Work with Illumination

Illumination provides rich visibility into your workloads (traffic flows, running services) without blocking traffic, so you can build and test policies before you enforce them.

Search in Illumination

You can search for specific locations and groups in the Illumination map at a global level. This feature is especially helpful when you manage dozens or even hundreds of locations or groups in the Illumination map.

  1. Click the magnifying glass in the upper left corner next to Search Illumination.
  2. Select the location in which you want to search.
  3. Click inside the location to open the command panel.
  4. The command panel lists all groups in that location.
  5. Click the group whose details you want to see.
  6. The group's command panel shows the following:
    • Workloads associated with the group
    • The workloads' enforcement (with an option to edit it)
    • A link to locate groups connected to the selected group in Illumination (Connected Groups)
    • Links that allow you to view associated segmentation rulesets, start Policy Generator, clear traffic counters, or expand group roles
  7. Click the arrow next to Connected Groups.
  8. A list of all groups connected in this location appears.

The VEN uploads the traffic flow data to the PCE every 10 minutes. The “Increase VEN Update Rate” option increases the rate at which the information is uploaded, which helps you see the flow more frequently. When you click “Increase VEN Update Rate” from the App Group window, the data gets uploaded every 30 seconds for the next 10 minutes. After 10 minutes, it resets to the default value of uploading the data every 10 minutes.

Clear Traffic Counters

To draw the traffic patterns on the Illumination map, the PCE stores all traffic data that flows between workloads.

When you want to see only current traffic data and purge traffic connections that might have stopped, you can clear all traffic counters between two workloads, for all workload communication in a group, or for your entire organization:

  • To clear all traffic between two workloads, select a traffic link and click Clear traffic counters in the command panel.
  • To clear traffic for an entire group, select the group and click Clear traffic counters in the command panel. In the dialog, select For this Group only and click OK.
  • To clear traffic for your entire organization, select a group and click Clear traffic counters in the command panel. In the dialog, select For entire Organization and click OK.

Write Segmentation Rules In Illumination

You can write segmentation rules for traffic inside of groups by selecting traffic links and specifying the traffic flows you want to allow in a segmentation rule. This means that only the traffic that you permit between workloads is allowed and all other undefined traffic is blocked.

This method is for writing segmentation rules on an individual basis. To write larger sets of segmentation rules for your workloads, Illumio recommends using segmentation rulesets. See Create a Segmentation Ruleset in the Security Policy Guide for more information.

NOTE:

On the Details view, inter-group traffic links between the selected group and discovered groups are displayed in gray.

To write rules for traffic from the Group Detail view or Full map:

When you write a segmentation rule from the Group Detail view, you can create one of two kinds of rules, depending on the ruleset:

  • When you click a line inside a group, the generated segmentation rule is an intra-scope rule.
  • When you click a line between two groups, the generated segmentation rule is an intra-scope rule if the scope of the selected segmentation ruleset is All | All | All.
  • For the same line, if the segmentation ruleset scope matches the Provider labels, the generated segmentation rule is an extra-scope rule.

To write segmentation rules for workloads:

  1. In the Illumination Draft view, select one of the traffic links between the workloads. In the command panel, workloads and enforcement are displayed.

  2. To allow this traffic, click Add segmentation rule in the command panel.

    An Add segmentation rule panel appears.

  3. You can edit the segmentation rule and choose to add it to the recommended segmentation ruleset.
  4. Click Save.

    The traffic link turns green to indicate a permitted flow for the workloads.

Write a Group-Level Segmentation Rule

In the Illumination map, you can write a segmentation rule that allows all workloads in the group to communicate with each other. You can write this type of segmentation rule from any Illumination view level: Global, Groups, and Detail. This feature is useful if your goal is to ringfence a particular application instance or high-value asset. A ringfence is a software-built “fence” that secures and typically isolates high-value assets to mitigate the risk of access from East-West connectivity to other systems: only the group’s members can communicate with each other, and the group is separated from everything else in your organization.

To write a group-level segmentation rule: 

  1. From the PCE web console menu, choose Illumination.

    The Illumination map appears.

  2. Select the group you want to write a Group-level segmentation rule for.

    The command panel appears.

  3. In the command panel, click Add Segmentation Rule.

    The command panel opens an Add Segmentation Rule dialog box. In the dialog box, you can write a segmentation rule that allows all workloads and other entities to communicate with each other for all services.

  4. In the Add segmentation rule dialog box, select a segmentation ruleset to add the segmentation rule to, or leave the default when one is already configured for the group, and complete the rest of the rule fields.
  5. (Optional) Select SecureConnect when you want to encrypt traffic between workloads.

Set Group Enforcement

After you have written segmentation rules for a group, you can change the group's enforcement, which determines how a group's rules affect the communication among the group's workloads.

You can choose from the following enforcement states for the workloads inside of a group:

  • Visibility only: The PCE displays the flow of traffic to and from the workload, providing insight into the datacenter and the applications running in it. No traffic is blocked in this state.
  • Full Enforcement: All ruleset rules are enforced, and all traffic flows that are not allowed by the rules are blocked.
  • Selective Enforcement: Applies only to managed workloads; it does not apply to NEN-controlled or other unmanaged workloads. It controls which ports or services are enforced on workloads.
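As an added illustration (not Illumio's code), a small Python model of how the three enforcement states decide the fate of a flow. The label-set and (port, protocol) rule representation is an assumption, simplified from the PCE's rule model; the sample rule and flows in the test are constructed.

```python
"""Constructed model of Illumio group enforcement states (not Illumio's code).

Rules are simplified to provider labels, consumer labels and one service.
"""
from dataclasses import dataclass

VISIBILITY_ONLY = "visibility_only"
FULL = "full"
SELECTIVE = "selective"


@dataclass(frozen=True)
class Service:
    port: int
    proto: str  # "tcp" or "udp"


@dataclass
class Rule:
    providers: frozenset  # labels the provider must carry
    consumers: frozenset  # labels the consumer must carry
    service: Service


@dataclass
class Flow:
    provider_labels: frozenset
    consumer_labels: frozenset
    service: Service


def rule_matches(rule: Rule, flow: Flow) -> bool:
    # A rule matches when both ends carry every label the rule names
    # and the service is identical.
    return (rule.providers <= flow.provider_labels
            and rule.consumers <= flow.consumer_labels
            and rule.service == flow.service)


def evaluate(mode: str, rules, flow: Flow, enforced_services=frozenset()) -> str:
    """Return 'allowed' or 'blocked' for the flow under the group's mode.

    visibility_only: nothing is blocked, the flow is only reported.
    full: a flow not allowed by any rule is blocked.
    selective: only flows to services in enforced_services are subject
               to the rules; everything else behaves as visibility only.
    """
    allowed_by_rule = any(rule_matches(r, flow) for r in rules)
    if mode == VISIBILITY_ONLY:
        return "allowed"
    if mode == FULL:
        return "allowed" if allowed_by_rule else "blocked"
    if mode == SELECTIVE:
        if flow.service not in enforced_services:
            return "allowed"
        return "allowed" if allowed_by_rule else "blocked"
    raise ValueError(f"unknown enforcement mode: {mode}")
```

The model makes the practical point explicit: a rule that looks correct in Visibility only has no effect until the group moves to Full or Selective Enforcement, and in Selective Enforcement only the chosen services are ever blocked.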

To set group enforcement:

  1. From the PCE web console menu, choose Illumination.

    The Illumination map appears.

  2. Find the group for which you want to change enforcement and click inside the group.

    The command panel appears.

  3. Click the edit tool next to Enforcement.
  4. The pop-up dialog explains that editing affects only the workloads in this group. Click Continue.
  5. The group's command panel allows you to select the enforcement from the dropdown list.
  6. Select the new enforcement type and click Save.

Create Unmanaged Workloads from IP Addresses

From the Illumination map, you can quickly create unmanaged workloads from IP addresses. A reverse DNS lookup is done on the IP addresses to obtain and display the server name for the unmanaged workload. The server names are only displayed in the PCE web console. When you export the file, it lists IP addresses.

NOTE:

The DNS names are not displayed in Illumination for Illumio Secure Cloud customers.

When you select an IP address in Illumination that is not currently associated with another policy object, it automatically populates the IP address into an unmanaged workload with the following values:

  • A default interface of eth0
  • The hostname, which is the IP address by default

IPv4 or IPv6 addresses displayed in Illumination can be selected from the internet, IP lists, or traffic links. The default interface and hostname can be changed if needed and labels can be added to the unmanaged workload.

Until new traffic for the unmanaged workload is observed, the traffic lines are not displayed for the unmanaged workload. The traffic lines in Illumination are updated after new flows are reported by the PCE.

If you try to create an unmanaged workload from an IP address where an unmanaged workload already exists, an error message is displayed.