Adaptive Segmentationmicro-segmentation October 13, 2020

Dan Gould,

Illumio’s CEO Andrew Rubin recently shared details of our partnership with CrowdStrike to deliver Illumio Edge either via our agent or CrowdStrike’s Falcon agent.

Here, I’d like to take you through a step-by-step on how Illumio Edge for CrowdStrike actually works to shrink your enterprise attack surface and greatly reduce the risk of ransomware and malware spreading between endpoints without the fear of false positives.

Illumio Edge for CrowdStrike stops ransomware and malware propagation through allowlist policies. It blocks all communications between endpoints except for essential traffic that is allowlisted – which vastly reduces the risk of ransomware and malware spreading laterally, between endpoints.

This containment by default makes every endpoint a Zero Trust endpoint, blocking all unnecessary inbound network communications. And it is can all be done via the Falcon agent.

Getting Started

Existing CrowdStrike customers will need either Falcon Prevent or Falcon Insightin place prior to deploying Illumio Edge for CrowdStrike. To get started, merely click “Try it Free” in the Illumio page in the CrowdStrike store.

Illumio Edge and Falcon provisioning will happen automatically, all done in the cloud. This includes the activation of Falcon Firewall Management module on your existing Falcon agent, the provisioning of the Illumio Edge for CrowdStrike cloud-delivered dashboard to create policy and streaming of necessary endpoint telemetry to the cloud via the Falcon Data Replicator.

How it Works

You begin by creating allowlist policies in the Illumio Edge dashboard. We have automated this with Illumio’s simple three-step policy workflow, so there is no need to write manual Windows firewall rules or Group Policy Objects. Often, organizations have turned to Microsoft Group Policy Object to reduce attack surfaces, but in practice this is too much elbow grease, is not dynamic when your environment changes, and won’t support policy updates for off-network endpoints.

Illumio Edge’s automated policy workflow solves for this.

The three steps can be seen at the top of the following screenshot:

  1. Select incoming services
  2. Configure permitted IP ranges
  3. Preview and confirm

First policy page image

First, you define what group of endpoints the policy is intended for; in this case, you are creating policy for endpoints in the Finance department.Then, decide what to permit.

Step 1: Select incoming services

Illumio Edge blocks all communications between endpoints except for essential traffic that is allowlisted. Step 1 builds the allowlist policy for the Finance department to allow any services (in the All Service section on the left) you’d like to permit between endpoints.You do this either from a pre-defined list or you can define your own custom services.

Step 2: Configure permitted IP ranges

Once you have selected the services you’d like to allow, you can select the permitted inbound IP ranges for those services to further control what connects inbound to Finance endpoints.

Permitted IP range

Step 3: Preview and confirm

Merely click ‘Done’ to finish creating policy for your endpoints. Policy is created in three simple steps.

Illumio Edge and Falcon meet in the cloud for a solution that is cloud-delivered using only the Falcon agent on endpoints.

In the Falcon console, you can see the Illumio policy. When you navigate to host groups, you see a new group called “Illumio managed hosts” was created automatically. You can then click ‘Edit Group’ and assign this group to all endpoints you’d like to manage with this policy.

Falcon Managed Hosts

In this example, we apply the Finance group policy to your employee Jon’s laptop.

While in Falcon, you can also confirm the new host firewall rules that have been automatically created by Illumio’s three-step workflow we completed above and sent to Falcon to be enforced through the Firewall Management module, which programs the native host firewall in Windows.


Back in Illumio Edge, you see a new endpoint discovered from CrowdStrike that is ready for policy.

Discovered endpoints, Jon’s in this case, are then moved into the Finance group you created.

Once in the group, Illumio Edge will begin to show top inbound communications to the group’s endpoints and the policy decision. Red denotes blocked traffic and green, when visible, denotes traffic that is permitted by allowlist policy.

block connections

You can dive deeper into any service’s individual flows with Explorer. This view gives details about the traffic’s source and the process it attempted to connect in on. What really matters is that you can see potentially blocked traffic in “draft” view, allowing you to test policy prior to going into enforcement – helping thread the needle between business needs and security.


To sum it up, together, Illumio Edge and CrowdStrike enable you to better protect your endpoints:

  • Gain complete endpoint protection with state-of-the-art CrowdStrike endpoint protection and Illumio Zero Trust containment.
  • Enable risk-free Zero Trust by easily allowlisting legitimate traffic and preventing ransomware propagation.

For more information, 


Adaptive Segmentationmicro-segmentation
Share this post: