Xpress Visualization Tools Reported and Draft Views

The Illumio Xpress visualization tools provide two views into your organization: Reported and Draft.

Reported View

The Reported view visualizes your policy coverage as reported by your workloads, so you can examine the current state of your provisioned policy. This view displays the traffic using red, orange, or green lines to indicate whether the VEN had a rule that allows the traffic when the connection was attempted.  

  • A green line indicates that the VEN had an explicit rule to allow the traffic when the connection was attempted.
  • A red line indicates that the VEN did not have an explicit rule to allow the traffic when the connection was attempted.
  • An orange line indicates that no explicit rule exists, but because of the enforcement state of the workloads, the traffic is not blocked when provisioned.

NOTE:

When a policy change occurs, only flows that are created after the policy change are displayed in red or green based on the new policy. Flows created before the policy change might continue to be displayed in red or green using the old policy.

If multiple rules allow traffic between entities, only one green line is displayed.

This view provides visibility for the actual traffic handling (rather than the expected traffic handling provided by the Draft view) and loads more quickly, especially when you have a large number of workloads and traffic flows.

Rules created for existing or live traffic don't change the color of the traffic lines in the Reported view, even when they are provisioned, until new traffic is detected.

The Reported view is a view-only map. You can view all the rulesets that apply to the workloads from the Reported view but you must change to the Draft view to add rules. The Reported view does not immediately reflect the latest changes to the policy. It is updated only after you provision a change to the policy and when new traffic flows that use the updated policy are reported from the VEN.

Reported and Draft view handle unmanaged workloads differently. In Draft view, rule coverage (the connections that have been included in draft rules) has limited support for traffic between unmanaged workloads. The Reported view always provides accurate rule coverage for traffic between unmanaged workloads.

The Reported view helps you to understand your traffic patterns. If you click the View Rulesets link, the Rulesets page displays.

For each flow with a unique port/protocol, if a policy service has been created for that port/protocol, the name of that policy service is displayed in addition to the names of the actual services that reported the flows. The Reported view shows reported rule coverage for the latest reported flow with that port/protocol in the command panel.

Different services can be running on the same port at different times or on different interfaces. The Reported view shows reported rule coverage of each flow separately, as well as its timestamp. In both cases, the Draft view shows the calculated rule coverage for traffic. For Windows, it looks at the port, protocol, the process name (but not the process path), and the Windows service name. For Linux, it looks at only the port and protocol.

Draft View

The Draft view immediately visualizes the potential impact of your draft policy. This view displays the traffic using red or green lines to indicate whether the PCE has a rule to allow the connection that was reported by the VEN. This way, you can add rules and see their anticipated effect in real time before the rules are implemented. Specifically:

  • A green line indicates that the PCE had an explicit rule (in either a draft or an active policy) to allow traffic when the connection was attempted.
  • A red line indicates that the PCE did not have an explicit rule (in either a draft or an active policy) to allow traffic when the connection was attempted.
  • An orange line indicates that no explicit rule exists, but because of the enforcement state of the workloads, the traffic will not be blocked when the rules are provisioned.

This view helps provide an understanding of the expected traffic handling (rather than the actual traffic handling provided by the Reported view) and considers both recently provisioned policy and draft policy. This map can take longer to load than the Reported view, especially if you have a large number of workloads and traffic flows, since the PCE has to compute the expected coverage for each traffic flow.

In Draft view, you can either view the rule that would permit traffic (turning the color of the line from red to green) or add a rule to allow a specific flow. In this view, you can immediately see the impact of the latest changes to the active or draft policy as they are reflected in the color of the traffic lines.

Limitations of Draft View

The Draft view is the result of a “what-if” analysis conducted by the PCE. It is a modeling tool that depicts whether flows known to the PCE will be allowed or blocked, based on the configured policy. The modeling might not work entirely correctly for the following types of rules configured on the PCE: 

  • Process-based rules: Process-based rules are written using the process name or service name that sends or receives the traffic on the workload.
  • User-based rules: User-based rules allow administrators to leverage the Microsoft Active Directory User Groups to control access to computing resources.
  • Custom iptables rules: Custom iptables rules are configured on each workload and can include processes that are not known to the PCE.
  • System rules: The VEN has implicit rules to permit necessary traffic (for example, rules permitting DHCP and DNS outbound traffic on the workload).

In most cases, the Reported view provides an accurate representation of what will be allowed or blocked by the VEN, so the Reported view should be used to verify your changes.

Changing Views

You can switch between the two views by selecting the view from the top right corner of the Illumio Xpress UI.

NOTE:

For optimal scale and performance, if there are two connections with the same source workload, destination workload, destination port, and protocol but the process or service names are different, the two connections are combined in the map. The process or service name that was part of the most recently reported connection is displayed.
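The following is an added worked example, not Illumio code, that models the behaviour described on this page so you can reason about what the Draft map will show before provisioning: a line is green when an explicit rule matches the flow, orange when no rule matches but the workload's enforcement state means the traffic is not blocked, and red otherwise; on Windows the match considers port, protocol, process name (not path) and Windows service name, on Linux only port and protocol; and flows with the same source, destination, port and protocol are merged, keeping the process or service name of the most recently reported one. The `Flow`/`Rule` classes, the enforcement-mode names, the simplification that only the destination workload's enforcement state decides blocking, and all sample data are assumptions constructed for the example.

```python
"""Toy model of Draft-view line coloring and flow aggregation.

Constructed example: the data classes, rule shape, enforcement-mode names
("full" vs. anything else) and the sample flows are assumptions, not
Illumio's implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int, str]  # (src, dst, port, proto)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str
    ts: int                        # constructed timestamp; larger = more recent
    process: Optional[str] = None  # process name only (no path)
    service: Optional[str] = None  # Windows service name
    os: str = "linux"              # "linux" or "windows" (destination workload)


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    proto: str
    process: Optional[str] = None  # None means "any process"
    service: Optional[str] = None  # None means "any Windows service"


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Draft-view match keys: port/protocol everywhere; process and Windows
    service name are only considered for Windows workloads."""
    if (rule.src, rule.dst, rule.port, rule.proto) != (flow.src, flow.dst, flow.port, flow.proto):
        return False
    if flow.os == "windows":
        if rule.process is not None and rule.process != flow.process:
            return False
        if rule.service is not None and rule.service != flow.service:
            return False
    # Linux: process qualifiers are ignored by the model (port and protocol only),
    # which is why process-based rules are listed as a Draft-view limitation.
    return True


def draft_color(flow: Flow, rules: List[Rule], enforcement: Dict[str, str]) -> str:
    """Return 'green', 'orange' or 'red' for one flow in the Draft view."""
    if any(rule_matches(r, flow) for r in rules):
        return "green"
    # Assumption: traffic is only blocked when the destination workload is in
    # "full" enforcement; any other state leaves unmatched traffic unblocked.
    if enforcement.get(flow.dst, "visibility") != "full":
        return "orange"
    return "red"


def merge_flows(flows: List[Flow]) -> Dict[FlowKey, Flow]:
    """Combine flows that share src, dst, port and proto; the most recently
    reported flow (and therefore its process/service name) wins."""
    merged: Dict[FlowKey, Flow] = {}
    for f in sorted(flows, key=lambda f: f.ts):
        merged[(f.src, f.dst, f.port, f.proto)] = f
    return merged


def draft_map(flows: List[Flow], rules: List[Rule],
              enforcement: Dict[str, str]) -> Dict[FlowKey, Tuple[str, Optional[str]]]:
    """Merged map lines: key -> (color, displayed process name)."""
    return {k: (draft_color(f, rules, enforcement), f.process)
            for k, f in merge_flows(flows).items()}


# Constructed sample data (not from any real environment).
SAMPLE_RULES = [
    Rule("web", "db", 3306, "tcp"),                     # plain port/proto rule
    Rule("web", "win-app", 443, "tcp", process="nginx.exe"),  # Windows process rule
]
SAMPLE_ENFORCEMENT = {"db": "full", "win-app": "full", "app": "visibility"}
SAMPLE_FLOWS = [
    Flow("web", "db", 3306, "tcp", ts=1, process="mysqld"),
    Flow("web", "db", 3306, "tcp", ts=5, process="mariadbd"),   # same key, newer
    Flow("web", "db", 22, "tcp", ts=2, process="sshd"),
    Flow("web", "app", 22, "tcp", ts=3, process="sshd"),
    Flow("web", "win-app", 443, "tcp", ts=4, process="other.exe", os="windows"),
]

if __name__ == "__main__":
    for key, (color, proc) in draft_map(SAMPLE_FLOWS, SAMPLE_RULES, SAMPLE_ENFORCEMENT).items():
        print(key, color, proc)
```

Running the block prints one line per merged flow key; the two `web -> db:3306` flows collapse into a single green line labelled with the newer process name, the unmatched flow to the fully enforced `db` is red, the unmatched flow to `app` (not in full enforcement) is orange, and the Windows flow is red because the process name does not match the process-based rule.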