Illumio Core Administration Guide 24.2.20 and 24.2.10

Best Practices for Handling Scanner Traffic for the Illumio PCE

Use these best practices to handle scanner traffic on the Illumio PCE as you monitor network security.

Modern data centers require scanners, but the traffic they generate is not representative of real application traffic. Unless you account for them in policy and monitoring, scanners add noise, complexity, and overhead to an Illumio PCE environment.

Illumio recommends filtering scanner traffic so that the PCE does not ingest it. Filtering the scanner flows allows for longer retention of workload traffic and a more accurate view of the environment. This enables you to use a more precise security policy while still allowing the scanners to perform their jobs in the security stack.

Document Updates

Version: March 17, 2025
What Changed? Initial version.

Version: March 20, 2025
What Changed? This version contains the following changes:

  • Clarified recommendations and included new material based on user feedback.

  • Added procedure for filtering flows.

Identify Exclusions Using the Core Services Detector

The Core Services Detector identifies well-known applications, which helps with labeling and with detecting scanner-generated flows. With the Core Services Detector, you can define security policies to allow, block, or filter known scanner traffic. See Core Services Detector.

Allow and Filter Scanner Traffic from the Environment

You should build your policy to allow scanner traffic but not retain the flows. If you do not account for scanners in your policy, they will be blocked from scanning the environment when a policy is enforced, which invalidates their purpose. Build a Flow Collection filter to discard the flows that the scanner generates. The PCE still applies policies for these flows, but it does not store the flows in the database, because there is limited value in retaining these flows within the Illumio platform.

You can create Unmanaged Workloads to represent scanners in your Visualization Map. If you allow scanner flows, the vulnerability scanner can generate reports that you can upload into Illumio using the Vulnerability Maps feature. See Upload Vulnerability Data.

Build Traffic Filters

Use the UI or the API to identify scanner sources and build filters that drop their traffic by source port, IP range, or protocol before it reaches the Flow Collector.

  1. Navigate to Settings > Flow Collection, and click Add.

  2. In the When Traffic Matches the Following Conditions section, set the following values:

    • Transmission: Unicast

    • Enforcement Node Type: Any

    • Network: Any

    • Protocol: UDP

    • Source IP Address: <Scanner IP>

  3. In the Take the Following Action section, select Drop.

  4. Create another Flow Collection to drop TCP traffic for the same sources.

  5. Create additional Flow Collections for any other scanner IPs and protocols.
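The procedure above, as an added Python example that is not Illumio's own code: it builds one UDP and one TCP drop filter per scanner source with the same field values as steps 2 and 3, replays constructed sample flows to show which ones the collector would discard and which workload flows are retained (CIDR sources are supported as a generalization), and includes a submit function whose endpoint path and JSON field names are assumptions to confirm against the PCE REST API reference.

```python
# Added example, not Illumio's own code: build one UDP and one TCP "drop" Flow
# Collection filter per scanner source (the UI fields from the procedure), then
# replay sample flows to see what the collector would discard versus retain.
import base64
import ipaddress
import json
import urllib.request

PROTO_NUM = {"tcp": 6, "udp": 17}

def build_scanner_filters(scanner_sources):
    """Sources may be IPs or CIDRs; node type and network are 'Any' (omitted)."""
    filters = []
    for src in scanner_sources:
        ipaddress.ip_network(src, strict=False)  # reject a typo before it reaches the PCE
        for proto in ("udp", "tcp"):
            filters.append({"transmission": "unicast",
                            "target": {"proto": PROTO_NUM[proto], "src_ip": src},
                            "action": "drop"})
    return filters

def flow_is_dropped(flow, filters):
    """True when a drop filter matches transmission, protocol and source address."""
    # Policy is still enforced on such flows; only storage in the PCE is skipped.
    src = ipaddress.ip_address(flow["src_ip"])
    for f in filters:
        tgt = f["target"]
        if (flow["transmission"] == f["transmission"] and flow["proto"] == tgt["proto"]
                and src in ipaddress.ip_network(tgt["src_ip"], strict=False)):
            return f["action"] == "drop"
    return False

def retained_flows(flows, filters):
    return [fl for fl in flows if not flow_is_dropped(fl, filters)]

def post_filters(pce_url, org_id, api_user, api_key, filters):
    """Create the filters on the PCE. ASSUMED endpoint path and field names."""
    url = f"{pce_url}/api/v2/orgs/{org_id}/settings/traffic_collector"
    token = base64.b64encode(f"{api_user}:{api_key}".encode()).decode()
    for body in filters:
        req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
              headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on a rejected filter
            resp.read()

SAMPLE_FLOWS = [  # constructed: scanner TCP and UDP probes, a workload flow, a broadcast
    {"transmission": "unicast", "proto": 6, "src_ip": "10.0.9.5", "dst_port": 443},
    {"transmission": "unicast", "proto": 17, "src_ip": "10.0.9.5", "dst_port": 161},
    {"transmission": "unicast", "proto": 6, "src_ip": "10.0.1.21", "dst_port": 443},
    {"transmission": "broadcast", "proto": 17, "src_ip": "10.0.9.5", "dst_port": 137},
]
SCANNER_FILTERS = build_scanner_filters(["10.0.9.5"])
```

Running `retained_flows(SAMPLE_FLOWS, SCANNER_FILTERS)` keeps only the workload flow and the broadcast flow; the broadcast survives because the filters are unicast-only, which is why the next section recommends separate transmission-type filters.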

Reduce Traffic Stored in Flow Logs

Note that when you create a Flow Collection filter, you can also filter transmission types such as broadcast and multicast traffic. Also create filters for any other traffic that you will not use to build security policy or that provides no value in the Visualization Map. Aggregating or filtering broadcast and multicast traffic improves PCE performance by reducing traffic that is not relevant to security policy. Filter the flows based on transmission type, enforcement-node type, network, protocol, and source IP/port or destination IP/port. See Reduce Traffic Stored in Flow Logs. (You must log into the Illumio Support portal to view this article.)

Review Detection Rules on a Schedule

Regularly audit your filtering rules to keep them accurate, because scanner IPs change. Also, review scanner-traffic trends regularly on a schedule that fits your organization's needs, and update your exclusion policies based on new scanning methods. For large organizations, the best practice is to review rules monthly. For small and mid-size organizations, the best practice is to review rules quarterly.