
Illumio Visualization User Guide 24.2.20

Traffic Table

The Traffic table in the visualization tools displays search results in a traditional table format. The following sections describe how to query it, export its results, and interpret the policy decisions it shows.

About the Traffic Table

You can use the Traffic table to query the PCE's traffic database to analyze traffic flows for auditing, reporting, and troubleshooting. You can query for traffic flows between workloads or hosts, labeled workloads, or IP addresses, and you can restrict the query by specific port numbers and protocols.

The VEN adds DNS names to the flow summary logs when it sends them to the PCE, and the Traffic table shows those names alongside the flow. Auditors and SOC analysts can therefore read a DNS name directly instead of performing reverse lookups on bare IP addresses.

When you run the same query regularly, save its filter; it then appears under Saved filters in the Load Filter drop-down list. You can save up to 100 filters, and you can modify an existing Saved filter and save the changed query. The Traffic table also lists your ten most recent queries.

Queries

When you query data in the Traffic table, you are searching traffic flows between sources and destinations over a specific time period and over a specific port and protocol. A query consists of the following elements:

  • Source: Enter the workloads, IP addresses, or labels that consume the service in the traffic flow. Entries in the Include field are used as search criteria; flows that match an entry in the Exclude field are left out of the results.

  • Destination: Enter the workloads, IP addresses, or labels that provide the service in the traffic flow. As with Source, Include entries are used as search criteria and flows that match an Exclude entry are left out of the results.

    Note

    You can choose to query either “Destination And Source” or “Destination Or Source” by selecting the option from the More menu.

  • Service: Enter a port and protocol, a port range, a process, a Windows service, or a policy service. Port numbers and protocols match against the destination port and protocol of each flow. Include entries are used as search criteria and flows that match an Exclude entry are left out. If you leave Service empty, all ports, protocols, port ranges, processes, and services are included in the query.

  • Time: Select how far in the past (last hour, day, week, month, or anytime) or specify a custom time range. The custom time filter displays all the flows between the selected from-to date-time stamp.

  • Reported Policy Decision: (To enable this drop-down, click More and then select Show Reported Policy Decision Filter). To query for flows with a specific policy decision reported by the VEN, select the type of policy decision.

    For more information, see Deny Rules and the Traffic Table in this topic.

  • Exclude Workloads from IP List Query: (Available in the More drop-down menu.) This setting applies to queries that contain an IP list in the Source or Destination field and controls whether known managed and unmanaged workloads appear in the results. When selected (the default), a managed or unmanaged workload whose IP address falls within one of the IP lists in the query is excluded from the results, so a query on an IP list that covers your own workloads can return nothing until you clear this option. When not selected, workloads are not excluded.

    explorer-more-exclude-wkloads-IP-list.png
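The query elements above combine in a specific way: Include entries must match, Exclude entries remove matches, the service and time filters narrow further, the More menu chooses whether Source and Destination are combined with And or Or, and the Exclude Workloads option drops known workloads that only matched through an IP list range. The following Python model is an added example written for this page, not Illumio code and not the PCE's query implementation; the flow records, timestamps and workload IP set are constructed sample data, and Include/Exclude entries are modeled only as IP addresses and CIDR blocks (the IP list case the option applies to), not as workload or label objects.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample flows (not Illumio data). Each record stands in for one
# Traffic table row: source, destination, destination port/protocol, timestamp.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
FLOWS = [
    {"src": "10.0.1.5",    "dst": "10.0.2.10", "port": 443, "proto": "tcp", "ts": NOW - timedelta(minutes=5)},
    {"src": "10.0.1.6",    "dst": "10.0.2.10", "port": 443, "proto": "tcp", "ts": NOW - timedelta(hours=3)},
    {"src": "203.0.113.9", "dst": "10.0.2.10", "port": 22,  "proto": "tcp", "ts": NOW - timedelta(minutes=30)},
    {"src": "10.0.1.5",    "dst": "10.0.2.11", "port": 53,  "proto": "udp", "ts": NOW - timedelta(days=2)},
]

# IPs of known managed and unmanaged workloads (constructed). The option
# "Exclude Workloads from IP List Query" consults this set.
WORKLOAD_IPS = {"10.0.1.5", "10.0.1.6", "10.0.2.10", "10.0.2.11"}


def ip_in_list(ip, ip_list):
    """True if ip falls inside any address or CIDR block of an IP list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ip_list)


def endpoint_matches(ip, include, exclude, exclude_workloads):
    """Apply the Include/Exclude entries for one side (Source or Destination).

    include/exclude are IP-list entries (addresses or CIDR blocks). An empty
    include list matches every endpoint; any hit in exclude drops the flow.
    """
    if include and not ip_in_list(ip, include):
        return False
    if exclude and ip_in_list(ip, exclude):
        return False
    # Exclude Workloads from IP List Query (default on): an endpoint that is a
    # known workload does not count as an IP-list match even when in range.
    if exclude_workloads and include and ip in WORKLOAD_IPS:
        return False
    return True


def query(flows, src_include=(), src_exclude=(), dst_include=(), dst_exclude=(),
          services=None, since=None, exclude_workloads=True, combine="and"):
    """Filter flows the way the Traffic table query does.

    services: set of (port, proto) tuples, or None for all ports/protocols.
    since:    earliest timestamp to keep, or None for "anytime".
    combine:  "and" for "Destination And Source", "or" for "Destination Or Source".
    """
    results = []
    for flow in flows:
        if since is not None and flow["ts"] < since:
            continue
        if services is not None and (flow["port"], flow["proto"]) not in services:
            continue
        src_ok = endpoint_matches(flow["src"], src_include, src_exclude, exclude_workloads)
        dst_ok = endpoint_matches(flow["dst"], dst_include, dst_exclude, exclude_workloads)
        if (src_ok and dst_ok) if combine == "and" else (src_ok or dst_ok):
            results.append(flow)
    return results


if __name__ == "__main__":
    # An IP list that covers your own workloads returns nothing while the
    # default exclude option is on; clear the option to see those workloads.
    print(len(query(FLOWS, dst_include=["10.0.2.0/24"])))                          # 0
    print(len(query(FLOWS, dst_include=["10.0.2.0/24"], exclude_workloads=False)))  # 4
```

The first two calls in the main block show the pitfall the Exclude Workloads option creates: the same IP list query returns zero rows with the default setting and four rows with it cleared, because every destination in the sample is a known workload inside the listed range.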

Export Query Results

To gather the results of the current query in a .CSV file, click Export.

To export results from previous queries, click Load Results to display queries from the past 24 hours. Click the Export button in the Action column for the results you want to save as a .CSV file.

The exported .CSV file uses a separate column for each label type and the column data is alphabetized.

If you are an Illumio Core customer who has upgraded to 22.5.0 and are using Illumination Plus, be aware that the format of exported CSV files has changed from previous releases of Illumination Classic. You should update any scripts that you used for processing these CSV files.

Ways to View Query Results
connections-menu.png

Options in the Connections menu allow you to view traffic connections in the Traffic table as:

  • Aggregations of multiple connections, for a more concise view

  • Individual connections, for a more granular view

  • Connections with unknown IP addresses

View Traffic as Aggregated Connections

Select the Connections option for an aggregated, more concise view of the traffic flows.

Tip

Contrast this method with the View Traffic as Individual Connections below.

Note the following in the image below:

  • Connections is selected in the Connections menu.

  • Common Set of Labels is selected in the Group by menu. (This Group by selection is optional and shown here merely as an example grouping method. You can select this and/or any other combination of grouping options in the Group by menu, or no option at all.)

  • The Source column shows an aggregation of 8, commonly-labeled IP addresses.

  • The Flow/Bytes column shows 8 connections.

  • The total row count for the page is 11.

connections-aggregated.png

View Traffic as Individual Connections

Select the Individual Connections option for a more detailed, granular view of the traffic flows.

Tip

Contrast this method with View Traffic as Aggregated Connections above.

Note the following in the image below:

  • Individual Connections is selected in the Connections menu.

  • The Group by menu does not appear when Individual Connections is selected.

  • The Source column shows several rows of individual, commonly-labeled IP addresses.

  • The Flow/Bytes column shows that each row represents a single connection.

  • The total row count for the page is 50.

connections-individual.png
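The aggregated view collapses individual connections that share a label set into one row whose Flow/Bytes column sums the members, which is also what a script processing the exported .CSV (one column per label type) typically has to reproduce. The following Python example is added for this page and is not Illumio code; the CSV text is constructed sample data, and its column names (Source Role, Destination App, Draft Policy Decision, Flows, Bytes, and so on) are assumptions for illustration, so check the header of your own export before adapting it.

```python
import csv
import io

# Constructed sample export (not a real PCE export). Column names are an
# assumption for illustration; real exports may differ, so read the header.
SAMPLE_CSV = """Source IP,Source Role,Source App,Source Env,Destination IP,Destination Role,Destination App,Destination Env,Port,Protocol,Draft Policy Decision,Reported Policy Decision,Flows,Bytes
10.0.1.5,Web,Shop,Prod,10.0.2.10,DB,Shop,Prod,3306,TCP,Allowed,Potentially Blocked,12,40960
10.0.1.6,Web,Shop,Prod,10.0.2.10,DB,Shop,Prod,3306,TCP,Allowed,Potentially Blocked,7,20480
10.0.1.7,Web,Shop,Prod,10.0.2.10,DB,Shop,Prod,3306,TCP,Allowed,Potentially Blocked,1,512
10.0.3.2,Jump,Infra,Prod,10.0.2.10,DB,Shop,Prod,22,TCP,Potentially Blocked,Potentially Blocked,3,9000
203.0.113.9,,,,10.0.2.10,DB,Shop,Prod,22,TCP,Blocked,Blocked,1,60
"""

# Label types that appear as separate columns in the export (assumed set).
LABEL_TYPES = ("Role", "App", "Env")


def parse_export(text):
    """Read the exported CSV into a list of per-connection dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def label_key(row, side):
    """The label set of one side of the flow, e.g. ('Web', 'Shop', 'Prod')."""
    return tuple(row[f"{side} {label_type}"] for label_type in LABEL_TYPES)


def aggregate(rows):
    """Collapse individual connections into one entry per (source labels,
    destination labels, port, protocol), like Connections grouped by
    Common Set of Labels in the UI. Flows and bytes are summed; the member
    IPs and the decisions seen in the group are collected as sets."""
    groups = {}
    for row in rows:
        key = (label_key(row, "Source"), label_key(row, "Destination"),
               row["Port"], row["Protocol"])
        group = groups.setdefault(key, {
            "source_ips": set(), "destination_ips": set(),
            "flows": 0, "bytes": 0, "draft": set(), "reported": set(),
        })
        group["source_ips"].add(row["Source IP"])
        group["destination_ips"].add(row["Destination IP"])
        group["flows"] += int(row["Flows"])
        group["bytes"] += int(row["Bytes"])
        group["draft"].add(row["Draft Policy Decision"])
        group["reported"].add(row["Reported Policy Decision"])
    return groups


def needs_rules(groups):
    """Groups whose draft decision is still Potentially Blocked: nothing in
    the draft policy allows them yet, so enforcing would cut them off."""
    return [key for key, group in groups.items() if "Potentially Blocked" in group["draft"]]


def decision_changes(groups):
    """Groups where the draft decision differs from what the VEN reported,
    i.e. flows that the unprovisioned draft policy would treat differently."""
    return [key for key, group in groups.items() if group["draft"] != group["reported"]]


if __name__ == "__main__":
    groups = aggregate(parse_export(SAMPLE_CSV))
    for (src, dst, port, proto), group in groups.items():
        print(f"{src} -> {dst} {port}/{proto}: "
              f"{len(group['source_ips'])} sources, {group['flows']} flows, {group['bytes']} bytes")
    print("needs rules:", needs_rules(groups))
    print("draft differs from reported:", decision_changes(groups))
```

The three Web rows collapse into a single aggregated entry with three source IPs and 20 flows, mirroring the "aggregation of commonly-labeled IP addresses" shown in the aggregated view; the unlabeled external source stays in its own group because its empty label set does not match any other row.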

View Connections with Unknown IP Addresses

From the Connections menu, select the Connections with Unknown IPs option to see a list of connections found by the query that your organization has not turned into unmanaged workloads. You can easily create unmanaged workloads from these connections using the Create Unmanaged Workloads option above the list. For more information, see View Connections with Unknown IP Addresses.

connections-unknown-ips.png

Mouse-over Policy Objects

You can mouse-over workloads, IP addresses, and IP lists in the table to access information and functionality.

  • View IP address associated with a workload.

    traffic-reveal-wl-ip.png
  • (Not available in all versions of the PCE) View and copy IP addresses in an IP list.

    traffic-reveal-wl-ip-2.png
  • (Not available in all versions of the PCE) Right-click an IP address to create an unmanaged workload.

    traffic-single-ip-to-umwl-combo.png
View Policy Details from the Traffic Table

The Traffic table includes a Policy Decision column (either Reported or Draft depending on the view selected), which indicates whether traffic flows are allowed, blocked, or potentially blocked based on your policy.

When a traffic flow is shown as potentially blocked, either no rule allows that flow, or a Deny Rule covers it but the Destination workload is still in Visibility Only enforcement, so the rule is not yet enforced (see Deny Rules and the Traffic Table below).

Clicking the link for Allowed traffic opens the View Policy dialog box. When applicable, the dialog box shows in separate tabs all the policy that applies to the selected traffic flow, including Deny Rules, Rules, and Essential Service rules.

Deny Rules and the Traffic Table

In the Classic UI, Deny Rules are still referred to as Enforcement Boundaries.

Deny Rules are displayed in Draft and Reported views of the Traffic table. When you view your traffic flows in the table, you see whether traffic is blocked by a Deny Rule or allowed through a Deny Rule. Viewing this information is useful to determine where Deny Rules are in place and to understand their impact before provisioning them.

Tip

    To view the details of a Deny Rule, click the linked text for traffic allowed across the rule (“Allowed”) or blocked by the rule (“Blocked”) while in a Draft view of the Traffic table. The View Policy dialog box opens; then click the Deny Rules tab.

You can obtain the following information:

  • A Deny Rule is blocking a traffic flow.

  • Traffic is potentially blocked by a Deny Rule.

    A Deny Rule is in place but the workload is still in visibility-only mode. The traffic won't be blocked by the rule until you move it into selective enforcement mode.

  • A Deny Rule is in place but an allow rule is allowing traffic through the Deny Rule.
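
The three outcomes above, together with the Policy Decision column's Allowed, Blocked and Potentially Blocked values, follow a fixed precedence: an allow rule wins over a Deny Rule, a matching Deny Rule blocks only once the workload is out of visibility-only mode, and otherwise the decision depends on the enforcement mode. The following Python model is an added example written for this page, not Illumio code and not the PCE's policy evaluator; the rule shape (role labels, port, protocol) and the sample flow are constructed, and the two cases the page does not describe (no rule matches under full or selective enforcement) are filled with assumptions that are marked in the comments.

```python
from dataclasses import dataclass

# Enforcement modes of the destination workload.
VISIBILITY_ONLY, SELECTIVE, FULL = "visibility_only", "selective", "full"

# Values of the Policy Decision column.
ALLOWED, BLOCKED, POTENTIALLY_BLOCKED = "Allowed", "Blocked", "Potentially Blocked"


@dataclass(frozen=True)
class Rule:
    """Simplified rule (constructed shape): allow or deny between two Role
    labels on one port/protocol. '*' matches any role."""
    kind: str        # "allow" or "deny"
    src_role: str
    dst_role: str
    port: int
    proto: str

    def matches(self, flow):
        return (self.src_role in ("*", flow["src_role"])
                and self.dst_role in ("*", flow["dst_role"])
                and self.port == flow["port"]
                and self.proto == flow["proto"])


def policy_decision(flow, rules, dst_enforcement):
    """Draft policy decision for one flow, following the page's descriptions."""
    allow_hit = any(r.kind == "allow" and r.matches(flow) for r in rules)
    deny_hit = any(r.kind == "deny" and r.matches(flow) for r in rules)
    if allow_hit:
        # An allow rule lets traffic through even when a Deny Rule also matches.
        return ALLOWED
    if deny_hit:
        # A Deny Rule takes effect only once the workload leaves visibility-only mode.
        return POTENTIALLY_BLOCKED if dst_enforcement == VISIBILITY_ONLY else BLOCKED
    # No rule of either kind matched.
    if dst_enforcement == FULL:
        return BLOCKED          # assumption: full enforcement denies unmatched traffic
    if dst_enforcement == SELECTIVE:
        return ALLOWED          # assumption: selective enforcement enforces only Deny Rules
    return POTENTIALLY_BLOCKED  # visibility-only with no rule: blocked once enforced


def decide_all(flows, rules, dst_enforcement):
    """Decision per flow, keyed by (src_role, dst_role, port, proto)."""
    return {(f["src_role"], f["dst_role"], f["port"], f["proto"]): policy_decision(f, rules, dst_enforcement)
            for f in flows}


if __name__ == "__main__":
    flow = {"src_role": "Web", "dst_role": "DB", "port": 3306, "proto": "tcp"}   # constructed
    deny_db = Rule("deny", "*", "DB", 3306, "tcp")
    allow_web_db = Rule("allow", "Web", "DB", 3306, "tcp")
    print(policy_decision(flow, [deny_db], VISIBILITY_ONLY))          # Potentially Blocked
    print(policy_decision(flow, [deny_db], SELECTIVE))                # Blocked
    print(policy_decision(flow, [deny_db, allow_web_db], SELECTIVE))  # Allowed
```

Walking a proposed Deny Rule through this model before provisioning it answers the question the section raises: which flows would move from Potentially Blocked to Blocked when their workloads enter selective enforcement, and which already have an allow rule that carries them across the boundary.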

Resolve Unknown FQDNs
  1. Click Resolve Unknown FQDNs to export FQDN information for unknown IP Addresses and then click OK.

    glob-exp-resolve-unknown-fqdns-dialog-new.png
  2. Click Export adjacent to the Resolve Unknown FQDNs button.

    Note

    If the results do not contain the information you expect, clear the cached FQDN values and reload the results.

    Depending on the number of draft rules in your instance, the data might be slow to load. Once it loads, the Draft Policy Decision and Reported Policy Decision columns are populated, and that data is included in the exported zip file.