No Log Rules
The No Log Rules feature allows you to reduce data volume (and cost) by ignoring traffic that is not worth inspecting from a security perspective, such as 443/80 traffic from the internet to public-facing web servers.
The No Log Rules feature enables you to mark rules as "no log," which means that any flows matching those rules will not be logged in the vTap logs on the VEN and will not be reported to the PCE.
To use this feature, you need to enable the flag:
[{ "name": "per_rule_flow_log_setting", "enabled": true }]
Implementing the No Log Rules Feature
To implement the No Log Rules feature, follow these steps:
Enable the flag per_rule_flow_log_setting by setting it to true.
Write segmentation rules for the flows you want to allow without logging.
Use the API to flip the property log_flow on these rules.
When to use the No Log feature:
In cases where "regular" and "no log" rules overlap, the "no log" rule is evaluated first, and flows are not logged.
These rules will only be sent to VENs 22.5.0 or newer.
If the feature flag is disabled, the "log_flow" property will not be returned in API responses, and it will not be possible to set it via the API.
There is currently no UI support for this feature - there will be no visual indication that the rules are set to "log_flow: false".
Enable the Feature Flag
To enable the No Log feature flag, execute the cURL command:
curl -X PUT -u $API_USER:$API_PASS -H 'Content-type: application/json' --data-raw '[{"name": "per_rule_flow_log_setting", "enabled": true}]' $PCE_URL/api/v2/orgs/1/optional_features
Verify that the flag was enabled:
curl -u $API_USER:$API_PASS $PCE_URL/api/v2/orgs/1/optional_features | jq '.' | grep "per_rule_flow_log_setting" -B 1 -A 2
If the commands were successful, you will see the following:
{
"name": "per_rule_flow_log_setting",
"enabled": true
},
Writing Segmentation Rules
When writing rules to implement the No Log Rules feature, do not provision them immediately.
You might create a separate ruleset for these rules and make it very clear in the name that they are No Log Rules, since there is currently no UI indication of whether the flag is enabled on these rules.
Once you've created the rules, you'll need to get the rule HREFs. You can do that either by making an API call to the rule sets API for this rule set or by using the developer console.
Enable the Feature Flag for a Rule
To apply the No Logs feature flag to a rule, follow these steps:
Send the API call to apply the feature to the rule:
curl -X PUT -u $API_USER:$API_PASS -H 'Content-type: application/json' --data-raw '{ "log_flow": false }' $PCE_URL/api/v2/orgs/1/sec_policy/draft/rule_sets/3/sec_rules/92
Verify that the feature is enabled on the rule:
curl -u $API_USER:$API_PASS -H 'Content-type: application/json' $PCE_URL/api/v2/orgs/1/sec_policy/draft/rule_sets/3/sec_rules/92
Here is the sample response:
{"href":"/orgs/1/sec_policy/draft/rule_sets/3/sec_rules/92","created_at":"2025-08-12T21:25:02.452Z","updated_at":"2026-01-27T21:24:27.326Z","deleted_at":null,"created_by":{"href":"/users/1"},"updated_by":{"href":"/users/1"},"deleted_by":null,"update_type":"update","description":"No Log","enabled":true,"providers":[{"actors":"ams"}],"consumers":[{"label":{"href":"/orgs/1/labels/15"},"exclusion":false}],"consuming_security_principals":[],"sec_connect":false,"stateless":false,"machine_auth":false,"unscoped_consumers":false,"network_type":"brn","use_workload_subnets":[],"log_flow":false,"ingress_services":[{"port":1231,"proto":6}],"egress_services":[{"href":"/orgs/1/sec_policy/draft/services/181"}],"resolve_labels_as":{"providers":["workloads"],"consumers":["workloads"]}}
Disable the Feature Flag for a Rule
Disable flow logging for the given rule by making a PUT request to the sec_rules API with the property log_flow set to false.
Execute a cURL command with the rule's HREF:
curl -X PUT -u $API_USER:$API_PASS -H 'Content-type: application/json' --data-raw '{ "log_flow": false }' $PCE_URL/api/v2/orgs/1/sec_policy/draft/rule_sets/3/sec_rules/
Use a GET command to verify that the property is now false.
curl -u $API_USER:$API_PASS -H 'Content-type: application/json' $PCE_URL/api/v2/orgs/1/sec_policy/draft/rule_sets/3/sec_rules/3 | jq '.'
Provision the ruleset, and the No Log rules will be sent down to the relevant VENs.
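Because the UI gives no indication of which rules carry "log_flow": false, a small audit over a saved rule set response can list them before provisioning. This is an added example, not code from the product documentation; it assumes the rule set document nests its rules under a "rules" key with the same fields as the sample sec_rules response above, and the sample data is constructed.

```python
import json
import sys
from pathlib import Path

# Constructed sample: a rule set document whose rules look like the sec_rules
# response on this page, nested under "rules" (an assumption, see lead-in).
SAMPLE_RULE_SET = {
    "href": "/orgs/1/sec_policy/draft/rule_sets/3",
    "name": "Web ingress",
    "rules": [
        {"href": "/orgs/1/sec_policy/draft/rule_sets/3/sec_rules/92",
         "description": "No Log", "enabled": True, "log_flow": False,
         "ingress_services": [{"port": 1231, "proto": 6}]},
        {"href": "/orgs/1/sec_policy/draft/rule_sets/3/sec_rules/93",
         "description": "App to DB", "enabled": True, "log_flow": True,
         "ingress_services": [{"port": 5432, "proto": 6}]},
        {"href": "/orgs/1/sec_policy/draft/rule_sets/3/sec_rules/94",
         "description": "Legacy", "enabled": False,
         "ingress_services": [{"port": 22, "proto": 6}]},
    ],
}


def audit_rule_set(rule_set):
    """Return (no_log_hrefs, unknown_hrefs, name_ok) for one rule set document."""
    no_log, unknown = [], []
    for rule in rule_set.get("rules", []):
        if "log_flow" not in rule:
            # log_flow is not returned when the feature flag is disabled.
            unknown.append(rule["href"])
        elif rule["log_flow"] is False:
            no_log.append(rule["href"])
    # The page recommends a rule set name that makes the no-log intent obvious.
    name = rule_set.get("name", "").lower().replace("-", " ").replace("_", " ")
    name_ok = not no_log or "no log" in name
    return no_log, unknown, name_ok


if __name__ == "__main__":
    # Pass the path of a saved rule set response, or run without arguments for the sample.
    doc = json.loads(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else SAMPLE_RULE_SET
    no_log, unknown, name_ok = audit_rule_set(doc)
    for href in no_log:
        print(f"NO-LOG   {href}")
    for href in unknown:
        print(f"UNKNOWN  {href} (log_flow not returned)")
    if not name_ok:
        print(f"WARN     rule set {doc.get('name')!r} has no-log rules but its name does not say so")
```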