
Illumio REST APIs 25.4

Optional Features

This API was introduced to help prevent misconfigured DNS, which can disrupt VEN connectivity. Likewise, misconfiguring DHCP can cause IP address conflicts.

Invoke the Optional Features API

You need a key to invoke the /optional_features API to enable editable_dns_client_rule or editable_dhcp_client_rule. Part of the key is derived from a tightly controlled secret, so a valid key cannot be generated at random.

Once the key is generated, it cannot be used in more than one place. For example, an API call made to customer #1 cannot be replayed for customer #2, who must request their own key.

An example of the generated key:

require 'base64'
require 'json'
require 'openssl'
require 'time'

secret = '...'   # value embedded in code; it is never sent with the key

# Payload that binds the key to one PCE, one org, one feature and an expiry.
# Base64.strict_encode64 needs a String, so the Hash is serialized first
# (JSON serialization is assumed here).
data = Base64.strict_encode64({
  'pce_fqdn'         => Illumio::RuntimeEnvironment.pce_fqdn,
  'org_id'           => xorg_id,
  'optional_feature' => 'editable_dns_client_rule',
  'not_valid_after'  => Time.now.utc.iso8601
}.to_json)

# Key = encoded payload followed by its HMAC-SHA256 (hex) under the secret.
key = data + OpenSSL::HMAC.hexdigest('SHA256', secret, data)
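
As an added illustration (this is not Illumio's code), the following Ruby builds a key of the shape shown above and, on the receiving side, verifies it: the HMAC is checked in constant time before the payload is decoded, and the payload's pce_fqdn, org_id, optional_feature and not_valid_after are compared with the context of the request, which is what stops a key issued for customer #1 being replayed for customer #2. The secret value, the JSON serialization of the payload, and the verifier's argument names are assumptions made for the example.

```ruby
require 'base64'
require 'json'
require 'openssl'
require 'time'

# Constructed example, not Illumio's code. The secret is a placeholder; the
# real value is embedded in the issuer's code and never leaves it.
ISSUER_SECRET = 'placeholder-secret-for-illustration'.freeze
HEX_MAC_LEN   = 64 # length of a hex-encoded SHA-256 digest

# Issuer side: key = base64(JSON payload) + hex HMAC-SHA256(secret, base64 payload),
# the same shape as the snippet above (JSON serialization is assumed).
def build_feature_key(secret, pce_fqdn:, org_id:, optional_feature:, not_valid_after:)
  payload = {
    'pce_fqdn'         => pce_fqdn,
    'org_id'           => org_id,
    'optional_feature' => optional_feature,
    'not_valid_after'  => not_valid_after.utc.iso8601
  }
  data = Base64.strict_encode64(JSON.generate(payload))
  data + OpenSSL::HMAC.hexdigest('SHA256', secret, data)
end

# Verifier side. Returns [accepted?, reason]. The MAC is checked before the
# payload is parsed, so untrusted input is never decoded unless it was produced
# under the secret; the binding fields are then compared with the request being
# made, and the expiry is enforced.
def verify_feature_key(secret, key, pce_fqdn:, org_id:, optional_feature:, now: Time.now.utc)
  return [false, 'malformed'] unless key.is_a?(String) && key.length > HEX_MAC_LEN

  data = key[0...-HEX_MAC_LEN]   # strict base64 has no newlines, so a fixed-length split is safe
  mac  = key[-HEX_MAC_LEN..]
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, data)
  return [false, 'bad signature'] unless OpenSSL.secure_compare(expected, mac)

  payload = JSON.parse(Base64.strict_decode64(data))
  return [false, 'wrong pce_fqdn'] unless payload['pce_fqdn'] == pce_fqdn
  return [false, 'wrong org_id'] unless payload['org_id'] == org_id
  return [false, 'wrong optional_feature'] unless payload['optional_feature'] == optional_feature
  return [false, 'expired'] if Time.iso8601(payload['not_valid_after']) < now

  [true, 'ok']
rescue ArgumentError, TypeError, JSON::ParserError
  [false, 'malformed']
end

if __FILE__ == $PROGRAM_NAME
  key = build_feature_key(ISSUER_SECRET, pce_fqdn: 'pce.example.com', org_id: 1,
                          optional_feature: 'editable_dns_client_rule',
                          not_valid_after: Time.utc(2030, 1, 1))
  p verify_feature_key(ISSUER_SECRET, key, pce_fqdn: 'pce.example.com', org_id: 1,
                       optional_feature: 'editable_dns_client_rule')
  # The same key presented for another org is rejected.
  p verify_feature_key(ISSUER_SECRET, key, pce_fqdn: 'pce.example.com', org_id: 2,
                       optional_feature: 'editable_dns_client_rule')
end
```

The verifier rejects in a fixed order (shape, signature, binding, expiry) so that no field of an unauthenticated payload influences the outcome; because the MAC covers the base64 string rather than the decoded hash, the verifier recomputes it over exactly the bytes it received, with no re-serialization step that could differ from the issuer's.
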
Setting Optional Features

Analytics opt-out

The property configurable_label_dimension was added so that UI users can determine whether an organization has enabled user analytics.

Analytics is opt-in by default. If it has been disabled, the UI does not track analytics for that organization.

To set or clear the optional analytics feature, use:

{
  name: "ui_analytics", enabled: false|true
}

Illumination Classic opt-out

The property illumination_classic is added to enable or disable the feature.

To set or clear the optional Illumination Classic feature, use:

{
  name: "illumination_classic", enabled: false|true
}

Label-Based Network Detection

The APIs

  • POST /api/v2/orgs/{org_id}/networks

  • PUT /api/v2/orgs/{org_id}/networks/:network_id

require that one of the following optional features is enabled:

  • label_based_network_detection

  • cidr_network_detection_enabled

In addition, both APIs validate the payload content:

  • If the CIDRs field is provided, the optional feature cidr_network_detection_enabled must be set.

  • If the scopes field is provided, the optional feature label_based_network_detection must be enabled.
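
As an added example (not Illumio's code), the following Ruby models the validation rules listed above as a pre-flight check a client or test harness can run before calling the networks APIs: it requires one of the two detection features to be enabled, and gates the cidrs and scopes fields on their respective features. The feature-state input is assumed to have the same [{ "name": ..., "enabled": ... }] shape as the optional_features PUT body; the function and constant names are the example's own.

```ruby
# Constructed example, not Illumio's code: the input-validation rules for
# POST/PUT /api/v2/orgs/{org_id}/networks, modelled as a client-side check.
# The feature-state shape [{ 'name' => ..., 'enabled' => ... }] is assumed to
# match what the optional_features API accepts in its PUT body.

NETWORK_DETECTION_FEATURES = %w[
  label_based_network_detection
  cidr_network_detection_enabled
].freeze

# Names of the features that are currently enabled in the optional_features list.
def enabled_feature_names(optional_features)
  optional_features.select { |f| f['enabled'] == true }.map { |f| f['name'] }
end

# Returns [valid?, errors]; errors is an Array of Strings, empty when valid.
def validate_network_payload(payload, optional_features)
  enabled = enabled_feature_names(optional_features)
  errors = []

  # Both APIs require at least one of the two detection features.
  if (enabled & NETWORK_DETECTION_FEATURES).empty?
    errors << 'one of label_based_network_detection or cidr_network_detection_enabled must be enabled'
  end
  # Field-level rules: each field is gated by its own feature.
  if payload.key?('cidrs') && !enabled.include?('cidr_network_detection_enabled')
    errors << 'cidrs provided but cidr_network_detection_enabled is not enabled'
  end
  if payload.key?('scopes') && !enabled.include?('label_based_network_detection')
    errors << 'scopes provided but label_based_network_detection is not enabled'
  end

  [errors.empty?, errors]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample state: only label-based detection is on.
  features = [
    { 'name' => 'label_based_network_detection',  'enabled' => true },
    { 'name' => 'cidr_network_detection_enabled', 'enabled' => false }
  ]
  p validate_network_payload({ 'name' => 'branch-net', 'scopes' => [] }, features)
  p validate_network_payload({ 'name' => 'branch-net', 'cidrs' => ['10.20.0.0/16'] }, features)
end
```

Running the check locally against the org's current optional_features state turns a rejected request into a readable list of which flag to enable first, rather than a generic validation error from the PCE.
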

The example response for the API optional_features_put with label_based_network_detection enabled (fragment):

        "illumination_classic",
        "ransomware_readiness_dashboard",
        "per_rule_flow_log_setting",
        "lightning_default",
        "label_based_network_detection"
      ]
    },
    "enabled": {

labels_editing_warning_for_enforcement_mode

In releases 23.2.10 and 23.4, a new value for the required property name was added: labels_editing_warning_for_enforcement_mode, an optional feature flag for label editing.

To enable or disable this flag, use the following CURL command:

curl -u ${your_api_key}:${your_api_secret} -H "Content-Type: application/json" -X PUT -d '[{"name":"labels_editing_warning_for_enforcement_mode","enabled":true}]' https://${your_pce_server}:8443/api/v2/orgs/${your_org_id}/optional_features
windows_outbound_process_enforcement

In release 23.5, an optional feature flag for the Windows outbound process was added: windows_outbound_process_enforcement.

This feature flag can be enabled or disabled using the following CURL command:

curl -u ${your_api_key}:${your_api_secret} -H "Content-Type: application/json" -X PUT -d '[{"name":"windows_outbound_process_enforcement","enabled":true}]' https://${your_pce_server}:8443/api/v2/orgs/${your_org_id}/optional_features

where the request body sets either "enabled":true or "enabled":false.

container_cluster_label_set_based_kubernetes_workload_instructions

This flag is enabled by default at the organization level.

When enabled, the PCE uses policy de-duplication for Kubernetes workloads in CLAS Container Clusters: it calculates only one workload instruction for all Kubernetes workloads that share the same set of labels.

This reduces the number of calculated instructions in production by 70-95%, depending on the customer.

hybrid_policy

The property hybrid_policy activates the feature flag of the same name.

"properties": {
          "name": {
            "description": "Name of the feature",
            "type": "string",
            "enum": [
              "ip_forwarding_firewall_setting",
              "ui_analytics",
              "illumination_classic",
              "ransomware_readiness_dashboard",
              "per_rule_flow_log_setting",
              "lightning_default",
              "collector_scanner_filters",
              "corporate_ips_groups",
              "labels_editing_warning_for_enforcement_mode",
              "label_based_network_detection",
              "cloudsecure_enabled",
              "windows_outbound_process_enforcement",
              "rule_based_label_mapping",
              "core_insights",
              "rule_info_exposure_to_syslog",
              "hybrid_policy",
              "container_cluster_label_set_based_kubernetes_workload_instructions"

To see more details about using the feature flag hybrid_policy, see Hybrid Policy in the document What's New in release 25.2.10.

After hybrid policies are enabled, your on-premises and applicable cloud networks can use non-overlapping private IP subnets. Any policies between on-premises and cloud workloads are distributed to the appropriate on-premises workloads and cloud resources.

Hybrid policy support is available only to applicable customers.

container_cluster_label_set_based_kubernetes_workload_instructions

This parameter is enabled by setting the Helm chart flag policyLabelSetEnable to true.

For label-based rules, workload instructions calculate unique label sets only once.

This new parameter reduces overall policy calculation time by eliminating redundant calculations.