How Rule Hit Counts are calculated
The following example scenarios help explain how rule hit counts are calculated and reported.
Scenario 1
Flow: Workload A → Workload B on TCP/443 (reported by both sides)
Enforcement Mode: n/a
Rules | Count | Comments |
---|---|---|
Workload A → Workload B on TCP/443 | 2 | Both workloads reported the flow and this rule is executed by both of them. |
Workload A → Any IP List | 1 | Only workload A executes this rule. |
Some IP List Covering A → B | 1 | Only workload B executes this rule. |
Scenario 2
Flow: Workload A → Workload B on TCP/443 through a network enforcement point that blocks A → B (so the flow is reported only by A)
Enforcement Mode: n/a
Rules | Count | Comments |
---|---|---|
Workload A → Workload B on TCP/443 | 1 | A has a VEN, allowed the flow under this rule and counted it. B never received the flow, so it did not report it and adds nothing. |
Workload A → Any IP List | 1 | A has a VEN and allowed the flow under this outbound rule. |
Some IP List Covering A → B | 0 | This is an inbound rule on B. B never received the flow, so the rule was not hit. |
Scenario 3
Flow: Workload A → Workload B on TCP/445
Case 1 Enforcement:
Workload A Enforcement Mode - Visibility, and no rule allows TCP/445 outbound
Workload B Enforcement Mode - Full
Rules | Count | Comments |
---|---|---|
Allow Any (0.0.0.0/0) → Workload B on all services | 1 | A is in visibility mode, so it does not block the flow (and credits no rule, because none allows it outbound). B receives the flow and allows it under this rule. |
Case 2 Enforcement:
Workload A Enforcement Mode - Full, and no rule allows TCP/445 outbound
Workload B Enforcement Mode - Full
Rules | Count | Comments |
---|---|---|
Allow Any (0.0.0.0/0) → Workload B on all services | 0 | A drops the flow because no outbound rule allows it. B never receives the flow, so its inbound rule is not hit. |
Case 3 Enforcement:
Workload A Enforcement Mode - Selective, with a boundary that blocks TCP/445 outbound
Workload B Enforcement Mode - Full
Rules | Count | Comments |
---|---|---|
TCP/445 is blocked outbound on A via boundary | 1 | A drops the flow and credits the boundary that blocked it. |
Allow Any (0.0.0.0/0) → Workload B on all services | 0 | B never receives the flow. |
Scenario 4
Flow: Workload (Endpoint) C → Workload (Server) B on TCP/443
Endpoint A - Label:Loc1 (IP address: 10.3.2.4/24 → subnet = 10.3.2.0/24 == 10.3.2.0 → 10.3.2.255)
Server B - Label:App1
Endpoint C - Label:Loc2 (IP address: 10.3.2.7/24 → subnet = 10.3.2.0/24 == 10.3.2.0 → 10.3.2.255)
Behavior:
Endpoint C drops the flow if it is in Full enforcement, because no rule allows the flow outbound from a Loc2 endpoint.
Server B accepts the flow from either Endpoint A or Endpoint C if the flow reaches Server B, because the rule's "Use workload subnets" option expands the Loc1 consumer to the 10.3.2.0/24 subnet, which both endpoints share.
Case 1 Enforcement:
Endpoint C Enforcement Mode - Full
Rules | Count | Comments |
---|---|---|
Loc1 \| Endpoints (Use WL subnets) → App1 | 0 | Endpoint C drops the flow because there is no outbound rule allowing it. |
Case 2 Enforcement:
Endpoint C Enforcement Mode - Selective
Rules | Count | Comments |
---|---|---|
Loc1 \| Endpoints (Use WL subnets) → App1 | 1 | Endpoint C allows the flow because no boundary blocks it (it credits no rule of its own). Server B allows the flow because the rule's consumer is expanded to the Loc1 workload subnets, and Endpoint C is in the same 10.3.2.0/24 subnet as Endpoint A. The report therefore shows a hit on the Loc1 rule even though the flow came from a Loc2 endpoint: with "Use workload subnets", a hit count attests to a matching address, not to a matching label. |
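The counting behaviour of Scenarios 1 to 4 can be reproduced with a small model: each VEN on the flow path evaluates only the rules in which its own side is a labelled workload (an IP-list side has no VEN behind it), credits the rules it applied, and the hit count is the sum over the VENs that actually saw the flow. The code below is an added illustration written for this page, not PCE or VEN code. It assumes the semantics stated in the scenarios above: Full drops a flow that no allow rule covers, Selective enforces only deny/boundary rules, Visibility never drops, and "Use workload subnets" expansion is applied by the provider's VEN only. All class, function and rule names are hypothetical.

```python
"""Toy model of per-VEN rule hit counting (constructed example, not PCE/VEN code)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

IPList = ipaddress.IPv4Network  # an IP-list selector: no VEN sits behind it


@dataclass(frozen=True)
class SubnetOf:
    """'Use workload subnets': match the whole subnet of every workload carrying `label`."""
    label: str


@dataclass
class Workload:
    name: str
    ip: str              # "a.b.c.d/prefix"; the prefix is what SubnetOf expands to
    labels: frozenset
    mode: str            # "full", "selective" or "visibility"

    def addr(self):
        return ipaddress.ip_interface(self.ip).ip

    def subnet(self):
        return ipaddress.ip_interface(self.ip).network


@dataclass
class Rule:
    rid: str
    consumer: object     # label str, IPList or SubnetOf
    provider: object     # label str or IPList
    port: Optional[int] = None   # None = all services
    deny: bool = False           # True models a boundary / deny rule


def _match(sel, wl, workloads, expand_subnets):
    if isinstance(sel, IPList):
        return wl.addr() in sel
    if isinstance(sel, SubnetOf):
        if not expand_subnets:   # a VEN matches its own side by label only
            return sel.label in wl.labels
        return any(wl.addr() in w.subnet() for w in workloads if sel.label in w.labels)
    return sel in wl.labels


def rules_on_ven(ven, rules, src, dst, port, workloads):
    """Rules the VEN on `ven` applies to this flow: its own side must be a label selector."""
    hits = []
    for r in rules:
        if r.port is not None and r.port != port:
            continue
        if ven is src:
            ok = (not isinstance(r.consumer, IPList)
                  and _match(r.consumer, src, workloads, expand_subnets=False)
                  and _match(r.provider, dst, workloads, expand_subnets=True))
        else:
            ok = (not isinstance(r.provider, IPList)
                  and _match(r.provider, dst, workloads, expand_subnets=False)
                  and _match(r.consumer, src, workloads, expand_subnets=True))
        if ok:
            hits.append(r)
    return hits


def decide(ven, matched):
    """Verdict of one VEN plus the rules it credits (assumed enforcement-mode semantics)."""
    denies = [r for r in matched if r.deny]
    allows = [r for r in matched if not r.deny]
    if denies and ven.mode in ("full", "selective"):
        return "drop", denies
    if ven.mode == "full" and not allows:
        return "drop", []
    return "allow", allows   # selective/visibility never drop for lack of an allow rule


def hit_counts(rules, src, dst, port, workloads, network_blocks=False):
    """Sum the credited rules over every VEN that actually sees the flow."""
    counts = Counter({r.rid: 0 for r in rules})
    verdict, credited = decide(src, rules_on_ven(src, rules, src, dst, port, workloads))
    counts.update(r.rid for r in credited)
    if verdict == "drop" or network_blocks:   # the destination never receives the flow
        return dict(counts)
    _, credited = decide(dst, rules_on_ven(dst, rules, src, dst, port, workloads))
    counts.update(r.rid for r in credited)
    return dict(counts)


def scenario_1_and_2(network_blocks=False):
    a = Workload("A", "10.1.0.1/24", frozenset({"A"}), "full")
    b = Workload("B", "10.2.0.1/24", frozenset({"B"}), "full")
    rules = [Rule("A->B:443", "A", "B", 443),
             Rule("A->AnyIPList:443", "A", IPList("0.0.0.0/0"), 443),
             Rule("IPListCoveringA->B:443", IPList("10.1.0.0/24"), "B", 443)]
    return hit_counts(rules, a, b, 443, [a, b], network_blocks)


def scenario_3(mode_a, with_boundary=False):
    a = Workload("A", "10.1.0.1/24", frozenset({"A"}), mode_a)
    b = Workload("B", "10.2.0.1/24", frozenset({"B"}), "full")
    rules = [Rule("Any->B:all", IPList("0.0.0.0/0"), "B")]
    if with_boundary:
        rules.append(Rule("boundary:A-out-445", "A", IPList("0.0.0.0/0"), 445, deny=True))
    return hit_counts(rules, a, b, 445, [a, b])


def scenario_4(mode_c):
    a = Workload("A", "10.3.2.4/24", frozenset({"Loc1"}), "full")
    b = Workload("B", "10.9.0.1/24", frozenset({"App1"}), "full")
    c = Workload("C", "10.3.2.7/24", frozenset({"Loc2"}), mode_c)
    rules = [Rule("Loc1Endpoints(subnets)->App1:443", SubnetOf("Loc1"), "App1", 443)]
    return hit_counts(rules, c, b, 443, [a, b, c])


if __name__ == "__main__":
    print(scenario_1_and_2(), scenario_1_and_2(network_blocks=True))
    print(scenario_3("visibility"), scenario_3("full"), scenario_3("selective", True))
    print(scenario_4("full"), scenario_4("selective"))
```

The Scenario 4 result is the one worth checking by hand: Endpoint C in Selective mode credits nothing, Server B credits the Loc1 rule because the subnet expansion matches C's address, and the total of 1 says nothing about which label the consumer actually carried.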
Scenario 5 (PCE rule optimization)
Flow: Workload A → Workload B on TCP/443
If the addresses of workload B and workload C overlap, PCE rule optimization can merge the two rules below into a single programmed rule, so a flow that matches the first rule also increments the second.
Rules | Count | Comments |
---|---|---|
Workload A → Workload B on TCP/443 | 2 | Both workloads report the flow. |
Workload A → Workload C on TCP/443 | 2 | The reported flow can carry this rule ID as well, because PCE rule optimization merged it with the rule above. |