Getting Started with the Illumio Console

Release Notes for Illumio Console 24.21

These release notes describe the new features and known limitations for Illumio 24.21.x releases.

Note

Illumio Console 24.21.0 is available for Illumio Cloud customers only.

Product Version

PCE Version: 24.21.0 (Illumio Cloud customers only)

What's New in This Release

Illumio Console is the integration of the Illumio Core and Cloud products into the same platform. Now, with the right user permissions, you can access features of two Illumio products in one unified UI. The features of Cloud are available in the Cloud menu, and the features of Core are available in the Servers & Endpoints menu.

The following new features were added in Illumio Console 24.21.0:

Rule Hit Count for Illumio Core SaaS

Beginning with this release, the Rule Hit Count feature is available for Illumio Core SaaS customers. (Requires VEN 23.2.30 or later.)

You can add a Rule Hit Count Report through the Console UI or through the Illumio REST API.

The Rule Hit Count Report provides the following:

  • Policy Compliance: Generate a Rule Hit Count Report to provide evidence that security controls are in place and working effectively, demonstrating compliance to auditors.

  • Redundancy Removal: Identify unused or less-used rules so you can remove or modify them to reduce redundancy and clutter in your implementation.

  • Troubleshooting: When network issues arise, identify the rules that were in effect during the relevant traffic flow, allowing you to resolve problems faster and more efficiently.

Rule Hit Count must be enabled on the PCE and the VENs through the Illumio REST API. For details and limitations, see Rule Hit Count Report.

Policy is a new section in the left navigation

The Policy section replaces Rules & Rulesets in the left navigation.

Note

For now, the stand-alone Deny Rules page still appears in the left navigation but it's slated to be deprecated in a future release. If your Core instance was upgraded to release 24.2.x, Illumio recommends that you migrate your Deny rules from the Deny Rules page to the Policies page and add Deny Rules from the Policies page from now on.

The Policies page differs from Rulesets and Rules in the following ways:

  • Rule types appear in a list when you click Add Rule.

  • All rule types can now be added from a single page.

  • You can add and view Override Deny rules (see Override Deny Rules).

  • Rule types are listed in the order of their precedence.

  • Scope types are listed in a Scope category when you choose Allow Rule.

Override Deny Rules

Note

  • Override Deny rules require VEN release 22.3.0 or later.

  • Deny and Override Deny rules are implicitly Intra-Scope rules. Extra-Scope deny rules are not supported currently.

This release introduces Override Deny rules. These are "without exception" deny rules that have precedence over all other types of rules and can't be overridden. Use Override Deny rules to block communication that should always be blocked. For example, if an administrator in your organization creates an Allow rule that would permit communication that should always be denied, having an Override Deny rule in place denying that communication serves as a safeguard. Override Deny rules:

  • Provide an additional type of granular control for blocking network traffic, helping to ensure that only explicitly authorized communications are permitted.

  • Block traffic with a type of Deny rule that can't be overridden.
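The precedence described above, as an added example (not Illumio code and not the PCE's evaluation logic): a simplified Python model that decides a flow by rule type and reports Allow rules that an Override Deny overrules. It assumes an ordinary Deny loses to a matching Allow, that unmatched traffic is blocked, and that one string label per side is enough; it ignores scopes, and every rule name, label and port is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Highest precedence first. Assumptions of this model (not stated in full on the
# page): an ordinary Deny loses to a matching Allow; unmatched traffic is blocked.
PRECEDENCE = ("override_deny", "allow", "deny")

@dataclass(frozen=True)
class Rule:
    name: str
    kind: str             # one of PRECEDENCE
    src: str              # source label, "*" matches any
    dst: str              # destination label, "*" matches any
    port: Optional[int]   # None matches any port

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src in ("*", src) and self.dst in ("*", dst)
                and self.port in (None, port))

def decide(rules, src, dst, port):
    """Return (verdict, name of the deciding rule or None) for one flow."""
    for kind in PRECEDENCE:
        for rule in rules:
            if rule.kind == kind and rule.matches(src, dst, port):
                return ("allowed" if kind == "allow" else "blocked"), rule.name
    return "blocked", None

def shadowed_allows(rules, flows):
    """List (allow rule, override deny rule, flow) where a matching Allow is overruled."""
    kinds = {r.name: r.kind for r in rules}
    found = []
    for flow in flows:
        _, winner = decide(rules, *flow)
        if winner is not None and kinds[winner] == "override_deny":
            found += [(r.name, winner, flow) for r in rules
                      if r.kind == "allow" and r.matches(*flow)]
    return found

# Constructed sample policy and flows (hypothetical names, labels and ports).
POLICY = [Rule("deny-telnet", "deny", "*", "*", 23),
          Rule("allow-admin-telnet", "allow", "admin", "db", 23),
          Rule("never-rdp-to-db", "override_deny", "*", "db", 3389),
          Rule("allow-admin-rdp", "allow", "admin", "db", 3389)]
FLOWS = [("admin", "db", 23), ("web", "db", 23),
         ("admin", "db", 3389), ("web", "db", 5432)]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, decide(POLICY, *flow))
    print("shadowed:", shadowed_allows(POLICY, FLOWS))
```

An Allow rule listed by `shadowed_allows` is a candidate for review: either the Allow is a mistake that the Override Deny caught, or the Override Deny is broader than intended.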

Known Issues in Release 24.21.0

These known issues were reported previously in 24.12:

  • Refused to connect to the support portal with segmentation templates > sign in (E-113084)

    Clicking on segmentation templates -> sign in the support portal returns an error. Workaround: none.

  • Standalone PCE not starting up after service_discovery_encryption_key change (E-104880)

    Workaround: none.

  • Removal of inactive accounts ignores API use (E-103316)

    User accounts that have been inactive for more than 90 days are removed automatically. However, the active status is determined based only on whether the account has logged in to the web console UI. If the account is used only to issue API requests, it is counted as inactive and removed after 90 days.

  • Updating max results in Illumination Plus (10K) updates the Explorer max results (E-102742)

    The maximum connection number in Explorer gets updated to the same maximum number as the update in Illumination Plus. However, the maximum number in Illumination Plus is 10,000, while in Explorer, it is 100,000.

    Workaround: Update the max results setting in Explorer to get more than 10K results.

  • Secure Connect only logs the "E" on the destination (E-101229)

    Works as designed. There is no way to tell whether Secure Connect is in the egress path.

  • Windows 11 shows as Windows 10 on the workload/VEN page (E-100844)

    Workaround: none.

  • Flow timestamp incorrect in Explore Map for inbound-only or outbound-only reported flows (E-96595)

    The flow timestamp shown in the Explore Map for Servers and Endpoints is unreliable for ingress- or egress-only reported flows.

    Workaround: none.