No Log Rules
The No Log Rules feature allows you to reduce data volume (and cost) by ignoring traffic that is not worth inspecting from a security perspective, such as 443/80 from the internet to public-facing web servers.
The No Log Rules feature enables you to mark rules as "no log," which means that any flows matching those rules will not be logged in the vTap logs on the VEN and will not be reported to the PCE.
To use this feature, you need to enable the flag:
[{ "name": "per_rule_flow_log_setting", "enabled": true }]
Implementing No Log Rules Feature
To implement the No Log Rules feature, follow these steps:
1. Enable the flag per_rule_flow_log_setting by setting it to true.
2. Write segmentation rules for the flows you want to allow without logging.
3. Use the API to set the log_flow property to false on these rules.
When using the No Log Feature:
In cases where "regular" and "no log" rules overlap, the "no log" rule will always be evaluated first, and the flows will not be logged.
These rules will only be sent to VENs running version 22.5.0 or newer.
If the feature flag is disabled, the "log_flow" property will not be returned in the API responses, and it will not be possible to set the property using the API.
There is currently no UI support for this feature: the UI gives no visual indication that a rule is set to "log_flow: false".
Enabling the Feature Flag
To enable the No Log feature flag, execute the cURL command:
curl -X PUT -u $API_USER:$API_PASS -H 'Content-type: application/json' --data-raw '[{"name": "per_rule_flow_log_setting", "enabled": true}]' $PCE_URL/api/v2/orgs/1/optional_features
Verify that the flag was enabled:
curl -u $API_USER:$API_PASS $PCE_URL/api/v2/orgs/1/optional_features | jq '.' | grep "per_rule_flow_log_setting" -C 1
If the commands were successful, you will see the following:
{ "name": "per_rule_flow_log_setting", "enabled": true },
Writing Segmentation Rules
When writing rules to implement the No Log Rules feature, do not provision them immediately; the log_flow property is set on the draft rules first.
Consider creating a separate ruleset for these rules and making it very clear in the ruleset name that these are No Log Rules, because the UI currently gives no indication of whether log_flow has been disabled on a rule.
Once you've created the rules, you'll need to get the rule HREFs. You can do that either by making an API call to the rule sets API for this rule set or by using the developer console.
Disabling Flow Logging
Disable flow logging for the given rule by making a PUT request to the sec_rules API with the property log_flow set to false.
Execute the cURL command against the rule HREF obtained in the previous step:
curl -X PUT -u $API_USER:$API_PASS -H 'Content-type: application/json' --data-raw '{ "log_flow": false }' $PCE_URL/api/v2/orgs/1/sec_policy/draft/rule_sets/3/sec_rules/
Use a GET request to verify that the property is now false:
curl -u $API_USER:$API_PASS -H 'Content-type: application/json' $PCE_URL/api/v2/orgs/1/sec_policy/draft/rule_sets/3/sec_rules/3 | jq '.'
Provision the ruleset, and the No Log rules will be sent down to the relevant VENs.
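The procedure above (enable the flag, verify it, collect the rule HREFs, PUT log_flow false, verify) is carried out with individual cURL commands. The following Python script is an added example, not Illumio's own code, that performs the same steps through one small client and adds the check the page says the UI cannot give you: an audit listing every rule in a rule set whose log_flow is false. The HTTP transport is injectable, so the script runs offline against a constructed in-memory stand-in for the PCE (FakePce) that also enforces the page's note that log_flow cannot be set while the feature flag is disabled. The response shapes it assumes (optional_features as a list of {name, enabled} objects; a rule set object with a "rules" array of objects carrying "href" and "log_flow") are modelled on the cURL output shown on the page and are assumptions, not documented schemas; the PCE URL and credentials in demo() are placeholders.

```python
"""Audit and set per-rule flow logging (log_flow) through the PCE API.

Added example, not Illumio's code. Response shapes ({name, enabled} feature
list; rule set with a 'rules' array) are assumptions based on the page's
cURL output. FakePce is constructed sample data so the script runs offline.
"""
import base64
import json
import urllib.request

FLAG_NAME = "per_rule_flow_log_setting"


def flag_enabled(optional_features):
    """True when the per-rule flow log flag is enabled in an optional_features response."""
    return any(f.get("name") == FLAG_NAME and f.get("enabled") is True
               for f in optional_features)


def rule_hrefs(rule_set):
    """Return the sec_rule HREFs of a rule set (assumes a 'rules' array with 'href')."""
    return [r["href"] for r in rule_set.get("rules", [])]


def no_log_rules(rule_set):
    """HREFs of rules whose log_flow is false. The UI shows nothing for this
    setting, so this audit is how a reviewer sees which rules are silent."""
    return [r["href"] for r in rule_set.get("rules", []) if r.get("log_flow") is False]


class PceClient:
    """Minimal client. transport(method, url, body) -> response text; defaults to urllib."""

    def __init__(self, pce_url, api_user, api_pass, transport=None):
        self.base = pce_url.rstrip("/") + "/api/v2"
        self.transport = transport or self._http
        token = base64.b64encode(f"{api_user}:{api_pass}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}

    def _http(self, method, url, body):
        req = urllib.request.Request(url, data=body.encode() if body else None,
                                     method=method, headers=self.headers)
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode()

    def enable_flag(self, org=1):
        """Same as the page's two cURL calls: PUT the flag, then GET to verify it."""
        url = f"{self.base}/orgs/{org}/optional_features"
        self.transport("PUT", url, json.dumps([{"name": FLAG_NAME, "enabled": True}]))
        return flag_enabled(json.loads(self.transport("GET", url, None)))

    def get_rule_set(self, rule_set_href):
        return json.loads(self.transport("GET", f"{self.base}{rule_set_href}", None))

    def set_log_flow(self, rule_href, log_flow=False):
        """PUT {"log_flow": ...} on a rule HREF such as
        /orgs/1/sec_policy/draft/rule_sets/3/sec_rules/3, then GET it back to verify."""
        self.transport("PUT", f"{self.base}{rule_href}", json.dumps({"log_flow": log_flow}))
        return json.loads(self.transport("GET", f"{self.base}{rule_href}", None)).get("log_flow")


class FakePce:
    """Constructed in-memory PCE stand-in (sample data, not a real environment).
    Enforces the page's rule that log_flow cannot be set while the flag is disabled."""

    RULE_SET = "/orgs/1/sec_policy/draft/rule_sets/3"

    def __init__(self):
        self.features = [{"name": FLAG_NAME, "enabled": False}]
        self.rules = {}
        for rule_id in (3, 4):
            href = f"{self.RULE_SET}/sec_rules/{rule_id}"
            self.rules[href] = {"href": href, "log_flow": True}

    def __call__(self, method, url, body):
        path = url.split("/api/v2", 1)[1]
        if path.endswith("/optional_features"):
            if method == "PUT":
                for update in json.loads(body):
                    for feature in self.features:
                        if feature["name"] == update["name"]:
                            feature["enabled"] = update["enabled"]
            return json.dumps(self.features)
        if path == self.RULE_SET:
            return json.dumps({"href": path, "rules": list(self.rules.values())})
        rule = self.rules[path]
        if method == "PUT":
            if not flag_enabled(self.features):
                raise PermissionError("log_flow cannot be set while the feature flag is disabled")
            rule.update(json.loads(body))
        return json.dumps(rule)


def demo():
    """Walk the page's procedure: enable flag, fetch HREFs, silence one rule, audit."""
    fake = FakePce()
    pce = PceClient("https://pce.example.invalid:8443", "api_user", "api_pass", transport=fake)
    enabled = pce.enable_flag()
    hrefs = rule_hrefs(pce.get_rule_set(FakePce.RULE_SET))
    pce.set_log_flow(hrefs[0], False)  # only the first rule becomes a No Log rule
    silent = no_log_rules(pce.get_rule_set(FakePce.RULE_SET))
    return enabled, hrefs, silent


if __name__ == "__main__":
    print(demo())
```

Against a real PCE, drop the transport argument so PceClient uses urllib with basic authentication (the same $API_USER:$API_PASS pair the cURL commands use), and run no_log_rules() over each draft rule set before provisioning so the set of silent rules is reviewed explicitly rather than inferred from the absence of flow logs.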