Skip to main content

Security Policy Guide 25.2.10

Blocked Traffic

Blocked traffic identifies blocked and potentially blocked traffic among workloads and other entities that the PCE manages.

Overview of Blocked Traffic

The Blocked Traffic option is available for each workload.

Blocked traffic alerts provide information such as the port and protocol of the service, as well as the IP address of the Destination, the total number of flows, and the time the last detection occurred.

workloads_blocked_traffic-1_18-1.png

Under the following conditions, traffic is marked as potentially blocked or blocked based on the active policy at the PCE when the latest flow was recorded:

  • Traffic is blocked when a workload is in the enforced state, and the PCE doesn't have rules in the active policy to allow that traffic.

  • Traffic is potentially blocked when a workload is in a Visibility Only state, and the PCE doesn't have rules in the active policy to allow that traffic.

Existing connections are reported as static connections during the pairing process. These connections display as blocked or potentially blocked until new traffic for the connections is detected.

When you select the blocked connection, the Detail view provides more information on when the connection was last reported (when available).

The Blocked Traffic page allows you to verify that only unauthorized traffic is blocked and that permitted communication between workloads is not unintentionally blocked before moving workloads to the enforced state.

You can use the page buttons in the upper left to navigate the listings.

You can also use the Refresh button to refresh the page's content with the latest information without clearing the filters or the results.

Note

Only the latest 500 blocked traffic entries are displayed.

For each traffic record, the following information is displayed:

  • Traffic Type: Specifies whether the traffic is blocked or potentially blocked and whether it is blocked by the Destination or by the source.

  • Source: Displays the source's workload name and IP address.

  • Source Labels: Displays labels assigned to the source.

  • Service: Displays the process name, port, and protocol information of the reported traffic, along with an indication of whether the destination or the source reported the record.

    Note

    For optimal scale and performance, when the PCE has two connections with the same source workload, destination workload, destination port, and protocol, but the process or service names are different, the two connections are combined in the Illumination map. The process or service name that was part of the most recently reported connection is displayed.

  • Destination: Displays the workload name and IP address of the Destination.

  • Destination Labels: Displays labels assigned to the Destination.

  • Total Flows: Displays the total number of traffic flows for that connection.

  • Last Detected: Displays a timestamp for the most recent recorded connection.

Note

When the source reports the record, the information in the Destination column is grayed out. When the Destination reports the record, the information in the source column is grayed out.

Create an Unmanaged Workload from Blocked Traffic

In some cases, your policy might be blocked from the host's IP address that you want to allow to communicate with one of your managed workloads. You can achieve this by converting the IP address to an unmanaged workload, which enables the PCE to permit its use in policy.

Click the IP address in the blocked traffic event and fill out the Unmanaged Workload page. Once you have converted the IP address into an unmanaged workload, you can use it in policies to allow other managed workloads to communicate with it, or you can later convert it into a managed workload by pairing it.

For more information about unmanaged workloads, see Workload Setup Using PCE Web Console.

  1. From the PCE web console menu, choose Servers & Endpoints > Workloads.

  2. Double-click on a workload.

  3. Manage the details by selecting any tab: Summary, Processes, Rules, Deny Rules, Blocked Traffic, Vulnerabilities, or Ransomware Protection.

Reject Connections

You can configure Workloads to reject traffic that does not meet the required policy instead of blocking it in the Enforced state.

  1. Select Settings > Security > and then the tab Reject Connections.

  2. A new firewall security setting provides two options:

    • Reject blocked inbound traffic: When this setting is applied, the firewall is configured to send:

      • TCP RST for TCP connections

      • ICMP port unreachable for UDP connections

      • ICMP protocol unreachable for other connections

      • Drop disallowed traffic (default).

    The setting acts at the VEN level, not at the interface level, and is selected by the Label set.