Skip to main content

REST APIs for 24.2.20 and 24.2.10

Disable Traffic Flow Logging

You can prevent specific traffic flow information from being logged by applying a No Log setting to segmentation rules through the Illumio REST API. Once the setting is applied to rules, flows managed by those rules are not reported to the PCE. This is useful for excluding routine or low-value flows from logs, reducing log noise and storage usage, and making it easier to analyze the traffic most relevant to you.

Prerequisites

Before you begin, review these prerequisites.

  • VEN release 22.5 or later

  • Requires API access with org-level write permissions

Considerations and Limitations

Review these considerations and limitations before you disable traffic flow logging.

Considerations
  • No Log Rules control only whether flows matching the rules are logged. They have no effect on policy enforcement.

  • When a No Log segmentation rule overlaps with a standard segmentation rule (for which logging is allowed), the No Log Rule is evaluated first and traffic flows aren't logged.

  • All policies (rulesets) shown in code blocks and images are active (provisioned) as examples. You can apply the No Log setting to draft or active policies, but in either case the No Log setting takes effect only after you provision the policy.

  • The log_flow property appears in API responses only when the per_rule_flow_log_setting feature flag is enabled.

  • The terms policy and ruleset are used interchangeably. "Policy" is the term used in the PCE UI. "Ruleset" is the term used in browser developer tools and in API data structures.

  • The terms target ruleset and target rules refer to the No Log ruleset and rules you're identifying and working with.

  • Steps for finding rule_ids in target rules using developer tools (STEP 3, Method 1) are based on the Chrome browser. Dev tools in other browsers may differ.

  • See the Best Practice note in STEP 2 about creating a dedicated No Log segmentation policy.

Limitations
  • UI support for No Log Rules is currently unavailable.

  • No visual indication appears in the PCE UI when rules are modified to become No Log Rules.

No Log Rules workflow summary
STEP 1: Enable the feature flag
  1. Execute the following curl command.

    curl -X PUT 
      -u $API_USER:$API_PASS 
      -H'Content-type: application/json'
      --data-raw'[{"name": "per_rule_flow_log_setting", "enabled": true}]'
      $PCE_URL/api/v2/orgs/1/optional_features
  2. Execute this command to verify that the feature flag is enabled.

    curl -u $API_USER:$API_PASS $PCE_URL/api/v2/orgs/1/optional_features

The following is returned if the enablement succeeds:

{    
    "name": "per_rule_flow_log_setting",    
    "enabled": true  
},
STEP 2: Create a No Log segmentation policy through the PCE UI

Note

Best Practice: Create a dedicated policy for No Log Rules

Illumio recommends that you create a dedicated segmentation policy specifically for No Log Rules and give it an easily identifiable name. Because the PCE UI provides no visual indication when rules are modified with the No Log setting, a dedicated, well-named policy is useful for tracking and troubleshooting purposes.

While a dedicated No Log policy is recommended, it's not strictly required. You can still apply the No Log setting to existing provisioned rules in any policy by editing the rule, enabling "log_flow": false, and provisioning the change. You do not need to unprovision the rule first.

See Create Security Policy and About Rules in the Illumio Security Policy Guide.

STEP 3: Find the rule_id of target rules

You need the rule_id of each rule you plan to change to a No Log rule.

find-hrefs-dev-tools.png
  1. Go to Segmentation > All Policies and open the policy that contains the rules you want to identify.

    Take note of the labels, services, and other characteristics (All Workloads; Any 0.0.0.0/0) of the rules you're interested in. This information can help you identify the rules to which you'll apply the setting in coming steps.

  2. In the Preview tab, filter by rule_sets and enable Fetch XHR.

  3. In the Name column, click the entry that displays the version (draft or active) of the rules you are targeting.

    Note: In the following image, active is shown in the image only to illustrate how to select one or the other version.

    find-hrefs-dev-tools-section.png
  4. Expand rules and deny_rules to expose their rule_id. Note their pattern:

    • Allow rule: /orgs/{org_id}/sec_policy/active/rule_sets/{rule_set_id}/sec_rules/{rule_id}

    • Deny rule: /orgs/{org_id}/sec_policy/active/rule_sets/{rule_set_id}/deny_rules/{rule_id}

    Tip

    Tips for finding rule_ids in the browser developer tool

    • To distinguish rule hrefs from other hrefs, note that if an href contains /sec_rules/ or /deny_rules/, it's a rule.

    • To distinguish multiple rules of the same type, expand the data structure further and search for labels, services, and other identifying characteristcs (All Workloads; Any 0.0.0.0/0) .

    • The term "actors" : "ams" in a rule array means All Workloads.

  5. Copy the rule_ids for use in STEP 4.

  • Requires API credentials (see My API Keys in your PCE profile).

  • Requires your Illumio org ID (hover over your profile initials in the PCE UI).

  • {pversion} refers to either the draft or active version of the policy, depending on whether or not the policy is provisioned (active). You can apply the No Log setting to draft or active policies, but in either case the setting takes effect only after you provision the policy.

  1. Find the name of the policy in the PCE UI.

    Go to Segmentation > All Policies and make note of the name of the policy that contains the rules that are to become No Log rules. You'll need the policy name to search for the rule_set_ID of the target ruleset in a later step.

  2. Execute a GET comand to return all of the rulesets in your org.

    curl -X GET "$PCE_URL/api/v2/orgs/<org_id>/sec_policy/active/rule_sets" \
      -u "$API_USER:$API_SECRET" \
      -H 'Accept: application/json' \
      | jq . # optional: formats JSON output; requires jq
    
  3. Search the output for the name of the target ruleset you identified step 1 to find its rule_set_ID.

    {
        "href": "/orgs/<org_id>/sec_policy/active/rule_sets/{rule_set_id}",
        "created_at": "2026-04-20T05:13:59.959Z",
        "updated_at": "2026-05-12T23:03:15.088Z",
        "deleted_at": null,
        "created_by": {
          "href": "/users/246810121416"
        },
        "updated_by": {
          "href": "/users/246810121416"
        },
        "deleted_by": null,
        "update_type": "update",
        "name": "{ruleset_name}",
        "description": "",
        "enabled": true,
        "scopes": [
          []
        ],
  4. To work with a smaller data structure, Execute a GET command that references the rule_set_id you found in the previous step to generate a rule array for just your target ruleset.

    curl -X GET "$PCE_URL/api/v2/orgs/<org_id>/sec_policy/active/rule_sets"/<rule_set_id> \
      -u $KEY:$TOKEN
      -H 'Accept: application/json' \
    | jq .
  5. In the output, find target rules by looking for labels, services, and other identifying characteristcs (All Workloads; Any 0.0.0.0/0).

    To narrow your search, search by the terms deny_rules and sec_rules:

    • Deny rule_ids appear in paths that include deny_rules: "/orgs/<org_id>/sec_policy/active/rule_sets/<rule_set_id>/deny_rules/<rule_id>"

    • Allow rule_ids appear in paths that include sec_rules: "/orgs/<org_id>/sec_policy/active/rule_sets/<rule_set_id>/sec_rules/<rule_id>"

  6. Copy rule_ids for use in STEP 4.

STEP 4: Apply the No Log setting to target rules
  1. Apply the No Log setting to the rule, making sure to replace the bracketed values with the rule_ids you found in STEP 3.

    curl -X PUT -u "$API_USER:$API_PASS" \
      -H 'Content-type: application/json' \
      --data-raw '{ "log_flow": false }' \
      "$PCE_URL/api/v2/orgs/1/sec_policy/active/rule_sets/<rule_set_id>/sec_rules/<sec_rule_id>"
  2. Verify that the No Log Rule is enabled on the rule. Replace the bracketed values with the same values you used in the previous step.

    curl -u "$API_USER:$API_PASS" \
      -H 'Content-type: application/json' \
      "$PCE_URL/api/v2/orgs/1/sec_policy/active/rule_sets/<rule_set_id>/sec_rules/<sec_rule_id>"
  3. Provision the policy to send the No Log Rule to the relevant VEN.

Change a No Log Rule back to a standard logging rule

If you need to change a No Log Rule back to a "standard" rule so that its traffic flow information is logged, execute a PUT request to the sec_rules API with the property log_flow set to true.

  1. Execute this PUT request to reset: "log_flow": true.

    curl -X PUT -u $API_USER:$API_PASS -H 'Content-type: application/json' --data-raw '{ "log_flow": true }' $PCE_URL/api/v2/orgs/1/sec_policy/active/rule_sets/<rule_set_id>/sec_rules/<sec_rule_id>
  2. Execute this GET request to verify: "log_flow": true.

    curl -u $API_USER:$API_PASS -H 'Content-type: application/json' $PCE_URL/api/v2/orgs/1/sec_policy/active/rule_sets/<rule_set_id>/sec_rules/<sec_rule_id>
  3. Provision your changes.