Traffic

This topic describes the purpose of the Illumio CloudSecure traffic feature, found in the Cloud > Explore menu, and provides a general example of how you would use it. For instructions on how to use the search function in the Traffic page, see Search Traffic.

The Traffic page lets you view denied and allowed flows in a table. Click a table row to see more details about the source and destination of the flow, such as IP addresses, account IDs, labels, categories, and resource types.

Supported Resource Types

See Traffic Supported Resources. For a list of resources against which you can write policy, see Resources that Support Policy.

Exporting Traffic Lists

  1. Click Export to export the traffic data.
  2. Edit the report name, select a time range, and select the format.
  3. Click Save when done.
  4. Go to the Reports page to download the exported report.

Click the down arrow and select View All Reports to go to the Reports page and download the exported traffic list (report).

Limitations for Displaying Traffic

The list in the Traffic page displays only 10,000 results. This display limit is not configurable; Illumio set it to provide optimal page display performance.

Because collection of flows starts from the current day, you may see only the most recent 10,000 flows, irrespective of the earliest time you select. For example, if the current day already has 10,000 flows, then irrespective of your time selection (such as the last 7 or 14 days), the page shows only the first 10,000 flows from the current day.

CloudSecure does not display your traffic in any specific order. When you don't filter your traffic, the page typically displays the most recent 10,000 results. To retrieve data about traffic that isn't initially displayed in the unfiltered list, filter your traffic list.

Note that traffic records older than 90 days are automatically removed.

Generating Risk Reports

This is an overview of the Risk Report feature. For instructions on generating a Risk Report, see the in-application help on the Traffic page. For a list of services that Illumio considers to be at risk, see Risky Services. The Risk Report tab lets you download a .PDF report summarizing the following at the account/subscription level:

  • Total count of ransomware-susceptible traffic flows
  • Total count of resources in your cloud environment affected by such flows

Before you click Download, you can toggle to include or exclude the following details from the report:

  • Top Sources/Destinations
  • Top Conversations

You can also select the time frame and whether to sort by byte count or flow count.

When generating the report, CloudSecure reviews your traffic against a list of services that are susceptible to ransomware attacks. It provides an executive summary. If it finds any susceptible services, it displays the following details:

  • An Onboarded Account Summary table, containing the following columns:
    • Cloud
    • Number of Accounts with Risk
    • Number of Accounts
  • An Observed Risky Activities Summary table, containing the following columns:
    • Service
    • Port
    • Protocol
    • Severity
    • Active Accounts
  • A Ransomware Risky Services Detected table for each at-risk service, with the following columns:
    • Account, tallying all accounts identified as affected by the risk
    • Flow Count, tallying all traffic flows identified as affected by the risk
    • Byte Count, tallying the volume identified as affected by the risk
    • Resource Count, tallying all resources identified as affected by the risk
  • If enabled, a Top Sources By Flow/Byte Count table for each service, with the following columns:
    • Top Sources By Flow/Byte count, ordering all sources identified as affected by the risk
    • CSP Resource ID
    • Account
    • Flow Count, tallying all traffic flows identified as affected by the risk
    • Byte Count, tallying the volume identified as affected by the risk
    • Origin, indicating if the risk is external or internal
  • If enabled, a Top Destinations By Flow/Byte Count table for each account, with essentially the same columns as the top sources tables
  • If enabled, a Top Conversation Flow/Byte Count table for each account, with essentially the same columns as the top sources/top destinations tables

If CloudSecure does not find any of your traffic in the list of services it considers risky, it displays a Ransomware Risky Services Not Detected section, containing a table with the following details:

  • Heading row, containing the following columns:
    • Severity
    • Service
    • Port
    • Protocol
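
The tallying that the Risk Report describes can be reproduced over your own flow records. The following is an added example, not Illumio's code: it matches flows against a service list and produces the per-service account, flow, byte and resource counts, plus a top-sources ranking sortable by flow or byte count. The service list, severities, field names and sample flows are constructed assumptions; they are not the Risky Services list or the CloudSecure export schema.

```python
from collections import defaultdict

# ASSUMPTION: constructed stand-in list, NOT Illumio's Risky Services list.
RISKY_SERVICES = {(3389, "TCP"): ("RDP", "Critical"),
                  (445, "TCP"): ("SMB", "Critical"),
                  (23, "TCP"): ("Telnet", "High")}

# Constructed sample flows; field names are hypothetical, not the export schema.
SAMPLE_FLOWS = [
    {"account": "acct-a", "src": "vm-web-1", "dst": "vm-db-1", "port": 3389, "proto": "tcp", "bytes": 1200},
    {"account": "acct-a", "src": "vm-web-1", "dst": "vm-db-2", "port": 3389, "proto": "tcp", "bytes": 300},
    {"account": "acct-b", "src": "vm-app-7", "dst": "vm-db-1", "port": 3389, "proto": "tcp", "bytes": 9000},
    {"account": "acct-b", "src": "vm-app-7", "dst": "fs-1", "port": 445, "proto": "tcp", "bytes": 50},
    {"account": "acct-a", "src": "vm-web-1", "dst": "lb-1", "port": 443, "proto": "tcp", "bytes": 7000},
]

def _risky(flow):
    """Return the (port, protocol) key if the flow matches a listed service, else None."""
    key = (int(flow["port"]), flow["proto"].upper())
    return key if key in RISKY_SERVICES else None

def summarize_risky_flows(flows, sort_by="flow_count"):
    """One row per detected service with account, flow, byte and resource tallies."""
    acc = defaultdict(lambda: {"accounts": set(), "resources": set(), "flows": 0, "bytes": 0})
    for f in flows:
        key = _risky(f)
        if key is None:
            continue  # e.g. 443/TCP is not on the list and is ignored
        row = acc[key]
        row["accounts"].add(f["account"])
        row["resources"].update((f["src"], f["dst"]))  # assumption: both endpoints count
        row["flows"] += 1
        row["bytes"] += int(f["bytes"])
    rows = [{"service": RISKY_SERVICES[k][0], "port": k[0], "protocol": k[1],
             "severity": RISKY_SERVICES[k][1], "active_accounts": len(r["accounts"]),
             "flow_count": r["flows"], "byte_count": r["bytes"],
             "resource_count": len(r["resources"])} for k, r in acc.items()]
    return sorted(rows, key=lambda r: r[sort_by], reverse=True)

def top_sources(flows, port, proto, sort_by="flow_count", n=3):
    """Rank sources of one risky service by flow count or byte count."""
    acc = defaultdict(lambda: {"flow_count": 0, "byte_count": 0})
    for f in flows:
        if _risky(f) == (port, proto):
            acc[(f["src"], f["account"])]["flow_count"] += 1
            acc[(f["src"], f["account"])]["byte_count"] += int(f["bytes"])
    ranked = sorted(acc.items(), key=lambda kv: kv[1][sort_by], reverse=True)
    return [{"source": s, "account": a, **c} for (s, a), c in ranked[:n]]
```

Call `summarize_risky_flows(SAMPLE_FLOWS)` for the per-service rows; an empty result corresponds to the case where no listed service appears in the traffic.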