New and Changed for APIs in Illumio 25.3
Here's a summary of the new and enhanced features in this release.
New APIs
Release 25.3 introduces these new APIs:
ip_list_attributes_get
This new endpoint extends IP Lists to add support for attributes.
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "required": [
    "name"
  ],
  "properties": {
    "id": {
      "description": "ID of the ip list attribute",
      "type": "string"
    },
    "href": {
      "description": "URI of the ip list attribute",
      "type": "string"
    },
    "name": {
      "description": "Name (must be unique)",
      "type": "string"
    },
    "external_data_set": {
      "description": "External data set identifier",
      "type": [
        "string",
        "null"
      ]
    },
    "external_data_reference": {
      "description": "External data reference identifier",
      "type": [
        "string",
        "null"
      ]
    }
  }
}
ip_list_attributes_post
This API creates an IP List attribute. It has a name, an External data set identifier, and an External data reference identifier.
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "additionalProperties": false,
  "required": [
    "name"
  ],
  "properties": {
    "name": {
      "description": "Name (must be unique)",
      "type": "string"
    },
    "external_data_set": {
      "description": "External data set identifier",
      "type": [
        "string",
        "null"
      ]
    },
    "external_data_reference": {
      "description": "External data reference identifier",
      "type": [
        "string",
        "null"
      ]
    }
  }
}
sec_policy_ip_lists_bulk_upload_put
This API allows customers to upsert IP lists in bulk via CSVs.
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "description": "IpList bulk_update",
  "type": "array",
  "maxItems": 1000
}
vens_remote_action_put
This API was designed to control the VEN from the PCE and restart it without access to the server.
Using vens_remote_action_put, you can refresh the VEN's internal states and resolve cases where the VEN may not be fully operational. Currently, this API allows the VEN service to be restarted remotely.
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "additionalProperties": false,
  "required": [
    "action",
    "vens"
  ],
  "properties": {
    "action": {
      "description": "Remote action type",
      "type": "string",
      "enum": [
        "restart"
      ]
    },
    "vens": {
      "description": "An array of VENs to restart",
      "type": "array",
      "minItems": 1,
      "maxItems": 1,
      "items": {
        "type": "object",
        "additionalProperties": false,
        "required": [
          "href"
        ],
        "properties": {
          "href": {
            "description": "VEN URI",
            "type": "string"
          }
        }
      }
    }
  }
}
Users can implement this API as follows:
Send a 'restart' action for a particular VEN to the PCE, which archives this remote action request for the VEN in a database.
When the PCE receives a heartbeat from the VEN, its heartbeat response includes the 'restart' command.
The VEN processes the command and undergoes a restart operation.
During the subsequent heartbeat, the VEN transmits the timestamp of the last restart performed, which the PCE logs.
At this point, the PCE designates this action request as fulfilled.
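The request constraints and the heartbeat-driven flow above, as an added toy model in Python (not Illumio code). The status names, the heartbeat field names, the sample href, the integer timestamps and the rule that only a restart newer than the request fulfils it are assumptions made for the illustration.

```python
# Added illustration: an in-memory model of the restart flow. Not Illumio code.
# Status names, heartbeat fields and the sample href are assumptions.

def validate_remote_action(body):
    """Apply the vens_remote_action_put schema constraints; return the VEN href."""
    if not isinstance(body, dict) or set(body) != {"action", "vens"}:
        raise ValueError("body must hold exactly 'action' and 'vens'")
    if body["action"] != "restart":
        raise ValueError("the only action in the enum is 'restart'")
    vens = body["vens"]
    if not isinstance(vens, list) or len(vens) != 1:
        raise ValueError("'vens' must list exactly one VEN (minItems = maxItems = 1)")
    ven = vens[0]
    if not isinstance(ven, dict) or set(ven) != {"href"} or not isinstance(ven["href"], str):
        raise ValueError("a VEN entry is an object with a single string 'href'")
    return ven["href"]


class ToyPCE:
    def __init__(self):
        self.requests = {}  # href -> request record; stands in for the database

    def put_remote_action(self, body, now):
        href = validate_remote_action(body)
        self.requests[href] = {"status": "pending", "requested_at": now}

    def heartbeat(self, href, last_restart_at):
        req = self.requests.get(href)
        if req is None:
            return {}
        if req["status"] == "pending":      # the command rides on the heartbeat response
            req["status"] = "sent"
            return {"command": "restart"}
        # Assumed check: a restart older than the request does not fulfil it.
        if req["status"] == "sent" and (last_restart_at or 0) > req["requested_at"]:
            req.update(status="fulfilled", restarted_at=last_restart_at)
        return {}


def run_flow():
    pce, href = ToyPCE(), "/orgs/1/vens/example-ven"   # constructed href
    last_restart_at, statuses = 90, []                 # last restart predates the request
    pce.put_remote_action({"action": "restart", "vens": [{"href": href}]}, now=100)
    statuses.append(pce.requests[href]["status"])
    for now in (110, 120):                             # two consecutive heartbeats
        reply = pce.heartbeat(href, last_restart_at)
        if reply.get("command") == "restart":          # the VEN restarts itself
            last_restart_at = now + 1
        statuses.append(pce.requests[href]["status"])
    return statuses
```

Because the schema sets `minItems` and `maxItems` to 1 and `additionalProperties` to false, a request naming two VENs or carrying an extra field is rejected before anything is queued.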
Changed APIs
The following APIs have been changed in release 25.3:
common-aggregated_detected_vulnerability
Type NULL added for port, proto, and cve_ids.
common-vulnerability_summary, common-workloads_detected_vulnerabilities
Type NULL added for num_vulnerabilities, vulnerability_score, max_vulnerability_score, and last_updated_at.
container_clusters_get
Added new properties: machine_id and name.
destination_get
Type NULL added for the tls_ca_bundle.
label_mapping_rule_expressionl
A new property was added: regex. It involves writing regular expressions for labeling.
label_mapping_rules_get, label_mapping_rules_post, label_mapping_rules_put
A new property overwrite was added. If set to true, an existing label of the same dimension will be overwritten.
network_device_get
The property endpoints was deleted and replaced with the property network_endpoints.
network_enforcement_node_get
This schema was expanded with new properties: first_reported_timestamp and latest_event.
optional_features_put
Two new properties have been added: hybrid_policy and container_cluster_label_set_based_kubernetes_workload_instructions.
hybrid_policy: For more details about hybrid_policy, see Hybrid Policy in the document What's New in release 25.2.10.
container_cluster_label_set_based_kubernetes_workload_instructions: This property is enabled by default for each organization. The PCE uses policy deduplication for Kubernetes workloads within the CLAS Container Clusters. This means only one instruction needs to be calculated for every Kubernetes workload with the same set of labels. This reduces the number of calculated instructions in production by 70-95%.
orgs_auth_security_principal and orgs_auth_security_principals
Two properties, name and display_name, were removed, while the new property uuid was added to supply the UUID for the authentication security principal.
reports_post
Minor change for reports_post: in addition to maxLength: 255, the additional type NULL was added.
sec_policy_ip_lists_get
The added query parameter ip_list_attribute allows filtering IP Lists with an attribute assigned.
sec_policy_ip_lists_post
The added query parameter ip_list_attribute specifies which attribute should be linked to an IP List.
sec_policy_ip_lists_put
The added query parameter ip_list_attribute specifies which attribute should be linked to an IP List.
service_accounts_post
The property uuid was added for the service account.
settings_put
In 25.3, the flag use_census_permissions was deleted. This flag indicated whether the PCE org will obtain permissions from the census or from the local database.
users_get
For the new object user_full, new properties have been added: display_name (user's display name) and permissions (list of permissions for this user).
For the new object user_org_permissions, additional properties have been added: href (URI of the user), display_name (user's display name), and permissions (list of permissions for this user).
vulnerability
This API in 25.3 has a change for the property _ids: in addition to the type array, type NULL was added.