Introduction to Cisco Secure Workload, SaaS Release 3.10.1.1
The Cisco Secure Workload platform, formerly branded as Cisco Tetration, is designed to provide comprehensive workload security by establishing a micro perimeter around every workload. The micro perimeter is available across your on-premises and multicloud environment using firewall and segmentation, compliance and vulnerability tracking, behavior-based anomaly detection, and workload isolation. The platform uses advanced analytics and algorithmic approaches to offer these capabilities.
This document describes the features, bug fixes, and behavior changes, if any, in Cisco Secure Workload, Release 3.10.1.1.
Release Information
Version: 3.10.1.1
Date: December 09, 2024
New Software Features in Cisco Secure Workload, SaaS Release 3.10.1.1
Feature Name | Description |
---|---|
Product Evolution | |
AI Policy Statistics | The AI Policy Statistics feature in Cisco Secure Workload employs a new AI engine to track and analyze policy performance trends over time. This functionality is crucial for users, offering insights into policy effectiveness and facilitating efficient audits. With detailed statistics and AI-generated conditions like No Traffic, Overshadowed, and Broad, users can identify and address policies requiring attention. The AI Suggest feature further refines policy precision by recommending optimal adjustments based on current network flows. This comprehensive toolset is vital for maintaining a strong security posture, optimizing policy management, and aligning security measures with organizational goals. For more information, see AI Policy Statistics. |
AI Policy Discovery support for Inclusion Filters | AI Policy Discovery (ADM) inclusion filters are used to whitelist the flows used in ADM runs. You can create inclusion filters that match only the required subset of flows after ADM is enabled. For more information, see Policy Discover Flow Filters. |
New skin for Secure Workload UI | Secure Workload UI has been re-skinned to match the Cisco Security design system. There has been no change to the workflows; however, some of the images or screenshots used in the user guide may not fully reflect the current design of the product. We recommend using the user guide(s) in conjunction with the latest version of the software for the most accurate visual reference. |
OpenAPI 3.0 Schema | Partial OpenAPI 3.0 schema for APIs is now available for users. It contains about 250 operations covering users, roles, agent and forensic configs, policy management, label management and more. It can be downloaded from the OpenAPI site without authentication. For more information, see OpenAPI/schema at https://{FQDN}/openapi/v1/schema.yaml. |
Hybrid Multicloud Workloads | |
Enhanced the UI of the Azure Connector and the GCP Connector | Revamped and simplified the workflow of the Azure and GCP connectors with a configuration wizard that provides a single pane view for all projects or subscriptions of Azure and GCP connectors. For more information, see Cloud Connectors. |
New Alert Connectors for Webex and Discord | New alert connectors for Webex and Discord have been added to the alerts framework in Secure Workload. Secure Workload can now send alerts to Webex rooms; configure the connector to support this integration. Discord is another widely used messaging platform, and integration with it is now supported for sending Cisco Secure Workload alerts. For more information, see Webex and Discord Connectors. |
Platform Enhancement | |
Service Mesh Support | Secure Workload provides comprehensive visibility and segmentation capabilities for all applications running within Kubernetes or OpenShift clusters that have Istio or OpenShift Service Mesh enabled on them. For more information, see Secure Workload for Visibility/Enforcement with Istio/OpenShift Service Mesh. |
Enhanced Network Telemetry with eBPF Support | The Secure Workload Agent now leverages eBPF to capture network telemetry. This enhancement is available on the following operating systems for the x86_64 CPU architecture: |
Secure Workload Agent Support | |
Agent Enforcement | Secure Workload agents now support policy enforcement for Solaris shared-IP zones. Enforcement is managed by the agent in the global zone, ensuring centralized control and consistent policy application across all shared-IP zones. |
Flow Visibility | When agents are not connected to a cluster, they can still capture and store data flows. These flows are now marked with a watch symbol in the Flow Start Time column on the Flow page. |
Agent Configuration Profile | You can now disable the deep packet inspection feature of Secure Workload Agent that includes TLS information, SSH information, FQDN discovery, and Proxy flows. |
Changes in Behavior in Cisco Secure Workload, SaaS Release 3.10.1.1
- The AIX Agent now includes a Cisco-provided IPFilter kernel extension. During the transition from enforcement off to on, the agent will unload and uninstall any non-Cisco IPFilter and then load the Cisco IPFilter extension.
