
Illumio Core What's New and Release Notes 25.2.10, 25.2.11

What's New and Changed in Release 25.2.10

Before upgrading to Illumio Core 25.2.10, familiarize yourself with the new and modified features in this release for PCE, REST API, and the PCE web console.

Rule Search now supports Deny and Override Deny rules

You can now search for any combination of Allow, Deny, and Override Deny rules from the Policies > Rule Search tab. Previously, Rule Search was limited to Allow rules. Also, the total number of each rule type is prominently displayed just below the search filter.


Deny and Override Deny rules now support Intra- and Extra-Scopes

You can now specify an Intra-Scope or Extra-Scope when you add Deny and Override Deny rules. Previously, this was only possible for Allow rules.


Rule IDs now included in Syslog

To help you trace and investigate traffic flows, each traffic flow entry in Syslog now includes the rule ID associated with the policy decision of the flow. This provides an explicit reference to the rule that affected the flow's policy state.

Caution

For large customers with 10K+ messages per second, adding rule IDs to the syslog events will make the recorded data significantly larger.

To use this feature, perform these steps:

  1. Enable Rule Hit Count on the PCE and the VEN.

  2. Enable the Rule ID feature as described in Showing Rule ID in Syslog in the Illumio REST API Guide.

  3. Find the rule IDs in your syslog.


Label Exclusion now available for Deny and Override Deny rules

The ability to use an "all labels except..." approach when selecting labels for your rules is now available for Deny and Override Deny rules. Previously, this feature was only available for Allow rules.


VEN Remote Restart

You can now restart a VEN directly from the PCE without physical access to the workload. Remote Restart is similar to other VEN operations that you can initiate from the PCE, such as unpairing and upgrading. For details, see Restart the VEN Remotely.

Note

The Restart button is grayed out if the VEN is Suspended or Offline.


Conflicted Rules panel

You are now alerted when rules are in conflict with one or more other rules in the same or another policy in your organization. Click the yellow icon to display a panel with the conflict details and use the information to perform housekeeping on your policy or troubleshoot unexpected policy behavior.


Rules are in conflict when:

  • Traffic allowed by an Allow rule in your policy is overridden by an Override Deny rule in the same or another policy in your organization. Result: traffic is denied, which you may or may not have intended.

  • Traffic denied by a Deny rule in your policy is overridden by an Allow rule in the same or another policy in your organization. Result: traffic is allowed, which you may or may not have intended.

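The two conflict conditions above, as an added example (not Illumio code and not the PCE's actual algorithm): a simplified model in which each rule matches explicit sets of workloads and services instead of labels and scopes. The `Rule` fields, rule IDs, policy names and workload names are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass
class Rule:
    rule_id: str        # constructed identifier, not a real PCE rule ID
    policy: str         # policy that contains the rule
    action: str         # "allow", "deny" or "override_deny"
    sources: set        # workloads the rule matches as source
    destinations: set   # workloads the rule matches as destination
    services: set       # (protocol, port) pairs

# (action that prevails, action that is overridden) -> resulting traffic state,
# taken from the two conflict conditions listed above.
PREVAILS = {("override_deny", "allow"): "denied", ("allow", "deny"): "allowed"}

def overlap(a, b):
    """Return the traffic both rules match, or None if they never meet."""
    src = a.sources & b.sources
    dst = a.destinations & b.destinations
    svc = a.services & b.services
    return (src, dst, svc) if src and dst and svc else None

def find_conflicts(rules):
    """List (overridden_id, overriding_id, result, shared_traffic) tuples."""
    conflicts = []
    for a, b in combinations(rules, 2):
        for winner, loser in ((a, b), (b, a)):
            result = PREVAILS.get((winner.action, loser.action))
            shared = overlap(winner, loser) if result else None
            if shared:
                conflicts.append((loser.rule_id, winner.rule_id, result, shared))
    return conflicts

# Constructed sample rules spread over three policies.
RULES = [
    Rule("R1", "payments", "allow", {"web1", "web2"}, {"db1"}, {("tcp", 5432)}),
    Rule("R2", "org-baseline", "override_deny", {"web2", "jump1"},
         {"db1", "db2"}, {("tcp", 5432), ("tcp", 22)}),
    Rule("R3", "org-baseline", "deny", {"web1"}, {"db1"}, {("tcp", 22)}),
    Rule("R4", "ops", "allow", {"web1", "jump1"}, {"db1"}, {("tcp", 22)}),
]

if __name__ == "__main__":
    by_id = {r.rule_id: r for r in RULES}
    for lost, won, result, (src, dst, svc) in find_conflicts(RULES):
        print(f"{lost} ({by_id[lost].policy}) overridden by {won} "
              f"({by_id[won].policy}): {sorted(src)} -> {sorted(dst)} "
              f"{sorted(svc)} is {result}")
```

Deny and Override Deny rules that overlap (R2 and R3 here) are not reported, because the list above names only the two pairings that change the outcome for the traffic.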

Deny Rules created from a Template now appear in the Policies page

When you add a Deny rule from a template, it's now placed on the Policies list page, not the Deny Rules page as before.

Note

Although the stand-alone Deny Rules page still appears in the left navigation, Illumio plans to deprecate it in a future release. If your Core instance was upgraded to release 25.2.10 or later, Illumio recommends that you migrate your Deny rules from the Deny Rules page to the Policies page and add and manage Deny Rules from the Policies page from now on.


Support for searching App Groups by Deny and Override Deny rules

You can now search for Deny and Override Deny rules from an App Group's details page. Previously, you could only search for App Groups containing Allow rules from this page.


Support for checking policy by Deny and Override Deny rules

Beginning with this release, the policy check feature (Troubleshooting > Policy Check) checks for policies that include Deny and Override Deny rules. Previously, this feature only checked policies containing Allow rules.


Support for Enhanced Data Collection in all enforcement modes

You can now enable the Enhanced Data Collection option in any enforcement mode, not just Full Enforcement as before. Enhanced Data Collection allows the VEN to log byte counts and connection details for Allowed, Blocked, and Potentially Blocked traffic.


Alert when certificate is nearing expiration

Note

This feature is available only to on-premise deployments of 25.2.10-PCE.

On-premise PCE users are now alerted when a certificate on a PCE node is nearing expiration. A message is logged to syslog and displayed on the PCE health page.
