Getting Started with the Illumio Console

Insights into Risky Ports

The Illumio Platform now provides insights into Risky Ports across your network. The Risky Ports insight helps network administrators identify and analyze traffic flows that have been detected on risky ports between IP Lists on the network. Use these insights to proactively manage and mitigate potential security risks by having detailed visibility into the source, destination, traffic volume, and other details of traffic on these ports.

Launching Risky Ports Insights

  1. From Home, click Insights.

  2. From the carousel, click the Traffic on Risky Ports tile.

    Risky port traffic is shown in a summary table.

Risky Ports Summary Table

The risky ports table summarizes an aggregate of active risky ports, initially sorted by the amount of traffic flow that changed over the time period or periods shown next to the table heading. Aggregated flows are based on IP Lists, which can include any lists you have defined.

New customers will have default IP Lists of "Corporate Network" (as defined in RFC 1918) and "Multicast." These default IP Lists provide quick time-to-value by capturing any traffic on Risky Ports, even if a new customer has not defined any custom IP Lists yet.

By default, traffic is collected over the most recent seven-day period, aggregated, analyzed, and then characterized by risk.

You can also compare traffic that was analyzed between two timeframes. For example, compare traffic observed during an Aug 4 - Aug 10 timeframe with traffic observed during a July 28 - August 3 timeframe. The change in traffic between the two timeframes is shown as a percentage next to the aggregated amounts.

Change timeframes by clicking on a date range shown next to the table heading, and in the popup menu select the desired timeframe. Also use this menu to filter results by other characteristics, such as Traffic Type, Source, Destination, or Port/Protocol.

Traffic is shown in table columns:

  • Traffic Type - Shows status of the aggregated traffic: Allowed, Blocked, or Mixed

  • Source - Based on defined IP List

  • Destination - Based on defined IP List

  • Services - Risky ports and protocols listed here are those defined under the Policies menu, which are also used by the Ransomware dashboard.

  • Flows - Total count of flows, both in and out between Source and Destination. If two timeframes are defined, the percentage change that occurred over the specified time periods is also shown here.

  • Bytes - Total count of bytes, both in and out between Source and Destination. If two timeframes are defined, the percentage change that occurred over the specified time periods is also shown here.

By default, traffic is sorted by Flow amount (most to least), which you can change. Alternatively, you can sort by Traffic Type or Bytes.

Caveats

  • “No Rule” ports are shown in this Insight as an “Allowed” Traffic Type.
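The following Python script is an added example, not Illumio code, that models how the summary table above is derived: flows are kept only when both endpoints fall inside an IP List and the port/protocol is on the risky services list, then grouped by Source list, Destination list and Service, classified as Allowed, Blocked or Mixed (with "No Rule" counted as Allowed, per the caveat), totalled by flows and bytes, and compared against a previous period as a percentage change. The IP Lists, the risky service list, the flow record fields and the sample flows are all constructed for illustration; the real risky services come from the Policies menu in the console.

```python
"""Constructed model of the Risky Ports summary table (added example; not Illumio code).

Assumptions: each flow record carries source/destination IPs, port, protocol, a policy
decision ("allowed", "blocked" or "no_rule"), a byte count and a period label. The IP
Lists and risky services below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed IP Lists. "Corporate Network" follows RFC 1918 as the page states.
IP_LISTS = {
    "Corporate Network": [ipaddress.ip_network(n) for n in
                          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "Multicast": [ipaddress.ip_network("224.0.0.0/4")],
}

# Constructed risky services, keyed by (port, protocol). In the console these are
# defined under the Policies menu; this list is an assumption for the example.
RISKY_SERVICES = {(3389, "tcp"): "3389 TCP", (445, "tcp"): "445 TCP", (23, "tcp"): "23 TCP"}


@dataclass
class Flow:
    src: str
    dst: str
    port: int
    proto: str
    decision: str   # "allowed", "blocked" or "no_rule"
    nbytes: int
    period: str     # "current" or "previous"


def ip_list_for(ip):
    """Return the name of the first IP List containing ip, or None if no list matches."""
    addr = ipaddress.ip_address(ip)
    for name, nets in IP_LISTS.items():
        if any(addr in net for net in nets):
            return name
    return None


def traffic_type(decisions):
    """Collapse the set of policy decisions in a group into the table's Traffic Type."""
    # Caveat from the page: "No Rule" traffic is reported as Allowed.
    normalized = {"allowed" if d == "no_rule" else d for d in decisions}
    if normalized == {"allowed"}:
        return "Allowed"
    if normalized == {"blocked"}:
        return "Blocked"
    return "Mixed"


def aggregate(flows, period):
    """Group one period's risky-port flows by (source list, destination list, service)."""
    groups = defaultdict(lambda: {"flows": 0, "bytes": 0, "decisions": set()})
    for f in flows:
        if f.period != period:
            continue
        service = RISKY_SERVICES.get((f.port, f.proto))
        src_list, dst_list = ip_list_for(f.src), ip_list_for(f.dst)
        if service is None or src_list is None or dst_list is None:
            continue  # not a risky port, or an endpoint outside every IP List
        g = groups[(src_list, dst_list, service)]
        g["flows"] += 1
        g["bytes"] += f.nbytes
        g["decisions"].add(f.decision)
    return groups


def pct_change(current, previous):
    """Percentage change between periods; None when there is no baseline to compare."""
    if previous == 0:
        return None
    return round((current - previous) / previous * 100, 1)


def summary_table(flows, sort_by="flows"):
    """Build the table rows for the current period, with change vs. the previous period."""
    current, previous = aggregate(flows, "current"), aggregate(flows, "previous")
    rows = []
    for key, g in current.items():
        prev = previous.get(key, {"flows": 0, "bytes": 0})
        src, dst, service = key
        rows.append({
            "traffic_type": traffic_type(g["decisions"]),
            "source": src, "destination": dst, "service": service,
            "flows": g["flows"], "flows_change_pct": pct_change(g["flows"], prev["flows"]),
            "bytes": g["bytes"], "bytes_change_pct": pct_change(g["bytes"], prev["bytes"]),
        })
    # Default view: most to least; sort_by may also be "bytes" or "traffic_type".
    rows.sort(key=lambda r: r[sort_by], reverse=True)
    return rows


# Constructed sample flows covering two periods, all within the Corporate Network.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "10.2.2.9", 3389, "tcp", "allowed", 4000, "current"),
    Flow("10.1.1.6", "10.2.2.9", 3389, "tcp", "no_rule", 6000, "current"),
    Flow("10.1.1.7", "10.2.2.9", 3389, "tcp", "allowed", 2000, "previous"),
    Flow("192.168.5.5", "10.9.9.9", 445, "tcp", "blocked", 500, "current"),
    Flow("192.168.5.6", "10.9.9.9", 445, "tcp", "allowed", 1500, "current"),
    Flow("192.168.5.9", "10.9.9.9", 445, "tcp", "blocked", 500, "current"),
    Flow("192.168.5.7", "10.9.9.9", 445, "tcp", "blocked", 1000, "previous"),
    Flow("192.168.5.8", "10.9.9.9", 445, "tcp", "blocked", 1000, "previous"),
    Flow("10.1.1.5", "8.8.8.8", 23, "tcp", "allowed", 100, "current"),    # dst in no IP List
    Flow("10.1.1.5", "10.2.2.9", 443, "tcp", "allowed", 100, "current"),  # not a risky port
]

if __name__ == "__main__":
    for row in summary_table(SAMPLE_FLOWS):
        print(row)
```

Running the script prints two rows: the 445 TCP row first (three current flows, Mixed because the group holds both blocked and allowed decisions, +50% flows and +25% bytes against the previous period), then the 3389 TCP row (two current flows, Allowed even though one of them had no matching rule, +100% flows and +400% bytes). The flow to 8.8.8.8 and the flow on port 443 are dropped before aggregation, which is the behaviour a practitioner should expect when an endpoint is outside every IP List or a port is not on the risky services list.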