REST APIs 25.2.10 and 25.2.20

Traffic Flow Types and Properties

The Illumio Core logs traffic flows based on the Visibility setting. Each event is classified as Allowed, Blocked, or Potentially Blocked, and some event attributes might not appear in the traffic flow summary.

Visibility Settings

The table below indicates whether or not a traffic summary is logged as Allowed, Blocked, or Potentially Blocked according to a workload's visibility setting.

Note

Traffic from workloads in the “Idle” policy state is not exported to syslog from the PCE.

| Visibility | Logged-in Traffic Flow Summary |
| --- | --- |
| Off | VEN does not log traffic connection information |
| Blocked - Low Detail | VEN logs connection information for blocked and potentially blocked traffic only |
| Blocked + Allowed - High Detail | VEN logs connection information for allowed, blocked, and potentially blocked traffic |
| Enhanced Data Collection | VEN logs byte counts in addition to connection details for allowed, blocked, and potentially blocked traffic |

Event Types

In a traffic flow summary, the event type is designated by Policy Decision (pd).

Note

An asterisk ( * ) indicates that the attribute might not appear in the summary.

Event Attributes

Allowed (pd=0)

Potentially Blocked (pd=1)

Blocked (pd=2)

version

count

interval_sec

timestamp

dir

src_ip

dst_ip

proto

dst_prt

state

pd

code*

type*

dst_vulns*

fqdn*

un*

X

pn*

X

sn*

X

src_labels*

dst_labels*

src_hostname*

dst_hostname*

src_href*

dst_href*

Showing the Data Transfer Amount

The JSON, CEF, and LEEF fields that carry accurate byte counts belong to the 'Show Amount of Data Transfer' preview feature, which is available with the 20.2.0 release.

The PCE now reports the amount of data transferred into and out of workloads and applications in a data center. The number of bytes sent by and received by an application's source is provided separately. These values can be seen in traffic flow summaries streamed from the PCE. You can enable this capability on a per-workload basis on the Workload page. You can also enable it in the pairing profile so that workloads are paired directly into this mode.

The direction reported in the flow summary is from the viewpoint of the source of flow:

  • Destination Total Bytes Out (dst_tbo): Number of bytes transferred out of source.

  • Destination Total Bytes In (dst_tbi): Number of bytes transferred to source.

To activate the 'Show Amount of Data Transfer' capability on the PCE, contact your Illumio representative.

LEEF Mapping

  • LEEF field X contains JSON field Y

  • srcBytes contains dst_tbo

  • dstBytes contains dst_tbi

  • dbi contains dst_dbi

  • dbo contains dst_dbo

CEF Mapping

  • CEF field cn2 is dst_dbi, with cn2Label set to “dbi”

  • CEF field cn3 is dst_dbo, with cn3Label set to “dbo”

  • CEF field “in” is dst_tbi

  • CEF field “out” is dst_tbo
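
The following is an added example, not Illumio code: a collector-side normalizer that applies the LEEF Mapping and CEF Mapping lists above so that byte counters from any of the three formats end up under their JSON field names. It assumes LEEF 1.0 framing and whitespace-separated key=value attributes; the function name, header values, and sample records are constructed for illustration.

```python
import json
import re

# Policy decision values from the Event Types section of this page.
PD_NAMES = {0: "Allowed", 1: "Potentially Blocked", 2: "Blocked"}
BYTE_FIELDS = ("dst_tbo", "dst_tbi", "dst_dbi", "dst_dbo")
# SIEM field -> JSON field, from the LEEF Mapping and CEF Mapping lists.
LEEF_TO_JSON = {"srcBytes": "dst_tbo", "dstBytes": "dst_tbi",
                "dbi": "dst_dbi", "dbo": "dst_dbo"}
CEF_TO_JSON = {"in": "dst_tbi", "out": "dst_tbo",
               "cn2": "dst_dbi", "cn3": "dst_dbo"}
CEF_LABELS = {"cn2": "dbi", "cn3": "dbo"}  # expected cnNLabel values
KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # whitespace-separated key=value pairs


def normalize(record):
    """Return the byte counters of one flow summary under their JSON names."""
    if record.startswith("{"):
        flow = json.loads(record)
        out = {f: flow[f] for f in BYTE_FIELDS if f in flow}
        if "pd" in flow:
            out["pd_name"] = PD_NAMES.get(flow["pd"], "unknown")
        return out
    if record.startswith("LEEF:"):
        # Assumes LEEF 1.0: five pipe-delimited header fields, then attributes.
        attrs, mapping = dict(KV.findall(record.split("|", 5)[5])), LEEF_TO_JSON
    elif record.startswith("CEF:"):
        # Seven pipe-delimited header fields, then the extension.
        attrs = dict(KV.findall(record.split("|", 7)[7]))
        # cn2/cn3 are generic custom-number slots; accept them only when the
        # label matches, so an unrelated cn2 is not read as dst_dbi.
        mapping = {k: v for k, v in CEF_TO_JSON.items()
                   if k not in CEF_LABELS or attrs.get(k + "Label") == CEF_LABELS[k]}
    else:
        raise ValueError("not a JSON, LEEF or CEF record")
    # Byte counts exist only with Enhanced Data Collection; skip absent fields.
    return {j: int(attrs[k]) for k, j in mapping.items() if k in attrs}


# Constructed sample records; header values are placeholders, not real PCE output.
SAMPLE_JSON = '{"pd": 1, "dst_tbo": 1200, "dst_tbi": 340, "dst_dbi": 40, "dst_dbo": 200}'
SAMPLE_LEEF = "LEEF:1.0|Vendor|Product|0|flow|srcBytes=1200\tdstBytes=340\tdbi=40\tdbo=200"
SAMPLE_CEF = ("CEF:0|Vendor|Product|0|flow|flow|1|"
              "cn2=40 cn2Label=dbi cn3=200 cn3Label=dbo in=340 out=1200")
```

Records from workloads that are not in Enhanced Data Collection mode carry no byte counters, so the function returns an empty dictionary for them rather than zeros.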