About Illumination Plus

Illumination Plus provides a unique way to reveal the traffic flows in your network and to help you configure policies to secure your applications.

When you open Illumination Plus for the first time, or for the first time in a 24-hour period, the PCE web console displays a landing page with tiles for the different views and a message prompting you to run your first query:

Illumination Plus Views

You can view detailed information about your environment by filtering your traffic flows in the following Illumination Plus views:

  • Table

    Displays details about your traffic flows in columns and rows. Using the Table view, you query the PCE traffic database for historical data that can be used for compliance and audit as well as for policy development. You enter search parameters as plain text and filter results by time period; by ports, protocols, or processes; and by the policy decision recorded for that traffic (for example, allowed, potentially blocked, or blocked).

  • Map

    Graphically visualizes workloads that form logical groups (based on labels attached to workloads) and provides an understanding of the traffic flows between workloads. You select groups in the Map view to view details about that group and develop policy for the workloads in the group.

  • Mesh

    Using vertical axes, displays traffic flows as lists of consumers, providers, and the port being used in the traffic flows. The traffic flows between consumers and providers connect along parallel coordinates. You can sort the results based on port number or the number of traffic flows. Click any item in the results to focus on specific traffic flows.

To switch between views, select the view from the top-right corner of the Illumination Plus page:

Illumination Plus Filters

In all views of Illumination Plus, you can set traffic filters to show or hide elements of your data and focus on what matters most to you. All views allow you to filter by consumer, provider, and service. By default, only the Include filters are shown. To add filters, open the More menu and select the additional filter options:

NOTE:

The filters selected in previous sessions don’t persist unless you’ve added values to them. For example, the Exclusion filters won’t appear by default when you open the page unless you’ve explicitly excluded traffic in the past.

TIP:

To search for traffic flows with a specific policy decision reported by the VENs, select the Show Reported Policy Decision option. This option controls the type of policy decision (allowed, potentially blocked, blocked, or unknown) that the Table and Map views display.

The Consumer and Provider filters include the following query options:

  • Label and Label Groups
  • App Groups
  • Workloads
  • IP Lists
  • IP Address/CIDR Block
  • FQDN
  • Transmission

Using the Search All Categories feature, you don’t have to enter a category first in the filters.

The Label and Label Groups category restricts the Illumination Plus map to only those entities that have the labels you enter in the filters. The filter does not filter the selected group. Only the connected groups are filtered.

From the Service drop-down list, search by port and protocol. You can select a specific protocol, or search across all services.

When you enter text in this filter, the PCE web console gives you the option to select whether that text is a process name or a service. Once selected, the UI specifies which option you chose; for example:

Example Search using Illumination Plus Filters

Before you write policy rules to allow or block traffic between two sets of workloads, you want to determine whether any traffic flows between them already exist. For example, you might want to find traffic from your Development or Testing environments to your Production environments.

Using Illumination Plus you can run, for example, the following query:

Any traffic flows during the last week between my Development and Production environments, over any port except port 80, excluding any workloads that have a Role label named “Domain Controller”

The following steps show how you use the filters for this search and reveal certain traffic flows but not others.

  1. In the PCE web console main menu, choose Illumination Plus.

    The Illumination Plus page appears. To exclude criteria, go to More > Show Exclusion Filters if they don't already appear in the page.

  2. Under Consumer, enter or select the Environment label named “Development” from the Consumer drop-down list.
  3. Under Consumer, enter or select the Role label named “Domain Controller” from the Consumer is not drop-down list.
  4. Under Provider, enter or select the Environment label named “Production” from the Provider drop-down list.
  5. Under Provider, enter or select the Role label named “Domain Controller” from the Provider is not drop-down list.
  6. Under Service, leave the Service field blank (which means “any”) and under Service is not enter “80.”
  7. Under Time, select a period that covers the last week. (Selecting Anytime returns matching flows regardless of when they occurred.)
  8. Click Run.

The flows that match the search criteria appear. The results default to the Table view, but you can select Map from the drop-down list.
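The include/exclude logic of the walkthrough above, as an added Python example; it is not part of the original page or of Illumio's own code. The flows are constructed sample data, and the assumption that several values in one filter field are ORed is mine. The point it makes is that, as entered, the query is directional (Development as consumer, Production as provider), so traffic in the opposite direction needs a second query with the sides swapped:

```python
from datetime import datetime, timedelta, timezone

# Constructed sample flows (not PCE data), shaped loosely like rows in the
# Table view: consumer/provider label sets, port, protocol, last-seen time.
NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)
DAY = timedelta(days=1)
FLOWS = [
    # Development -> Production database: the flow the query should return
    {"consumer": {"env": "Development", "role": "Web"},
     "provider": {"env": "Production", "role": "Database"},
     "port": 5432, "proto": "tcp", "last_seen": NOW - 1 * DAY},
    # port 80 is excluded by "Service is not 80"
    {"consumer": {"env": "Development", "role": "Web"},
     "provider": {"env": "Production", "role": "Web"},
     "port": 80, "proto": "tcp", "last_seen": NOW - 2 * DAY},
    # consumer carries the excluded Role label
    {"consumer": {"env": "Development", "role": "Domain Controller"},
     "provider": {"env": "Production", "role": "Database"},
     "port": 445, "proto": "tcp", "last_seen": NOW - 3 * DAY},
    # provider carries the excluded Role label
    {"consumer": {"env": "Development", "role": "Web"},
     "provider": {"env": "Production", "role": "Domain Controller"},
     "port": 389, "proto": "tcp", "last_seen": NOW - 3 * DAY},
    # same environments, opposite direction: not matched as entered
    {"consumer": {"env": "Production", "role": "Web"},
     "provider": {"env": "Development", "role": "Database"},
     "port": 5432, "proto": "tcp", "last_seen": NOW - 1 * DAY},
    # matches every label/service criterion but is older than one week
    {"consumer": {"env": "Development", "role": "Web"},
     "provider": {"env": "Production", "role": "Database"},
     "port": 5432, "proto": "tcp", "last_seen": NOW - 30 * DAY},
]

# The query from the walkthrough, expressed as include/exclude criteria.
# An empty include list means "any"; a service of (port, None) means any protocol.
QUERY = {
    "consumer":     [("env", "Development")],
    "consumer_not": [("role", "Domain Controller")],
    "provider":     [("env", "Production")],
    "provider_not": [("role", "Domain Controller")],
    "service":      [],
    "service_not":  [(80, None)],
    "since":        NOW - 7 * DAY,
}


def labels_match(labels, criteria):
    """True if the label set satisfies any one of the (key, value) criteria.
    Assumption: multiple values in one filter field are ORed."""
    return any(labels.get(key) == value for key, value in criteria)


def service_match(flow, criteria):
    return any(flow["port"] == port and (proto is None or flow["proto"] == proto)
               for port, proto in criteria)


def run_query(flows, query):
    """Apply the time window, include filters and exclude filters; return hits."""
    hits = []
    for flow in flows:
        if flow["last_seen"] < query["since"]:
            continue
        if query["consumer"] and not labels_match(flow["consumer"], query["consumer"]):
            continue
        if labels_match(flow["consumer"], query["consumer_not"]):
            continue
        if query["provider"] and not labels_match(flow["provider"], query["provider"]):
            continue
        if labels_match(flow["provider"], query["provider_not"]):
            continue
        if query["service"] and not service_match(flow, query["service"]):
            continue
        if service_match(flow, query["service_not"]):
            continue
        hits.append(flow)
    return hits


def swap_direction(query):
    """The same criteria with consumer and provider sides exchanged: the second
    query you need to see traffic in both directions."""
    swapped = dict(query)
    swapped["consumer"], swapped["provider"] = query["provider"], query["consumer"]
    swapped["consumer_not"], swapped["provider_not"] = query["provider_not"], query["consumer_not"]
    return swapped


if __name__ == "__main__":
    for flow in run_query(FLOWS, QUERY) + run_query(FLOWS, swap_direction(QUERY)):
        print(flow["consumer"], "->", flow["provider"], flow["port"], flow["proto"])
```

Run as entered, the query returns only the Development-to-Production database flow; the Production-to-Development flow on the same port appears only in the swapped query. Excluding a label on both the consumer and the provider side, as steps 3 and 5 do, is what keeps the domain controllers out of the result in either role.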

Query Results in Illumination Plus

In all Illumination Plus views, the PCE limits the number of connections you can load per page in the PCE web console to 10,000. You can’t load your total number of connections in a single page. To handle this limitation, the PCE web console displays your connections in paginated results. To view all connections, you can paginate through your query results. For example, when you run a query that returns 200,000 traffic flows, you can paginate through your data to see all traffic flows.

To configure the maximum number of connections per page:

  1. From the PCE web console main menu, choose Illumination Plus.
  2. From any Illumination Plus view, choose More > Results Settings. The Results Settings dialog box appears.

  3. Specify the maximum number of connections to display per page:

    In the Displayed in Explorer field, configure the maximum number of results that can be retrieved from the PCE database and displayed per page in all views.

    In the Returned from Database field, configure the maximum number of results retrieved from the database. This setting applies when the PCE is part of a Supercluster.

    In a Supercluster, a query run on the leader PCE can return 200,000 results for each PCE in the Supercluster, including the leader. For example, in a Supercluster with four regions, the maximum results is 800,000, and in a standalone PCE, it is 200,000. When logged into a member PCE on a Supercluster, the limits are the same as for any SNC or MNC. In every case, the maximum number of results that can be shown in the PCE web console is 100,000 results. If more than 100,000 results are retrieved, the full results are available as a downloaded CSV file, and the first 100,000 are available in the PCE web console.

    For more information about PCEs in a Supercluster configuration, see the PCE Supercluster Deployment Guide.

Load Results in Illumination Plus

As you run searches, the PCE caches your queries and saves the results for 24 hours. Because results are served from the cache, Illumination Plus pages display quickly. To view and access your cached queries, click Load Results at the top-right corner of the page. The Results page appears.

The load results process runs in the background to increase the speed at which view pages display. Using this feature is optional, though recommended.

Selecting a view from the drop-down menu doesn’t reload your data. Instead, the PCE web console switches immediately to that view.

Asynchronous Queries

You can run asynchronous queries for your filters. You first set up your filters and then run an asynchronous query.

Asynchronous queries allow you to initiate multiple queries in parallel and view their results later. Going offline during a query does not lose the results: whether you remain online or go offline, the results of asynchronous queries are preserved for 24 hours. While a query is in progress, you can work in other areas of the product. The results can be exported to a comma-separated-value (.CSV) file or displayed in the PCE web console. Depending on the size of the query, the results might take time to display.

Illumination Plus enables you to run multiple queries and allows you to change or retain the default file name for exported results.

  • Multiple Queries: You can run multiple queries, including running some in the background.
    • If there is only one query, the results of that query will display when the query completes.
    • If there are multiple queries, you can select the result that you want to view by clicking the number beside the Load Results button.
    • If identical queries are run within a minute of each other, only one query will be processed. The results of the oldest query will be displayed.
  • Default File Name: The system assigns a default file name based on your query field names (Consumer, Service, or Provider) in the filter. The exported file will have the same name.
    • Giving filters a unique name will help you identify your filters when you want to rerun a query. This name will also appear as your report name.
    • You can also specify or change a filter name as needed.
Handling Duplicate Flows in Queries

NOTE:

A database query that spans multiple days can contain duplicate rows for a flow that recurs across those days.
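One way to collapse those per-day repeats before analysing or reporting on a multi-day result, as an added Python example that is not part of the original page or of Illumio's code. The rows are constructed sample data with column names chosen for the example, not the PCE's export format. The design point is the flow key: the policy decision stays part of it, so a flow that was blocked one day and allowed the next (for instance, after a rule was provisioned) is not silently merged into a single allowed row.

```python
# Constructed sample rows (not PCE data) from a query spanning three days.
# The same connection shows up once per day it was seen, so the raw result
# has more rows than there are distinct flows.
ROWS = [
    {"consumer": "10.0.1.5", "provider": "10.0.2.9", "port": 443, "proto": "tcp",
     "decision": "allowed", "day": "2024-05-13", "connections": 12},
    {"consumer": "10.0.1.5", "provider": "10.0.2.9", "port": 443, "proto": "tcp",
     "decision": "allowed", "day": "2024-05-14", "connections": 7},
    {"consumer": "10.0.1.5", "provider": "10.0.2.9", "port": 443, "proto": "tcp",
     "decision": "allowed", "day": "2024-05-15", "connections": 3},
    # same endpoints and port, but a different decision: kept as its own row,
    # because it records what happened before or after a policy change
    {"consumer": "10.0.1.5", "provider": "10.0.2.9", "port": 443, "proto": "tcp",
     "decision": "blocked", "day": "2024-05-14", "connections": 2},
    {"consumer": "10.0.1.6", "provider": "10.0.2.9", "port": 22, "proto": "tcp",
     "decision": "potentially_blocked", "day": "2024-05-15", "connections": 1},
]

KEY_FIELDS = ("consumer", "provider", "port", "proto", "decision")


def flow_key(row):
    """Identity of a flow across days: endpoints, port/protocol and the policy
    decision. Dropping 'decision' from the key would merge a blocked flow into
    an allowed one and hide the change."""
    return tuple(row[f] for f in KEY_FIELDS)


def merge_duplicate_flows(rows):
    """Collapse per-day repeats of the same flow into one record that keeps the
    first and last day seen, the number of days, and the summed connections."""
    merged = {}
    for row in rows:
        key = flow_key(row)
        rec = merged.get(key)
        if rec is None:
            rec = {f: row[f] for f in KEY_FIELDS}
            rec.update(first_seen=row["day"], last_seen=row["day"],
                       days_seen=0, connections=0)
            merged[key] = rec
        # ISO-8601 dates compare correctly as strings
        rec["first_seen"] = min(rec["first_seen"], row["day"])
        rec["last_seen"] = max(rec["last_seen"], row["day"])
        rec["days_seen"] += 1
        rec["connections"] += row["connections"]
    return list(merged.values())


if __name__ == "__main__":
    for rec in merge_duplicate_flows(ROWS):
        print(rec)
```

The five sample rows collapse to three records: one allowed flow seen on three days with 22 connections in total, the blocked flow on the same port kept separate, and the single SSH flow unchanged.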

Run Asynchronous Queries

Asynchronous job queries are easy to initiate and can be run in parallel, which means that before the first query completes, a second query can be initiated. In the following example, two queries are initiated: the first, with Production-only entries, and the second, with Production and Staging entries.

To run an asynchronous query:

  1. From the PCE web console main menu, choose Illumination Plus.
  2. Enter your query criteria in the fields. If you want to exclude criteria, browse to More > Show Exclusion Filters.

    You can enter a Consumer, Provider, or Service; for this example, it is enough to enter Production in the Provider field.

  3. Click Run to begin the query process.
  4. In the confirmation dialog box, click Hide.
  5. Enter the next search criteria based on a new Provider; for example, Production and Staging.

    Because queries run asynchronously, a number appears next to the Load Results button, indicating the number of queries currently being processed.

    NOTE:

    Depending on the size of the queries, your second query could complete before your first query.

    You will see the results of your two queries, one with Production-only entries and a second with Production and Staging entries.

  6. At any time, you can click the Load Results button to view which queries were run.

    Viewing results from past queries does not re-initiate a query; it displays the cached results. When you select a result, the filters change to match that query and its results are displayed.

Global Queries for Superclusters

Global queries leverage the capabilities of asynchronous job queries for every region in a Supercluster. When you have a Supercluster and you initiate a query from the Supercluster leader, the Illumination Plus Table view displays results from all its PCE members. Queries run from a Supercluster member only show flows reported by VENs paired to that member.

NOTE:

In a Supercluster, a query run on the leader PCE can return 200,000 results for each PCE in the Supercluster, including the leader. For example, in a Supercluster with four regions, the maximum is 800,000, and in a stand-alone PCE, it is 200,000.

When logged in to a member PCE on a Supercluster, the limits are the same as for any SNC or MNC. In every case, the maximum number of results that can be shown in the PCE web console is 100,000 results. If more than 100,000 results are retrieved, the full results are available as a downloaded CSV file, and the first 100,000 are available in the PCE web console.

View Menu in Illumination Plus

IMPORTANT:

The View menu only appears when you are in the Illumination Plus Table and Map views. The Mesh view always displays traffic flows based on the Reported view. You cannot switch to the Draft view for the Mesh.

Using the View menu, you configure how the PCE web console displays your traffic data. The options on this menu are unaffected by how you've grouped traffic in your Map or Table views. This menu provides flexibility in how you see the connections between your groups.

From the View menu, select the following options:

  • Reported View

    For a description, see Reported View.

  • Draft View Options – All, Allowed, Potentially Blocked, Blocked

    In the Draft view, you can choose all connections, or filter by the policy state (allowed, potentially blocked, or blocked). For a description, see Draft View.

  • Quick Draft Rules

    Provides a fast way to analyze your environment and display results in your views because it determines policy decisions based on label-set rules only.

  • Deep Rule Analysis

    Returns rules that the Quick Draft Rules option does not detect, but displays results more slowly because of the deeper analysis of rulesets. This option finds rules written directly for individual workloads rather than by label. It can also combine two rules that use IP lists: for example, workload A has a rule allowing connections to the IP addresses in an IP list (IP list B), and IP list B has a rule allowing connections to workload C. Deep analysis shows when such rules together allow workload A to connect to workload C.

  • Refresh Draft Policy

    If you’ve written rules since the draft policy was last calculated, you can force the PCE web console to refresh it.

Reported View

The Reported view visualizes your policy coverage as reported by your workloads, so that you can examine the current state of your provisioned policy. This view provides visibility for the actual traffic handling (rather than the expected traffic handling provided by the Draft view) and loads more quickly, especially when you have a large number of workloads and traffic flows. The Reported view helps you to understand your traffic patterns.

The Reported view is a read-only view. You can view all the rulesets that apply to the workloads from the Reported view, but you must change to the Draft view to add rules. The Reported view does not immediately reflect the latest changes to the policy. It is updated only after you provision a change to the policy and when new traffic flows that use the updated policy are reported from the VEN.

The Reported and Draft views handle unmanaged workloads differently. In Draft view, rule coverage (the connections that have been included in draft rules) has limited support for traffic between unmanaged workloads. The Reported view always provides accurate rule coverage for traffic between unmanaged workloads.

For each flow with a unique port/protocol, if there is a policy service created for that port/protocol, the name of that policy service displays, in addition to the names of the actual services that reported the flows. The Reported view shows reported rule coverage for the latest reported flow with that port/protocol in the right side panel.

Different services can be running on the same port at different times or on different interfaces. The Reported view shows reported rule coverage of each flow separately, as well as its timestamp. In both cases, the Draft view shows the calculated rule coverage for traffic. For Windows, it looks at the port, protocol, the process name (but not the process path), and the Windows service name. For Linux, it looks at only the port and protocol.

Reported View (Table)

Reported View (Map)

Draft View Options

The Draft view immediately visualizes the potential impact of your draft policy. This view helps provide an understanding of the expected traffic handling (rather than the actual traffic handling provided by the Reported view) and considers both recently provisioned policy and draft policy. The Draft view can take longer to load than the Reported view, especially when you have a large number of workloads and traffic flows, since the PCE has to compute the expected coverage for each traffic flow.

In Draft view, you can either view the rule that would permit traffic or add a rule to allow a specific flow. In this view, you can immediately see the impact of the latest changes to the active or draft policy.

Draft View (Table)

Draft View (Map)

Limitations of Draft View

The Draft view is the result of a “what-if” analysis conducted by the PCE. It is a modeling tool that depicts whether flows known to the PCE will be allowed or blocked, based on the configured policy. The modeling might not work entirely correctly for the following types of rules configured on the PCE: 

  • Process-based rules: Process-based rules are written using the process name or service name that sends or receives the traffic on the workload.
  • User-based rules: User-based rules allow administrators to leverage the Microsoft Active Directory User Groups to control access to computing resources.
  • Custom iptables rules: Custom iptables rules are configured on each workload and can include processes that are not known to the PCE.
  • System rules: The VEN has implicit rules to permit necessary traffic (for example, rules permitting DHCP and DNS outbound traffic on the workload).

In most cases, the Reported view provides an accurate representation of what will be allowed or blocked by the VEN, so the Reported view should be used to verify your changes.

Customize Columns

In the following Illumination Plus tables, you can customize the columns from the default display:

  • Table view
  • Map view > Connections tab
  • Map view > Workloads tab

Columns in these areas are customizable from the Customize columns menu. Most columns can be further customized by setting what data will appear within that column. Hover over the up and down arrows to the left of a column checkbox and select or deselect data within that column:

Customizing the columns that appear in the Tables does not impact how you create your rules or the data that they contain.

How Illumination Plus Works with FQDNs

Illumination Plus maps outbound connections from workloads to unknown IP addresses onto fully qualified domain names (FQDNs) or DNS-based names. For example, Illumination Plus can show that a workload's outbound connections go to maps.google.com rather than to hundreds of different IP addresses. The VEN reports the FQDNs to the PCE in its flow summaries. The VEN learns them by snooping the DNS responses received on the workload, so the name shown for an IP address is the one the workload itself resolved, as seen from that workload.

The Illumination Plus Map visualizes the workloads that form logical groups (based on labels attached to workloads) and provides an understanding of the traffic flows between workloads.