This document describes the new features, caveats, and limitations for Cisco Secure Workload software, release 3.6.x.
The Cisco Secure Workload platform, formerly branded as Cisco Tetration, is designed to provide comprehensive workload security by establishing a micro perimeter around every workload across your on-premises and multi-cloud environment using firewalling and segmentation, compliance and vulnerability tracking, behavior-based anomaly detection, and workload isolation. The platform uses an advanced analytics and algorithmic approach to offer these capabilities. This solution supports the following capabilities:
-
Automatically generated micro-segmentation policies resulting from comprehensive analysis of application communication patterns and dependencies.
-
Dynamic label-based policy definition with a hierarchical policy model to deliver comprehensive controls across multiple user groups with role-based access control
-
Consistent policy enforcement at scale through distributed control of native operating system firewalls and infrastructure elements like ADCs (Application Delivery Controllers) and physical or virtual firewalls
-
Near real-time compliance monitoring of all communications to identify and alert against policy violation or potential compromise.
-
Workload behavior baselining and proactive anomaly detection.
-
Common vulnerability detection with dynamic mitigation and threat-based workload isolation.
The following table shows the changed history for the releases:
|
Date |
Description |
|---|---|
|
February 02, 2023 |
Release 3.6.1.52 is introduced. |
|
May 26, 2022 |
Release 3.6.1.36 is introduced. |
|
March 10, 2022 |
Release 3.6.1.21 is introduced. |
|
February 14, 2022 |
Release 3.6.1.17 is introduced. |
|
October 29th, 2021 |
Release 3.6.1.5 is introduced. |
Compatibility Information
Release 3.6.1.36
|
OS |
Flavors |
|---|---|
|
New Agents Operating System Support |
Ingest Appliances
|
|
Agents |
Agents on Windows beyond 2008R2 now use NPCAP version 1.55 |
Release 3.6.1.21
|
OS |
Flavors |
|---|---|
|
No changes to the software in this release. |
– |
Release 3.6.1.17
|
OS |
Flavors |
|---|---|
|
Secure Workload Agent Installer |
Secure Workload agent installer will now permit installation on any minor Linux distribution release where the major release is supported. Support for Linux minor releases is now extended through support of the corresponding major release. Supported operating system versions are documented on Platform Information on Cisco.com. |
The software agents in the 3.6.1.5 release support the following operating systems (virtual machines and bare-metal servers) for micro-segmentation (deep visibility and enforcement). A per-version list is always accessible through the Platform Information page.
Release 3.6.1.5
|
OS |
Flavors |
|---|---|
|
Linux |
|
|
Linux on IBM Z |
|
|
Windows Server (64-bit) |
|
|
Windows VDI desktop Client |
|
|
IBM AIX operating system |
|
|
Container host OS version for policy enforcement |
|
|
Operating System support |
The 3.6.1.5 release supports the following operating systems for deep visibility use cases only:
The 3.6.1.5 release supports the following operating systems for the universal visibility agent:
The 3.6.1.5 release no longer supports the following operating systems for any software agent:
|
The 3.6.1.5 release deprecates supports the following Cisco Nexus 9000 series switches in NX-OS and Cisco Application Centric Infrastructure (ACI) mode. If you are using HW sensors, please plan a migration to NetFlow as an alternative source:
Previously Supported Cisco Nexus 9000 Series Switches in NX-OS and ACI Mode (deprecated in 3.6.1.5, see changes in behavior section).
|
Product line |
Platform |
Minimum Software Release |
|---|---|---|
|
Cisco Nexus 9300 platform switches (NX-OS mode) |
Cisco Nexus 93180YC-EX, 93108TC-EX, and 93180LC-EX |
Cisco NX-OS Release 9.2.1 and later |
|
Cisco Nexus 93180YC-FX, 93108TC-FX, and 9348GC-FXP |
Cisco NX-OS Release 9.2.1 and later |
|
|
Cisco Nexus 9336C-FX2 |
Cisco NX-OS Release 9.2.1 and later |
|
|
Cisco Nexus 9300 platform switches (ACI mode) |
Cisco Nexus 93180YC-EX, 93108TC-EX, and 93180LC-EX |
|
|
Cisco Nexus 93180YC-FX, 93108TC-FX |
Cisco ACI Release 3.1(1i) and later |
|
|
Cisco Nexus 9348GC-FXP |
Cisco ACI Release 3.1(1i) and later |
|
|
Cisco Nexus 9336C-FX2 |
Cisco ACI Release 3.2 and later |
|
|
Cisco Nexus 9500 series switches with N9K-X9736C-FX linecards only |
Cisco ACI Release 3.1(1i) and later |
Usage Guidelines
This section lists usage guidelines for the Cisco Secure Workload software.
