Work with Explorer
You can use Explorer to search for information about your organization's traffic and to create unmanaged workloads. You can specify an IPList (CIDR and FQDN) in the traffic_queries API and get results for all entities that match that IPList. If more than one IPList matches a source or destination IP, the top five are displayed by default; the number of matching IPLists returned can be expanded to 50. Through the API only, you can also set an optional flag to obtain the workloads whose IP addresses are part of the specified IPList and that have flows to or from the IP address.
Explorer Search Example
One preliminary method of creating policy is to make sure that different environments of your datacenter are segmented from each other. For example, you can separate Development or Testing environments from your Production environments. Before you write policy rules to either allow or block this traffic, you want to determine if there are any traffic flows between them.
Using Explorer you can query, for example, the following:
"any traffic flows during the last week between my Development and Production environments, over any port except port 80, excluding any workloads that have a Role label named ‘Domain Controller’"
Example search using Explorer:
- In the PCE web console menu in the upper left corner, choose Explorer.
The Explorer page appears.
- Under Consumers, enter or select the Environment label named “Development” from the Include drop-down list.
- Under Consumers, enter or select the Role label named “Domain Controller” from the Exclude drop-down list.
- Under Providers, enter or select the Environment label named “Production” from the Include drop-down list.
- Under Providers, enter or select the Role label named “Domain Controller” from the Exclude drop-down list.
- Under Port/Protocol, leave the Include field blank (which means “any”) and under Exclude enter “80”. ICMPv6 is also available as a protocol option.
- Under Time, select Anytime, or the last week to match the example query above.
- Click Go.
The results appear when the search criteria are met.
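The same search expressed as a PCE REST API request, together with the asynchronous job lifecycle (submit, poll, download) described in the next section and the IPList form mentioned in the introduction. This is an added example, not Illumio's code: the endpoint paths (`traffic_flows/async_queries`, `/download`), request fields, job status values and the `exclude_workloads_from_ip_list_query` flag are assumptions taken from the public Illumio PCE REST API, and the label hrefs are constructed placeholders. Check both against the API reference for your PCE release.

```python
"""Run the Explorer search above through the PCE REST API instead of the console.

Added example; not Illumio's code. Endpoint paths, request fields, status values
and flag names are assumptions from the public Illumio PCE REST API; label hrefs
are constructed placeholders."""
import base64
import json
import time
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed placeholder hrefs; look yours up with GET /api/v2/orgs/{org_id}/labels.
LABEL_ENV_DEVELOPMENT = "/orgs/1/labels/11"
LABEL_ENV_PRODUCTION = "/orgs/1/labels/12"
LABEL_ROLE_DOMAIN_CONTROLLER = "/orgs/1/labels/13"

TS = "%Y-%m-%dT%H:%M:%SZ"  # timestamp format the API expects (UTC)


def label(href):
    return {"label": {"href": href}}


def build_explorer_query(days=7, end=None, max_results=100000):
    """Development -> Production flows over the last `days`, any service except
    TCP/80, excluding Domain Controller workloads on both sides.
    `end` is a UTC timestamp string in TS format; it defaults to now."""
    end_dt = datetime.strptime(end, TS) if end else datetime.now(timezone.utc).replace(tzinfo=None)
    start_dt = end_dt - timedelta(days=days)
    return {
        "query_name": "dev-to-prod-except-tcp80",
        # Outer list is OR across groups, inner list is AND within a group.
        "sources": {"include": [[label(LABEL_ENV_DEVELOPMENT)]],
                    "exclude": [label(LABEL_ROLE_DOMAIN_CONTROLLER)]},
        "destinations": {"include": [[label(LABEL_ENV_PRODUCTION)]],
                         "exclude": [label(LABEL_ROLE_DOMAIN_CONTROLLER)]},
        # Empty include = any port/protocol; proto 6 = TCP.
        "services": {"include": [], "exclude": [{"port": 80, "proto": 6}]},
        "sources_destinations_query_op": "and",
        "start_date": start_dt.strftime(TS),
        "end_date": end_dt.strftime(TS),
        "policy_decisions": ["allowed", "potentially_blocked", "blocked", "unknown"],
        "max_results": max_results,
    }


def build_ip_list_query(ip_list_href, days=7, end=None):
    """Same window, but every flow whose destination falls in one IPList.
    exclude_workloads_from_ip_list_query=False asks for managed workloads whose
    IPs fall in the list as well (field name assumed from the API reference)."""
    q = build_explorer_query(days, end)
    q["query_name"] = "flows-to-ip-list"
    q["sources"] = {"include": [[]], "exclude": []}  # [[]] = any source (assumption)
    q["destinations"] = {"include": [[{"ip_list": {"href": ip_list_href}}]], "exclude": []}
    q["exclude_workloads_from_ip_list_query"] = False
    return q


def pce_request(pce_url, path, auth, body=None):
    """Minimal PCE call: API key user/secret over HTTP basic auth, JSON in and out."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(pce_url + path, data=data, method="POST" if data else "GET")
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def run_async_query(pce_url, org_id, auth, query, poll_seconds=5, timeout=600):
    """Submit, poll until the job reaches a terminal status, then download all rows.
    The PCE keeps the results for 24 hours, so the returned href can be reused."""
    base = f"/api/v2/orgs/{org_id}/traffic_flows/async_queries"
    job = pce_request(pce_url, base, auth, body=query)
    href = job["href"]  # e.g. /orgs/1/traffic_flows/async_queries/<uuid>
    deadline = time.monotonic() + timeout
    while job.get("status") not in ("completed", "failed", "killed"):
        if time.monotonic() > deadline:
            raise TimeoutError(f"query {href} still {job.get('status')} after {timeout}s")
        time.sleep(poll_seconds)
        job = pce_request(pce_url, "/api/v2" + href, auth)
    if job["status"] != "completed":
        raise RuntimeError(f"query did not complete: {job}")
    rows = pce_request(pce_url, "/api/v2" + href + "/download", auth)
    # Hitting max_results means the database holds more than you asked for,
    # the API equivalent of the asterisk in the console's Connections column.
    if len(rows) >= query["max_results"]:
        print(f"warning: {len(rows)} rows returned, at max_results; raise the limit or narrow the query")
    return rows


if __name__ == "__main__":
    import os
    creds = (os.environ["PCE_API_USER"], os.environ["PCE_API_SECRET"])
    flows = run_async_query(os.environ["PCE_URL"], os.environ["PCE_ORG"], creds, build_explorer_query())
    print(f"{len(flows)} flows from Development to Production, excluding TCP/80")
```

The polling loop treats any status other than completed, failed or killed as still running; if your release reports different terminal states, adjust that tuple rather than the loop.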
Asynchronous Queries
Asynchronous queries allow you to initiate multiple queries in parallel and view their results later. Prior to Release 21.2.0, going offline during a query would lose the query results. Starting with this release, the results of asynchronous queries are preserved for 24 hours whether you remain online or go offline. In addition, while a query is in progress, you can work in other areas of the product. Query results can be exported to a comma-separated-value (CSV) file or displayed in the Explorer Web Console. Depending on the size of the query, the results may take time to display.
In this release, Explorer enables you to run multiple queries and allows you to change or retain the default file name for exported results.
- Multiple Queries–You can run multiple queries, including running some in the background.
If there is only one query, the results of that query will display when the query completes.
If there are multiple queries, you may select the result that you wish to view by clicking the number beside the Results button.
If identical queries are run within a minute of each other, only one query will be processed. The results of the oldest query will be displayed.
- Default File Name–The system assigns a default file name based on your query field names (Consumer, Service, or Provider) in the filter. The exported file will have the same name.
Giving filters a unique name will help you identify your filters when you wish to rerun a query. This name will also appear as your report name.
You can also specify or change a filter name as desired.
Handling Duplicate Flows in Queries
A database query that spans multiple days can contain duplicate flows if the same flow is repeated on more than one day.
Prior to Release 20.3, these duplicate flows were merged together outside the database, and could have resulted in fewer results being returned to the user interface.
From Release 20.3 and later, duplicate flows spanning multiple days are merged in the database, allowing more unique flows to be returned.
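The merge the database now performs, applied client-side to an exported result set. This is an added example, not Illumio's code; it is useful for results from a PCE older than 20.3 or for any CSV you have already downloaded. Rows are grouped by the consumer, provider, port, protocol and policy decision, connection counts are summed and the first/last-detected window is widened. The column names and the sample rows are constructed and assumed to follow the Explorer export layout.

```python
"""Merge duplicate flow rows that span several days, as the PCE does from 20.3.

Added example; not Illumio's code. Column names follow the assumed Explorer
CSV export layout and the sample rows below are constructed."""
import csv
import io

# Constructed export: the same Dev -> Prod HTTPS flow reported on two days,
# one blocked attempt on the same tuple, and an unrelated SSH flow.
EXPORT = """Consumer IP,Provider IP,Port,Protocol,Reported Policy Decision,Connections,First Detected,Last Detected
10.1.1.5,10.2.2.9,443,TCP,Allowed,12,2024-01-01T08:00:00Z,2024-01-01T17:00:00Z
10.1.1.5,10.2.2.9,443,TCP,Allowed,30,2024-01-02T08:00:00Z,2024-01-02T17:00:00Z
10.1.1.5,10.2.2.9,443,TCP,Blocked,2,2024-01-02T09:00:00Z,2024-01-02T09:00:00Z
10.1.1.7,10.2.2.9,22,TCP,Potentially Blocked,1,2024-01-03T01:00:00Z,2024-01-03T01:00:00Z
"""

# A flow is identified by its tuple plus the decision the PCE reported for it;
# the same tuple with a different decision stays a separate row.
FLOW_KEY = ("Consumer IP", "Provider IP", "Port", "Protocol", "Reported Policy Decision")


def merge_duplicate_flows(csv_text):
    """Collapse repeated flows into one row each, summing Connections and keeping
    the earliest First Detected and latest Last Detected timestamps."""
    merged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = tuple(row[c] for c in FLOW_KEY)
        if key not in merged:
            merged[key] = dict(row)
            merged[key]["Connections"] = 0
        m = merged[key]
        m["Connections"] += int(row["Connections"])
        # Fixed-width ISO 8601 UTC strings sort correctly as plain strings.
        m["First Detected"] = min(m["First Detected"], row["First Detected"])
        m["Last Detected"] = max(m["Last Detected"], row["Last Detected"])
    # Busiest flows first, which is the order you want when writing rules.
    return sorted(merged.values(), key=lambda r: r["Connections"], reverse=True)


def to_csv(rows):
    """Serialise merged rows back into the export layout."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(merge_duplicate_flows(EXPORT)))
```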
Run Asynchronous Queries in Explorer
Asynchronous job queries are easy to initiate and can run in parallel, which means that a second query can be initiated before the first completes. In the following example, two queries are initiated: the first with Production-only entries, and the second with Production and Staging entries.
To run a query, proceed as follows:
- From the main menu of the Web Console, navigate to Explorer.
- Enter your query criteria in the Include field.
You can enter a Consumer, Provider, or Service, or merely indicate Production in the Provider column.
- Click Go to begin the query process.
- To process a parallel query, click Go again.
- In the confirmation dialog box, click Hide.
- Enter the next search criteria based on a new Provider. For example, Production and Staging.
- Click Go.
- Given support for asynchronous queries, a number appears next to the Results button, indicating the number of queries being processed simultaneously.
Depending on the size of the queries, your second query may complete before your first.
- To view the results of your queries, click the Results Available pop-up that appears in the bottom-right corner of the PCE Web Console.
You will see the results of your two queries, one with Production-only entries and a second with Production and Staging entries. At any time, you may click the Results button to view which queries were run.
Viewing results from past queries does not re-initiate a query; it displays the cached query results. When you select a result, the filter changes automatically to that query's criteria and its results are displayed.
View and Modify Query Result Settings
You can view results from the Results button, the Results Available pop-up, or the gear drop-down in the upper-right corner of the Web Console.
In the Results window, when you see an asterisk in the Connections column, it indicates that there are more entries in the database than what you requested in your query.
To view additional results, you must increase the values in the Results Settings menu. You can access this menu from multiple locations; from the gear drop-down or your user profile drop-down.
- From the upper-right corner of Explorer, click the gear drop-down to view the Results Settings window.
- From Results Settings, change the value for maximum connections.
You can change the number of connections for what can be 'Displayed in Explorer' or 'Returned from the Database per Region'. Up to 100,000 can be 'Displayed in Explorer' and up to 200,000 can be 'Returned from the Database per Region.'
Export Query Results
There are multiple locations from where you can export results. Depending on the location from which you export results, the number of results that are shown may differ. The number of results from Explorer may differ from the number of results returned by the PCE web service.
In the Web Console, you can display additional data if you include draft rules and FQDN lookups.
Export from the Explorer Web Console
From the central pane of the Explorer window, you can export query results with enhanced information.
- From the Reported View drop-down, choose Draft View.
This includes Draft Policy Decision (All Draft, Blocked, or Allowed) entries in your exported file. If you do not make a selection, you receive the Reported Policy Decision results.
- Click Resolve Unknown FQDNs to include FQDN information for unknown IP addresses, then click Done in the confirmation dialog box.
- Click Export. This button appears next to Resolve Unknown FQDNs.
NOTE: Clear cached FQDN values and reload the results if you do not find relevant information.
Depending on the number of draft rules, the data may be slow to load. Once it loads, columns called Draft Policy Decision and Reported Policy Decision are populated with data and appear in the exported zip file.
Export from the Results Button
Once your query completes and results are available, you can export these results to a CSV file.
- Click Results to view the list of your queries.
- Click the query result list item to view the results for a particular report.
- Click Export to gather your data in a CSV file.
When you create a direct export from the Results list, you will receive Reported Policy Decision entries in the report. This report will not contain Draft Policy Decision entries or FQDN information.
Global Explorer for Superclusters
Explorer is referred to as Global Explorer in the context of Superclusters.
Global Explorer leverages the capabilities of asynchronous job queries for every region in a Supercluster. If you have a Supercluster and you initiate a query from the Supercluster leader, Explorer will display results from all its members. Queries run from a Supercluster member will only show flows reported by VENs paired to that member.
Note that the maximum number of results that can be retrieved from the PCE database has changed. In a Supercluster, a query run on the leader PCE can return 200,000 results for each PCE in the Supercluster, including the leader. For example, in a Supercluster with four regions, the maximum is 800,000, and in a stand-alone PCE, it is 200,000. When logged in to a member PCE on a Supercluster, the limits are the same as for any SNC or MNC. In every case, the maximum number of results that can be shown in the Web Console is 100,000 results, as in earlier releases. If more than 100,000 results are retrieved, the full results are available as a downloaded CSV file, and the first 100,000 are available in the Web Console.
Create Unmanaged Workload from Unmanaged IP Address
After you convert an unmanaged IP address to an unmanaged workload, you can use it in your policy; for example, to allow one of your hosts to communicate with a managed workload. A reverse DNS lookup is done on the IP addresses listed under the Consumer column, so you see the name of the server instead of the IP address.
The DNS names are not displayed in Explorer for Illumio Secure Cloud customers.
To create an unmanaged workload from an IP address:
- In the PCE web console menu, choose Explorer.
The Explorer page appears.
- On the right side of the page, from the Format drop-down list, select Unmanaged IP Addresses.
If a reverse DNS lookup succeeds, the server name is shown instead of the IP address.
- Click Go.
The results display any unmanaged IP addresses that are communicating with your managed workloads.
- To convert an IP address into an unmanaged workload, select the checkbox next to the IP address and click Create Unmanaged Workloads.
- In the Assign Labels dialog box, assign the labels you want for the unmanaged workload and click OK.
The new unmanaged workload is created.
- To continue configuring the unmanaged workload, choose Workloads from the PCE web console menu.
The Workloads page appears.
In the Workloads list, you can identify the new unmanaged workload by its name, which is its IP address.
The new unmanaged workload does not list any information for its enforcement because it does not have a VEN installed on it.
- To complete the configuration for the unmanaged workload, click its IP address in the Workloads list.
The Unmanaged Workload page appears.
- Click Edit and complete the workload information.
- Click Save.
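The same conversion driven from a script, for the case where Explorer has surfaced more unmanaged IPs than you want to tick by hand. This is an added example, not Illumio's code: the `POST /api/v2/orgs/{org_id}/workloads` body shape (name, hostname, interfaces, labels) is an assumption taken from the public Illumio REST API, the label hrefs and selected IPs are constructed placeholders, and reverse DNS is optional because it needs network access. As in the console, each workload is named after its IP address unless a reverse lookup supplies a hostname.

```python
"""Create unmanaged workloads from Explorer's unmanaged IP results via the PCE REST API.

Added example; not Illumio's code. The workloads request body is assumed from
the public Illumio REST API; label hrefs and IPs are constructed placeholders."""
import base64
import ipaddress
import json
import socket
import urllib.request

# Constructed sample: the rows you would tick under Format > Unmanaged IP Addresses.
# It includes a duplicate, an IPv6 address and one value that is not an IP at all.
SELECTED_IPS = ["10.40.1.25", "10.40.1.25", "10.40.2.7", "fd00::1f", "not-an-ip"]
ASSIGNED_LABELS = ["/orgs/1/labels/12", "/orgs/1/labels/21"]  # e.g. Environment and Role hrefs


def reverse_name(ip):
    """Reverse DNS, as Explorer does for the Consumer column; None if unresolved."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def unmanaged_workload_body(ip, labels, hostname=None):
    """Body for POST .../workloads (field names assumed from the API reference)."""
    addr = ipaddress.ip_address(ip)  # raises ValueError for anything but a literal IP
    body = {
        "name": hostname or str(addr),  # the console names the workload after its IP
        "interfaces": [{"name": "eth0", "address": str(addr)}],
        "labels": [{"href": h} for h in labels],
    }
    if hostname:
        body["hostname"] = hostname
    return body


def plan_unmanaged_workloads(ips, labels, resolve=False):
    """Validate and de-duplicate the selected IPs; returns (bodies, rejected)."""
    bodies, rejected, seen = [], [], set()
    for ip in ips:
        try:
            canon = str(ipaddress.ip_address(ip))  # canonical text form, e.g. for IPv6
        except ValueError:
            rejected.append(ip)
            continue
        if canon in seen:
            continue
        seen.add(canon)
        bodies.append(unmanaged_workload_body(canon, labels, reverse_name(canon) if resolve else None))
    return bodies, rejected


def create_unmanaged_workloads(pce_url, org_id, auth, bodies):
    """POST each body with API key basic auth; returns the created workload hrefs."""
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    headers = {"Authorization": f"Basic {token}",
               "Content-Type": "application/json", "Accept": "application/json"}
    hrefs = []
    for body in bodies:
        req = urllib.request.Request(f"{pce_url}/api/v2/orgs/{org_id}/workloads",
                                     data=json.dumps(body).encode(), method="POST", headers=headers)
        with urllib.request.urlopen(req, timeout=60) as resp:
            hrefs.append(json.load(resp)["href"])
    return hrefs


if __name__ == "__main__":
    import os
    bodies, rejected = plan_unmanaged_workloads(SELECTED_IPS, ASSIGNED_LABELS, resolve=True)
    print(f"{len(bodies)} workloads to create; rejected input: {rejected}")
    if os.environ.get("PCE_URL"):  # dry run unless a PCE is configured
        creds = (os.environ["PCE_API_USER"], os.environ["PCE_API_SECRET"])
        print(create_unmanaged_workloads(os.environ["PCE_URL"], os.environ["PCE_ORG"], creds, bodies))
```

Run it without `PCE_URL` set to see what would be created; the rejected list is worth checking, since Explorer rows that carry a resolved hostname rather than a literal address will land there.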