Blocked Traffic

Blocked traffic identifies blocked and potentially blocked traffic among workloads and other entities managed by the PCE.

IMPORTANT:

In the 19.1.0 release, blocked traffic was marked for deprecation and will be turned off by default in a future release. When a large number of traffic summaries are reported to the PCE, the blocked traffic functionality consumes more memory, which can cause side-effects such as:

  • Illumination dropping some traffic flows
  • PCE slowing down due to extra processing

When upgrading to 19.3.0, Illumio recommends that you turn off blocked traffic by setting the appropriate value in the PCE runtime_env file.

The functionality provided by blocked traffic is available in Explorer. In 18.3.1 and later, when the Explorer feature is configured, the Blocked Traffic page is populated from Explorer data. The Blocked Traffic page will continue to work using the data from Explorer.

Overview of Blocked Traffic

To view the Blocked Traffic page, choose Troubleshooting > Blocked Traffic from the PCE web console menu. The Blocked Traffic tab shows you all traffic that attempted to communicate with your workload but was blocked due to policy. Blocked traffic alerts provide information such as the port and protocol of the service, as well as the IP address of the consumer, the total number of flows, and the time last detected.

Under the following conditions, traffic is marked as potentially blocked or blocked based on the active policy at the PCE when the latest flow was recorded:

  • Traffic is blocked when a workload is in the enforced state and the PCE doesn't have rules in the active policy to allow that traffic.
  • Traffic is potentially blocked when a workload is in a Visibility Only state and the PCE doesn't have rules in the active policy to allow that traffic.

Traffic that is blocked in the following ways is reported as blocked traffic in the Illumination map, regardless of the workload enforcement:

  • Firewalls on the workload not managed by Illumio Core
  • WFP policies not managed by Illumio Core

Existing connections are reported as static connections during pairing. These connections display as blocked or potentially blocked until new traffic for the connections is detected.

When you select the blocked connection, the Detail view provides more information on when the connection was last reported (when available).

The Blocked Traffic page allows you to verify that only unauthorized traffic is blocked and permitted communication between workloads is not unintentionally blocked before moving workloads to the enforced state.

You can use the page buttons in the upper left to navigate the listings. You can also use the Refresh button to refresh the content of the page with the latest information without clearing the filters or the results.

NOTE:

Only the latest 500 blocked traffic entries are displayed.

For each traffic record, the following information is displayed:

  • Traffic Type: Specifies whether the traffic is blocked or potentially blocked and whether it is blocked by the consumer or by the provider.
  • Provider: Displays the workload name and IP address of the provider.
  • Provider Labels: Displays labels assigned to the provider.
  • Service: Displays the process name, port, and protocol information of the traffic that was reported along with an indication of whether the record was reported by the consumer or the provider.

    NOTE:

    For optimal scale and performance, when the PCE has two connections with the same source workload, destination workload, destination port, and protocol but the process or service names are different, the two connections are combined in the Illumination map. The process or service name that was part of the most recently reported connection is displayed.

  • Consumer: Displays the workload name and IP address of the consumer.
  • Consumer Labels: Displays labels assigned to the consumer.
  • Total Flows: Displays the total number of traffic flows for that connection.
  • Last Detected: Displays a timestamp for the most recent recorded connection.

NOTE:

When the provider reports the record, the information in the consumer column is grayed out. When the consumer reports the record, the information in the provider column is grayed out.

From the 18.3.1 release on, the traffic entries displayed on the blocked traffic page cannot be removed via the PCE web console.
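The following is an added example, not part of the Illumio documentation or the PCE code, that models how the entries above are derived: the blocked / potentially blocked classification from the enforcement-state conditions, the merging of connections that share consumer, provider, port and protocol (most recently reported process name wins), and the 500-entry display cap. The record fields, the summing of flow counts across merged connections, and the sample reports are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_ENTRIES = 500  # the Blocked Traffic page shows only the 500 most recent entries


@dataclass
class FlowReport:
    """One traffic summary as reported to the PCE (field layout is assumed, not the real API)."""
    consumer: str              # source workload
    provider: str              # destination workload
    port: int                  # destination port
    proto: str                 # "tcp" or "udp"
    process: str               # process or service name seen for this connection
    flows: int                 # flows in this summary
    last_seen: datetime
    provider_enforcement: str  # "enforced" or "visibility_only"
    allowed_by_policy: bool    # does the active policy contain a rule allowing the traffic?


def classify(enforcement: str, allowed_by_policy: bool) -> str:
    """Apply the page's two conditions: enforced -> blocked, visibility only -> potentially blocked."""
    if allowed_by_policy:
        return "allowed"
    if enforcement == "enforced":
        return "blocked"
    if enforcement == "visibility_only":
        return "potentially blocked"
    raise ValueError(f"unknown enforcement state: {enforcement}")


def summarize(reports):
    """Merge reports sharing (consumer, provider, port, proto); newest report sets the process name."""
    merged = {}
    for r in sorted(reports, key=lambda r: r.last_seen):  # oldest first, so the last write is newest
        key = (r.consumer, r.provider, r.port, r.proto)
        entry = merged.setdefault(key, {"consumer": r.consumer, "provider": r.provider,
                                        "port": r.port, "proto": r.proto, "total_flows": 0})
        entry["total_flows"] += r.flows  # assumption: flow counts of merged connections are summed
        entry["process"] = r.process
        entry["last_detected"] = r.last_seen
        entry["traffic_type"] = classify(r.provider_enforcement, r.allowed_by_policy)
    # Newest entries first, capped the way the page caps its listing.
    return sorted(merged.values(), key=lambda e: e["last_detected"], reverse=True)[:MAX_ENTRIES]


# Constructed sample reports: two for the same connection with different process names, one other.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_REPORTS = [
    FlowReport("web-1", "db-1", 3306, "tcp", "mysqld", 4, T0, "enforced", False),
    FlowReport("web-1", "db-1", 3306, "tcp", "mariadbd", 2, T0 + timedelta(minutes=5), "enforced", False),
    FlowReport("app-1", "db-1", 22, "tcp", "sshd", 1, T0 + timedelta(minutes=10), "visibility_only", False),
]
```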

Filter Blocked Traffic

The Blocked Traffic page displays the 500 most recent entries from all workloads managed by the PCE. When you are monitoring or writing rules for a specific set of workloads, use Blocked Traffic filters to display up to 500 of the most relevant entries based on the 10,000 entries in the PCE.

The PCE web console allows you to use filters to display only the blocked traffic entries of interest. You can filter based on workload name, label, traffic type (blocked or potentially blocked), or any combination of these attributes. When you apply the filter by clicking Go, the 500 most recent entries that match the search criteria are displayed.

To filter blocked traffic, type the keywords for the filter in the Select properties to filter view field at the top of the Blocked Traffic page.

NOTE:

You can filter blocked traffic using multiple properties at the same time. Only entries that match all the entered criteria are displayed.

To specify the type of results, click the arrow at the end of the text entry field and select one or more of the available properties:

  • Role
  • Application
  • Environment
  • Location
  • Traffic status
  • Workload name

After entering your keywords, click Go to the right of the text entry field. The results display below the text entry field. The following information is included:

  • Traffic Type: A link to additional information about that entry
  • Provider: The provider of the service
  • Service: The service type
  • Consumer: The consumer of the service
  • Total Flows: The total number of times this blocked traffic flow occurred
  • Last Detected: A timestamp (in hh:mm:ss format) of the last time this flow occurred

Create Unmanaged Workload from Blocked Traffic

In some cases, your policy might block traffic from the IP address of a host that you want to allow to communicate with one of your managed workloads. You can allow it by converting the IP address to an unmanaged workload, which enables the PCE to use it in policy.

Click the IP address in the blocked traffic event and fill out the Unmanaged Workload page. Once you have converted the IP address into an unmanaged workload, you can use it in rulesets to allow other managed workloads to communicate with it, or you can later convert it into a managed workload by pairing it. For more information about unmanaged workloads, see Unmanaged Workloads.

  1. From the PCE web console menu, choose Troubleshooting > Blocked Traffic.
  2. From the list of blocked traffic events, under the Consumer column, click any of the linked IP addresses.

    The Unmanaged Workload page appears.

  3. Complete all the fields and click Save.

    You can now use the unmanaged workload in your policy. For example, you can configure rules to allow incoming traffic from this unmanaged workload to other managed workloads.

Reject Connections

You can configure Workloads to reject traffic that does not meet the required policy, instead of blocking it in the Enforced state. You can edit Reject Connections from the Settings > Security menu option.

A new firewall security setting provides two options:

  • Reject blocked inbound traffic: When this setting is applied, the firewall is configured to send:
    • TCP RST for TCP connections
    • ICMP port unreachable for UDP connections
    • ICMP protocol unreachable for other connections
  • Drop disallowed traffic (default).

The setting acts at the VEN level and not at the interface level. It is selected by a Label set, and it is visible on the Workload detail page.