-
You must use the Google Chrome browser version 90.0.0 or later to access the web-based user interface.
-
After setting up your DNS, browse to the URL of your Cisco Secure Workload cluster: https://<cluster.domain>
When using the commission / decommission feature for Cisco Secure Workload virtual appliance environments, please observe the following usage guidelines.
This feature is meant to be used with the assistance of TAC and can cause unrecoverable damage if used incorrectly. No two VMs should ever be decommissioned at the same time, without explicit approval from TAC. The following combinations of VMs must never be decommissioned concurrently:
-
More than one orchestrator
-
More than one datanode
-
More than one namenode (namenode or secondaryNamenode)
-
More than one resourceManager
-
More than one happobat
-
More than one mongodb (mongodb or mongoArbiter)
-
Only one decommission/commission process can be executed at a time. Do not overlap the decommission/commission of different VMs at the same time.
Please always contact TAC prior to using the esx_commission snapshot endpoint
Verified Scalability Limits
The following tables provide the scalability limits for Cisco Secure Workload (39-RU), Cisco Secure Workload M (8-RU), and Cisco Secure Workload Cloud:
|
Configurable Option |
Scale |
|---|---|
|
Number of workloads |
Up to 25,000 (VM or bare-metal). Up to 50,000 (2x) when all the sensors are in conversation mode. |
|
Flow features per second |
Up to 2 million. |
|
Number of hardware agent enabled Cisco Nexus 9000 series switches |
Up to 100 (deprecated). |
|
Configurable Option |
Scale |
|---|---|
|
Number of workloads |
Up to 5,000 (VM or bare-metal). Up to 10,000 (2x) when all the sensors are in conversation mode. |
|
Flow features per second |
Up to 500,000. |
|
Number of hardware agent enabled Cisco Nexus 9000 series switches |
Up to 100 (deprecated). |
|
Configurable Option |
Scale |
|---|---|
|
Number of workloads |
Up to 1,000 (VM or bare-metal). |
|
Flow features per second |
Up to 70,000. |
|
Number of hardware agent enabled Cisco Nexus 9000 series switches |
Not supported. |
 Note |
Supported scale is based on whichever parameter reaches the limit first. |
Behavior Changes
Release 3.6.1.36
|
Feature |
Description |
|---|---|
|
New Agents Operating System Support |
Ingest Appliances
|
|
Agents |
Agents on Windows beyond 2008R2 now use NPCAP version 1.55 |
|
Feature |
Description |
|---|---|
|
No changes to software in this patch release. |
– |
|
Feature |
Description |
|---|---|
|
Secure Workload Agent Installer |
Secure Workload agent installer will now permit installation on any minor Linux distribution release where the major release is supported. Support for Linux minor releases is now extended through support of the corresponding major release. Supported operating system versions are documented on Platform Information on Cisco.com. |
|
Feature |
Description |
|---|---|
|
External Orchestrators |
New external orchestrators for AWS or Kubernetes EKS can no longer be created. Instead, create AWS cloud connectors. For more information, sbove. Instances of external orchestrators for AWS or Kubernetes EKS that were created before upgrade to 3.6.1.5 are still functional, but they cannot be modified. If changes are required, you must create a new AWS cloud connector instead which ingests information from the same set of cloud assets and then delete the old AWS or EKS external orchestrator configuration. |
|
UI |
From release 3.6.1.5 and later, the left menu is now the primary point of navigation as pages were moved from the top navigation bar to the left menu. The following are key changes:
|
|
Cluster Features |
The lookout feature was deprecated in 3.5 and remains in this state. In 3.6, you will no longer be able to turn on lookout features. However, if you currently use lookout, you will still be able to see your existing setup. In order to simplify this product, the UserApps feature has been removed. |
|
Agents |
|
|
Virtual Appliances |
ERSPAN virtual appliances must now be deployed using the Secure Workload Data Ingest OVA. The ERSPAN OVA is no longer published. No changes are needed for existing ERSPAN virtual appliances deployed with an older ERSPAN OVA. |
|
Support Policy |
We have released our EOL end-of-support policy for Secure Workload software versions. See Maintain and Operate TechNotes |
Enhancements
Release 3.6.1.47
|
Feature |
Description |
|---|---|
|
Software Agents |
Software Agents now support Redhat Enterprise Server 9 on x86_64 and s390x architectures. |
Release 3.6.1.36
|
Feature |
Description |
|---|---|
|
FMC External Orchestrator |
Support for enforcement per FMC Domain. You can now enable/disable enforcement on an FMC Domain by selecting the domain name while configuring the external orchestrator. |
|
Segmentation policy for Windows |