- When the Data Plane is disabled in the Agent Configuration profile, the agent will cease both reporting flows and processing network packets. However, flows that are denied or blocked by Secure Workload policies will continue to be reported.
Enhancements in Cisco Secure Workload, SaaS Release 3.10.1.1
- Secure Workload agents support Kubernetes (K8) RHEL 8 worker nodes.
- Secure Workload now provides support for enforcing pod policies in OpenShift using Open Virtual Network (OVN) as the Container Network Interface (CNI).
- The Solaris Agent now supports simultaneous installation on both global and non-global Solaris zones.
- Secure Workload now supports enforcing domain-based policies on flows served via HTTP Proxy on AIX.
- The Cisco SSL component of the Secure Workload Agent has been upgraded to version 1.1.1y.7.2.569.
- The Secure Connector client has been updated to support AlmaLinux 8.8, Rocky Linux 9.2, and RHEL 9.0.
- Kubernetes versions up to 1.31 are supported for vanilla installations for visibility and enforcement.
- Managed Cloud Kubernetes versions up to 1.31 are supported for both Azure AKS and Amazon EKS.
- Support has been added for Red Hat OpenShift versions 4.16 and 4.17.
- The agent registration, configuration, and metadata endpoints are now more scalable, leading to better performance and efficiency.
- Product security has been enhanced through the modernization of the infrastructure stack.
- A few backend storage components were transitioned to a cloud-based service, thereby enhancing both reliability and scalability.
Resolved and Open Issues
The resolved and open issues for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about issues and vulnerabilities in this product and other Cisco hardware and software products.
Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, register for an account.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Resolved Issues
| Identifier | Headline |
|---|---|
| | IP fragments are not handled correctly by ipfilter on AIX |
| | AIX: tet-main process cannot be started and generates core |
| | High CPU utilization in Windows agents due to no CPU Limits |
| | Agent may stop checking in after host reboot if temp dir does not exist |
| | Continuous policy deviation possible in k8s environment |
| | Large ipsets cause container enforcer to fail to program policy |
| | Secure Workload logs API tokens to internal DB |
| | Unable to view or download more than 5K in Policy Analysis |
| | Possible policy deviation with Preserve Rules ON |
| | Possible continuous policy deviation in k8s environment |
| | LDAP attribute in ISE connector being set as other label source |
| | Flows not received from Secure Client endpoint and Connector |
| | Unexpected tet-sensor version and crashes on Solaris SPARC |
Open Issues
| Identifier | Headline |
|---|---|
| | Azure Enforcement does not work if flow logs are configured and more than 100 VMs are in the VPC |
| | Identity Connector: Azure Active Directory only first 20 groups per user are ingested |
| | Azure Kubernetes AKS connector does not work with non-local accounts configuration |
| | Amazon Elastic Kubernetes Service (EKS) connector does not work with EKS-API-only access config |
| | ADM port and pid mapping is missing for some ports |
| | Scope & Inventory Page: Scope Query: returns incorrect results |
| | Threat Intelligence Summary NOT visible to 'Tenant Owner' |
| | Forensics historical events suddenly go missing |
| | Online documentation does not include all of the API attributes that are returned |
| | Cisco Vulnerabilities Workloads Multiple selections across pages does not work in the UI |
| | Agent Script Installer for Azure Kubernetes Service may fail for larger clusters |
| | Agent Script Installer for GKE Kubernetes platform in Google Cloud fails to install |
Additional Information for Secure Workload
Information | Description |
---|---|
Compatibility Information | For information about supported operating systems, external systems, and connectors for Secure Workload agents, see the Compatibility Matrix. |
Scalability Limits | For information about the SaaS scalability limits, see Cisco Secure Workload Deployment models and scale. |
Related Resources
Contact Cisco Technical Assistance Centers
If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:
- Email Cisco TAC: tac@cisco.com
- Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447
- Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts