state only appears when you have configured the Policy Update Mode for the workload to use Static Policy. For information, see Static Policy and Staged Policy, and Types of Illumio Xpress Policy in the Security Policy Guide.
  • Error: One of the following errors has been reported by the VEN:
    • The most recent policy provisioning has failed.
    • Unwanted changes to the workload's firewall have been reported.
    • At least one VEN process is not running correctly.
    • There is a SecureConnect or Machine Authentication policy, but leaf certificates are not set up properly.
  • Warning: At least one SecureConnect connection is in an erroneous state, and either the most recent policy provisioning was successful or no unwanted changes to the workload's firewall have been reported.
  • Suspended: Used by admins to debug. Rules programmed into the platform firewall (including custom iptables rules) are removed completely. No Illumio Xpress-related processes are running on the workload.
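The state definitions above are easier to reason about when written as a single decision rule, which is useful when triaging many workloads at once (for example, deciding which workloads need a human look first). The following is an added illustration and not Illumio code: the `VenReport` fields and the precedence order (Suspended, then Active (Syncing), then Error, then Warning, then Staged, then Active) are assumptions made here to encode the conditions listed above; the real VEN and PCE do not expose this structure.

```python
"""Derive a VEN Policy Sync state from the conditions a VEN can report.

Added example, not Illumio's code. `VenReport` and the precedence order
below are assumptions chosen to encode the documented state definitions.
"""
from dataclasses import dataclass


@dataclass
class VenReport:
    """Conditions the VEN reports to the PCE (constructed field names)."""
    suspended: bool = False                  # admin put the VEN in Suspended
    syncing: bool = False                    # policy currently being applied
    staged: bool = False                     # Static Policy: policy staged, not yet applied
    last_provision_ok: bool = True           # most recent policy provisioning succeeded
    unwanted_fw_changes: bool = False        # tampering with the workload firewall reported
    processes_ok: bool = True                # all VEN processes running correctly
    secureconnect_errors: int = 0            # SecureConnect connections in an erroneous state
    cert_policy_without_leaf_certs: bool = False  # SecureConnect/MA policy but leaf certs not set up


def error_reasons(r: VenReport) -> list[str]:
    """Return the documented Error conditions that hold for this report."""
    reasons = []
    if not r.last_provision_ok:
        reasons.append("most recent policy provisioning failed")
    if r.unwanted_fw_changes:
        reasons.append("unwanted changes to the workload firewall")
    if not r.processes_ok:
        reasons.append("at least one VEN process not running correctly")
    if r.cert_policy_without_leaf_certs:
        reasons.append("SecureConnect/Machine Authentication policy without leaf certificates")
    return reasons


def policy_sync_state(r: VenReport) -> str:
    """Map a report to one Policy Sync state.

    Precedence (an assumption of this example): Suspended wins, then the
    transient Active (Syncing), then any Error condition, then a Warning
    (SecureConnect trouble with policy otherwise healthy), then Staged,
    and Active only when every health condition holds.
    """
    if r.suspended:
        return "Suspended"
    if r.syncing:
        return "Active (Syncing)"
    if error_reasons(r):
        return "Error"
    if r.secureconnect_errors > 0:
        return "Warning"
    if r.staged:
        return "Staged"
    return "Active"


def triage(reports: dict[str, VenReport]) -> dict[str, list[str]]:
    """Group workload names by derived state so Error/Warning can be reviewed first."""
    grouped: dict[str, list[str]] = {}
    for name, rep in reports.items():
        grouped.setdefault(policy_sync_state(rep), []).append(name)
    return {state: sorted(names) for state, names in grouped.items()}


if __name__ == "__main__":
    # Constructed sample fleet; names and values are made up for the demo.
    fleet = {
        "web-01": VenReport(),
        "web-02": VenReport(secureconnect_errors=1),
        "db-01": VenReport(unwanted_fw_changes=True, secureconnect_errors=1),
        "batch-01": VenReport(staged=True),
        "lab-01": VenReport(suspended=True),
    }
    for state, names in sorted(triage(fleet).items()):
        print(f"{state:18} {', '.join(names)}")
```

Note that a report with both a SecureConnect error and an unwanted firewall change resolves to Error, not Warning: the Warning definition above only applies while provisioning and firewall integrity are otherwise healthy, so the tampering signal is not masked.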

VEN Health Status on Workloads

The VEN health status on the workload's details page displays information related to the current state of VEN connectivity, the most recently provisioned policy changes to that workload, and any errors reported by the VEN.

These errors include any unwanted changes to the workload's firewall settings, any SecureConnect functionality issues, or any VEN process health errors.

To view a workload's VEN health status, view the VEN section on the Summary tab for the workload's details page.

VEN Process Health

The health status of the VEN can be monitored from the PCE web console. If for any reason one or more Illumio Xpress processes on the workload are not running, the VEN reports the error to the PCE.

The PCE marks the workload as in an error state and adds a notification on the Workloads page. It also logs an audit event that includes the Illumio Xpress processes which were not running on the workload.

Workload Clone Alerts

Workloads can be filtered according to whether a cloned node has been detected. On Windows, Linux, and Mac OS systems, when the PCE detects a cloned node, it notifies the VEN through a heartbeat. The VEN verifies that a clone exists, prevents it from being activated, and deletes it.