With segmentation policy for Windows, you can enter a list of users or user groups in the process level control section, in addition to just a single user name. |
|
Inventory labels while creating installer script |
You can specify inventory labels when creating the installer script. All the agents installed through the script are automatically tagged with such labels. The feature is supported only on Linux and Windows workloads deployments. |
Release 3.6.1.21
|
Feature |
Description |
|---|---|
|
Kubernetes version for External Orchestrator integration |
Kubernetes versions 1.21 and 1.22 are now supported for External Orchestrator integration. |
Release 3.6.1.17
|
Feature |
Description |
|---|---|
|
Secure Workload and flow logs |
If the AWS user account credentials provided during connector creation have access to both the VPC flow logs and the S3 bucket, Secure Workload can now ingest flow logs from an S3 bucket associated with any account. |
Release 3.6.1.5
|
Features |
Description |
||
|---|---|---|---|
|
ServiceNow supports integration with ServiceNow scripted REST APIs. |
In the configuration workflow, you can choose to The ServiceNow connector now supports integration with ServiceNow scripted REST APIs. The Cisco Integrated Management Controller (CIMC) versions have been updated. M4 CIMC has been updated to 4.1(2b) and M5 CIMC has been updated to 4.1(3b). Upgrading the Secure Workload cluster to 3.6 does not automatically upgrade CIMC firmware on bare metal nodes. Upgrading CIMC firmware is optional and may take up to four hours per bare metal host. This process should be performed only when recommended by Cisco TAC. The Secure Workload integration with Firepower Management Center (Beta feature) allows policy enforcement using the firewall. In this release, the integration uses access control policies using dynamic objects instead of prefilter policies, so changes in network inventory do not require deploy, resulting in fewer deployments and faster response to inventory changes. For details including supported versions and requirements, see the Cisco Secure Workload and Firepower Management Center Integration Guide if you have configured FMC integration in release 3.5, see important caveats before upgrading in the Cisco Secure Workload Upgrade Guide. Conversation mode Flow Analysis Fidelity now applies to AIX agents. |
||
|
Cisco Integrated Management Controller (CIMC)version updated |
The Cisco Integrated Management Controller (CIMC) versions have been updated:
|
||
|
FMC integration with Secure Workload |
The Secure Workload integration with Firepower Management Center (Beta feature) allows policy enforcement using the firewall. In this release, the integration uses access control policies using dynamic objects instead of prefilter policies, so changes in network inventory do not require deploy, resulting in fewer deployments and faster response to inventory changes. For details including supported versions and requirements, see Cisco Secure Workload and Firepower Management Center Integration Guide.
|
||
|
Flow Analysis Fidelity |
Conversation mode Flow Analysis Fidelity now also applies to AIX agents. |
New Features and Changed Information
New Features and Changed Information for Release 3.6.1.36
|
Feature |
Description |
|---|---|
|
Inventory |
Inventory upload: A new Merge Option is available under Inventory Upload. |
|
External Orchestrator |
Infoblox External orchestrator: You can now choose between different types of DNS record (A-record, AAAA-record, network-record and/or host-record.) |
|
Support for Kubernetes inventory |
Support for Kubernetes inventory in ADM clustering and Scope suggestion. |
|
VDI deployments |
A new --goldenImage flag for installation script and MSI installer now allows agent installation on Windows Golden Virtual Machine, so that agents will run on replicated VMs once the hostname changes. (Agent software will never run on the golden VM, even when VM boots for maintenance or upgrades). |
New Features and Changed Information for Release 3.6.1.21
|
Feature |
Description |
|---|---|
|
Micro-segmentation support for container workloads |
Micro-segmentation support for container workloads deployed through Red Hat OpenShift 4.x is now available. OpenShift 4.x leverages CRI-O as the default container runtime for Kubernetes. CRI-O is supported, and no additional changes in the existing enforcement workflow are required for running in such environments. Worker node operating systems can be either RHEL or CentOS versions that are officially supported by OpenShift 4.x. This release supports Red Hat OpenShift versions up to 4.9 for external orchestrator integration. It also adds support for Red Hat Enterprise Core OS versions up to 4.9. |
New Features and Changed Information for Release 3.6.1.17
No new software features in this patch release.
