Recommendations

When you use either the Illumio Xpress Endpoint Wizard or the Server Wizard, it examines your traffic and recommends policies, and sometimes labels, to apply to the identified service or server role. Depending on the situation, you can accept, modify, or deny the recommendations.

NOTE:

Saving (accepting) the recommendations does not by itself protect your machines. To protect them, you must manually enforce the recommended policies. See Ways to Enforce Policy.

Purpose

The purpose of recommendations is to help you quickly protect your network with best practices instead of creating policies by hand.

Workflow

The endpoint protection workflow allows you to install agents on endpoints on your network, and accept or decline the recommendations. See Protecting Endpoints for more information on endpoints.

The server protection workflow allows you to install agents on detected servers, and modify, accept, or decline the recommendations. See Protecting Servers for more information on servers.

About Recommendations

Recommendation Components

Recommendations are made of ruleset-based policies. Each rule in a ruleset specifies sources and destinations, as well as the allowed or denied source processes/services and destination services. Each source or destination must have a selected policy object (label, label group, service, IP list, or user group) that is either allowed or denied.

Rules define which workloads are allowed to communicate. Labels allow you to categorize the aspects of workloads that you wish to include in your rules. All of this is handled automatically in the wizard.

The Endpoint Wizard lists observed processes, ports, and protocols, along with a recommendation for you to allow or disallow them.

The Server Wizard lists servers by hostname. For each server it shows a recommended protection schema based on the server's roles, along with the labels and policy rules that make up the schema (server-specific policy). Illumio Xpress supports up to 10 protection schemas per server workload. The Server Wizard lets you examine these labels and rules.

Rejecting Recommendations

Rejecting Endpoint Wizard Recommendations

If you wish to reject Endpoint Wizard recommendations, do not select Save Rules at the end. This will leave the endpoints without any applied security policy until you do the following:

  • Restart the Endpoint Wizard and select Save Rules at the end of the wizard

  • Manually create policies, rules, etc. For more information on policies, see The Illumio Xpress Policy Model.

Rejecting Server Wizard Recommendations

If you wish to reject Server Wizard recommendations, you can select Change in the Protection Schema column and deselect any and all protection schemas. Alternatively, do not select Save at the end.

If a particular server is not given a protection schema, or you change the protection schema to None, selecting Save will not update it to be protected. This will leave the server without any applied security policy until you do the following:

  • Restart the Server Wizard, choose a schema, and select Save at the end of the wizard

  • Manually create policies, rules, etc. For more information on policies, see The Illumio Xpress Policy Model.

Modifying Recommendations

You can modify Server Wizard recommendations by clicking Change in the Protection Schema column and selecting up to 10 different protection schemas in the pop-up dialog, each supporting multiple roles for the server.

Accepting Recommendations

In the Endpoint Wizard, you accept the recommendations by selecting Save Rules at the end of the wizard.

In the Server Wizard, with or without changing the recommended protection schemas, you accept the listed protection schemas by selecting Save at the end of the wizard. Note that a protection schema may create new labels in the system.

To protect your endpoints or servers, manually enforce the policies after accepting the recommendations. See Ways to Enforce Policy.

Recommendation Caveats

Endpoint Caveats

Do not delete any of the objects (e.g., labels, rulesets, pairing profiles, or services) associated with an endpoint group. Deleting them will break onboarding, pairing, etc., which may result in unexpected behavior.

Server Caveats

If you use the classic user interface to "unlabel" a server that had been protected using the Server Wizard, this will leave the server unprotected, and may also result in unexpected behavior.