Work with Illumination Plus
You can use Illumination Plus to perform the following tasks.
Workflow for Using Illumination Plus
Illumination enables you to build security policies for your workloads by following this workflow:
Group discovery: When you pair workloads, the VEN introspects those workloads and determines their open ports, running services, and traffic flows. See the VEN Installation and Upgrade Guide for information about installing (also called pairing) VENs on workloads.
Prepare group for rules: Prepare a group for rules by applying labels to each workload in the group so you can write policies for them.
Rule writing: After you have prepared the group for rule writing, you can begin to write rules for the workloads in the group. This requires writing rules to allow communication between workloads across groups, between workloads in the same group, or between workloads and other entities outside the group (for example, the Internet or an IP List). Illumination Plus will also propose suitable rules for you to use or modify if you do not want to manually create rules from scratch. See "IP Lists" and "Rule Writing" in the Security Policy Guide for more information.
Rule Testing: Illumination gives you the power to test and evaluate your rules against existing traffic flows without enforcing the rules. Rules can be tested to ensure that legitimate traffic flows required by an application are permitted and malicious traffic is blocked. Exporting traffic summaries or viewing blocked traffic lets you know which traffic connections would be dropped if the rules were enforced.
Policy Enforcement: When you are ready to implement the rules for a group, you can put the group into the enforced state. Leveraging the Illumio Core allowlist policy model, any traffic flows that are not explicitly allowed by a rule are dropped. If a legitimate application flow is broken or an intrusion occurs, you can configure notifications to alert you.
About Unmanaged IP Addresses
From the Illumination Plus Map, you can quickly create unmanaged workloads from IP addresses. A reverse DNS lookup is done on the IP addresses to obtain and display the server name for the unmanaged workload. The server names are only displayed in the PCE web console. When you export the file, it lists IP addresses.
Note
The DNS names are not displayed in Illumination Plus for Illumio Core Cloud customers.
When you select an IP address in Illumination Plus that is not currently associated with another policy object, it automatically populates the IP address into an unmanaged workload with the following values:
A default interface of eth0
The hostname, which is the IP address by default
IPv4 or IPv6 addresses displayed in Illumination Plus can be selected from the internet, IP lists, or traffic links. The default interface and hostname can be changed if needed and labels can be added to the unmanaged workload.
Until new traffic for the unmanaged workload is observed, the traffic lines are not displayed for the unmanaged workload. The traffic lines in Illumination Plus are updated after new flows are reported by the PCE.
If you try to create an unmanaged workload from an IP address where an unmanaged workload already exists, an error message is displayed.
After you convert an unmanaged IP address to an unmanaged workload, you can use it in your policy; for example, when you want to allow one of your hosts to communicate with a managed workload. A reverse DNS lookup is done on the IP addresses listed under the Consumer column, so you see the name of the server instead of the IP address.
Create an Unmanaged Workload from an IP Address
The Illumination Plus Map includes groups for unmanaged IP addresses. First, the PCE maps IP addresses to an IP list; then, if the IP address falls within the RFC-defined private address ranges, it appears in the private IP address group. Lastly, the Map contains a public IP address group that encompasses all the remaining IP addresses, which are treated as part of the Internet. You can create unmanaged workloads for each type of IP address.
In the Illumination Plus Map view, click one of the following groups: IP List, Private Addresses, or Public Addresses.
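The grouping precedence described above (IP list first, then private range, then public), written out as an added Python example that is not Illumio's code. The IP list names and CIDR ranges are constructed for the example, and the "RFC set" is assumed here to mean the RFC 1918 IPv4 ranges plus the RFC 4193 IPv6 unique-local range.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample IP lists (CIDR ranges) standing in for the PCE's IP list
# objects; the names and ranges are assumptions for this example.
IP_LISTS: Dict[str, List[str]] = {
    "Corp DNS": ["10.1.1.0/24"],
    "Partner VPN": ["203.0.113.0/24", "2001:db8:1::/48"],
}

# Assumed private ranges: RFC 1918 for IPv4, RFC 4193 (fc00::/7) for IPv6.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def classify(ip: str) -> Tuple[str, Optional[str]]:
    """Return (group, ip_list_name) using the Map's precedence:
    an IP list match wins over a private-range match, which wins over public."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in IP_LISTS.items():
        # 'in' returns False for a version mismatch (IPv4 addr vs IPv6 net)
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return ("IP List", name)
    if any(addr in net for net in PRIVATE_RANGES):
        return ("Private Addresses", None)
    return ("Public Addresses", None)


def group_observed_ips(ips: List[str]) -> Dict[str, object]:
    """Bucket observed peer IPs the way the Summary tab breaks them down:
    IP list hits are further split per list; private and public are flat."""
    groups: Dict[str, object] = {"IP List": {}, "Private Addresses": [],
                                 "Public Addresses": []}
    for ip in ips:
        group, name = classify(ip)
        if group == "IP List":
            groups["IP List"].setdefault(name, []).append(ip)
        else:
            groups[group].append(ip)
    return groups
```

Note that 10.1.1.5 is both inside an IP list and inside 10.0.0.0/8; the precedence places it under the IP list, not the private group.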
The right-side panel for the object opens. For example, locate and click the IP List group:
When you click the IP List group, the Summary tab in the right-side panel displays the IP addresses broken down into each of the IP lists that they match.
For private and public IP addresses, the tab displays the list of IP addresses.
For an IP address in an IP list, click a row to expand the IP addresses in that IP list. The panel refreshes and displays any unmanaged IP addresses that are communicating with your managed workloads. (For public and private IP addresses, you can skip this step.)
Note
If a reverse DNS lookup succeeds for the address, the server name is displayed instead of the IP address.
Select the checkbox for each IP address that you want to create an unmanaged workload for. The Create Unmanaged Workloads button becomes enabled.
Click Create Unmanaged Workloads. The Assign Labels dialog box appears.
From the drop-down list, select the labels to assign to the unmanaged workload and click Confirm.
A dialog box appears indicating that the unmanaged workload was created.
[Optional] Recalculate your map with the newly created unmanaged workload by clicking Recalculate in the confirmation dialog box.
To complete the configuration of the unmanaged workload, perform the rest of the steps.
From the PCE web console main menu, choose Workloads and VENs > Workloads.
The Workloads page appears.
In the Workloads list, locate the new unmanaged workload you created. Identify the unmanaged workload by its name, which is its IP address.
The new unmanaged workload does not list any information for its enforcement because it does not have a VEN installed on it.
To complete the configuration for the unmanaged workload, click its IP address in the Workloads list.
The Unmanaged Workload page appears.
Click Edit and complete the workload information. For information about the fields for unmanaged workloads, see "Add an Unmanaged Workload" in the Security Policy Guide.
Click Save.
Add Rules for Traffic Using Illumination Plus
You can use Illumination Plus to add rules for traffic flows by selecting traffic flows and then allowing the selected connections.
In the Table view, you can only write rules for one page of traffic flows at a time. You must click through each page. (This limitation matches the way other tasks are performed in the Table view.)
To add rules for traffic flows:
From the PCE web console main menu, choose Illumination Plus.
From the Table view, select Label-Set Connections and a Draft view: All, Potentially Blocked, or Blocked.
Using the checkboxes, select traffic flows that you want to write rules for.
The Allow Selected Connections button changes color from pale to bright blue and includes the number of allowable connections for which the PCE can write rules.
Click Allow Selected Connections.
Note
Under certain conditions the button won’t be enabled; for example, you’ve only selected traffic flows that are already allowed. When this occurs, either select other traffic flows or click the Edit Labels button to modify the traffic flows.
The page refreshes and displays proposed rulesets or rules depending on whether you have enabled basic or advanced modes for rule writing. See "Basic and Advanced Modes for Rules" in the Security Policy Guide for a distinction between these modes.
When you are using the basic mode for rule writing, the page contains only a list of proposed rules, and you aren't able to add scoped rulesets. You can only select global rulesets.
When advanced mode for rule writing is enabled (so that you can create scoped rules), the page contains tabs for relevant intra-scope and extra-scope rules for the ruleset. The PCE chooses the proposed ruleset based on the scope of the traffic flows you selected.
For example, suppose you have selected two traffic flows that have the same set of labels, so that they fall within the same scope. When you have a ruleset that already has that scope, the PCE defaults to that ruleset and displays a list of options that match that scope. If you instead select a third traffic flow that has different labels from the first two, the PCE displays the global rulesets as the option to add the rules to.
Either accept the default ruleset or select a different ruleset to add the rules to.
When in advanced rule writing mode, the Add to Ruleset drop-down menu contains these categories: rulesets appropriate for the scope, global rulesets, an option to search all rulesets, and an option to create a new ruleset.
When you elect to create a new ruleset, the Add Ruleset dialog box appears. Select the Add Scopes checkbox to see all the scopes that are common to the selected traffic flows you are adding rules for.
As needed, edit the scopes for your ruleset and click the Save icon:
After clicking the Edit icon, the scope field becomes editable:
If you remove all the scopes from the ruleset, the labels for the scope appear in the rules.
[Optional] To control how the PCE uses services in the rules, click the Settings button.
You can choose to use all services or broad services. When selecting Broad Services, the PCE doesn't require an exact match on the service. For example, you want to use service TCP 3306, but the PCE contains TCP/UDP 3306. Selecting Broad Services enables the rule to use TCP/UDP 3306 as a matching service. When the PCE doesn't have a matching service, you can choose to use the port/protocol in the rule or create a new service. By default, the PCE creates the rules by using the port/protocol.
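The service-matching behaviour described above (exact match versus Broad Services, with port/protocol as the default fallback), as an added Python example that is not Illumio's code. The service catalog is constructed for the example, and the interpretation of "exact match" as a service whose entries consist of precisely the requested protocol and port is an assumption.

```python
from typing import Dict, List, Optional, Tuple

# Constructed service catalog standing in for the PCE's service objects
# (names and entries are assumptions). Each entry is a (protocol, port) pair.
SERVICES: Dict[str, List[Tuple[str, int]]] = {
    "MySQL (TCP/UDP)": [("tcp", 3306), ("udp", 3306)],
    "DNS": [("tcp", 53), ("udp", 53)],
    "SSH": [("tcp", 22)],
}


def find_service(protocol: str, port: int, broad: bool) -> Optional[str]:
    """Return the catalog service a proposed rule should reference.
    All-services mode requires a service made up of exactly this protocol/port;
    Broad Services mode also accepts a service that merely covers it."""
    wanted = (protocol.lower(), port)
    for name, entries in SERVICES.items():
        if entries == [wanted]:
            return name            # exact match is valid in both modes
        if broad and wanted in entries:
            return name            # superset match, e.g. TCP 3306 -> TCP/UDP 3306
    return None


def propose_service_field(protocol: str, port: int, broad: bool = False,
                          create_new: bool = False) -> Dict[str, object]:
    """Build the service part of a proposed rule. With no matching service the
    default is the raw port/protocol; create_new describes a new service instead."""
    match = find_service(protocol, port, broad)
    if match is not None:
        return {"service": match}
    if create_new:
        name = f"{protocol.upper()} {port}"
        return {"new_service": {"name": name, "entries": [(protocol.lower(), port)]}}
    return {"port_protocol": f"{port} {protocol.upper()}"}
```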
As needed, edit the proposed rules, and save your changes by clicking the Save icons at the end of the rows.
Note
When you edit rules and any overlap exists between rules because of your changes, the PCE optimizes the rules so that duplicates are eliminated. For each duplicate rule that isn't provisioned, the PCE displays a “Proposed Delete” label in the left column and will delete that rule.
Once you’re satisfied with the selected ruleset and the rules within it, click Save or Save and Provision, depending on whether you want to immediately provision the ruleset.
See "Provisioning" in the Security Policy Guide for information.
After saving your ruleset and rules, the PCE web console reloads your data so that the Table view and Map view reflect the changes.
Set Visibility Feature in PCE Web Console
In Illumio Core 22.5.0, you have the option of how to view your visualization data. The PCE web console includes two ways to visualize data:
By using Illumination Classic
Illumination Classic is the visualization feature that has been available in Illumio Core for many releases. This feature does not support using customizable labels and is limited to displaying the four default label types that will always be available for customers: Role, Application, Environment, and Location.
If you are a new Illumio Core customer, using Illumination Classic is disabled (hidden) in the PCE web console. However, individual Illumio Core users can enable it through their My Profile settings.
Important
Illumio Core administrators cannot enable or disable Illumination Classic at the organization level.
By using Illumination Plus
Illumination Plus is a new feature in Illumio Core 22.5.0, and by default it is the visibility feature enabled (visible) in the PCE web console for all new Illumio Core customers.
To view these settings, from your user menu, choose My Profile and scroll to the Visibility section.

If you choose to continue using Illumination Classic in the PCE web console in Illumio Core 22.5.0, both forms of data visibility appear in the PCE web console main menu.
Monitor Traffic Database Size and Receive Alerts Using Illumination Plus
In Illumination Plus, you can monitor the traffic database size and be alerted when you are close to capacity.
Note
The storage information is based on your customer organization limit and not the overall capacity of the PCE for your environment.
To monitor traffic database size:
In the PCE web console menu, choose Illumination Plus.
The Illumination Plus page appears.
From the top status bar, hover over the database icon:
A pop-up window appears, which displays the amount of disk space your traffic data is consuming and how much space you have available. The feature also displays how many days of traffic data you can query and how many more days of data you can store. You receive an alert when your disk space is within 15% of your available space.