New Features and Changed Information for Release 3.6.1.5
To support the analysis and various use cases within the Cisco Secure Workload platform, consistent telemetry (flow data) is required from across the environment. Cisco Secure Workload collects rich telemetry using software agents and other methods to support both existing and new installations in data center infrastructures. This release supports the following telemetry sources:
-
Secure Workload agents installed on virtual machine and bare-metal servers
-
DaemonSets running on container host operating systems
-
ERSPAN connectors that can generate Cisco Secure Workload telemetry from mirrored packets
-
Telemetry ingestion from ADCs (Application Delivery Controllers) F5 and Citrix
-
NetFlow connectors that can generate Cisco Secure Workload telemetry based on NetFlow v9 or IPFIX records
-
ASA connector for collection of NSEL (NetFlow Secure Event Logging) telemetry
-
AWS connector for flow telemetry data generated using VPC flow log configurations
In addition, this release supports ingesting endpoint device posture, context and telemetry through integrations with:
-
Cisco AnyConnect installed on endpoint devices such as laptops, desktops, and smartphones
-
Cisco ISE (Identity Services Engine)
-
Secure Workload agents also act as a policy enforcement point for application segmentation. Using this approach, the Cisco Secure Workload platform enables consistent micro-segmentation across public, private, and on-premises deployments.
Agents enforce policy using native operating system capabilities, thereby eliminating the need for the agent to be in the data path and providing a fail-safe option. Additional product documentation is listed in the “Related Documentation” section
|
Feature |
Description |
||
|---|---|---|---|
|
AWS Connector |
A new cloud connector for AWS (Beta feature) adds support for ingesting flow telemetry, cloud workload tag/label ingest for both EC2 instances and EKS pod/service workloads and policy enforcement using AWS security groups (for EC2 workloads only) without the need to install software agents on the cloud hosts. This new cloud connector streamlines the management of the connection by consolidating the functionality previously provided through various means and does so without requiring an external appliance.
|
||
|
Micro-segmentation support for container workloads |
Micro-segmentation support for container workloads deployed through Red Hat OpenShift 4.x is now available. OpenShift 4.x leverages CRI-O as the default container runtime for Kubernetes. CRI-O is supported, and no additional changes in the existing enforcement workflow are required for running in such environments. Worker node operating systems can be either RHEL or CentOS versions that are officially supported by OpenShift 4.x. This release supports up to Red Hat OpenShift version 4.6. This release adds support to Red Hat CoreOS as worker node operating system. |
||
|
Policy Templates |
Policy Templates have been added to help you get started with common configurations. |
||
|
PIV/CAC |
Integration with PIV/CAC identity verification is now supported. |
||
|
Hardware clusters |
The Cisco Secure Workload hardware clusters can now be configured with IPv6 for external network connectivity during deployment or upgrading to version 3.6.1.5. For limitations, requirements, and instructions, please see the Upgrade Guide or the Hardware Deployment Guide as applicable. |
||
|
Windows workloads |
Added support for service/application/user-based policy enforcement for Windows workloads. Support for policy discovery based on Kubernetes pod and service flows.
|
||
|
Software agents health |
Software Agents Health page now shows anomalies for memory and CPU usage levels and agent running state. Conversation mode Flow Analysis Fidelity now report 4-tuple conversations L4 port whenever the conversation’s initiator can be determined. |
For detailed compatibility information, please refer to Platform Information on Cisco.com.
Caveats
This section contains lists of resolved and open bugs and known behaviors.
The resolved and open bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note |
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can https://www.cisco.com/c/en/us/about/help/login-account-help.html. |
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Known Behaviors
Refer to the known behaviors for Cisco Secure Workload software releases 3.6.x.
|
Release |
Known behaviour |
|---|---|
|
3.6.1.47 |
Same as the known behaviors in 3.6.1.5 |
|
3.6.1.36 |
Same as the known behaviors in 3.6.1.5 |
|
3.6.1.21 |
Same as the known behaviors in 3.6.1.5 |
|
3.6.1.17 |
Same as the known behaviors in 3.6.1.5 |
|
3.6.1.5 |
|
Caveats for Release 3.6.1.52
The following table lists the caveats in this release.
