Explorer
Explorer queries are used to search and analize PCE traffic flows.
The Public Experimental APIs search and analyze PCE traffic flows for auditing, reporting, and troubleshooting. You can search for traffic flows between workloads or hosts, labeled workloads, or IP addresses, and you can restrict the search by specific port numbers and protocols.
There are two APIs for the traffic flows search:
Traffic Analysis Queries
This was the basic traffic analyzer for queries that is deprecated
Functionality | HTTP | URI |
---|---|---|
Search the PCE traffic data database to discover traffic patterns and write policy. |
POST
|
|
Asynchronous Queries for Traffic Flows
, which has an additional parameter, query_name
, and the max-results
limit is raised from 100,000 to
200,000.Request Parameters for POST
The following table describes the request parameters for POST [api_version][org_href]/traffic_flows/traffic_analysis_queries
.
Property | Description | Type | Req |
---|---|---|---|
start_date
|
Starting date for the query. If left empty, the default interpretation is “today,” which is “now” minus 24 hours. |
Date-time string ( YYYY-MM-DDTHH:MM:SS ) |
Yes |
end_date
|
Ending date for the query. If left empty, the default interpretation is “today,” which is “now” plus 24 hours. |
Data-time string ( YYYY-MM-DDTHH:MM:SS ) |
Yes |
sources
|
Source labels, workloads, or IP addresses The response can contain up to 50 matching The response returns Sub-properties:
|
Array of JSON objects |
Yes
No
|
destinations
|
Target labels, workloads, or IP addresses to The response returns Required sub-properties:
|
Array of JSON objects |
Yes
Yes Yes |
services |
Services (5-tuple of port/to_port/proto/process/service) to include or exclude Required properties:
Additional properties:
|
Yes Yes
No |
|
policy_decisions
|
Allows you to filter the query based on
|
Array of strings | Yes |
max_results
|
Maximum number of flows to return | Integer | No |
exclude_workloads_from_ip_list_query
|
Exclude workload traffic when IP List is provided either in consumer or provider part of the traffic query |
Boolean |
Default is: true |
Response Properties
Property | Description | Required/Type |
---|---|---|
src
|
Workloads (
|
Required
|
dst
|
Workloads (
|
Required String JSON list of strings |
service
|
Port, protocol, process, service name and user_name of this flow Additional required properties:
|
Required, Object
Integer Integer String String String |
num_connections
|
Number of traffic flows reported in the connection. | Required, Integer |
policy_decisions
|
If there is a rule in place for the returned traffic data, this property indicates the policy decision for the flow. Indicates if the traffic flow was allowed, potentially blocked (but allowed), or blocked.
|
Required, String |
flow_direction
|
Flow direction is inbound or outbound. | Required, String |
transmission
|
Transmission type is broadcast or multicast. | Not required, String |
timestamp_range
|
The time range during which the flows were reported in date-time format. Includes both of these sub-properties:
|
Required, String |
state
|
State of the flow, which can be one of the following values:
|
Not required, String |
dst_bo
|
Bytes sent till now by the destination over the flow during the interval | Integer |
dst_bi
|
Bytes received till now by the destination over the flow during the interval | Integer |
icmp_type
|
ICMP type for the flow | Integer |
icmp_code
|
ICMP code for the flow | Integer |
Example Explorer Search
One preliminary method of creating policy is to make sure that different datacenter environments are segmented from each other, such as separating development and testing environments from production environments. Before writing policy rules to allow or block this traffic, determine if there are any traffic flows between them.
With Explorer, you can ask the PCE:
Were there any traffic flows between my development and production environments, over any port besides port 80, excluding any Workloads that have a "Domain Controller" role label?
To construct this query, specify the following information:
sources
: In the JSON request,include
the HREF of the “Development” environment label andexclude
the HREF of the “Domain Controller” role label.targets
: In the JSON request,include
the HREF of the “Production” environment label andexclude
any workloads that do not have a role label assigned to them.ports
: Search for traffic over any port except port 80.
Request Body
{
"sources": {
"include": [
[
{
"label": {
"href": "/orgs/45/labels/7",
/* HREF of an environment label named Development. */
}
}
]
],
"exclude": [
{
"label":{
"href": "/orgs/45/labels/45",
/* HREF of an role label named Domain Controller. */
}
}
]
},
"destinations": {
"include":[
[
{
"label": {
"href": "/orgs/45/labels/8",
/* HREF of an environment label named Production. */
}
}
]
],
"exclude": [
{
"label": {
"href": "/orgs/45/labels?key=role&exists=false"
/* Exclude any workloads that have no role labels defined. */
}
}
]
},
"services": {
"include": [
[
{
"port": "21"
/* Include port number 21 for TCP traffic. */
},
{
"proto": "6"
/* Include TCP number. */
}
]
],
"exclude": [
[
{
"port": "5"
/* Exclude port number 5 for UDP traffic. */
},
{
"proto": "17"
/* Exclude UDP protocol identified by number. */
}
]
]
},
"policy_decision": [
{
"allowed", "blocked"
},
]
},
}
Curl Command to Search Traffic Data with Explorer
curl -i -X POST https://pce.my-company.com:8443/api/v2/orgs/7/traffic_flows/traffic_analysis_queries -H "Content-Type: application/json" -u $KEY:$TOKEN -T explorer-example.json
The above command is listing contents of explorer-example.json
to specify the query.
The example should be similar to the following:
explorer-example.json
{
"sources": {
"include": [
[
{
"label": {
"href": "/orgs/1/labels/20"
}
}
]
],
"exclude": [
{
"label": {
"href": "/orgs/1/labels/21"
}
}
]
},
"destinations": {
"include": [
[
{
"label": {
"href": "/orgs/1/labels/202"
}
}
]
],
"exclude": [
{
"label": {
"href": "/orgs/1/labels/205"
}
}
]
},
"services": {
"include": [
{
"port": 80
}
],
"exclude": [
{
"port": 888
}
]
},
"policy_decisions": ["allowed"],
"max_results": 2
}
Response
The response shows that there is a single traffic flow between your Development and Production Environment, the consumer of which is a workload identified by its IP address and labels, communicating with an unidentified IP address on TCP (number 6) over port 80.
{
"src": {
"ip": "10.2.3.161",
"workload": {
"href": "/orgs/1/workloads/3a5f2482-1188-4449-b035-0c7880486a4f",
"hostname": "jorge-test-client5",
"name": null,
"os_type": linux,
"labels": [{
"href": "/orgs/1/labels/144",
"key": "app",
"value": "test_app_1"
},
{
"href": "/orgs/1/labels/143",
"key": "role",
"value": "test_access_1"
}]
}
},
"dst": {
"ip": "10.2.3.165",
"workload": {
"href": "/orgs/1/workloads/87a10385-7466-488f-bce4-899de08974a0",
"hostname": "jorge-test-server-4",
"name": null,
"os_type": linux,
"labels": [{
"href": "/orgs/1/labels/145",
"key": "app",
"value": "test_app_2"
}, {
"href": "/orgs/1/labels/151",
"key": "env",
"value": "test_env_2"
}, {
"href": "/orgs/1/labels/149",
"key": "loc",
"value": "test_place_1"
}, {
"href": "/orgs/1/labels/143",
"key": "role",
"value": "test_access_1"
}]
}
},
"port": 14000,
"proto": 17,
"num_connections": 2,
"policy_decision": "allowed",
"timestamp_range": {
"last_detected": "2020-03-03T00:38:12Z",
"first_detected": "2020-03-03T00:38:12Z"
}
}, {
"src": {
"ip": "10.2.3.161",
"workload": {
"href": "/orgs/1/workloads/3a5f2482-1188-4449-b035-0c7880486a4f",
"hostname": "jorge-test-client5",
"name": null,
"os_type": linux,
"labels": [{
"href": "/orgs/1/labels/144",
"key": "app",
"value": "test_app_1"
.........
{
"href": "/orgs/1/labels/143",
"key": "role",
"value": "test_access_1"
}]
}
},
"dst": {
"ip": "10.2.3.165",
"workload": {
"href": "/orgs/1/workloads/87a10385-7466-488f-bce4-899de08974a0",
"hostname": "jorge-test-server-4",
"name": null,
"os_type": linux,
"labels": [{
"href": "/orgs/1/labels/145",
"key": "app",
"value": "test_app_2"
..........
{
"href": "/orgs/1/labels/143",
"key": "role",
"value": "test_access_1"
}]
}
},
"port": 14000,
"proto": 6,
"num_connections": 6,
"policy_decision": "allowed",
"timestamp_range": {
"last_detected": "2020-03-03T00:38:10Z",
"first_detected": "2020-03-03T00:38:10Z"
}
}
Asynchronous Queries for Traffic Flows
query_name
, while the max-results
limit is raised to
200,000.Currently there is no change to
POST[api_version][org_href]/traffic_flows/traffic_analysis_queries
,which will eventually be deprecated.The maximum of returned results in POST [api_version][org_href]/traffic_flows/traffic_analysis_queries
is100,000, which is a reasonable number a user can view in the UI.
