
Illumio Core 23.2 Visualization User Guide

About the Visualization Tools

In the PCE UI, you can use the visualization tools to reveal the traffic flows in your network and to help you configure policies to secure your applications. These tools include the Map, Traffic table, and Mesh.

Important

The visualization tools are available in the PCE Classic UI and the PCE New UI.

To access these features in each of the PCE UIs:

  • In the Classic UI, choose Illumination Plus from the left navigation; select the type of visualization feature (Map, Table, or Mesh) from the left drop-down list on the page toolbar.

  • In the New UI, choose Map, Traffic, or Mesh under the Explore category of the left navigation.

Other than the differences in the navigation, the functionality of the visualization tools is comparable across both PCE UIs.

When you open a visualization tool for the first time, or for the first time in a given 24-hour period, the PCE UI displays a landing page with tiles for the different views and a message prompting you to run your first query.

The following image shows the start page that appears in the PCE New UI.

start-page.png

Types of Visualization Features

You can view detailed information about your environment by filtering your traffic flows in the following visualization tools:

  • Map

    Graphically visualizes workloads that form logical groups (based on labels attached to workloads) and provides an understanding of the traffic flows between workloads. You select groups in the Map view to view details about that group and develop policy for the workloads in the group.

  • Traffic

    Note

    In the PCE Classic UI, this feature is referred to as the Table view.

    Displays details about your traffic flows in columns and rows. Using this view, you query the PCE traffic database for historical data that can be used for compliance and audit, as well as policy development. With an easy-to-use interface, you enter your search parameters using plain-text language and filter results by a specific time period; specific ports, protocols, or processes; and actions that were taken on that traffic based on policies (for example, “allowed” vs. “potentially blocked” vs. “blocked”).

  • Mesh

    Using vertical axes, displays traffic flows as lists of destinations, sources, and the port being used in the traffic flows. The traffic flows between destinations and sources connect along parallel coordinates. You can sort the results based on port number or the number of traffic flows. Click any item in the results to focus on specific traffic flows.

Note

The PCE Classic UI uses the terms consumer (instead of source) and provider (instead of destination).

In the PCE Classic UI, you switch between views by selecting the view from the top-right corner of the Illumination Plus page:

Illumination_Plus_View_Menu.png

In the PCE New UI, select the visualization tool you want to use from the Explore category in the left navigation.

Filters for the Visualization Tools

For each of the visualization tools, you can set several traffic filters to show or hide elements of your data and focus on what matters most to you. All views let you filter your data by destination, source, and service. By default, only the Include filters appear.

Note

The PCE Classic UI uses the terms consumer (instead of source) and provider (instead of destination).

To modify the filters, open the More menu to select additional filter options.

Page from Illumination Plus in the Classic UI:

illumination_plus_filters.png

Note

The filters selected in previous sessions don’t persist unless you’ve added values to them. For example, the Exclusion filters won’t appear by default when you open the page unless you’ve explicitly excluded traffic in the past.

Tip

To search for traffic flows with a specific policy decision reported by the VENs, select the Show Reported Policy Decision option. This option controls the type of policy decision (allowed, potentially blocked, blocked, or unknown) that the Table and Map views display.

The Source and Destination filters include the following query options:

  • Label and Label Groups

  • App Groups

  • Workloads

  • IP Lists

  • IP Address/CIDR Block

  • FQDN

  • Transmission

Using the Search All Categories feature, you don’t have to enter a category first in the filters.

The Label and Label Groups category restricts the Map to only those entities that have the labels you enter in the filters. The filter does not filter the selected group. Only the connected groups are filtered.

From the Service drop-down list, search by port and protocol. You can also select a specific protocol and then search through all the services.

illumination_plus_search_all.png

When you enter text in this filter, the PCE UI asks whether the text is a process name or a service. After you choose, the UI labels the filter value with the option you chose.

Example Search using Filters

Before you write policy rules to allow or block traffic, determine whether any traffic actually flows between the workloads involved. For example, you might want to find traffic from your Production environment to your Development or Testing environments.

Using the visualization tools, you can run, for example, the following query:

Any traffic flows during the last week between my Development and Production environments, over any port except port 80, excluding any workloads that have a Role label named “Domain Controller”

The following steps show how you use the filters in the PCE New UI for this search to reveal certain traffic flows but not others.

Note

The PCE Classic UI uses the terms consumer (instead of source) and provider (instead of destination).

  1. In the PCE New UI, choose Explore > Map or Explore > Traffic.

    The page appears. To exclude criteria, go to More > Show Exclusion Filters if they don't already appear in the page.

  2. Under Destination, enter or select the Environment label named “Development” from the Destination drop-down list.

  3. Under Destination, enter or select the Role label named “Domain Controller” from the Destination is not drop-down list.

  4. Under Source, enter or select the Environment label named “Production” from the Source drop-down list.

  5. Under Source, enter or select the Role label named “Domain Controller” from the Source is not drop-down list.

  6. Under Service, leave the Service field blank (which means “any”) and under Service is not enter “80.”

  7. Under Time, select a range that covers the last week, so that the results match the query above.

  8. Click Run.
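The following is an added example, not part of the Illumio product or this guide, that models how the include and exclude filters in the walkthrough above combine. It applies the Source, Source is not, Destination, Destination is not, Service is not and Time filters to a handful of constructed flow records (the labels, ports and timestamps are made up; the PCE's own filter engine and data model are not shown here). The label keys env and role and the helper names are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample flows (not PCE data). Each flow carries the labels of its
# source and destination workloads, the service, and when the VEN last reported it.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
DC = "Domain Controller"

FLOWS = [
    # kept: Prod -> Dev on 5432, seen yesterday
    {"src": {"env": "Production", "role": "Web"}, "dst": {"env": "Development", "role": "DB"},
     "port": 5432, "proto": "tcp", "seen": NOW - timedelta(days=1)},
    # dropped by "Service is not 80"
    {"src": {"env": "Production", "role": "Web"}, "dst": {"env": "Development", "role": "Web"},
     "port": 80, "proto": "tcp", "seen": NOW - timedelta(days=2)},
    # dropped by "Source is not Role: Domain Controller"
    {"src": {"env": "Production", "role": DC}, "dst": {"env": "Development", "role": "Web"},
     "port": 389, "proto": "tcp", "seen": NOW - timedelta(days=3)},
    # dropped by "Destination is not Role: Domain Controller"
    {"src": {"env": "Production", "role": "Web"}, "dst": {"env": "Development", "role": DC},
     "port": 88, "proto": "udp", "seen": NOW - timedelta(days=1)},
    # dropped by the one-week time window (kept when Time is "Anytime")
    {"src": {"env": "Production", "role": "Web"}, "dst": {"env": "Development", "role": "DB"},
     "port": 5432, "proto": "tcp", "seen": NOW - timedelta(days=20)},
    # dropped by "Source: Environment Production"
    {"src": {"env": "Staging", "role": "Web"}, "dst": {"env": "Development", "role": "DB"},
     "port": 5432, "proto": "tcp", "seen": NOW - timedelta(days=1)},
]


@dataclass
class SideFilter:
    """Include and exclude label filters for one side of a flow (Source or Destination)."""
    include: dict = field(default_factory=dict)   # every listed label must be present
    exclude: dict = field(default_factory=dict)   # no listed label may be present

    def allows(self, labels: dict) -> bool:
        if any(labels.get(key) != value for key, value in self.include.items()):
            return False
        return not any(labels.get(key) == value for key, value in self.exclude.items())


@dataclass
class Query:
    source: SideFilter
    destination: SideFilter
    exclude_ports: set = field(default_factory=set)   # the "Service is not" filter
    window: Optional[timedelta] = None                 # None stands for Time = Anytime


def matches(flow: dict, query: Query, now: datetime) -> bool:
    if not query.source.allows(flow["src"]) or not query.destination.allows(flow["dst"]):
        return False
    if flow["port"] in query.exclude_ports:
        return False
    return query.window is None or flow["seen"] >= now - query.window


def run_query(flows: list, query: Query, now: datetime = NOW) -> list:
    return [flow for flow in flows if matches(flow, query, now)]


def reversed_direction(query: Query) -> Query:
    """Swap Source and Destination so the same labels catch flows in the other direction."""
    return Query(query.destination, query.source, query.exclude_ports, query.window)


# The query from the walkthrough: Prod -> Dev, last week, any port except 80, no domain controllers.
DEV_PROD_LAST_WEEK = Query(
    source=SideFilter(include={"env": "Production"}, exclude={"role": DC}),
    destination=SideFilter(include={"env": "Development"}, exclude={"role": DC}),
    exclude_ports={80},
    window=timedelta(days=7),
)

if __name__ == "__main__":
    for flow in run_query(FLOWS, DEV_PROD_LAST_WEEK):
        print(flow["src"]["role"], "->", flow["dst"]["role"], flow["port"], flow["proto"])
```

Run as written, only the Production Web to Development DB flow on 5432 survives. Two points the walkthrough leaves implicit: the steps set one direction (Production as Source, Development as Destination), so Development to Production flows are missed unless you also run the reversed query; and replacing the one-week window with Anytime (window=None) pulls in the 20-day-old flow as well.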

Query Results in the Visualization Tools

In all views, the PCE limits the number of connections you can load per page in the PCE UI to 10,000. You can’t load your total number of connections in a single page. To handle this limitation, the PCE UI displays your connections in paginated results. To view all connections, you can paginate through your query results. For example, when you run a query that returns 200,000 traffic flows, you can paginate through your data to see all traffic flows.

illumination_plus_pagination_tooltip.png

To configure the maximum number of connections per page:

  1. From the PCE left navigation, choose Map.

  2. Choose More > Results Settings. The Results Settings dialog box appears.

  3. Specify the maximum number of connections to display per page:

    In the Displayed in Traffic field, configure the maximum number of results that can be retrieved from the PCE database and displayed per page in all views.

    In the Returned from Database field, configure the maximum number of results returned from the database. This setting applies when the PCE is part of a Supercluster.

    Important

    Configuration for a Supercluster deployment does not apply to Illumio Core Cloud customers; you must be an Illumio Core On-Premises customer to configure your Illumio deployment as a Supercluster.

    In a Supercluster, a query run on the leader PCE can return 200,000 results for each PCE in the Supercluster, including the leader. For example, in a Supercluster with four regions, the maximum is 800,000, and in a standalone PCE it is 200,000. When logged into a member PCE on a Supercluster, the limits are the same as for any SNC (single-node cluster) or MNC (multi-node cluster). In every case, the maximum number of results that can be shown in the PCE UI is 100,000. If more than 100,000 results are retrieved, the full results are available as a downloaded CSV file, and the first 100,000 are available in the PCE UI.

    For more information about PCEs in a Supercluster configuration, see the PCE Supercluster Deployment Guide.

Load Results in the Map or Traffic Table

As you run searches, the PCE caches your queries and saves them for a 24-hour period. Caching your query results is beneficial because the PCE displays pages quickly. To view and access your cached queries, click Load Results at the top-right corner of the page. The Results page appears.

results-dialog.png

Loading results runs in the background so that view pages display faster. Using this feature is optional, though recommended.

Switching between the Map and Traffic table doesn’t reload your data. Instead, the PCE UI switches immediately to that view.

About the Default Graph

In Core 22.5.x, the PCE cached the Illumination Plus queries (for the Map and Table views) that you ran and kept them for a 24-hour period. Caching query results allowed the PCE to display Illumination Plus pages quickly. To view and access your cached queries, you clicked Load Results at the top-right corner of the Map page, and the Results page appeared.

In 23.2.0, if you don’t have a default graph in the PCE, the page below is your start page for the Map and Traffic pages.

start-page.png

When you click Start, the PCE creates a map or traffic table based on the values in the filters at the top of the page and saves this query, with those filters, as the default graph. The graph expires in 24 hours; however, the PCE saves the default graph as a scheduled report that runs every 24 hours (between 12:00 midnight and 8:00 AM).

Then, when you return to the Map or Traffic page, the PCE loads that saved default graph, unless you already have another graph (different filters) displayed. You won’t see this Start page again, unless you delete the default graph.

This page now appears when you click Load Results in the Map page to display the entry for the Default Graph:

results-dialog.png

When you open the Reports feature from the left navigation and select the Schedules tab, you see the scheduled report for the Default Graph.

default-graph-in-reports-pg.png

Important

Not all Illumio users can access the Default Graph scheduled report. You must have the correct Access permissions. See the PCE Administration Guide for information.

Tips for Using the Default Graph

To change the query that the PCE runs for the Map and Traffic page, do one of the following:

  • Go to the Reports page and select a different saved query.

  • Delete the default graph by clicking Load Results in the Map or Traffic page and clicking Delete in the Load Results dialog box. Then, navigate to the Map or Traffic page so that the Start page appears. Click Start to create a new default graph.

To change when the default graph report runs each 24 hours, click the Schedule Time field and select a new time. You must have the correct permission to edit the Default Graph (RBAC roles and permissions).

Asynchronous Queries

You can run asynchronous queries for your filters. You first set up your filters and then run an asynchronous query.

Asynchronous queries allow you to initiate multiple queries in parallel and view their results later. Going offline during a query does not lose the query results: whether you remain online or go offline, the results of asynchronous queries are preserved for 24 hours. While a query is in progress, you can work in other areas of the product. The results can be exported to a comma-separated-value (.CSV) file or displayed in the PCE UI. Depending on the size of the query, the results might take time to display.

In the visualization tools, you can run multiple queries and change or retain the default file name for exported results.

  • Multiple Queries: You can run multiple queries, including running some in the background.

    • If there is only one query, the results of that query will display when the query completes.

    • If there are multiple queries, you can select the result that you want to view by clicking the number beside the Load Results button.

    • If identical queries are run within a minute of each other, only one query will be processed. The results of the oldest query will be displayed.

  • Default File Name: The system assigns a default file name based on your query field names (Source, Service, or Destination) in the filter. The exported file will have the same name.

    • Giving filters a unique name will help you identify your filters when you want to rerun a query. This name will also appear as your report name.

    • You can also specify or change a filter name as needed.

Note

Handling Duplicate Flows in Queries

A database query that spans multiple days can contain duplicate entries for a flow when the same flow is reported again on later days.

Run Asynchronous Queries

Asynchronous job queries are easy to initiate and can be run in parallel, which means that before the first query completes, a second query can be initiated. In the following example, two queries are initiated: the first, with Production-only entries, and the second, with Production and Staging entries.

To run an asynchronous query:

  1. From the PCE UI left navigation, choose Map or Traffic from the Explore category.

  2. Enter your query criteria in the fields. If you want to exclude criteria, browse to More > Show Exclusion Filters.

    You can enter a Source, Destination, or Service, or simply enter Production in the Destination field.

  3. Click Run to begin the query process.

  4. In the confirmation dialog box, click Hide.

  5. Enter the next search criteria based on a new Destination; for example, Production and Staging.

    Given support for asynchronous queries, a number appears next to the Load Results button, indicating the number of simultaneous queries being processed.

    Note

    Depending on the size of the queries, your second query could complete before your first query.

    You will see the results of your two queries, one with Production-only entries and a second with Production and Staging entries.

  6. At any time, you can click the Load Results button to view which queries were run.

    Viewing results from past queries does not re-initiate a query; it displays the cached query results. When you select a result, the filters change automatically to those of that query, and its results display.

Global Queries for Superclusters

Important

Configuration for a Supercluster deployment does not apply to Illumio Core Cloud customers; you must be an Illumio Core On-Premises customer to configure your Illumio deployment as a Supercluster.

Global queries leverage the capabilities of asynchronous job queries for every region in a Supercluster. When you have a Supercluster and you initiate a query from the Supercluster leader, the Illumination Plus Table view displays results from all its PCE members. Queries run from a Supercluster member only show flows reported by VENs paired to that member.

Note

In a Supercluster, a query run on the leader PCE can return 200,000 results for each PCE in the Supercluster, including the leader. For example, in a Supercluster with four regions, the maximum is 800,000, and in a stand-alone PCE, it is 200,000.

When logged in to a member PCE on a Supercluster, the limits are the same as for any SNC or MNC. In every case, the maximum number of results that can be shown in the PCE web console is 100,000 results. If more than 100,000 results are retrieved, the full results are available as a downloaded CSV file, and the first 100,000 are available in the PCE UI.

View Menu in the Map and Traffic Pages

Important

The View menu only appears when you are in the Map and Traffic pages. The Mesh always displays traffic flows based on the Reported view. You cannot switch to the Draft view for the Mesh.

Using the View menu, you configure how the PCE UI displays your traffic data. The options on this menu are unaffected by how you've grouped traffic in your Map or Traffic pages. This menu provides flexibility in how you see the connections between your groups.

new-ui-view-menu-.png

From the View menu, select the following options:

  • Reported View

    For a description, see Reported View.

  • Draft View Options – All, Allowed, All Blocked, Potentially Blocked, Blocked

    In the Draft view, you can choose all connections, or filter by the policy state (allowed, potentially blocked, or blocked). For a description, see Draft View Options.

  • Quick Draft Rules

    Provides a fast way to analyze your environment and display results in your views because it determines policy decisions based on label-set rules only.

  • Deep Rule Analysis

    Returns additional rulesets that the Quick Draft Rules option won’t detect. However, it displays results more slowly than Quick Draft Rules because of the deeper analysis of rulesets. This option finds rules written directly for individual workloads rather than by using labels. It can also combine two rules that use IP lists; for example, one rule allows workload A to connect to the IP addresses in an IP list (“IP list B”), and another rule allows IP list B to connect to workload C. Deep analysis shows when rules have been combined in this way so that workload A can connect to workload C.

  • Refresh Draft Policy

    If you’ve written rules after the draft policy was last run, use this option to force a refresh in the PCE web console.

Reported View

The Reported view visualizes your policy coverage as reported by your workloads, so that you can examine the current state of your provisioned policy. This view provides visibility for the actual traffic handling (rather than the expected traffic handling provided by the Draft view) and loads more quickly, especially when you have a large number of workloads and traffic flows. The Reported view helps you to understand your traffic patterns.

The Reported view is a read-only view. You can view all the rulesets that apply to the workloads from the Reported view, but you must change to the Draft view to add rules. The Reported view does not immediately reflect the latest changes to the policy. It is updated only after you provision a change to the policy and when new traffic flows that use the updated policy are reported from the VEN.

The Reported and Draft views handle unmanaged workloads differently. In Draft view, rule coverage (the connections that have been included in draft rules) has limited support for traffic between unmanaged workloads. The Reported view always provides accurate rule coverage for traffic between unmanaged workloads.

For each flow with a unique port/protocol, if there is a policy service created for that port/protocol, the name of that policy service displays, in addition to the names of the actual services that reported the flows. The Reported view shows reported rule coverage for the latest reported flow with that port/protocol in the right side panel.

Different services can be running on the same port at different times or on different interfaces. The Reported view shows reported rule coverage of each flow separately, as well as its timestamp. In both cases, the Draft view shows the calculated rule coverage for traffic. For Windows, it looks at the port, protocol, the process name (but not the process path), and the Windows service name. For Linux, it looks at only the port and protocol.
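As an added example (not Illumio's code), here is the Draft view matching rule just described, written out so that its consequence on Linux is visible: because Linux matching uses only port and protocol, a rule that pins a process name behaves, in the Draft view, like a plain port rule on Linux, which is one reason process-based rules appear under the Draft view limitations. The rule-service dictionaries, the flow fields and the function names are assumptions for the example; the sample flows are constructed.

```python
import ntpath

# Constructed rule services (not PCE data): port/protocol, optionally pinned to a
# process name and a Windows service name, as a process-based rule would be.
RULE_SERVICES = {
    "HTTPS-any-process": {"port": 443, "proto": "tcp"},
    "HTTPS-nginx-only":  {"port": 443, "proto": "tcp", "process": "nginx.exe", "service": "nginx"},
}


def draft_service_match(flow: dict, rule_service: dict, os_name: str) -> bool:
    """Decide whether a reported flow falls under a rule's service in the Draft view.

    Linux:   port and protocol only; the reporting process is ignored.
    Windows: port, protocol, the process name with its path stripped, and the
             Windows service name, each compared only if the rule specifies it.
    """
    if (flow["port"], flow["proto"]) != (rule_service["port"], rule_service["proto"]):
        return False
    if os_name.lower() != "windows":
        return True
    if "process" in rule_service:
        # The path is not compared: C:\Program Files\nginx\nginx.exe and
        # D:\tools\nginx.exe both match a rule written for "nginx.exe".
        reported = ntpath.basename(flow.get("process", "")).lower()
        if reported != rule_service["process"].lower():
            return False
    if "service" in rule_service:
        if flow.get("service", "").lower() != rule_service["service"].lower():
            return False
    return True


def covering_rules(flow: dict, os_name: str, rule_services: dict = RULE_SERVICES) -> list:
    """Names of the rule services that would cover this flow in the Draft view."""
    return sorted(name for name, svc in rule_services.items()
                  if draft_service_match(flow, svc, os_name))


if __name__ == "__main__":
    # Constructed reported flows: the VEN reports the full process path.
    samples = [
        ("windows", {"port": 443, "proto": "tcp",
                     "process": r"C:\Program Files\nginx\nginx.exe", "service": "nginx"}),
        ("windows", {"port": 443, "proto": "tcp", "process": r"C:\Tools\curl.exe", "service": ""}),
        ("linux",   {"port": 443, "proto": "tcp", "process": "/usr/bin/curl"}),
    ]
    for os_name, flow in samples:
        print(os_name, flow.get("process"), "->", covering_rules(flow, os_name))
```

On Windows, curl.exe on 443 is covered only by the any-process rule, so the Draft view shows the nginx-only rule as not covering it. On Linux the same curl flow is shown as covered by both rules, because only port and protocol are compared; the Reported view, which reflects what the VEN actually enforced, is the place to confirm such flows.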

Reported View (Traffic)

new-ui-reported-view-traffic.png

Reported View (Map)

new-ui-reported-view-map.png

Draft View Options

The Draft view immediately visualizes the potential impact of your draft policy. This view helps provide an understanding of the expected traffic handling (rather than the actual traffic handling provided by the Reported view) and considers both recently provisioned policy and draft policy. The Draft view can take longer to load than the Reported view, especially when you have a large number of workloads and traffic flows, since the PCE has to compute the expected coverage for each traffic flow.

In Draft view, you can either view the rule that would permit traffic or add a rule to allow a specific flow. In this view, you can immediately see the impact of the latest changes to the active or draft policy.

Limitations of Draft View

The Draft view is the result of a “what-if” analysis conducted by the PCE. It is a modeling tool that depicts whether flows known to the PCE will be allowed or blocked, based on the configured policy. The modeling might not work entirely correctly for the following types of rules configured on the PCE:

  • Process-based rules: Process-based rules are written using the process name or service name that sends or receives the traffic on the workload.

  • User-based rules: User-based rules allow administrators to leverage the Microsoft Active Directory User Groups to control access to computing resources.

  • Custom iptables rules: Custom iptables rules are configured on each workload and can include processes that are not known to the PCE.

  • System rules: The VEN has implicit rules to permit necessary traffic (for example, rules permitting DHCP and DNS outbound traffic on the workload).

In most cases, the Reported view provides an accurate representation of what will be allowed or blocked by the VEN, so the Reported view should be used to verify your changes.

Customize Columns

In the following visualization tools, you can customize the columns from the default display:

  • Traffic

  • Map > Traffic tab

  • Map > Workloads tab

Columns in these areas are customizable from the Customize columns menu. Most columns can be further customized by setting what data will appear within that column. Hover over the up and down arrows to the left of a column checkbox and select or deselect data within that column:

new-ui-customize-columns.png

Customizing the columns that appear in the tables does not affect how you create your rules or the data that they contain.

How the Map Works with FQDNs

For outbound connections from workloads to IP addresses that are not known workloads, the visualization tools display the fully qualified domain name (FQDN), or DNS-based name, in place of the IP addresses. For example, Illumination Plus can show that the outbound connections from a workload go to maps.google.com instead of to hundreds of different IP addresses. The FQDNs are reported by the VEN to the PCE in the flow summaries. The VEN learns the FQDNs by snooping the DNS responses on the workload, so the name shown is the FQDN for the IP address as seen by that workload.
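An added example, not the VEN's implementation, showing the FQDN mapping the paragraph describes: DNS answers observed on each workload populate a per-workload IP-to-name table, and outbound flows are then summarised by name rather than by address. The DNS answers and flows are constructed; the class and function names are assumptions. Keeping the table per workload shows why the name is the FQDN as seen by the workload: an address one workload never resolved stays an address, even if another workload has a name for it.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed DNS answers as each workload's VEN would observe them:
# (workload, owner name, RR type, rdata). Not real traffic.
DNS_ANSWERS = [
    ("web-01", "maps.google.com.",    "A",     "142.250.72.14"),
    ("web-01", "maps.google.com.",    "A",     "142.250.72.46"),
    ("web-01", "maps.google.com.",    "A",     "142.251.32.110"),
    ("web-01", "api.example.net.",    "AAAA",  "2001:db8::10"),
    ("web-01", "cdn.example.net.",    "CNAME", "edge.example.net."),  # no address: cannot be mapped
    ("db-01",  "vault.corp.example.", "A",     "10.0.0.5"),
]

# Constructed outbound flows: (workload, destination IP, port, protocol).
FLOWS = [
    ("web-01", "142.250.72.14",  443,  "tcp"),
    ("web-01", "142.250.72.46",  443,  "tcp"),
    ("web-01", "142.251.32.110", 443,  "tcp"),
    ("web-01", "2001:db8::10",   443,  "tcp"),
    ("web-01", "203.0.113.9",    443,  "tcp"),   # never resolved by web-01: stays an IP
    ("web-01", "10.0.0.5",       8200, "tcp"),   # db-01 knows this name, web-01 does not
    ("db-01",  "10.0.0.5",       8200, "tcp"),
]


class FqdnLearner:
    """Per-workload IP -> FQDN table built from DNS answers seen on that workload."""

    def __init__(self):
        self.tables = defaultdict(dict)   # workload -> {ip_address: fqdn}

    def observe(self, workload, name, rrtype, rdata):
        # Only A/AAAA answers carry an address; CNAME and other types are skipped.
        if rrtype not in ("A", "AAAA"):
            return
        ip = ipaddress.ip_address(rdata)   # validates and canonicalises the address
        self.tables[workload][ip] = name.rstrip(".").lower()

    def name_for(self, workload, ip):
        return self.tables[workload].get(ipaddress.ip_address(ip))


def summarise_outbound(learner, flows):
    """Collapse outbound flows onto (destination name or IP, port, proto) with a flow count."""
    summary = Counter()
    for workload, dst_ip, port, proto in flows:
        dst = learner.name_for(workload, dst_ip) or dst_ip
        summary[(dst, port, proto)] += 1
    return summary


def build_summary(answers=DNS_ANSWERS, flows=FLOWS):
    learner = FqdnLearner()
    for workload, name, rrtype, rdata in answers:
        learner.observe(workload, name, rrtype, rdata)
    return summarise_outbound(learner, flows)


if __name__ == "__main__":
    for (dst, port, proto), count in sorted(build_summary().items()):
        print(f"{dst:<22} {port:>5}/{proto}  flows={count}")
```

The three maps.google.com addresses collapse into one row with a count of three, the CNAME answer contributes nothing, and 203.0.113.9 remains an address because web-01 never received a DNS answer for it. A practitioner reading the Map should keep that last point in mind: a name is only as trustworthy as the DNS response the workload received, and a destination shown by bare IP simply means no matching answer was observed.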

The Map visualizes the workloads that form logical groups (based on labels attached to workloads) and provides an understanding of the traffic flows between workloads.