Release Notes for Illumio Console 24.21
These release notes describe the new features and known limitations for Illumio 24.21.x releases.
Note
Illumio Console 24.21.0 is available for Illumio Cloud customers only.
Product Version
PCE Version: 24.21.0 (Illumio Cloud customers only)
What's New in This Release
Illumio Console is the integration of the Illumio Core and Cloud products into the same platform. Now, with the right user permissions, you can access features of two Illumio products in one unified UI. The features of Cloud are available in the Cloud menu, and the features of Core are available in the Servers & Endpoints menu.
The following new features were added in Illumio Console 24.21.0:
Policy is a new section in the left navigation. The Policy section replaces Rules and Rulesets in the left navigation. The Policies page differs from Rulesets and Rules in the following ways:
Rule types appear in a list when you click Add Rule.
All rule types can now be added from a single page.
You can add and view Override Deny rules (see Override Deny Rules).
Rule types are listed in the order of their precedence.
Scope types are listed in a Scope category when you choose Allow Rule.
Override Deny Rules
Note
Override Deny rules require VEN release 22.3.0 or later.
Deny and Override Deny rules are implicitly Intra-Scope rules.
Extra-Scope deny rules are not supported currently.
This release introduces Override Deny rules. These are "without exception" deny rules that have precedence over all other types of rules and can't be overridden. Use Override Deny rules to block communication that should always be blocked. For example, if an administrator in your organization creates an Allow rule that would permit communication that should always be denied, having an Override Deny rule in place denying that communication serves as a safeguard.
Override Deny rules provide an additional type of granular control for blocking network traffic, helping to ensure that only explicitly authorized communications are permitted. They block traffic with a type of Deny rule that can't be overridden. They can be used in scoped and un-scoped rulesets. They impact the calculation of ransomware protection coverage and V-E scores.
Support the Rule Hit Count
Support compliance with stringent regulatory requirements by enforcing the principle of least privileged access. For example, suppose you want to block all traffic between your Production and Development environments except over Splunk-data (9997 TCP) (existing capability). Additionally, you want to block all traffic between all workloads over SSH with no exceptions possible (highest precedence; new capability with this release). Add a Deny rule specifying Production as the source and Development as the destination, blocking all services. Add an Allow rule specifying the same source and destination, permitting traffic over Splunk-data (9997 TCP). Add an Override Deny rule blocking all traffic between all workloads over SSH. Because this rule type has the highest precedence, it can't be overridden by an Allow rule.
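The scenario above can be checked with a small precedence model. This is an added example, not Illumio's own policy engine: it assumes Override Deny beats Allow, Allow beats Deny, and that a flow with no matching rule is denied (enforced workloads); SSH is assumed to be 22/TCP, and the final Allow rule for SSH is constructed only to show that the Override Deny rule still wins.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed precedence model of the release notes' example policy (not Illumio code).
OVERRIDE_DENY, ALLOW, DENY = "override_deny", "allow", "deny"
PRECEDENCE = [OVERRIDE_DENY, ALLOW, DENY]  # assumption: first rule type in this order that matches wins


@dataclass(frozen=True)
class Rule:
    kind: str
    src: Optional[str]    # environment label; None means any workload
    dst: Optional[str]
    port: Optional[int]   # None means all services
    proto: Optional[str]

    def matches(self, src: str, dst: str, port: int, proto: str) -> bool:
        return ((self.src is None or self.src == src)
                and (self.dst is None or self.dst == dst)
                and (self.port is None or self.port == port)
                and (self.proto is None or self.proto == proto))


def evaluate(rules: List[Rule], src: str, dst: str, port: int, proto: str) -> Tuple[str, Optional[Rule]]:
    """Return (verdict, winning_rule). Verdict is 'allow' or 'deny'."""
    for kind in PRECEDENCE:
        for rule in rules:
            if rule.kind == kind and rule.matches(src, dst, port, proto):
                return ("allow" if kind == ALLOW else "deny"), rule
    return "deny", None  # assumption: default deny when nothing matches


# The three rules from the example, plus a constructed mistaken Allow for SSH.
POLICY = [
    Rule(DENY, "Production", "Development", None, None),          # block all Prod -> Dev
    Rule(ALLOW, "Production", "Development", 9997, "tcp"),        # except Splunk-data
    Rule(OVERRIDE_DENY, None, None, 22, "tcp"),                   # SSH blocked everywhere
    Rule(ALLOW, "Production", "Development", 22, "tcp"),          # constructed: should never take effect
]


def decide(src: str, dst: str, port: int, proto: str, rules: List[Rule] = POLICY) -> str:
    return evaluate(rules, src, dst, port, proto)[0]


if __name__ == "__main__":
    for flow in [("Production", "Development", 9997, "tcp"),
                 ("Production", "Development", 443, "tcp"),
                 ("Production", "Development", 22, "tcp"),
                 ("Development", "Production", 22, "tcp")]:
        verdict, rule = evaluate(POLICY, *flow)
        print(flow, "->", verdict, "via", rule.kind if rule else "default deny")
```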
UI improvements in Release 24.2.0+UI2
This release provides user interface updates for Extra-Scope and Intra-Scope rules.
The separate tabs that contained Intra-Scope and Extra-Scope options in previous releases are removed and a new column called Scope Type appears in the Allow rules section of the Policies page.
Extra-Scope and Intra-Scope rules occupy different sections within Allow Rules, separated by a grey line. You can move rules up or down but only within their respective section.
Extra-Scope rules are now distinguished by an icon.
Rule Hit Count for Illumio Core SaaS
Beginning with this release, the Rule Hit Count feature is now available for Illumio Core SaaS customers (requires VEN 23.2.30 or later).
You can add a Rule Hit Count Report through the PCE UI or through the Illumio REST API.
The Rule Hit Count Report provides the following:
Policy Compliance: Generate a Rule Hit Count Report to provide evidence that security controls are in place and working effectively, demonstrating compliance to auditors.
Redundancy Removal: Identify unused or less-used rules so you can remove or modify them to reduce redundancy and clutter in your implementation.
Troubleshooting: When network issues arise, identify the rules that were in effect during the relevant traffic flow, allowing you to resolve problems faster and more efficiently.
The PCE and VENs require enablement through the Illumio REST API. For details and limitations, see About Reports.
Policy is a new section in the left navigation
The Policy section replaces Rules & Rulesets in the left navigation.
Note
For now, the stand-alone Deny Rules page still appears in the left navigation but it's slated to be deprecated in a future release. If your Core instance was upgraded to release 24.2.x, Illumio recommends that you migrate your Deny rules from the Deny Rules page to the Policies page and add Deny Rules from the Policies page from now on.
Get the 24.21 Documentation
The Illumio documentation portal, docs.illumio.com, is undergoing major updates for the introduction of Illumio Console. The integration of two products under this new UI requires major revisions, which are underway. Until this effort is complete, please keep the following in mind when consulting documentation on docs.illumio.com.
Illumio Console 24.21 is not yet available in the Versions dropdown menu on the Illumio documentation portal. You can access Illumio Core 24.21 documentation in PDF format on the Core documentation home page for version 24.2, https://docs.illumio.com/core/24.2/Content/Home.htm, or click the links below:
These Release Notes
REST API Developer Guide
Illumio Console Open Source Software and Third Party Software Notices
Illumio Core Open Source Software and Third Party Software Notices
Only these documents contain changes for Illumio Core 24.21. For all other topics, you can continue to use the published documentation for Core 24.2.
Resolved Issues in Release 24.21.0
Known Issues in Release 24.21.0
These known issues were reported previously in 24.12:
Refused to connect to the support portal with segmentation templates > sign in (E-113084)
Clicking on segmentation templates -> sign in the support portal returns an error. Workaround: none.
Standalone PCE not starting up after service_discovery_encryption_key change (E-104880)
Workaround: none.
Removal of inactive accounts ignores API use (E-103316)
User accounts that have been inactive for more than 90 days are removed automatically. However, the active status is determined based only on whether the account has logged in to the web console UI. If the account is used only to issue API requests, it is counted as inactive and removed after 90 days.
Updating max results in Illumination Plus (10K) updates the Explorer max results (E-102742)
The maximum connection number in Explorer gets updated to the same maximum number as the update in Illumination Plus. However, the maximum number in Illumination Plus is 10,000, while in Explorer, it is 100,000.
Workaround: Update the max results setting in Explorer to get more than 10K results.
Secure Connect only logs the "E" on the destination (E-101229)
Works as designed. There is no way to tell whether Secure Connect is in the egress path.
Windows 11 shows as Windows 10 on the workload/VEN page (E-100844)
Workaround: none.
Flow timestamp incorrect in Explore Map for inbound-only or outbound-only reported flows (E-96595)
The flow timestamp shown in the Explore Map for Servers and Endpoints is unreliable for ingress- or egress-only reported flows.
Workaround: none.