However, when Explorer is used for capturing all traffic flows into a CSV file to build rules offline, the queries take longer to return, traffic data contains more than 100,000 rows, and so on.
Explorer queries are required to support both the single-node and multi-node Explorer in the SuperCluster environment. Therefore, limitation of 100,000 results was raised to 200,000 to better support SuperCluster environments in Explorer.
Async Queries API Methods
Functionality | HTTP | URI |
---|---|---|
Create a new async traffic query |
|
|
Get a collection of async traffic queries |
|
|
Download the completed async traffic query results | GET
|
api_version][org_href]traffic_flows_async_queries/:uuid/dowload
|
Update an async traffic query (request cancellation of the queued async query) |
|
|
Delete the completed async traffic query | DELETE
|
[api_version][org_href]traffic_flows_async_queries/:uuid
|
Properties for Async Queries
query_name
, and the max-results
limit is raised to
200,000.Property | Description | Type | Required |
---|---|---|---|
query_name
|
(POST) Name of the query. | String | Yes |
sources
|
(POST) Source labels, workloads, IP addresses to include or exclude:. Required parameters: include , exclude |
Object | Yes |
destinations
|
(POST)Target labels, workloads, IP addresses, domain names, transmission to include or exclude. Required parameters: include , exclude |
Yes | |
services
|
(POST)Services (5-tuple of port/to_port/proto/process/service) to include or exclude. Required parameters: include , exclude |
Object | Yes |
policy_decisions
|
(POST)List of policy decisions. Available types are:allowed |
Array | Yes |
max_results
|
(POST) Maximum number of flows to return.
"maximum": 200000 |
Integer | No |
status | (PUT, GET) Query status | String | Yes |
href
|
(GET) Query URI | String | Yes |
created_at
|
(GET) Timestamp in UTC when this query was created
|
date/time | Yes |
created_by
|
(GET) User who created this query |
String Format URI |
Yes |
updated_at
|
(GET) Timestamp in UTC when this async query was last updated | date/time | No |
generated_at
|
(GET) Async query generation timestamp in UTC | date/time | No |
query_parameters
|
(GET) Explorer query parameters | Object | Yes |
matches_count
|
(GET) Query result count | Integer | No |
flows_count
|
(GET) Result count after query limits and RBAC filtering are applied | Integer | No |
reqions
|
(GET) Region-specific response metadata. Required properties:
This section is present only in supercluster leader queries. |
Object | No |
Example Async Explorer Queries
Curl command for traffic_flows_async_queries_post
curl -i -u api_1195cf055cf8a834c:148afd87ecc980900eaf10d6c54e6c0f607b22e0dbf768dd007e51e731096282 https://devtest0.ilabs.io:8443/api/v2/orgs/1/traffic_flows/async_queries -H "Content-Type: application/json" -X POST -d
Response:
'{"sources":{"include":[[{"workload":{"href":"/orgs/1/workloads/a3ffb374-f6c6-4cce-ac57-642c66f1498f"}}]],"exclude":[]},"destinations":{"include":[[]],"exclude":[]},"services":{"include":[],"exclude":[]},"sources_destinations_query_op":"and","start_date":"2016-01-29T17:04:03.149Z","end_date":"2021-01-29T17:06:03.151Z","policy_decisions":[],"max_results":1000,"query_name":"worklaod test"}'
HTTP/1.1 202 Accepted
content-location: 7734501b-74a2-47a4-9ded-77bf4ceea938
content-type: application/json
content-length: 615
x-request-id: 00c8fa00-dbd8-4a28-a5c7-354fb5ae3886
cache-control: no-store
x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
{"status":"queued","href":"/orgs/1/traffic_flows/async_queries/7734501b-74a2-47a4-9ded-77bf4ceea938","created_by":{"href":"/users/1"},"query_parameters":{"sources":{"include":[[{"workload":{"href":"/orgs/1/workloads/a3ffb374-f6c6-4cce-ac57-642c66f1498f"}}]],"exclude":[]},"destinations":{"include":[[]],"exclude":[]},"services":{"include":[],"exclude":[]},"sources_destinations_query_op":"and","start_date":"2016-01-29T17:04:03.149Z","end_date":"2021-01-29T17:06:03.151Z","policy_decisions":[],"max_results":1000,"query_name":"worklaod test"},"created_at":"2021-04-09T20:50:30Z","updated_at":"2021-04-09T20:50:30Z"}
Curl command for for traffic_flows/async_queries_get
This query gets the collection of all async jobs for the current user, including anything that was already submitted.
curl -i -u api_1195cf055cf8a834c:148afd87ecc980900eaf10d6c54e6c0f607b22e0dbf768dd007e51e731096282 https://devtest0.ilabs.io:8443/api/v2/orgs/1/traffic_flows/async_queries
Response
HTTP/1.1 200 OK
content-type: application/json
content-length: 1510
x-request-id: fcf065e5-e465-4161-ba98-542182734c38
cache-control: no-store
x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
[{"matches_count":1984,"flows_count":1000,"status":"completed","href":"/orgs/1/traffic_flows/async_queries/88675fbd-a88e-44bd-b358-2d6f2fc4f95a","result":"/orgs/1/traffic_flows/async_queries/88675fbd-a88e-44bd-b358-2d6f2fc4f95a/download","created_by":{"href":"/users/1"},"query_parameters":{"sources":{"include":[[{"workload":{"href":"/orgs/1/workloads/a3ffb374-f6c6-4cce-ac57-642c66f1498f"}}]],"exclude":[]},"destinations":{"include":[[]],"exclude":[]},"services":{"include":[],"exclude":[]},"sources_destinations_query_op":"and","start_date":"2016-01-29T17:04:03.149Z","end_date":"2021-01-29T17:06:03.151Z","policy_decisions":[],"max_results":1000,"query_name":"worklaod tesrrrrrt"},"created_at":"2021-04-09T20:50:19Z","updated_at":"2021-04-09T20:50:27Z"},{"matches_count":1984,"flows_count":1000,"status":"completed","href":"/orgs/1/traffic_flows/async_queries/7734501b-74a2-47a4-9ded-77bf4ceea938","result":"/orgs/1/traffic_flows/async_queries/7734501b-74a2-47a4-9ded-77bf4ceea938/download","created_by":{"href":"/users/1"},"query_parameters":{"sources":{"include":[[{"workload":{"href":"/orgs/1/workloads/a3ffb374-f6c6-4cce-ac57-642c66f1498f"}}]],"exclude":[]},"destinations":{"include":[[]],"exclude":[]},"services":{"include":[],"exclude":[]},"sources_destinations_query_op":"and","start_date":"2016-01-29T17:04:03.149Z","end_date":"2021-01-29T17:06:03.151Z","policy_decisions":[],"max_results":1000,"query_name":"worklaod test"},"created_at":"2021-04-09T20:50:30Z","updated_at":"2021-04-09T20:50:32Z"
Curl command for traffic_flows/async_queries/:uuid_get
This query gets a specific job included in the collection.
curl -i -u api_1195cf055cf8a834c:148afd87ecc980900eaf10d6c54e6c0f607b22e0dbf768dd007e51e731096282 https://devtest0.ilabs.io:8443/api/v2/orgs/1/traffic_flows/async_queries/88675fbd-a88e-44bd-b358-2d6f2fc4f95a
Response
HTTP/1.1 200 OK
content-type: application/json
content-length: 756
x-request-id: f328b845-8542-4b96-a128-43aefdf7ba5a
cache-control: no-store
x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
{"matches_count":1984,"flows_count":1000,"status":"completed",
"href":"/orgs/1/traffic_flows/async_queries/88675fbd-a88e-44bd-b358-2d6f2fc4f95a",
"result":"/orgs/1/traffic_flows/async_queries/88675fbd-a88e-44bd-b358-2d6f2fc4f95a/download",
"created_by":{"href":"/users/1"},"query_parameters":{"sources":{"include":[[{"workload":{"href":"/orgs/1/workloads/a3ffb374-f6c6-4cce-ac57-642c66f1498f"}}]],"exclude":[]},"destinations":{"include":[[]],"exclude":[]},"services":{"include":[],"exclude":[]},"sources_destinations_query_op":"and","start_date":"2016-01-29T17:04:03.149Z","end_date":"2021-01-29T17:06:03.151Z","policy_decisions":[],"max_results":1000,"query_name":"worklaod tesrrrrrt"},"created_at":"2021-04-09T20:50:19Z","updated_at":"2021-04-09T20:50:27Z"}