VEN Compatibility Check

This topic explains how to use the VEN Compatibility Check feature after installing VENs on workloads.

About Compatibility Checks

When you pair a VEN in the Idle state or change the VEN state to Idle, the VEN performs several compatibility checks and sends the results to the PCE. This process occurs every 24 hours and checks whether the workload's preexisting state will cause issues when the VEN is moved out of the Idle state.

After reviewing the results of the VEN Compatibility Check, you can determine whether the VEN is ready to be moved out of the Idle state or whether you first need to resolve detected issues, for example by backing up any system firewall rules.

NOTE:

The VEN Compatibility Check is per-workload. It is available only for VENs in the Idle state, not for the Visibility, Selective, or Full states. If a workload reverts from any of these states to the Idle policy state, the VEN Compatibility Check is performed.

All detected issues are categorized as:

  • Red: Major incompatibility detected
  • Yellow: A potential incompatibility detected
  • Green: No major incompatibilities detected

The Compatibility Check results are displayed in the PCE web console. To view the results, select the workload's details page, then select the Compatibility Report tab.

If no incompatibilities have been detected on the VEN, the page displays "No incompatibilities found."

After viewing the results, you can export them as a text file by clicking Export.

The compatibility checks vary by the workload's operating system.

Linux Operating Systems

| Incompatibility Type | Reason for incompatibility with Illumio Xpress | Results |
|---|---|---|
| IPv4 forwarding enabled | At least 1 iptables forwarding rule is detected in the forwarding chain. VEN removes existing iptables rules in the non-Idle policy state. | Yellow |
| IPv4 forwarding packet count | Complementary check whether IPv4 forwarding is enabled. | |
| iptables rule count | At least 1 iptables filter rule is detected. VEN removes existing iptables rules in the non-Idle policy state. | Yellow |
| IPv6 global scope enabled | IPv6 is enabled for the workload. | Yellow |
| IPv6 active connection count | Complementary check whether IPv6 global scope is enabled. | |
| ip6tables rule count | At least 1 iptables filter rule is detected. VEN removes existing ip6tables rules in the Visibility policy state. | Yellow |
| IPsec service enabled | UDP port 500/4500 is in use by other services. Do not enable SecureConnect for the workload. | Red |
| Routing table conflict | The StrongSwan routing table setting conflicts with existing networking routing tables. Do not enable SecureConnect for the workload. | Red |
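
The rule-count and IPsec port rows of the Linux table can be approximated on a host before the VEN leaves Idle, with the firewall rules backed up first because the VEN removes them. This is an added example, not Illumio code and not the VEN's own detection logic: the function names, backup file names and sample input are assumptions made here, and the routing table conflict and the two complementary count checks are not covered.

```shell
# Added example, not Illumio code: approximates the Linux rows of the table with
# standard tools. The VEN's own detection logic is not shown on the page.

# Count filter-table rules in iptables-save output on stdin; $1 = optional chain.
count_filter_rules() {
    awk -v chain="$1" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && (chain == "" || $2 == chain) { n++ }
        END { print n + 0 }'
}
# Succeed if "ss -lun" output on stdin has a socket bound to UDP 500 or 4500.
ike_ports_in_use() {
    awk 'NF >= 2 { n = split($(NF - 1), a, ":")
                   if (a[n] == 500 || a[n] == 4500) hit = 1 }
         END { exit !hit }'
}
# Args: forward_rules v4_rules v6_rules ipv6_global(0/1) ike_busy(0/1)
grade() {
    worst=Green
    if [ "$1" -gt 0 ]; then echo "Yellow: $1 rule(s) in FORWARD chain"; worst=Yellow; fi
    if [ "$2" -gt 0 ]; then echo "Yellow: $2 iptables filter rule(s)"; worst=Yellow; fi
    if [ "$3" -gt 0 ]; then echo "Yellow: $3 ip6tables filter rule(s)"; worst=Yellow; fi
    if [ "$4" -eq 1 ]; then echo "Yellow: IPv6 global scope enabled"; worst=Yellow; fi
    if [ "$5" -eq 1 ]; then echo "Red: UDP 500/4500 in use, no SecureConnect"; worst=Red; fi
    echo "Overall: $worst"
}
# Live run (root): back up the rules first, because the VEN removes them.
precheck_host() {
    iptables-save > iptables.bak; ip6tables-save > ip6tables.bak
    v6=0; [ -n "$(ip -6 addr show scope global)" ] && v6=1
    ike=0; ss -lun | ike_ports_in_use && ike=1
    grade "$(count_filter_rules FORWARD < iptables.bak)" "$(count_filter_rules < iptables.bak)" \
          "$(count_filter_rules < ip6tables.bak)" "$v6" "$ike"
}
# Constructed sample input so the example runs on a host without iptables.
SAMPLE_RULES='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -o docker0 -j ACCEPT
COMMIT'
SAMPLE_SS='UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
UNCONN 0 0 [::]:4500 [::]:*'
if [ "${1:-}" = "--host" ]; then precheck_host; else
    ike=0; echo "$SAMPLE_SS" | ike_ports_in_use && ike=1
    grade "$(echo "$SAMPLE_RULES" | count_filter_rules FORWARD)" \
          "$(echo "$SAMPLE_RULES" | count_filter_rules)" 0 0 "$ike"
fi
```

Run without arguments it grades the constructed sample; run as root with `--host` it writes `iptables.bak` and `ip6tables.bak` to the current directory and grades the live host.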

Windows Workloads

| Incompatibility Type | Reason for incompatibility with Illumio Xpress | Results |
|---|---|---|
| IPv6 enabled | IPv6 is enabled for the workload. | Yellow |
| Virtual loopback interfaces | Virtual loopback interface is detected. Untested and unsupported configuration. | Yellow |
| Firewall GPO | Windows firewall Group Policy Object (GPO) is detected. For more information, see KB Article #3545, Firewall GPO Warning Under Compatibility Report (login required). | Yellow |
| IPsec service enabled | IKEEXT service is disabled. Do not enable SecureConnect for the workload. | Yellow |

AIX and Solaris Workloads

| Incompatibility Type | Reason for incompatibility with Illumio Xpress | Results |
|---|---|---|
| IPv4 forwarding enabled | IPv4 is enabled for the workload. | Yellow |
| IPv4 forwarding packet count | Complementary check whether IPv4 forwarding is enabled. | |
| iptables rule count | At least 1 iptables filter rule is detected. VEN removes existing iptables rules in the non-Idle policy state. | Yellow |
| IPv6 global scope enabled | IPv6 is enabled for the workload. | Yellow |
| IPv6 active connection count | Complementary check whether IPv6 global scope is enabled. | |
| ip6tables rule count | At least 1 iptables filter rule is detected. VEN removes existing ip6tables rules in the Visibility policy state. | Yellow |
| IPsec service enabled | IPsec service is already in use. Do not enable SecureConnect for the workload. | Red |