Policy Check and Rule Search
This section explains how to use the Policy Check feature and search for rules.
Policy Check
The Policy Check feature enables you to verify whether a rule allowing communication between workloads or between a workload and another IP address already exists. On the Policy Check page, you select two workloads or IP addresses to determine if a rule exists to allow communication between them. Policy checks can utilize a network profile to account for rules that affect outbound traffic to non-corporate interfaces on endpoints. Servers cannot have non-corporate interfaces.
Note
You can do a policy check between two workloads or a single workload and an IP address.
For example, you have created several rule sets for your workloads and applications, and you want to know whether your organization has an existing rule for that traffic before you start writing new rules that duplicate those existing rules.
To perform a policy check:
From the PCE web console menu, choose Troubleshoot > Policy Check.
In the field, type or select a Workload, Container Workload, or IP address.
In the field, type or select a Workload, Container Workload, or IP address.
In the Destination Port and Protocol field, enter a port and protocol when the connection runs over TCP or UDP, or just a protocol when the connection runs over GRE or IPIP.
Choose Corporate, Non-Corporate Networks (Endpoints Only) or Any in the Network Profile field.
If an IP address is specified in both the Destination and Source fields, the Network Profile value must be " Corporate, that is, searching within the internal corporate network only.
Click Check Rules.
If a connection between the selected two workloads or IP addresses is allowed, the page will display at least one rule that allows the connection.
When a rule does not exist, the page displays “No Rules exist to allow that connection.”
Rule Search
You can't easily search for rules across policies when you have many rules organized in policies. Segmentation rule search solves this issue by making it simple to search for specific rules.
For example, it is time-consuming to narrow down the search without using this feature when you want to determine the number of rules for SNMP (UDP 161) and have around 200,000 rules organized across 700 rule sets.
You can search for and analyze rules that allow communication over a specific port and protocol.
Segmentation Rule Search enables you to locate rules that apply to sources and destinations quickly.
A workload, an IP address, or a set of labels can represent sources and destinations.
Using this feature helps you identify rules that are being applied to your workloads due to unnecessarily broad rule sets or human errors.
To search for rules:
From the PCE web console menu, choose Policies.
Choose the Rule Search tab.
Search for Active or Draft rules.
Perform a Basic or Advanced search of your rules:
Basic: Searches all attributes
Advanced: Searches by source, destination, or both.
Note
When you perform an advanced search by workload name, the search results do not display the IP list rules when the iplist contains workload IP addresses because the Illumio Core does not resolve CIDRs and ranges within an IP list.
From the Exact Results drop-down list, choose to either have the exact match of the selected search filters displayed or a match to any of the selected filters (All Results).
Filter by Sources
You can filter rule search by the following categories: Labels and Label Groups, IP Addresses, IP Lists, Virtual Services, Workloads, and User Groups.
Filter by Destinations and Rule Attributes
You can filter rule search by these categories: Labels and Label Groups, IP Address, IP Lists, Note, Rule Options, Port and/or Protocol, Port Range, Process Name, Windows Services, Policy Services, Status, Created At, Created B y, Virtual Servers, Virtual Services, Workloads, and Policy Name.
Click Run.
Click Download to download the search results in JSON format.
Rule Search by Port
The following guidelines and uses cases are provided to clarify how Rule Search works when you search for rules by the port(s) they specify.
General Guidelines
Single-port searches generally work as expected. See Row 1 in the Use Case table.
When searching for a port range, the port ranges in the search and in the rule must match exactly. See Row 3 in the Use Case table.
When searching for rules that specify multiple ports, only rules that specify all of the ports are found. See Row 5 in the Use Case table.
Use Cases: Search for Rules by Port
Row | Use case | Examples (A) Search specifies port(s) | Examples (B) Rule specifies port(s) | Is the rule found? |
|---|---|---|---|---|
1 | (A) Search for rules that specify only a single port and (B) There's a rule that specifies the same single port | 80 | 80 | Yes |
2 | (A) Search for rules that specify only a single port and (B) There's a rule that specifies a port range that encompasses the searched-for port | 80 | 50-100 | No |
3 | (A) Search for rules that specify a port range and (B) There's a rule that specifies the same port range | 50-100 | 50-100 | Yes |
4 | (A) Search for rules that specify a port range and (B) There's a rule that specifies only a single port within the searched-for range | 50-100 | 80 | No |
5 | (A) Search for rules that specify multiple ports and (B) There's a rule that specifies the same multiple ports | 50, 100 | 50, 100 | Yes |
6 | (A) Search for rules that specify only a single port and (B) There's a rule that specifies multiple ports, including the searched-for port | 50 | 50, 100 | Yes |
7 | (A) Search for rules that specify multiple ports and (B) There's a rule that specifies some, but not all, of the searched-for ports | 50, 80 | 50, 100 | No |