Click a bug ID to access Cisco’s Bug Search Tool to see additional information about that bug.
Resolved Bugs
|
Identifier |
Headline |
|---|---|
|
Data Not Rendering in Tetration UI if User is Using IP Virtualization to Obtain Network Information. |
|
|
Labels associated to a host IP will be replicated to all other IPs reported by this host. |
|
|
Provider port 0 found for tcp flows. |
|
|
Disk Space starvation on datanodes due to incorrect regular expression in forensic rules. |
Open Caveats
The following table lists the open caveats in this release. Click a bug ID to access Cisco’s Bug Search Tool to see additional information about that bug.
|
Identifier |
Headline |
|---|---|
|
Conversation Mode: 39RU cluster may not support 50k sensors when enforcement is enabled. |
|
|
FMC-CSW orchestrator: CSW pushes ipv6 hop by hop if protocol is set to any. |
|
|
AWS Flow Logs: Policies Analysis with AWS Flow logs doesn’t work. |
Caveats for Release 3.6.1.47
The following table lists the caveats in this release.
Click a bug ID to access Cisco’s Bug Search Tool to see additional information about that bug.
Resolved Bugs
|
Identifier |
Headline |
|---|---|
|
Secure workload internal cluster orchestrator local dns may fail in very rare cases. |
|
|
DNS external orchestrator - not able to get metadata - kafka producer error - message was too large. |
|
|
Windows agent installer powershell script does not provide option to install agent in custom path. |
|
|
Agent on RHEL hosts would repeatedly appear in Agent Restarted anomaly. |
|
|
CSW 3.7 Upgrade may fail due to rsync version < 3.1.2 on orchestrators. |
|
|
Disabling network visibility also disables process/package visibility. |
|
|
namenode switchover script may fail to wait for namenode to start |
|
|
Disabling the Forensic feature does not stop logging events into audit logs. |
|
|
RHEL 8.x enforcement agents don't display in Upgrade tab. |
|
|
Agent installer script with user label update caveat. |
|
|
Clock Drift Observed on Windows Server 2008 R2 with Cisco Secure Workload Agent. |
|
|
Enforcement Agent may restart when processing a policy with specific IPv6 ranges. |
|
|
Unable to perform a massive CSW agent deployment for their workloads. |
|
|
Error decoding netflow datasets received from ACI with EOF errors. |
|
|
Netflow sensor dropping received netflow data. |
|
|
Constant errors in decoding netflow packets from Netflow Connector. |
|
|
Policy Template import does not change Analyze Latest Policies button. |
|
|
[North Star] Add Requirement to Import Working SSH Keys Before Upgrade. |
|
|
Feature Enhancement - Match Condition Support for All Label Types |
Open Bugs
|
Identifier |
Headline |
|---|---|
|
Conversation Mode: Short lived non TCP flows in conversation mode can have client server flipped |
|
|
policy analysis in child scopes for aws flow logs will not work |
|
|
Conversation Mode: 39RU cluster may not support 50k sensors when enforcement is enabled. |
|
|
Conversation Mode: 39RU cluster may not support 50k sensors when enforcement is enabled. |
Caveats for Release 3.6.1.36
The following table lists the caveats in this release.
Click a bug ID to access Cisco’s Bug Search Tool to see additional information about that bug.
Resolved Bugs
|
Identifier |
Headline |
|---|---|
|
Secure Workload enforcement agent may incorrectly summarize IPv6 subnets |
|
|
Services for AgentContainers and HelmCharts failing after patch upgrade. |
|
|
namenode switchover script may fail to wait for namenode to start |
|
|
ERSPAN sensor running in server with 40Gbps links, only receives 100Kpps |
|
|
Enforcement agent depends on Windows Firewall Service when enforcement mode is WFP |
|
|
EHN: Tet Agent installation should provides information the agent type details during installation |
|
|
Document minimum required roles for SNOW integration |
|
|
ENH - NPCAP version upgrade to latest 1.5 |
|
|
DNS external orchestrator failing on zone transfer |
|
|
Federation/DBR: Unable to determine status of sensor migration from source cluster |
|
|
Site DNS resolvers config change may fail |
|
|
http proxy enable in 3.6 without port breaks appserver iptables template |
|
|
ISE connector unable to process multiple memberOf attributes when integrated with LDAP |
|
|
Log rotation broken for noisy.log on appserver virtual machines |
|
|
Tetration incompatible with Rocky Linux 8 |
|
|
Conversation Mode: Short lived non TCP flows in conversation mode can have client server flipped |
Open Bugs
|
Clock Drift Observed on Windows Server 2008 R2 with Cisco Secure Workload Agent |
|
|
policy analysis in child scopes for aws flow logs will not work |
|
|
Conversation Mode: 39RU cluster may not support 50k sensors when enforcement is enabled. |
|
|
License Count Inaccurate |
|
|
FMC-CSW orchestrator: CSW pushes ipv6 hop by hop if protocol is set to any |
Caveats for Release 3.6.1.21
The following table lists the caveats in this release.
Click a bug ID to access Cisco’s Bug Search Tool to see additional information about that bug.
Resolved Bugs
|
Bug ID |
Description |
|---|---|
|
Reflect the NIC Teaming version compatibility matrix in Sensor Deployment documentation. |
Open Bugs
|
Identifier |
Headline |
|---|---|
|
ERSPAN sensor running in server with 40Gbps links, only receives 100Kpps. |
|
|
Enforcement agent depends on Windows Firewall Service when enforcement mode is WFP. |
|
|
Federation/DBR: Unable to determine status of sensor migration from source cluster. |
|
|
Clock Drift Observed on Windows Server 2008 R2 with Cisco Secure Workload Agent. |
|
|
policy analysis in child scopes for aws flow logs will not work. |
|
|
Conversation Mode: Short lived non TCP flows in conversation mode can have client server flipped. |
|
|
Conversation Mode: 39RU cluster may not support 50k sensors when enforcement is enabled. |
|
|
FMC-CSW orchestrator: CSW pushes ipv6 hop by hop if protocol is set to any. |
Caveats for Release 3.6.1.17
The following table lists the caveats in this release.
Click a bug ID to access Cisco’s Bug Search Tool to see additional information about that bug.
Resolved Bugs
|
Identifier |
Headline |
|---|---|
|
Tetration Vulnerabilities Site, Output Issues |
|
|
F5 external orchestrator improperly handles services marked with all protocols |
|
|
Agent fails to register when using a vmware VDI instant clone (Windows10 w/ enforcement) |
|
|
Tetration SSH keys not synced between Primary and secondary sites for cluster in federation |
|
|
ADM generates polices with provider port set as 0 in conversation mode |
|
|
Describe the differences between Strong Ciphers Enabled option set True or False. |
|
|
ENH: Tetration Agent support for Windows Storage Server 2012R2/ Storage Server 2016 |
|
|
ADM Job Failing after upgrade to 3.6.1.5 for Workspaces using Provided service requests |
|
|
FabricPath is not displayed correctly in scenario with two ACI fabric connected to Tetration Cluster |
|
|
Error opening Workload profile page of Sensors with locale name contianing non utf-8 characters |
|
|
ENH : Deep Visibility Sensor to regularly poll windows registry update Tetration with new UBR |
|
|
Agent upgrade on RHEL 8.2 VM's is failing with Reason: No PGP signature |
|
|
Enforcement Agent stats for CPU overhead metric on workload profile page are reported incorrectly |
|
|
Windows agent shows inactive after upgrade to 3.6.1.5 while using proxy with internal only DNS |
|
|
ADM generates policies for un-established TCP flows when agents are in conversation mode |
|
|
Error - Upgrade to 3.6.1.5 failed with site_enable_strong_ciphers_sensor_vip undefined |
|
|
3.6(1.5) agent installation script cannot install 3.5(1.x) agent packages on Windows host |
|
|
Reflect the NIC Teaming version compatibility matrix in Sensor Deployment documentation |
|
|
Add Tetration agent support for Windows 10 Enterprise LTSC |
|
|
ADM failing after 4 hours when admFlowDb batches are too large. |
|
|
After reconfiguring listening port of ingest connector, the connector gets in inactive state. |
|
|
Need alerts when new workloads are seen for the first time |
Open Bugs
|
Identifier |
Headline |
|---|---|
|
ERSPAN sensor running in server with 40Gbps links, only receives 100Kpps |
|
|
Enforcement agent depends on Windows Firewall Service when enforcement mode is WFP |
|
|
Flow Learned Inventories build up from uni-dir flows in Conversation mode |
|
|
Federation/DBR: Unable to determine status of sensor migration from source cluster |
|
|
Clock Drift Observed on Windows Server 2008 R2 with Cisco Secure Workload Agent |
|
|
policy analysis in child scopes for aws flow logs will not work |
|
|
Conversation Mode: Short lived non TCP flows in conversation mode can have client server flipped |
|
|
Conversation Mode: 39RU cluster may not support 50k sensors when enforcement is enabled. |
|
|
FMC-CSW orchestrator: CSW pushes ipv6 hop by hop if protocol is set to any. |
Caveats for Release 3.6.1.5
The following table lists the caveats in this release.
Click a bug ID to access Cisco’s Bug Search Tool to see additional information about that bug.
Resolved Bugs
|
Identifier |
Headline |
|---|---|
|
Inbound WFP filters can block subsequent ports in some policies in older Windows releases |
|
|
Tetration agent upgrade may fail npcap installation on Windows |
|
|
ERSPAN appliance reflecting as "PENDING REGISTRATION" |
|
|
Enforcement agent keeps re-deploying firewall rules intermittently to Windows Systems |
|
|
ERSPAN agents not upgrading after 3.5.x |
|
|
Old LDAP attribute is still visible in Flow Search After deleting from Ldap conf for the anyconnect |
|
|
Agent installer scripts from LDAP/ AD accounts with auto role mapping fail after user is logged out. |
|
|
Linux Enforcement agent fails to program firewall rules due to issue with iptables version 1.8.4 |
|
|
ENH: Add an alert for CPU quota exceeded in Enforcement Alert types. |
|
|
NET Vulnerabilities wrongly queried, eventually causing the FP in Tetration for Server 2008 R2 |
|
|
CVEs are detected post latest data pack installation |
|
|
Windows Agent Install: error: Older version of Tetration agent cannot be removed |
|
|
ISE Integration causing stale annotations for EAP chaining and IP address change cases |
Open Bugs
The following table lists the open bugs in this release.
Click a bug ID to access Cisco’s Bug Search Tool to see additional information about that bug.
|
Identifier |
Headline |
|---|---|
|
ERSPAN sensor running in server with 40Gbps links, only receives 100Kpps |
|
|
Enforcement agent depends on Windows Firewall Service when enforcement mode is WFP |
|
|
Enforcement Agent stats for CPU overhead metric on workload profile page are reported incorrectly |
|
|
Clock Drift Observed on Windows Server 2008 R2 with Cisco Secure Workload Agent |
|
|
policy analysis in child scopes for aws flow logs will not work |
|
|
After reconfiguring listening port of ingest connector, the connector gets in inactive state. |
|
|
ADM generates polices with provider port set as 0 in conversation mode |
|
|
Error - Upgrade to 3.6.1.5 failed with site_enable_strong_ciphers_sensor_vip undefined |
|
|
Conversation Mode: Short lived non TCP flows in conversation mode can have client server flipped |
|
|
ADM generates policies for un-established TCP flows when agents are in conversation mode |
|
|
3.6(1.5) agent installation script cannot install 3.5(1.x) agent packages on Windows host |
|
|
Conversation Mode: 39RU cluster may not support 50k sensors when enforcement is enabled. |
|
|
FMC-CSW orchestrator: CSW pushes ipv6 hop by hop if protocol is set to any. |
Related Documentation
The Cisco Secure Workload documentation can be accessed from these websites:
|
Document |
Description |
||
|---|---|---|---|
|
Cisco Secure Workload Cluster Deployment Guide |
Describes the physical configuration, site preparation, and cabling of a single- and dual-rack installation for Cisco Secure Workload (39-RU) platform and Cisco Secure Workload M (8-RU). Cisco Tetration (Secure Workload) M5 Cluster Hardware Deployment Guide |
||
|
Cisco Secure Workload Virtual Deployment Guide |
Describes the deployment of Cisco Secure Workload virtual appliances (formerly known as Tetration-V). Cisco Secure Workload Virtual (Tetration-V) Deployment Guide |
||
|
Cisco Secure Workload Upgrade Guide |
Cisco Secure Workload Upgrade Guide
|
||
|
Latest Threat Data Sources |
If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:
-
Email Cisco TAC: tac@cisco.com
-
Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447
-
Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts
Contact Cisco
If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:
-
Email Cisco TAC: tac@cisco.com
-
Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447
-
Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts
Feedback