About Explorer

Using Explorer you can query the PCE's traffic database to analyze traffic flows for auditing, reporting, and troubleshooting. You can search for traffic flows between workloads or hosts, labeled workloads, or IP addresses, and you can restrict the search by specific port numbers and protocols.

The VEN decorates the flow summary logs with DNS names when it sends them to the PCE. Explorer appends the DNS names to the flow logs so that auditors and SOC analysts can look at these DNS names instead of performing reverse look-ups on random IP addresses.

Explorer relies on traffic flow data stored in the PCE traffic database. When a single disk is used for all PCE storage, the default traffic database disk usage limit is in effect. When the amount of traffic flow data exceeds the limit, older data is pruned, and is no longer available in Explorer. To increase the amount of storage available for traffic flow data, you can set up a separate disk for the traffic database and set runtime parameters as required for a two-storage-device configuration. For more information, see PCE Storage Device Partitions in the PCE Installation and Upgrade Guide.

Explorer Searches

When you search data using Explorer, you are searching traffic flows between providers and consumers over a specific time period, on a specific port and protocol.

When you want to search for particular traffic flows on a regular basis, you can save that filter and it appears under Favorites. You can make changes to an existing favorite and save the modified query. Explorer also displays your ten most recent searches. In Explorer, you can also see the effect of currently configured and unprovisioned policies on the traffic that was observed in the past.

An Explorer search consists of the following elements:

  • Consumers: Enter workloads, IP addresses, or labels that are consuming the service provided in the traffic flow. Entries in the Include field are matched as search criteria; flows whose consumer matches an entry in the Exclude field are removed from the results.
  • Providers: Enter workloads, IP addresses, or labels that are providing the service in the traffic flow. Entries in the Include field are matched as search criteria; flows whose provider matches an entry in the Exclude field are removed from the results.

    NOTE:

    You can choose to search either “Consumers And Providers” or “Consumers Or Providers” by clicking the settings icon.

  • Services: Enter a port and protocol, port range, process, Windows service, or policy service. Port numbers and protocols are matched against the destination port and protocol of each flow. Entries in the Include field are matched as search criteria; flows whose service matches an entry in the Exclude field are removed from the results. If you do not specify a value, all ports, protocols, port ranges, processes, and services are included in the search.
  • Time: Select how far in the past (last hour, day, week, or month, or anytime) or specify a custom time range. The custom time filter displays all the flows between the selected from-to date-time stamp.
  • Reported Policy Decision: Select the type of policy decision (allowed, potentially blocked, blocked, or unknown) to search for flows with a specific policy decision reported by the VEN.

  • Connection State: The following traffic flow states are displayed under the “Connection State” column, and only in the exported table:
    • Active: The flow is in progress.
    • Closed: The flow in each direction is recorded and the connection (TCP only) is closed.
    • Static: The flow came from a static Illumination “snapshot” of the current connections, from an idle VEN, or from data imported from another source.
    • Timed Out: No packets in either direction were received for this session for a long time, and it is being timed out.
  • The following two “Blocked” traffic states are also listed:
    • New: A dropped TCP packet that contains a SYN and is associated with a new connection.
    • Invalid: A dropped TCP packet that does not contain a SYN and is dropped by the firewall as invalid.
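To make the search semantics above concrete, the following is an added example (not Illumio's code) that reproduces Explorer's filtering over a constructed list of flow summaries: an empty Include means "any", a hit in Exclude always removes the flow, the settings icon's "Consumers And Providers" / "Consumers Or Providers" choice decides how the two endpoint filters combine, and Services, Time and Reported Policy Decision narrow the set further. The Flow record layout, the sample flows, the fixed clock and the time presets are all constructed for the example.

```python
"""Added example (not Illumio's code): Explorer-style search over constructed
flow summaries, to show Include/Exclude, And/Or, Services, Time and
Reported Policy Decision semantics. All names and data here are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    consumer: str      # workload name or IP address (constructed)
    provider: str
    port: int          # destination port
    proto: str         # "tcp" or "udp"
    decision: str      # policy decision reported by the VEN
    seen: datetime     # when the flow was last observed


# Fixed "now" so the example is deterministic; constructed sample flows.
NOW = datetime(2024, 6, 1, 12, 0)
TIME_PRESETS = {  # the "last hour/day/week/month" choices, relative to NOW
    "hour": NOW - timedelta(hours=1),
    "day": NOW - timedelta(days=1),
    "week": NOW - timedelta(weeks=1),
    "month": NOW - timedelta(days=30),
}
FLOWS = [
    Flow("web-01", "db-01", 5432, "tcp", "allowed", NOW - timedelta(minutes=5)),
    Flow("web-02", "db-01", 5432, "tcp", "potentially_blocked", NOW - timedelta(hours=2)),
    Flow("10.0.9.7", "db-01", 22, "tcp", "blocked", NOW - timedelta(days=2)),
    Flow("web-01", "cache-01", 6379, "tcp", "allowed", NOW - timedelta(days=10)),
    Flow("bastion", "db-01", 22, "tcp", "allowed", NOW - timedelta(minutes=30)),
]


def _side_matches(value, include=(), exclude=()):
    """Include empty means 'any'; a hit in Exclude always removes the flow."""
    if value in exclude:
        return False
    return not include or value in include


def explorer_search(flows, consumers=None, providers=None, services=None,
                    decisions=None, since=None, mode="and"):
    """consumers/providers/services are dicts with optional 'include' and
    'exclude' collections; a service entry is a (port, proto) tuple.
    mode is 'and' (both endpoints must match) or 'or' (either may match)."""
    consumers, providers, services = consumers or {}, providers or {}, services or {}
    results = []
    for f in flows:
        c_ok = _side_matches(f.consumer, consumers.get("include", ()), consumers.get("exclude", ()))
        p_ok = _side_matches(f.provider, providers.get("include", ()), providers.get("exclude", ()))
        if not ((c_ok and p_ok) if mode == "and" else (c_ok or p_ok)):
            continue
        if not _side_matches((f.port, f.proto), services.get("include", ()), services.get("exclude", ())):
            continue
        if decisions and f.decision not in decisions:   # Reported Policy Decision filter
            continue
        if since and f.seen < since:                    # Time filter
            continue
        results.append(f)
    return results


if __name__ == "__main__":
    hits = explorer_search(FLOWS, consumers={"include": {"web-01", "web-02"}},
                           providers={"include": {"db-01"}},
                           services={"include": {(5432, "tcp")}},
                           since=TIME_PRESETS["day"])
    for h in hits:
        print(f"{h.consumer} -> {h.provider}:{h.port}/{h.proto} {h.decision}")
```

Note how the Exclude side behaves differently from an empty Include: excluding one consumer keeps every other flow to the chosen providers, whereas an Include list keeps only the listed ones. In "or" mode, an endpoint filter that is left empty matches every flow, so the other side is the only restriction.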


Explorer Search Results

The Explorer search results can be displayed in the following formats:

  • Parallel Coordinates: Displays traffic flows as a vertical list of Consumers, Providers, and the port being used in the flows. You can click any item in the results to focus on specific flows. You can also sort the results to view based on port number or number of traffic flows.
  • Table: Displays search results in a traditional table format. This view includes a column named Policy, which indicates whether the flow was allowed, blocked, or potentially blocked based on your policy. A potentially blocked flow means either that no segmentation rule is written for the flow, or that a rule is written for it but the provider workload's enforcement is set to Visibility Only, which does not block traffic.
  • Unmanaged IP Addresses: Displays all connections to or from hosts with unmanaged IP addresses. This view is useful for discovering the IP addresses of hosts that you want to manage with the PCE, either as managed workloads or as unmanaged workloads. You can create unmanaged workloads from this page by selecting one or more of the IP addresses and clicking Create Unmanaged Workloads.
  • Unmanaged FQDNs: Displays all connections from workloads to unmanaged FQDNs.

Flow Collection

In a data center that contains mostly Windows servers, certain types of broadcast and multicast traffic comprise a large percentage of total traffic, which can degrade the functionality and usefulness of the PCE. To resolve this, you can use the PCE web console to set per-org filters or aggregation rules to observe the ongoing traffic in your organization and filter out or aggregate the traffic based on destination address, subnet, protocol, and disposition (unicast, broadcast, or multicast).

You can configure the PCE traffic collector to drop or aggregate certain types of broadcast and multicast traffic based on the following criteria:

  • Destination address (IP address or CIDR block)
  • Destination port/protocol
  • Transmission Type (broadcast or multicast)

NOTE:

Only users with Organization Owner roles can set the Flow Collection.

To set the flow collection:

  1. From the main navigation menu of the PCE web console, click Settings > Flow Collection.
  2. Click Add.
  3. Select the Action:
    • Drop: Select the Transmission type and the Protocol, Destination IP Address (an IP address or CIDR block), and Destination Port that identify the traffic to drop. You can enter only a single port for each filter; multiple ports and port ranges are not supported.
    • Aggregate: The Protocol, Destination IP Address, and Destination Port fields are not supported. Select the Transmission type only.
  4. Select the Transmission type (broadcast or multicast).
  5. After reviewing your selections, click Save.
  6. To edit a filter later, click its row in the Flow Collection Filter page.
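The following added example (not Illumio's code) models what a drop filter and an aggregate filter do to the flow summaries the collector stores, so the effect on a Windows-heavy segment (NetBIOS broadcasts, mDNS and SSDP multicast) is visible before you commit a filter in the console. It also enforces the console's constraints from the steps above: a single numeric port only, and no Protocol, Destination IP Address or Destination Port on an Aggregate filter. The flow record layout, the local subnet used to recognise the subnet broadcast address, and the aggregation key (one record per transmission type, protocol and port) are assumptions made for the example, not a statement of how the PCE stores aggregated flows.

```python
"""Added example (not Illumio's code): apply Flow Collection style drop and
aggregate filters to constructed flow summaries. Record layout, local subnet
and aggregation key are assumptions made for this example."""
from collections import Counter
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/24")   # assumed subnet of the reporting workloads


def transmission_type(dst_ip):
    """Classify a destination address as unicast, broadcast or multicast."""
    ip = ip_address(dst_ip)
    if ip.is_multicast:
        return "multicast"
    if ip == ip_address("255.255.255.255") or ip == LOCAL_NET.broadcast_address:
        return "broadcast"
    return "unicast"


def validate_filter(rule):
    """Mirror the console's constraints; raise ValueError on an invalid filter."""
    if rule.get("action") not in ("drop", "aggregate"):
        raise ValueError("action must be drop or aggregate")
    if rule.get("transmission") not in ("broadcast", "multicast"):
        raise ValueError("transmission must be broadcast or multicast")
    if rule["action"] == "aggregate":
        for key in ("dst_cidr", "dst_port", "proto"):
            if key in rule:
                raise ValueError(f"{key} is not supported for aggregate filters")
    port = rule.get("dst_port")
    if port is not None and not isinstance(port, int):
        raise ValueError("a single numeric port is required; ranges are not supported")
    return rule


def is_valid_filter(rule):
    try:
        validate_filter(rule)
        return True
    except ValueError:
        return False


def _drop_matches(rule, flow):
    """A drop filter matches on transmission type plus any criteria it carries."""
    if transmission_type(flow["dst_ip"]) != rule["transmission"]:
        return False
    if "dst_cidr" in rule and ip_address(flow["dst_ip"]) not in ip_network(rule["dst_cidr"]):
        return False
    if "dst_port" in rule and flow["dst_port"] != rule["dst_port"]:
        return False
    if "proto" in rule and flow["proto"] != rule["proto"]:
        return False
    return True


def collect(flows, rules):
    """Return the records the collector would keep after applying the filters."""
    rules = [validate_filter(r) for r in rules]
    kept, aggregated = [], Counter()
    for f in flows:
        ttype = transmission_type(f["dst_ip"])
        if any(r["action"] == "drop" and _drop_matches(r, f) for r in rules):
            continue                                  # dropped outright
        if any(r["action"] == "aggregate" and r["transmission"] == ttype for r in rules):
            # Assumed aggregation key: transmission type, protocol and port.
            aggregated[(ttype, f["proto"], f["dst_port"])] += f["count"]
            continue
        kept.append(f)
    for (ttype, proto, port), count in aggregated.items():
        kept.append({"transmission": ttype, "dst_port": port, "proto": proto,
                     "count": count, "aggregated": True})
    return kept


SAMPLE_FLOWS = [  # constructed: a Windows segment's chatter plus one real service
    {"dst_ip": "10.0.0.255", "dst_port": 137, "proto": "udp", "count": 40},       # NetBIOS name service
    {"dst_ip": "10.0.0.255", "dst_port": 138, "proto": "udp", "count": 12},       # NetBIOS datagram
    {"dst_ip": "224.0.0.251", "dst_port": 5353, "proto": "udp", "count": 7},      # mDNS
    {"dst_ip": "239.255.255.250", "dst_port": 1900, "proto": "udp", "count": 9},  # SSDP
    {"dst_ip": "239.255.255.250", "dst_port": 1900, "proto": "udp", "count": 4},
    {"dst_ip": "10.0.0.20", "dst_port": 443, "proto": "tcp", "count": 3},         # unicast HTTPS
]
RULES = [
    {"action": "drop", "transmission": "broadcast", "dst_cidr": "10.0.0.255/32", "dst_port": 137, "proto": "udp"},
    {"action": "aggregate", "transmission": "multicast"},
]

if __name__ == "__main__":
    for record in collect(SAMPLE_FLOWS, RULES):
        print(record)
```

Running it shows the trade-off: the NetBIOS name-service broadcasts disappear, the two SSDP records collapse into one with a summed count, and the unicast flow and the unmatched port-138 broadcast are untouched. Because the drop filter takes a single port, a second filter is needed to drop port 138 as well.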

Enforcement Boundaries in Explorer Draft View

Prior to Illumio Core 21.4.0, Enforcement Boundaries weren't reflected in Illumination or Explorer. When you moved a workload into Selective Enforcement mode, the Illumination map displayed a dotted line around the workload but didn't indicate whether an Enforcement Boundary was in place. In Explorer reported view, you could detect that traffic was blocked; however, Explorer did not distinguish between traffic that was blocked because of full enforcement or because an Enforcement Boundary was in place.

In Illumio Core 21.4.0 and later releases, Enforcement Boundaries are displayed in Explorer draft mode. In Explorer, when you view your traffic flows, you see a visual indication whether traffic is blocked by an Enforcement Boundary or allowed through an Enforcement Boundary. Viewing this information in Explorer draft mode is useful to determine where Enforcement Boundaries are in place and understand the impact of the boundaries before provisioning them.

In particular, you can obtain the following information:

  • An Enforcement Boundary is blocking a traffic flow.
  • Traffic is potentially blocked by an Enforcement Boundary.

    An Enforcement Boundary is in place but the workload is still in visibility-only mode. The traffic won't be blocked by the boundary until you move it into selective enforcement mode.

  • An Enforcement Boundary is in place but a rule is allowing traffic through the boundary.

    TIP:

    In the Draft Policy Decision column, click the text for traffic allowed across a boundary (“Allowed”) or blocked by a boundary (“Blocked”) to view the details about the boundary.
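The three states listed above follow a fixed precedence: an allow rule wins over a boundary, a boundary blocks only when the workload is actually in selective enforcement, and in visibility-only mode the boundary is reported as "potentially blocked" rather than enforced. The following added example (not Illumio's code) encodes that precedence for a single flow so the draft decision can be reasoned about before provisioning. Matching is simplified to exact field values with None acting as a wildcard in place of label scopes, and the flows, rules and boundaries are constructed; the case of a selective-enforcement workload with no matching boundary is included on the basis that selective enforcement blocks only traffic a boundary matches.

```python
"""Added example (not Illumio's code): which Explorer draft-view state a flow
falls into given the provider's enforcement mode, the allow rules and the
Enforcement Boundaries. Matching is simplified; all data is constructed."""


def matches(selector, flow):
    """A selector value of None matches anything (stands in for label scopes)."""
    return all(v is None or flow.get(k) == v for k, v in selector.items())


def draft_decision(flow, enforcement, allow_rules, boundaries):
    """enforcement is the provider workload's mode: 'visibility_only',
    'selective' or 'full'. Returns (draft policy decision, reason)."""
    boundary = next((b for b in boundaries if matches(b["match"], flow)), None)
    rule = next((r for r in allow_rules if matches(r["match"], flow)), None)
    if rule is not None:
        # An allow rule always wins; with a boundary in place the flow is
        # shown as allowed through that boundary.
        if boundary is not None:
            return "allowed", f"rule {rule['name']} allows traffic through boundary {boundary['name']}"
        return "allowed", f"rule {rule['name']}"
    if enforcement == "full":
        return "blocked", "no rule allows the flow (full enforcement)"
    if enforcement == "visibility_only":
        # Nothing is blocked yet; Explorer reports what enforcement would do.
        why = f"boundary {boundary['name']} would block it" if boundary else "no rule covers the flow"
        return "potentially_blocked", f"{why}, but the workload is visibility-only"
    if boundary is not None:
        return "blocked", f"boundary {boundary['name']} (selective enforcement)"
    # Selective enforcement only blocks traffic that a boundary matches.
    return "allowed", "no boundary applies (selective enforcement)"


# Constructed sample policy: a boundary that stops all SSH, with one exception.
BOUNDARIES = [{"name": "deny-ssh", "match": {"port": 22, "proto": "tcp"}}]
ALLOW_RULES = [{"name": "bastion-ssh", "match": {"consumer": "bastion", "port": 22, "proto": "tcp"}}]
SSH_FROM_WEB = {"consumer": "web-01", "provider": "db-01", "port": 22, "proto": "tcp"}
SSH_FROM_BASTION = {"consumer": "bastion", "provider": "db-01", "port": 22, "proto": "tcp"}
HTTPS = {"consumer": "web-01", "provider": "db-01", "port": 443, "proto": "tcp"}

if __name__ == "__main__":
    for mode in ("visibility_only", "selective", "full"):
        for flow in (SSH_FROM_WEB, SSH_FROM_BASTION, HTTPS):
            decision, reason = draft_decision(flow, mode, ALLOW_RULES, BOUNDARIES)
            print(f"{mode:16} {flow['consumer']}->{flow['provider']}:{flow['port']}  {decision}: {reason}")
```

Walking the same SSH flow through the three modes reproduces the page's states: potentially blocked in visibility-only, blocked in selective enforcement, and, for the bastion, allowed through the boundary by the rule in every mode.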

Explorer indicates these states with the following icons: