More Information About Pairing Endpoints
What Gets Created When Onboarding Endpoints
The following information provides some background on what happens when onboarding an endpoint.
- Groups are Created:
  Two groups are created by default during onboarding: Endpoint Group: User and Endpoint Group: Admin.
  When a group is created, Illumio Xpress automatically creates a label, ruleset, and pairing profile, each named after the group. Services may also be created during onboarding if Illumio Xpress encounters a new unique service. If onboarding is re-entered, it simply updates the existing groups' rulesets.
- Services are Created:
  These services are based on observed allowed traffic and appear in the groups' respective rulesets if the traffic API returns a process name for them. For Windows environments, these services are created with the port and protocol, or with a process.
- Rules are Created:
  During onboarding, Illumio Xpress adds certain allow rules to both groups (Endpoint Group: User and Endpoint Group: Admin). These rules are derived dynamically from known allowed traffic observed in the past 24 hours. By default, both groups share the allow rule entries that are created from traffic with process names. These allow rules include services that are not explicitly blocked in the static list of services to block. The main difference between the two default groups' rulesets is that the Endpoint Group: Admin group receives an additional allow rule entry permitting traffic from any IP over port 3389, in addition to the dynamic traffic-based service entries.
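As an added illustration (not Illumio's code; the flow records, field names and static block list below are constructed assumptions), this Python models how the onboarding rules described above are derived: services come from flows seen in the last 24 hours that carry a process name and are not on the static block list, both default groups share them, and the Admin group receives the extra port 3389 entry.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample flows (assumed shape; not real Illumio traffic API output).
# "process" is None where the traffic API returned no process name.
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
OBSERVED_FLOWS = [
    {"proto": "tcp", "dst_port": 443, "process": "chrome.exe", "seen": NOW - timedelta(hours=1)},
    {"proto": "tcp", "dst_port": 445, "process": "System", "seen": NOW - timedelta(hours=3)},
    {"proto": "tcp", "dst_port": 8443, "process": None, "seen": NOW - timedelta(hours=2)},
    {"proto": "tcp", "dst_port": 22, "process": "ssh.exe", "seen": NOW - timedelta(hours=30)},
]
# Assumed static list of services that onboarding never turns into allow rules.
STATIC_BLOCK_LIST = {("tcp", 445)}
DEFAULT_GROUPS = ("Endpoint Group: User", "Endpoint Group: Admin")


def derive_services(flows, now, block_list, window=timedelta(hours=24)):
    """Turn observed allowed flows into service entries, applying the three
    filters described above: inside the 24h window, has a process name,
    and not on the static block list."""
    services = {}
    for f in flows:
        if now - f["seen"] > window or f["process"] is None:
            continue
        if (f["proto"], f["dst_port"]) in block_list:
            continue
        key = (f["proto"], f["dst_port"], f["process"])
        services[key] = {"name": f["process"], "proto": f["proto"], "port": f["dst_port"]}
    return sorted(services.values(), key=lambda s: (s["proto"], s["port"]))


def build_rulesets(flows, now, block_list):
    """Build the per-group objects onboarding creates (label, ruleset and
    pairing profile named after the group) together with each group's rules."""
    shared = derive_services(flows, now, block_list)
    rulesets = {}
    for group in DEFAULT_GROUPS:
        rules = [dict(s) for s in shared]  # both groups share the dynamic entries
        if group == "Endpoint Group: Admin":
            # Static extra entry that only the Admin group receives.
            rules.append({"name": "RDP", "proto": "tcp", "port": 3389, "source": "any IP"})
        rulesets[group] = {"label": group, "ruleset": group, "pairing_profile": group, "rules": rules}
    return rulesets


def names_consistent(rulesets):
    """Audit check: label, ruleset and pairing profile must still carry the
    group's own name, since onboarding relies on that naming."""
    return all(r["label"] == r["ruleset"] == r["pairing_profile"] == g for g, r in rulesets.items())
```

Because every rule is derived from traffic already seen in the window, reviewing the generated entries before enforcing is the point at which an unexpected service would be noticed.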
Caveats
- By default, the VEN is not paired in Visibility Only or Selective Enforcement mode. If you wish to begin with workloads already in an enforced state, move your default user or administrator group pairing profiles into Selective Enforcement. Otherwise, you will need to move the endpoint (workload) into the desired enforcement level for policy to be enforced. See Ways to Enforce Policy.
- Do not delete any of the objects (e.g., labels, rulesets, pairing profiles, or services) associated with an endpoint group. Doing so breaks onboarding, pairing, etc., and may result in unexpected behavior.
- If you encounter issues with policy being applied, make sure that you have the correct VEN version installed. See Prerequisites for VEN Installation.
- Endpoint groups cannot be deleted in the UI.
- Endpoint groups other than the defaults cannot be created in the UI.
- You cannot rename a group. Groups cannot be directly updated; only their constituent parts (label, ruleset, pairing profile) can. However, do not update the names of these constituent parts.